grafeas/kritis

[Feature] GAP switch for requiring multiple attestations

ba32107 opened this issue · 1 comment

Is your feature request related to a problem? Please describe.
When setting up a GAP, I have the ability to specify a list of attestation authorities. If the image is attested by any of those authorities, it will be allowed.

We have several use cases where we would like an image to be attested by all attestation authorities before it can be admitted to the cluster. We would set up multiple attestation authorities, each of them would represent a different check (that we perform in our CI pipeline), and we require all these checks to be done in order to deploy an image.

Describe the solution you'd like
A possible solution is to modify the GAP and add a requireAttestationsFromAll switch. Perhaps something like this:

apiVersion: kritis.grafeas.io/v1beta1
kind: GenericAttestationPolicy
metadata:
  name: my-gap
  namespace: default
spec:
  attestationAuthorityAdmissionPolicy:
    requireAttestationsFromAll: true
    attestationAuthorityNames:
    - my-authority-1
    - my-authority-2

Describe alternatives you've considered
We could work around this by having an additional "master" attestation authority that we only use when all our other authorities are satisfied, but this is just a workaround, and does not allow for fine-grained control during the deployment phase.

I am sorry, please ignore this issue. I mixed up the use case of having multiple attestation authorities within the same GAP and multiple GAPs in the same namespace.

The documentation actually clearly says that all authorities must be satisfied, so this is already working as expected. My mistake!
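The rule the thread settles on, that an image is admitted under a single GenericAttestationPolicy only when every authority listed in attestationAuthorityNames has attested it, can be modelled in a few lines. The Go below is an added illustration written for this page, not code from the kritis project: the Attestation and Policy types, the constructed digests, and the absence of signature verification (real kritis attestations are signed and verified against the authority's key) are all simplifications. It also makes a point the thread does not spell out: an attestation only counts for the digest it is bound to, so a check passed on an earlier build must not admit a later one.

```go
package main

import (
	"fmt"
	"sort"
)

// Attestation is a constructed, simplified record of which authority attested
// which image digest. Real kritis attestations carry a signature that is
// verified against the authority's public key; that step is omitted here.
type Attestation struct {
	Authority string
	Digest    string // digest of the image the attestation is bound to
}

// Policy mirrors the authority list of the GenericAttestationPolicy on this
// page (spec.attestationAuthorityAdmissionPolicy.attestationAuthorityNames).
type Policy struct {
	Name        string
	Authorities []string
}

// MissingAuthorities returns the authorities named in the policy that have no
// attestation for the given image digest, sorted for stable output. The policy
// is satisfied only when the result is empty: every listed authority must attest.
func MissingAuthorities(p Policy, digest string, atts []Attestation) []string {
	attested := map[string]bool{}
	for _, a := range atts {
		// An attestation counts only for the digest it is bound to; an
		// attestation for an older build of the same image does not satisfy
		// the policy for the current build.
		if a.Digest == digest {
			attested[a.Authority] = true
		}
	}
	var missing []string
	for _, name := range p.Authorities {
		if !attested[name] {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

// Admit reports whether the image digest satisfies the policy, i.e. whether
// all authorities in the policy have attested this exact digest.
func Admit(p Policy, digest string, atts []Attestation) bool {
	return len(MissingAuthorities(p, digest, atts)) == 0
}

func main() {
	policy := Policy{Name: "my-gap", Authorities: []string{"my-authority-1", "my-authority-2"}}
	// Constructed sample data (placeholder digests, not real images):
	// my-authority-2 attested an earlier digest, so the current one is denied.
	const digest = "sha256:1111"
	atts := []Attestation{
		{Authority: "my-authority-1", Digest: digest},
		{Authority: "my-authority-2", Digest: "sha256:0000"},
	}
	if missing := MissingAuthorities(policy, digest, atts); len(missing) > 0 {
		fmt.Printf("deny %s under %s: no attestation from %v\n", digest, policy.Name, missing)
	} else {
		fmt.Printf("admit %s under %s\n", digest, policy.Name)
	}
}
```

Reporting the missing authorities rather than a bare deny is deliberate: when a deployment is rejected, the operator's first question is which CI check has not yet attested the digest being deployed.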