generated from coulomb/repo-seed
44 lines
1.2 KiB
Markdown
44 lines
1.2 KiB
Markdown
# Pattern: Signed Image Admission
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: Railiance platform, artifact-store, product repos
|
|
Genesis family: Kubernetes and platform
|
|
|
|
## Problem
|
|
|
|
Clusters cannot trust that an image came from reviewed source or an
|
|
approved build unless admission verifies signature and provenance.
|
|
|
|
## Context
|
|
|
|
Use this pattern for Kubernetes admission, container registries,
|
|
artifact-store, release promotion, and supply-chain evidence.
|
|
|
|
## Forces
|
|
|
|
- Developers need fast image builds.
|
|
- Production needs evidence of review and provenance.
|
|
- Not every image source is equally trusted.
|
|
- Emergency rollback must still use trusted artifacts.
|
|
|
|
## Solution
|
|
|
|
Require production workloads to use signed images from approved
|
|
registries. Admission verifies signature, digest, provenance, and policy
|
|
before the workload runs.
|
|
|
|
## Verification
|
|
|
|
- Unsigned images are rejected in production namespaces.
|
|
- Admission pins by digest or verifies immutable references.
|
|
- Signatures and provenance link to reviewed source and build identity.
|
|
- Emergency images follow the same trust policy.
|
|
|
|
## Related Patterns
|
|
|
|
- Supply-Chain Provenance.
|
|
- Signed Container Images.
|
|
- SLSA Build Provenance.
|
|
- Policy-as-Code Admission Control.
|