AWS blog guide ain't updated according to the current situation in the repository
Opened this issue · 4 comments
source: #124
AWS blog guide ain't updated according to the current situation in the repository, as processing changed
- key: images
  value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].image }}"
Doesn't work anymore, which may result in further confusion for whoever tries to implement it and provide a bad user experience
More details: https://aws.amazon.com/blogs/containers/announcing-container-image-signing-with-aws-signer-and-amazon-eks/
From my side, it was initially assumed it would work, but it created a lot of confusion and cost time to implement a working PoC
Thanks @vponoikoait for opening these issues, I will fix them as soon as I can
@vponoikoait, that blog was published when this service was in its early stages, and we added a lot of features after that. Unfortunately, some of those required us to break backwards compatibility with 0.x alpha versions.
You can follow this blog: https://nirmata.com/2023/11/20/verifying-images-and-attestations-using-aws-signer-notation-and-kyverno/
We will see if we can get that AWS blog updated
@vishal-chdhry would you be so kind as to include there that the current auth requires Kyverno to stay in the kyverno namespace and have a specific SA name? So nobody would potentially get confused.
Referencing: nirmata/kyverno-notation-verifier#27
It would also be worth mentioning that it's available since Kyverno version 1.10+, when service calls started to be a thing