Support enforcement of zero vulnerabilities #71
Comments
sjhx
changed the title
|
Shouldn't this be the task of the Registry? |
|
I don't see how it could be implemented in a registry, unless the registry prevented image pull acording to policy which would be problematic, for example pull to investigate the vulnerability and pull due to rescheduling would also be blocked. Its the responsibilty of an admission controller to enforce an image policy and this would seem to be a reasonable policy to implement as a additional feature. The idea is that portieris would query the vulnerability status at the time of deployment (admission). |
|
We would want to allow for different vulnerability analysis services to be integrated so the policy should be open to that for example: policy:
vulnerabilities:
ibmcloud:
enforce: trueOther services would need to extend the policy crd but would not disrupt existing policies. |
|
The referenced PR adds support for checking with IBM Cloud Container Registry's Vulnerability Advisor, other sources of image analysis information could be added to the same policy structure. |
Using for example https://github.com/quay/clair in order that images with known vulnerabilities can be blocked from initial deployment.
The text was updated successfully, but these errors were encountered: