How can I disable mutation for managed sidecars #1220
Comments
|
@BitRacer I wouldn't recommend to disable the mutation for a container. In addition to that, I won't recommend it as a security best practice consists on relying on digests instead of tags. |
|
It is not possible today to disable it with the existing source code. Feel free to make any changes to that logic. |
|
It would be nice to be able to disable the mutation, it is more obvious what version of image is running on the cluster |
|
cosign support verify using image with Tag, as during cosign verify cosign converts tag to digest before doing the verification, so i dont see really the benefit of doing the mutation in policy controller to modify IMAG:TAG -> IMAGE@sha256 as with this in podsepcs we loose the important TAG information, it would be nice if policy controller does not do this mutation and let cosign library does it. do we have an specific reason why we do this in policy controller before calling cosign verify |
|
/assign |
|
Mu suggestion would be to have a flag -disableMutation similar to what we have for disabling TUF (-disableTUF) so if this flag is used than the logic for Mutating TAG to Digest does not happen. so based on the user requirement we can choose to have mutation of the tag to digest or not , currently it is hardcoded in the code. |
|
Hi @BitRacer , what do you mean by "chaos ensued". I'm also using Anthos Service Mesh and I see no side effect for now. Maybe when updating Istio? |
|
@hectorj2f - could you please share your thoughts? |
|
As mentioned above, disabling the mutation of sidecars won't follow security best practices. However, you could try using policy rules which match specific labels so the policy-controller only enforce these policies on specific pods or other type of resources. That could exclude the sidecars pods of istio although I haven't tried myself. |
|
Thank Hector for your comment. |
|
We've tried this "Match" functinailty that only pods would be in the scope and in a way to pass everything beside that, but seems to be only instrumenting the Validation webhook, not the Mutating one. We've found as issue with this. Scenario is the following: Is there any issue which would deal with this behavior ? Btw Connaisseur also supports the different scope for mutation: After a quick search it seems kyverno also does the mutation and validation on the pod level: |
|
#1105 (comment) |
I'm using a managed version of service mesh in GKE, Anthos Service Mesh. The managed service mesh injects envoy sidecars and references the containers by tag, not with a sha. The result of mutating the sha on the sidecar is that ASM cannot determine what version is installed and chaos ensues.
Is there a way to disable mutation for a container, or set of containers. for example gcr.io/releases/asm*
I only want to skip this mutation for theses sidecars. Not for the main container, which is signed and delivered with a sha
I can't find any examples of how to set this in the cluster policy or mutating webhook config.
The text was updated successfully, but these errors were encountered: