►
Description
Join Pushkar with Christoph from SSE - Secure Systems Engineering GmbH, as we explore, why having signed images only is not enough. But having a way to verify them for each workload, is equally important. In this episode we will explore Connaisseur project that acts as an admission controller to verify signed images at deployment time.
A
Hello,
everyone
welcome
to
this
special
edition
of
djik,
which
is
going
to
be
broadcasted
twice,
so
we
are
doing
our
first
stream
today,
I'm
your
friendly
tgik
host,
pushkar
zaweker.
I
work
for
vmware
and
work
in
upstream
kubernetes
and
cncf
focusing
on
security.
A
A
It's
called
connoisseur
and
it's
going
to
help
act
like
an
admission
controller
for
all
the
images
that
are
signed
and
then
you
can
use
them
to
verify
so
now
the
idea
is
what
it
is
and
how
can
I
use
it
and
I'm
going
to
use
it
as
a
beginner,
and
for
that
I
thought
it
would
be
great
if
we
could
get
one
of
the
creators
of
connoisseur
to
join
us,
so
I'm
lucky
and
excited
to
welcome
christoph
who
is
one
of
the
creators
of
connoisseur
christoph.
Why
don't
you
quickly
introduce
yourself.
B
Hi
everyone
super
happy
to
be
here,
thank
you
for
the
invitation
pushkar
very
exciting,
also
exciting,
to
see
bandy
somebody
using
it
without
having
it
tested.
First,
that's
certainly
going
to
be
interesting
from
a
support
perspective
and
very
worrying
from
a
show
perspective,
but
let's
see
yeah
quickly
about
myself,
I'm
a
security
expert
from
secure
systems,
engineering
and
one
of
the
maintainers
of
connoisseur,
secure
systems.
Engineering
is
a
security
company
actually
from
berlin,
and
we
obviously
do
offensive
security
and
defensive
security
and
we
have
an
engineering
section.
B
Actually,
we
do
also
host
a
dns
service,
a
secure,
dns
service
and
also
we
built
connoisseur
in
that
realm.
It
actually
very
much
came
out
of
our
defensive
security
work
for
companies
where
we
ran
into
the
problem
that
we
needed
to
verify
signatures
in
the
kubernetes
cluster,
and
that
was
more
than
maybe
roughly
one
and
a
half
years
ago
and
back
then
there
was
no
solution,
so
yeah
we
kind
of
got
into
it.
That
way,
and
now
we're
sitting
here
talking
about
it.
So
I'm
excited
how
it's
going
to
go.
A
Wow,
that's
that's
amazing.
I
love
to
always
understand
the
history
behind
how
this
came
about,
and
people
have
already
started
asking
some
questions
about
like
hey.
Why
are
we
having
two
tgi
guys
today?
What
what
are
what
is
going
on
really?
So
I
just
wanted
to
give
some
idea
about
why
this
is
happening
and
what
we
are
trying
to
do
so.
A
A
The
1pm
slot
is
really
probably
the
worst
time
for
everyone,
except
people
in
pacific
time
zone,
so
the
idea
was
could
potentially,
we
have
episodes
in
future
where
we
have
an
episode
that
is
friendlier
to
other
time
zones,
especially
apac
time
zones
and
emea
time
zones.
So
this
is
why
we
are
trying
this
out.
We
will
have
two
episodes
today.
This
is
the
one
that
hopefully
is
more
convenient
for
people
in
apec
anemia.
A
I
know
christoph
you
yourself
are
joining
from
europe,
so
it
would
have
been
very
hard
to
join
on
the
regularly
scheduled
time
for
you
as
well.
So
so
that's
that's
why
we
are
here
they.
I
j.
I
also
posted
a
link
to
the
overall
schedule
for
the
upcoming
weeks
on
for
tgik
what
it
is
going
to
look
like
and
where
we
are
really
going
to
go.
So
let
me
do
that
first
and
then
we'll
go
to
all
the
week.
We
can
review
announcements
so
I'll
start
sharing.
My
screen.
A
What
basically
you're
seeing
is
today's
episode,
so
we
have
one
from
that
is
going
on
now,
and
one
ricardo
is
doing
later
on
a
regularly
scheduled
time.
We
have
another
one
for
during
thanksgiving
and
then
few
more
in
december,
so
it's
it's
gonna
be
packed
week
and
packed
month,
and
I'm
excited
to
see
how
this
goes.
We'll
probably
make
a
make
a
few
mistakes,
we'll
probably
do
a
bit
more
of
exploration,
of
how
the
time
zones
look
like
how
the
timelines
are
going
to
look
like
and
any
feedback
related
to.
A
We
also
have
kubernetes
patch
releases
that
were
out
this
week
for
all
the
supported
releases
and
we
had
some
in
very
interesting
salsa
stuff
digged
into
it.
So
take
a
look
at
that
tweet
thread
there
are.
There
is
also
a
new
golang
version
coming
in
which
is
1.18,
and
there
is
a
very
cool
twitter
thread
covering
about
the
new
stuff
that's
coming
in,
so
we
have
fuzz
fuzzing
generics,
even
a
new
net
net
ip
package
and
a
new
strings
bytes
dot
cut.
A
A
The
mutation
looks
like
move
to
beta
and
there
is
a
new
cli.
There
are
test
constraints
and
constraint
templates
without
kubernetes,
and
the
most
popular
announcement
of
potentially
last
year
was
docker
shim
deprecation.
So
now
that
it's
been
deprecated
for
a
bit
and
again
just
to
emphasize
it's
docker
shim,
that
is
being
deprecated,
it's
going
to
be
marked
for
removal
in
version
124.
A
So
for
that
purpose,
one
of
our
six
in
kubernetes
signature
is
collecting
some
feedback.
So
there
is
a
link
to
the
blog
and
they
want
to
basically
know.
Are
you
using
docker
shim?
How
are
you
using
docker
shim
for
in
your
clusters?
Does
this
impact?
You?
Are
you
aware
of
this
deprecation
and
removal,
so
any
feedback
that
you
can
share
there
will
be
really
appreciated,
and
then
my
favorite
announcement
for
the
week
is
port
security.
A
Admission
is
going
to
move
to
beta
in
version
123
and
by
moving
to
beta
it
means
it
will
be
enabled
by
default
the
tweet
tag.
There
also
has
some
very
interesting
details
and
some
history
behind
it.
So
take
a
look
at
that
and
some
very
exciting
documentation,
updates
and
blogs
are
also
coming
in
as
well.
A
So
let's
me
check
out
any
comments
with
some
wicked
review
from
everyone
else.
In
the
meantime,
all
right,
yay
people
are
excited
about
dual
tgi
case
is
the
image
signature
located
in
ocm
metadata.
I
think
that's
a
good
question
for
the
rest
of
the
episode
happy
friday
yusuf
happy
friday
engine.
Hopefully
I
pronounce
your
name
right:
hey
nestor
from
central,
california,
central
america
and
yusuf.
Finally,
we
will
maybe
change
timing
for
tgik
yup
and
then
hba
v2.
Yes,
that's
right.
A
Okay,
cool
tell
us
if
anybody
else
who
has
joined
where
you're
from
and
what
is
what
you're
excited
about
for
today's
episode,
cool.
So
back
to
the
topic
of
the
session
and
the
episode,
I
think
one
thing,
I'm
very
interested
to
know
and
kind
of
dig
deep
into
the
history.
B
A
Connoisseur
and
and
the
name
yes,
especially
the
name,
because
whenever
I've
used
the
name,
it's
always
like
the
spell
checkers
have
always
told
me:
hey.
Is
this
the
correct
name
and
I'm
like
I
know
the
github
repo
is
named.
That
so
tell
us
then
system
behind
the
name,
history
behind
the
tool
and
how
it's
all
started.
B
So
I
make
both
statements
here
that
I
haven't
checked,
but
I
can
tell
you
how
it
happened.
It
turns
out
when
we
built
the
tool
we
first
at
some
point.
You
need
a
name
right
and
we
did
it
in
the
way
you
shouldn't
be
doing
it.
I
was
like
well,
our
company
initials
are
sse,
so
it
would
be
fun
to
have
a
name
where
sse
is
actually
in,
and
my
colleague
was
sitting
on
the
other
side
of
the
table
and
he's
like
well.
B
I
can
just
grab
something
from
the
dictionary
and
take
the
first
word
that
comes
up
and
that
was
actually
connoisseur
and
then
people
are
complaining.
We
actually
had
a
very
early
review
at
some
point
where
somebody
said
well,
but
that's
wrong,
english
and
it
actually
is,
and
it
turns
out
it's
very-
it's
actually
very
interesting.
It's
a
very
interesting
name,
connoisseur,
obviously
has
a
french
route,
and
it
turns
out
that
originally
the
name
was
the
connoisseur,
as
you
have
it.
B
In
the
english
version
and
split
of
then
and
later
it
was
changed
to
connect
from
connecticut
to
connoisseur,
and
that's
where
germany
or
german
language
has
it
from
so
connoisseurs.
Technically,
it's
the
german
french
version
of
the
english
connor.
Yes,
so
that's
how
we
got
into
this
mess?
Yes,
but
actually
internally,
I
I'm
not
allowed
to
like
people
always
complain
when
I
propose
that
internally
we
call
it
call
her
connie
to
keep
things
short.
So
there.
B
Exactly
and
that
would
be
connie
but
yeah-
we're
probably
not
going
to
change
that
anytime
soon,
except
if
people
make
up
an
issue
and
vote
for
it
highly
right.
A
Follow
the
lead
yeah
that
makes
sense.
So
if
somebody
asked
how
do
you
pronounce
cornosaurus
so
is
that
the
is
the
best
way
to
describe
it?
Is
that
it's
it
because
it
has
french
and
german
origin?
It
is,
like
you
probably
said,
connor
or
conoso.
B
We
tend
to
do
connoisseur,
but
I
think
we're
very
flexible
on
how
to
call.
I
think
connoisseur
is
just
fine.
It
would
be
interesting.
We
should
get
a
french
person
on
the
stream
to
go
back
to
the
origin
and
then
have
like
the
proper
french,
difficult
yeah.
A
B
A
Okay,
cool
and
her
tell
us
more
about
like
what
made
the
company
and
the
team
that
you're
working
on
feel
like
okay,
we
should
build
this
tool
and
we
because
it's
solving
a
problem,
obviously,
and
we
should
also
open
source
it
like
what's
the
history
behind
it,.
B
So
this
originates,
I
mean
I'm
part
of
the
defensive
team.
B
We
support
many
customers
in
application,
security,
typically
in
modern
environments,
containerized
applications
in
kubernetes
and
in
many
cases
it's
it's
a
transformation
effort
and
a
company
going
from
an
older
system
to
new
kubernetes
a
system,
and
there
was
at
ceso
who
made
an
obvious
remark
that
I
think
is
very
fair
and
it
actually
should
be
true
in
any
environment,
the
claim
was
just
I
mean
code
should
be
signed,
and
that
also
means
that
container
images
that
you
deploy
to
production
should
have
a
signature
and
that
signature
should
be
verified
to
ensure
we're
only
running
valid
images
here,
and
so
we
were
yeah.
B
Absolutely
that's.
That's
correct!
We're
working
in
a
devsecops
type
role,
so
we
were
like
okay,
let's
we
should
do
this
and
then
the
devops
people
and
and
some
of
the
developers
came
back
they're
like
yeah,
that's
nice,
but
that
doesn't
work.
There's
nothing!
B
You
just
can't
do
it,
and
but
if
you
want
to
have
it
feel
free
to
build
it
yourself.
So
we
were
like
that
ain't,
a
problem,
that's
just
a
few
weeks
of
work
yeah.
So
we
got
started
back
then,
and
I
felt
like
yeah
it's
it's
actually,
there's
really.
B
No,
let's
say
wildly
compatible
solution
out
there
to
to
achieve
this
right
now
and
then
we
felt
like
we
should
definitely
open
source
it
because
I
think
that's
also
the
the
spirit
of
the
whole
kubernetes
cloud
native
environment.
It's
it's
amazing.
It
actually
is
it's
it's
a
lot
of
fun.
If
there's
people
who've
never
worked
on
an
open
source
project,
it's
it's
exciting
to
do
and
yeah.
So
we
got
started
on
it
and
then
we
got
feedback
and
it
kept
growing
and
evolving.
A
All
right,
okay,
that's
definitely
that
definitely
makes
sense
like
so
there
was
a
clear,
legitimate
customer
requirement,
and
then
we
said:
okay,
this
makes
sense,
but
nothing
exists
right
now.
So
why
not
build
it
and
then
once
it
is
working,
why
not
open
source
it
so
be?
More
people
can
contribute
more
people
can
adopt
it
and
the
oral
community
and
the
project
gets
richer
because
of
it.
B
Yes,
absolutely,
and
I
think
it's
something.
On
the
other
hand,
I
think
it's
something
that
is
required.
I
mean
kubernetes
currently
doesn't
have
like
a
common
solution
that
is
being
used
to
verify
container
images
that
are
deployed
to
the
cluster,
and
I
think
that
that's
really
a
lacking
that
that
should
be.
That
should
be
improved
right
right
and
I'm
happy
there's
like
so
much
motion,
I
mean
when
we
started
there
wasn't
much
traction
on
the
topic,
it's
all
in
the
range
of
supply
chain
security,
but
nowadays
that's
certainly
different.
B
A
B
A
B
Okay,
so
I
mean
you
already
take
the
part
of
it
on
a
very
high
level.
Why
why?
Why
have
a
signature
at
all
right
and
that
accounts
for
any
any
situation
in
which
you
may
use
a
signature?
It's
it's
typically
used
to
ensure
one
authenticity
of
whatever
you're
getting
that
can
be
for
a
message,
source
code
or
a
binary
that
you're
trying
to
download
or
install,
and
the
second
thing
is
integrity,
making
sure
that
the
content
of
whatever
you're
deploying
installing
or
seeing
has
not
been
modified
after
creation.
B
That's
the
two
main
main
ideas.
Why
use
signatures
at
all
now
and
that's
been
widely
adopted
right
I
mean
we
all
know
that
apt
has
a
signature
solution.
All
mobile
phones
use
app
stores.
That's,
I
think,
a
major
improvement
from
mobile
phones.
They
have
like
one
app
store
that
has
signatures
and
so
on
and
so
forth.
That
already
mitigates
a
lot
of
problems
in
the
case
of
kubernetes,
as
you
said
you
could
have
you
could
say,
I
have
a
secure
registry.
B
I
think
that's
in
general,
not
how
it
works,
because
people
want
to
have
some
freedom
on
the
registry.
So
essentially,
what
you'll
be
doing
is
you'll,
be
building
your
image
in
some
ci
cd
on
your
local
computer
or
wherever
you'll
be
uploading
it
to
some
registry
or
directly
to
your
kubernetes
and
then
deploy
it
to
the
kubernetes
cluster,
to
run
your
image,
your
container
image
in
a
pot
and
and
there's
obviously
several
things
that
could
go
wrong
right.
If,
for
example,
you
upload
it
to
a
public
registry,
it
could
be.
B
I
don't
know,
I
don't
want
to
name
any
names,
but
this
I
mean
there's
a
ton
of
registries
these
days
available,
and
that
also
means
that,
for
example,
the
hosting
the
host
of
the
registry
would
technically
have
access
to
your
container
images
and
could
implement
changes
or
an
attacker
could
either
attack
the
service
that
you're
using.
B
B
Or
it
could
be
that
one
of
your
developers
loses
his
or
her
credentials,
and
that
makes
it
possible
for
an
attacker
to
push
new
images
to
the
container
registry.
Now
in
all
of
those
situations,
when
you
deploy
your
you,
you
start
up
your
pot.
It
will
kubernetes
will
pull
the
container
image
from
the
registry
and
there's
no
real
certainty
that
this
container
image
hasn't
been
modified
from
when
it
was
built
and
that
it's
actually
an
there's.
B
No
there's
no
adjective
for
integrity
that
it's
an
unmodified
container
image
and
that
it's
authentic,
like
the
container
image
you
want
to
deploy.
So
ultimately,
what
what
is
the
ideal
case
you'll
be
building
your
container
image,
then
upload
it
or
sign
and
upload
it
to
the
container
registry,
and
now,
when
you
deploy
it
just
before
deployment,
you'll
have
a
solution
say
connoisseur
as
an
admission
controller
that
will
check
whether
the
image
you
are
about
to
spin
up
in
your
cluster
has
actually
not
been
modified
and
comes
from.
B
Like
has
a
trusted
signature
from
assigner
that
you
said
this
is
a
valid
signer
to
ensure
it's,
it's
a
valid
image
that
you
want
to
deploy.
A
Right
right,
okay,
that
that
makes
a
lot
of
sense.
I
mean
one
thing:
many,
maybe
smaller
projects
that
can't
really
host
their
own
registry
have
to
do
is
rely
on
a
public
one,
that's
either
easily
accessible
or
where
I
don't
have
to
worry
about
maintaining
that
registry,
and
in
that
case
it
shouldn't
be
a
boolean
decision
like
I
either
trust
the
entire
registry,
or
I
don't
trust
it
so
with
signatures,
you
can
at
least
say.
A
I
know
that
registry
could
have
something
go
wrong,
but
I
will
still
be
able
to
figure
out
if
my
container
images
are
tampered
or
not.
If
my
container
images
are
still
coming
from
me
or
my
teammates
who
have
signed
it,
because
I
I
can
now
verify
it
before
I
deploy
my
board
in
production.
B
Right
and
then,
depending
on
the
solution
you're
using
there
comes
various
different
security
guarantees
that
you
can
include
in
such
a
solution.
There's,
for
example,
the
update
framework
which
really
tackles
this
question:
what
is
common
attacks
on
updating
systems
or
installation
systems
or
software
distribution
and
how
to
tackle
them?
It's
an
it's
a
very
exciting
read.
Actually,
I
can
only
recommend,
because
there's
so
many
things
so
many
more
things
to
to
learn
about
it.
Yeah.
B
That
that
would
be
it
and
actually
it's
to
be
to
spin
this
a
bit
wider.
I
think
this
even
holds
in
many
cases.
People
are
using
cloud
solutions
these
days
for
kubernetes
and
the
registry
itself,
so
that
would
mean
that
you're
always
sort
of
dependent
on
the
cloud
provider
and
you
could
mitigate
some
associated
risks
using
signatures,
not
all,
but
at
least
some
yeah.
A
Yeah
yeah,
that
makes
sense
hopefully
for
everyone
listening
in
this-
gives
kind
of
good
enough
context
about
why
we
are
doing
this
and
why
connoisseur
kind
of
makes
sense
for
some
use
cases,
if
feel
free
to
add
your
questions
there,
but
we'll
now
jump,
I
think
straight
to
the
demo.
So
I
will
open
the
link
that
shows
the
connoisseur
repo
and,
let's
start
sharing
that.
A
All
right,
okay,
so
here's
the
repo
where
connoisseur
project
exists.
Now
what
I
I
would
look
like
look
at
when
I'm
starting
with
a
project
is
okay.
Is
this
the
best
place
for
me
to
download
the
tool
right
and
one
of
the
common
things
I
look
at?
Is
okay
in
this
releases?
Okay,
when
is
it
last
release?
So
last
release
looks
like
is
almost
one
month
ago,
so
that
means
the
project
is
maintained
and
updated
regularly.
A
There
are
releases,
there
are
contributors
and
then
so
that
gives
me
some
confidence
that
about
the
health
of
the
project.
So
that's
good
to
know,
and
then
this
next
thing
I
start
looking
at
is
okay,
where
is
the
documentation?
So
looks
like
this?
Is
the
documentation
and
now
can
I
start
working
on
this.
So
this
looks
like
a
quick
start
with
the
helm,
and
then
I
have
to
clone
the
repo,
and
I
have
to
run
cube
ctl
so
from
prerequisites
perspective
christoph,
I
would
need
helm.
A
The
kubernetes
cluster
right,
okay,
all
right,
so
I'm
gonna
use
my
favorite
tool
to
spin
up
kubernetes
clusters,
which
is
kind
which
is
built
on
top
of
docker.
So
for
that,
let
me
start
docker,
while
we're
looking
at
this
and
now
I'll
switch
my
screen
to
the
terminal
where
we
can
actually
get
started
with
the
demo.
A
A
A
B
Right
and
technically
by
now
it's
actually,
you
could
use
it
only
using
helm.
Oh.
A
B
Yeah
we
edit
it
on
artifact
hub
recently,
but
I
think
doing
it
like
this
may
be
easier
for
configuring.
It
later.
A
Yeah
exactly
and
then
we
can
go
into
the
source
code
also,
if
needed,
all
right
cool.
So
next
up,
I
think,
is
helm.
I
think
I
have
helm
installed.
So,
let's
see
so
what
is
this
doing?
Install
connoisseur
with
helm
atomic
create
namespace,
namespace
connoisseur.
Tell
tell
me
more
about
this
kristoff.
A
B
The
simple
home
install
to
set
up
connoisseur
as
an
admission
controller,
I'm
not
sure
if
people
are
aware
of
what
admission
controllers
are
essentially
any
request
that
goes
via
the
cube.
Api
will
pass
through
different
phases.
There's,
for
example,
authentication
authorization,
and
there
is
two
phases
of
admission.
B
I
see
one
is
validating
and
one
is
mutating
admission
and
connoisseur
will
be
implemented
as
a
mutating
admission
controller,
so
that
we'll
sort
of
install
the
admission
webhook
that
is
technically
just
it
will
make
a
call
to
a
service.
That
service
will
be
the
connoisseur
service,
which
then
responds
to
this
call
with
either
it's
valid,
or
it
has
to
be
changed
like
like
this
and
that
or
it's
invalid,
so
the
request
say
for
creating
a
resource.
Maybe
a
pot
would
be
either
accepted,
mutated
or
denied,
and
that
will
technically
install
it.
B
There's
this
atomic
option
in
it.
That's
a
bit
because
admission
control
is
a
bit
special
right.
If
you
deny
everything
to
a
cluster,
if
it
does
not
fulfill
a
certain
rule,
you
always
have
to
make
sure
you
don't
start
denying
before
the
tool
is
fully
spun
up.
So
that
means
the
connoisseur
service
with
the
connoisseur
pot
will
have
to
be
or
pots
actually
would
have
to
be
run
up
before
the
a
webhook
itself
is
is
switched
to
active.
Otherwise,
the
webhook
would
deny
deploying
the
service
itself.
A
B
That's
correct
and-
and
I
think
that's
it's
actually
a
way
in
which
one
could
do
it,
but
there's
a
specialty
in
kubernetes,
and
that
is,
you
can
refer
to
a
container
image.
The
image
that
you
want
to
use
via
the
tag
or
the
digest
right
and
what's
going
to
happen
here,
is
that
when
later
you
deploy
a
resource
that
has
a
pot
with
a
container
image
in
it
and
you
refer
to
it
by
tag
then
connoisseur
could
check
what
kind
of
digest
is
related
to
this
tag.
B
And
then,
if
that
is,
can
be
validated,
it
would
say
it's
okay,
you
can
move
on,
but
the
problem
is
that
the
that
the
tech
itself
is
something
like
maybe
version
or
whatever.
That
does
not
give
you
any
information
on
on
the
actual
image.
B
So
what's
nice
about
container
images,
if
you
read
refer
by
digest,
that's
sort
of
a
hash
of
the
image
content,
so
what
connoisseur
will
be
doing
for
an
image
that
is
called
by
tag?
It
will
resolve
to
the
correct
digest
check
whether
that
has
a
suitable
like
a
valid
signature
against
a
pre-configured
trust
route,
and
if
that
is
the
case,
it
will
exchange
the
tag
by
the
digest
and
by
doing
this
switch.
B
That
means
when
you
pass
on
this
image
reference
at
a
later
stage,
the
container
runtime
will
actually
verify
the
digest
against
the
content
of
the
image.
So
that
means
why
connoisseur
now
verifies
this
is
assigned
digest.
So
it's
authorized
to
be
run
by
us
on
the
container.
Runtime
will
later
actually
verify
that
the
digest
is,
in
fact,
like
agrees
to
the
content
of
your
image,
because
it's
just
the
hash
of
the
content
itself.
B
B
A
Oh
wow,
that's
a
very
nice
design.
I
really
like
it
because
that
was
one
of
the
threats
I
had
in
mind
where
my
admission
controller
says
yes,
you're
good
to
go
and
then
the
container
runtime
hasn't
actually
pulled
the
image
yet
and
by
then
I
could
really
say
my
admission
controllers
has
said
yes
good
to
go
and
I
switch
my
image
in
that
time,
which
is
kind
of
less
short
amount
of
time,
but
it
could
happen
and
then
suddenly
I
have
an
image
that
I
thought
I
trusted,
but
it's
not
really
the
same
image.
A
B
In
this
case,
it's
only
because
the
directory
is
called
helm,
so
in
the,
if
you,
if
you
show
the
folders
right
now,
you
can
see
there's
a
helm
directory
which
contains
the
helm
templates
and
the
values
yeah
for
configuration.
B
A
A
Yes,
let's
see
and
is
there
a
requirement
on
any
like
you
should
only
use
this
kubernetes
version
for
connoisseur
to
work
or
not
really.
B
There's
a
very
lags
requirement,
it
should
be
version
16
or
above.
I
think.
One
thing
we
really
took
really
is
that
we
tried
to
make
it
as
easy
to
use
and
as
compatible
as
we
could,
because
we
felt
like
the
the
whole
range
of
clusters.
People
are
using
specifically
in
managed.
Kubernetes
often
versions
are
somewhat
older,
so
we
really
took
great
care
to
make
sure
it's
compatible
with
the
broadest
range.
A
Okay,
wow.
That's
that's
really
good
to
know,
so
it's
really
loosely
coupled
with
what
kubernetes
features
exist
or
not.
As
long
as
you
have
admission
controller
that
is
supported
in
the
kubernetes
release,
pretty
much.
At
least
you
have.
You
have
integration
test
from
116,
so
we
know
it
works
until
that
at
least.
B
Exactly
and
and
whenever
somebody
finds
a
problem,
we
have
a
discussion
board
on
github
and
hope
that
people
run
into
issues
reported
there
and
to
help
us,
because
you,
you
really
only
test
with
your
own
environments
and
then
you
try
some
things
around,
but
you
never
have
the
full
experience
and
so
in
the
past
has
been
enormously
helpful.
When
people
reported
oh
I'm
using
this
and
that
kubernetes
flavor
and
I
had
this
and
that
problem.
A
A
B
It's
absolutely
not
obvious.
I
I
still
think
it's
it's
really
hard
to
know.
What's
the
default
way
people
are
using,
and
whenever
we
have
these
discussions,
we
try
to
kind
of
understand
what
what
people
expect
to
be
doing
now
for
him.
We
thought
it's
nice
because
it
gives
you
some
templating,
yeah
and
you'd
be
able
to
build
normal
kubernetes
yeah
mods
from
helm
by
by
just
running
it
as
a
debug
and
then
using
the
output
so
rendering
your
templates
right
but
yeah
we're
always
like
that's
it's.
B
A
A
B
B
B
Restrict,
for
example,
to
only
use
your
own
registry
right.
B
A
Yeah
yeah,
that
makes
sense.
It
reminds
me
of
one
of
the
features
in
port
security
admission
where
we
have
an
exemption
option
for
a
cluster
level
policy
and
in
that
also
one
of
the
common
ones
to
exempt
for
any
enforcement
of
port
security
is
a
cube
system,
so
that
that
is
very
obvious.
I
think
use
case
and
I'm
glad
connoisseur
is
supporting
it.
A
Okay,
so
we
looks
like
we
are
ready
with
connoisseur
deployed
now.
Next
step
seems
like
is
running
verification
for
for
an
image
that
already
has
signature,
so
I'm
gonna
copy
that
command
here
now
tell
me
if
I
understand
this
command
correctly,
so
we
are
saying
cube,
ctl
run
hello
world
with
image
hello
world.
A
So
the
assumption
is
this:
image
will
be
a
signed
image
and
when
I
run
my
pod,
it's
going
to
go
past
the
go
through
the
connoisseur
admission
controller
and
whether
it's,
if
it's
signed
or
not,
based
on
that
it
will
either
reject
the
pod
creation
or
it
will
accept
the
port
creation
and
then
continue
to
let
the
pod
start
up.
Is
that
fair.
B
A
Okay,
that
makes
sense
so
in
the
in
to
your
point
on
the
digest.
This
is
pointing
to
the
latest
tag
by
default
and
what
we
will
do
from
corner
source
side
is
look
at
the
latest
tags
say:
okay,
give
me
the
digest,
basically,
which
is,
would
be
the
sha
256
hash.
If
I'm
not
wrong,
and
then
I
will
switch
that
with
the
which
with
that
digest
and
then,
when
the
runtime
picks
it
up,
it
will
pull
the
image
with
that
digest.
Instead
of
the
tag
right.
B
If
this
works,
so
you
could
even
typically
in
the
resources
when
they're
created,
you
should
see
that
the
digest
or
the
the
tag
has
been
modified
to
a
digest.
B
Let's
see,
but
that's
because
I
think
hello
world
isn't
isn't
suitable
for
full
pot,
I
mean,
if
you
could
use
redis,
for
example.
That
would
also
work
it's
in
this
case
only
that
the
docker
that's
the
standard,
docker
hello,
world
container
image
actually.
B
No,
no,
I
mean
technically,
this
worked
right,
connoisseur,
let
the
container
image
pass.
So
maybe
I
should
explain
this
a
bit
more
connoisseur.
Let
the
container
image
pass
and
the
pot
was
created
at
that
point.
You
already
know,
like
connoisseur,
doesn't
have
a
problem
with
it.
The
only
thing
that
happened
is
now
that
we
created
a
pot
based
on
docker
hello
world,
which
is
a
container
image
that
fails
because
it's
not
in
a
suitable
container
image
to
run.
B
Docker
hub
has
the
docker
official
images
and
those
are
all
assigned
by
the
docker
official
key
and
what
we
do
in
the
in
the
connoisseur
configuration
we
pre-configured
the
official
docker
key,
so
all
official
docker
images,
that
is
all
images
that
run
under
docker
io
library,
slash
whatever,
for
example,
redis,
hello,
world,
postgresql
and
so
on
and
so
forth.
B
All
of
those
can
directly
be
admitted
and
will
have
a
valid
signature.
Obviously
one
can
remove
the
official
docker
signature
and
and
and
make
this
a
bit
more
strict.
We
just
felt
it
would
be
nice
for
people
to
be
able
to
directly
use
docker
official
images.
A
B
B
No,
that
that
is
only
the
pot
creating.
A
Okay,
so
now
this
is
running
a
demo
pod
with
image
from
connoisseur
team
looks
like,
and
it
has
a
tag
called
signed.
So
same
thing
will
happen
and
then
because
it
says
sign-
and
I
think
the
idea
is
like
this-
is
actually
a
signed
image.
This
should
create
a
pod
and
then
we'll
potentially
have
a
pod
running,
which
means
that
the
signature
verification
worked
exactly
okay,
let's
see
all
right
so
pod
created,
let's
see,
continue,
creating
and
running
okay,
perfect.
B
Exactly
here,
you
can
see
actually
that
the
resource
was
modified
in
such
a
way
that
it's
not
anymore
by
tech.
When
you
said,
please
run
it,
it
was
the
signed
tag,
but
the
signed
tag
was
switched
to
the
digest
notation
of
the
image
yeah.
A
A
A
B
A
B
That's
essentially,
what
connoisseur
will
be
doing
it
will
be
accepting
the
resource
request.
Look
at
the
resource
configuration,
find
all
container
images
and
replace
all
tags
with
validated
digests
if
they
exist.
If
there's
any
case
in
which
there's
no
validated
or
valid
digest,
our
connoisseur
will
refuse
the
request
and
that's
probably,
what
we're
going
to
see
with
the
next
command.
A
A
I
know
the
verification
work
because
the
pod
has
created,
but
I
want
to
be
sure
whether
how
the
verification
actually
worked
and
whether
verification
just
happened,
or
am
I
just
looking
at
so
it
could
be
also
similar
to
like
a
policy
engine
right
where
I
say
if
I
see
an
image
which
says
the
demos
colon
signed,
and
I
have
a
database
of
hashes
where
I
know
I
trust
them.
I
can
just
use
that
as
an
admission
controller
and
say
these
are
allowed,
but
we
what
we
are
not
doing
just
that
right.
A
We
are
also
checking
for
the
authenticity
of
the
image
by
actually
cryptographically
verifying
this
signature
through
a
public
key
that
should
be
accessible
to
connoisseur.
So
where
do
I
find
that
public
key
and
is
there?
Are
there
any
kind
of
logs?
I
can
look
at
where
it
says
this.
This
image
was
verified
with
this
public
key
and
it
looks
good.
B
Yeah,
maybe
there's
a
third
example
just
to
demonstrate
that
what
happens
if
it,
because
we
have
now
seen
that
it
that
looks
like
it
always
works
right
and
now
to
prove
that
it
also
cannot
work.
You
could,
for
example,
use
this
unsigned
image.
It's
a
it's
also
an
image
provided
by
us.
It's
only
because
you
don't
want
to
instruct
people
to
run
any
random
images.
B
You
know
this
one's
gonna
be
denied,
and
only
then
we
really
know
that
it
works
right,
because
we
proved
that
it
works
and
we
proved
that
it
doesn't
work.
Yes,.
A
B
Since
this
is,
I
know
you
see,
actually
it's
denied
right.
It
says
unable
to
find
the
sign
digest
for
image.
Cryo
nice
there's
two
ways
to
actually
see
this.
One
is
to
look
into
the
configuration.
The
other
option.
This
there's
different,
something
we
should
explain,
is
there's
different
ways
to
sign
container
images.
These
days
when
we
started
there
was
only
notre
ev1
and
by
now
there's
a
cosine
from
zig
store
and
also
coming
up,
not
really
version
2..
B
B
Exactly
there's
a
pretty
prince
sort
of
photon.
B
If
you
do
minus
minus
pity,
okay
and
it's
better
readable.
B
A
B
And
there
you
can
see
it
says
no
signatures
for
test
image
unsigned,
and
you
can
see
that
in
general,
the
repository,
however,
that
works
now
not
3v1
has
two
valid
signers.
Here,
none
of
them
signed
that
image
and
if
you
were
to
use
the
signed
image,
you
would
actually
see
that
the
signed
image
has
a
valid
signature.
A
A
One
one
common
question
people
get
about
these
topic
is
this
topic
is:
what
am
I
signing?
Am
I
signing
the
digest?
Am
I
signing
the
entire
image
blob.
B
That's
the
thing
here
right
when
you
sign
you,
don't
really
care
about
about
the
actual
content
like
being
readable
and
obviously
making
a
signature
over
a
whole
image
that
has
100
megabytes,
and
you
just
want
to
attach
something
that
confirms
these
hundred
megabytes
would
again
be
100
megabytes,
so,
what's
really
being
signed
is
only
the
digest.
That
is
the
shah
256
of
the
image.
A
B
A
Could
absolutely.
B
Legitimately
legitimately
sign
the
same
same
image
and
then
you
would
have
two
signatures
attached
to
the
same
digest.
A
A
B
A
B
A
B
Okay,
even
in
force
which
person
has
to
have
signed
like
what
we're
having
here
is
technically
it's
it's
a
bit
intricate,
but
you
can
have
a
general
signing
key
and
you
can
have
delegations
of
that
key
and
now
here
we,
what
we
see
is
is
two
different
delegations
and
in
the
default
configuration
any
delegation
is
fine.
However,
in
connoisseur
you
could
specify
that
either
both
or
one
specific
delegation
is
required.
Yeah,
it's
just
a
matter
of
how
you
want
to
use
the
signature
solution.
A
Yeah,
I
I
want
to
come
to
that
like
because
I
can
imagine
multiple
teams
wanting
to
sign
images
before
they
go
in
production,
so
definitely
want
to
go
to
that.
Let
me
check
the
chat.
First
looks
like
some
more
activity
there.
So
okay
scrolling
back,
looks
like
this
tool
is
similar
to
cable
carville.
B
A
Yeah
so
yeah
so
krkr4.
Maybe
if
you
have
a
link
to
that,
we
can
look
at
cable
and
see
if
this
looks
similar
or
not.
Now,
let's
continue
with
the
rest
of
it.
Wait.
What
time
is
it?
Why
is
djik
this
early,
so
yeah,
so
carlos
if
you
joined
a
bit
late?
A
Basically,
the
whole
idea
brand
having
dji
kit
today
at
this
time
is
we
realized.
1Pm
pacific
is
pretty
bad
for
everybody
else,
except
maybe
people
who
are
in
pacific
time
zone
or
some
other
u.s
time
zone.
So
the
idea
was:
can
we
make
tgik
more
apac
anemia
time
zone
friendly,
and
this
is
our
first
real
experiment
to
have
two
episodes?
One
is
friendlier
to
apac
anemia,
which
is
this
episode
and
so
because
and
why
it's
friendlier?
A
A
Hopefully
the
this
experiment
works.
We
are
open
to
feedback
on
how
how
what
the
community
thinks
like,
but
that's
really
what
we're
doing.
There
are
some
more
similar
time
zone
friendly,
djik
scheduled
in
future.
So
let's
see
how
that
goes,
and
yeah
carecare4
clarified
this.
So
thank
you
so
much
then
we'll
have
engine
engine
also
clarified.
We'll
have
two
dgi
case.
B
That's
not
specifically
dependent
on
connoisseur
that
depends
on
the
actual
signing
solution
you're
using.
So
what
connoisseur
is
technically
doing
it
allows
you
know
it
implements
different
signing
schemes
or
types
of
schemes.
There
could
be
nutri
version,
one
or
a
cosine,
from
six
star
project
and
depending
on
the
signing
solution,
you
have
different
possibilities
to
sign
images
and
also
whether
images
expire
or
not,
so
that
that
differs
a
bit.
A
B
Right,
we're
not
ourselves
enforcing
how
you
sign
the
image,
we're
implementing
some
of
the
image
signing
solutions
and
allow
you
to
verify
the
associated
signatures.
What
we've
seen
here
now
is
a
notary
version.
1
signature,
not
reversion
1
was
introduced,
I
think,
mostly
by
docker
quite
some
time
ago,
but
you
could
use
a
cosine
from
six
star
to
sign
your
images.
Those
signatures
will
look
different.
A
B
It's
this,
this
question
is,
is
not
so
trivial
to
answer,
but
we
could
look
maybe
into
the
you
propose
to
look
into
the
configuration
and
that's
actually
a
great
way
to
understand
how
it
works.
A
B
There's
nothing
that
should
stop
it
from
air
gap
clusters.
I
have
to
admit
I
haven't
tested
that
I'd
be
excited.
If
somebody
says
it
doesn't.
I
wouldn't
see
why
I
mean.
Obviously
you
need
to
have
connection
to
the
kubernetes
cluster
you
need
to
have
connection
to
so
connoisseur
needs
to
run
in
the
kubernetes
clustering.
You
need
to
have
connection
to
the
image
registry
of
some
sort
and
the
source
of
the
signature,
but
other
than
that
connoisseur
doesn't
have
any
external
dependencies
yeah
only.
A
A
B
Yeah,
and
if
it
doesn't,
I
mean
there
would
be
something
we
definitely
I
mean
I
wouldn't
see
why
it
shouldn't
work,
and
I
would
actually
hope
that
it
does
and
and
if
there's
anything
right
now
that,
for
some
weird
reason
requires
an
internet
connection,
I
I
I
think
we
should
fix
that
yeah
yeah.
I
think
you
can
see
why
I
mean
you
need
access
to
the
signature
and
the
yeah
or
container
image
yeah.
A
And
my
my
t,
my
project
works
in
air
gap.
Cluster
is
one
of
like
almost
like
a
design
requirement
nowadays,
because
there
are,
there
are
always
so
many
use
cases
where
people
who
are
security,
focused
and
aligned
are
also
the
same
people
who
are
running
air
gap
clusters,
so
the
alignment
is
always
there
so
especially
for
security
projects.
If
it
works
in
air
gap,
that's
like
wow,
okay,
great.
I
can
actually
use
it
so
glad
to
hear
that
now.
A
Yeah
yeah
agree:
okay,
so
carlos
saying
yeah,
I
agree,
4
p.m.
Est
I
I
mean
I
would
be
very
have
to
be
really
motivated
to
watch
dji
gear
at
4,
00
pm
in
east
coast
time,
but
there
are
a
lot
of
people
who
join.
I
know
so
hoping
you
join
ricardo
session
in
the
regularly
scheduled
time
at
1
p.m.
Pacific
4,
p.m,
east!
A
B
Keys
are
used,
that's
seemingly
the
current
standard.
What
what
people
mostly
do.
B
Yeah,
I'm
not
aware
of
any
any
means.
I
mean
the
question
is
signing
technically
works,
but
the
signature
has
to
be
stored
somewhere
and
that's
why
you
sort
of
need
a
signing
solution
and
I
think,
there's
one
solution,
but
we
haven't
gotten
around
implementing
it
because
I
suspect
it
will
be
gone
soon.
Is.
B
But
mostly
if
you
use,
for
example,
as
carlos
below
he
mentions,
cosine
or
notary,
most
of
those
solutions
have
their
own
key
creation
and
key
management
included.
B
So
it
takes
away
a
part
of
the
pain
of
having
to
manage
keys
completely
separately
and
introduces
the
pain
of
having
to
think
how
it's,
how
keys
are
managed
in
a
completely
new
tool,
because
sometimes
I
feel
like
there's
just
no
really
great
way
to
manage
to
manage
keys.
A
Yeah
yeah,
true,
it's
it's
how
it's
a
tough
thing
to
do
for
that's
for
sure.
One
thing
I
want
to
call.
A
A
There
is
a
session
for
tgik
if
I'm
not
wrong
on
december
17,
which
is
going
to
go
a
bit
deeper
on
this,
I
believe
jon
is
hosting
that
so
folks
who
liked
this
session.
There
is
a
good
chance.
You
like
that
one
too
now
yeah
does
then,
let's
see
more
questions,
I'm
using
cosine
six
store.
Why
would
I
use
connoisseur.
B
That's
an
interesting
question.
I
don't
know
as
opposed
to
I
think
by
now.
Yes,
there's
some
alternatives
have
come
up.
That
would
also
support
cosign
six
star
based
signatures.
B
I
think
what
currently
is
the
main
distinguishing
feature
for
connoisseur
is
that
we
implemented
both
the
formerly
and
the
new
most
common
or
like
the
latest,
most
common
solutions
and
aim
to
continue
doing
so
like
to
keep
a
broad
compatibility
with
different
with
different
signing
solutions.
B
Exactly
exactly
that
was
really
important
to
us,
because
the
thought
behind
it
was
that
we're
working
in
in
a
federated
environment
right
people
are
pulling
more
and
more
container
images
and
and
open
source
code
into
their
final
environments,
and
that
means
one
may
not
always
have
the
choice
to
pick
how
the
developer,
how
the
maintainer
the
producer
of
the
code
decided
to
sign
the
code.
B
So
we
kind
of
tried
to
figure
out
what
is
the
most
common
solutions
and
and
make
sure
all
of
those
are
supported
at
the
same
time
such
that
you
don't
have
to
like
pick
one
solution
that
then
works
for
yourself,
but
now
the
moment
you
try
to
pull
readers
from
public
docker
hub
repository.
B
All
of
a
sudden.
There
is
no
signature
anymore
for
you
in
the
specific
scheme
you're
using
yourself,
and
thus
it
doesn't
work
anymore.
So
we
really,
I
mean
it's,
it's
obviously
a
question
how
things
will
evolve,
but
as
long
as
there
are
multiple
signing
solutions,
we
felt
like
it's
really
important
to
have
one
way
to
to
verify.
When
you
verify
you
have
to
be
able
to
to
do
all
of
them.
A
Yeah
yeah
exactly
okay.
Now,
let's
go
back
to
the
demo,
so
few
things
I
want
to
try
now
kristoff
with
you
is
look
at
the
configuration
of
the
admission
controller,
how
it
looks
like
how
is
the
public
key
pulled?
Is
it
cache
somewhere
locally,
so
I
don't
have
to
keep
pulling
for
every
image.
Verification,
so
tell
me:
where,
should
I
look
look
for
that
info.
B
You
should
look
into
the
helm,
values.
Yammer
connoisseur
is
built
in
such
a
way.
That
was
one
of
these
usability
decisions,
which
is
always
hard
so.
B
Yes,
there's
the
helm,
folder
and
then
there's
a
values
yeah
in
in
that
folder.
B
B
No
here
there's
on
the
on
the
right
right.
B
That's
what
I
got
yeah,
I
got
what
you
mean
yeah,
all
right,
okay,
yeah!
Exactly
so
that's
the
configuration
now
the
upper
part.
Is
it
technically
has
like
three
sections.
The
upper
part
is
a
deployment
section
right
and
the
deployment
section
is
like
a
generic
kubernetes
things.
How
many
replicas
do
you
want
to
have?
B
What's
the
I
don't
know,
affinity
for
example,
obviously
connoisseur
you
wanted
anti-affinity,
it
should
run
on
distributed
nodes,
not
on
the
same
node,
so
it
doesn't
fail
the
moment.
One
node
goes
down.
There's
some
security
context.
Here
we
tend
to
choose
security
faults,
so
that's
been
a
bit
of
a
trouble
sometimes
because
then
you
I
mean
you're
very
involved
in
kubernetes
security,
and
you
know
these
things
change.
So
if
you
support
from
version
16
to
19
or
22
sorry
to
22,
then
some
of
these
fields,
like
the
second
profiles
and
so
on.
A
A
B
Exactly
it's
it's
I
would,
I
would
think
so.
Yes,
connoisseur
is
built
in
such
a
way
that
it
needs
very
little
privileges.
A
That's
terrific,
because
one
of
the
common
complaints
you
hear
is:
I
want
to
improve
my
security
of
kubernetes
and
you
are
asking
me
to
deploy
a
daemon
set
that
runs
as
privileged.
So
that's.
How
is
that
changing
my
security
posture?
So
now
I
have
a
security
product
project
here
which
improves
my
security,
but
also
doesn't
expect
itself
to
run
in
any
kind
of
privilege
mode.
So
that's
definitely
a
plus
okay
cool.
B
So
this
is
the
configuration
exactly
and
as
stated
there
there's
two
things
to
how
chronosome
works,
there's,
validators
and
there's
policy
or
image
policy.
The
validator
is
sort
of
a
configuration
for
how
validation
should
work.
So
you
can
see
here,
for
example,
the
first
two
validators
are
what
we
call
static
validators
whenever
they
will
be
called,
they
will
simply
say:
yes,
approve
or
simply
say:
no,
I
don't
approve,
they
don't
do
any
verification
of
anything.
If
a
request
comes
in,
they
will
just
say
yes
or
no.
B
The
next
one
is
one
that
is
being
used
for,
like
your
own
usage,
it's
a
dynamic
validator
of
sorts.
In
this
case,
for
example,
there
is
you,
give
it
a
name
such
as
could
be
could
be
default
could
be
a
more
specific
name,
and
then
there
is
a
type.
This
type
is
actually
which
defines
in
the
end
which
signing
solution
you've
been
using
such
that
you
can
validate
later.
B
A
B
Exactly
and
then,
if
you
go
further
down,
you
see
actually
that
for
this
validator
in
this
case
now,
you
can
see
if
you,
if
you
stop
there
for
a
moment,
you
see
this-
is
the
valley,
data
docker,
hub
basics,
right
as
you
can
see
in
the
like
fourth
line
from
top
it's
a
notary,
v1
valley
data,
the
notary
server
runs
on
not
read.docker
io
and
then
below
that
we
have
two
different
keys
specified.
One
is
the
docker
official
and
one
is
the
secure
systems,
engineering,
official.
A
A
A
Oh
okay,
I
see
right
so
now.
Maybe
question
is
we
had
two
images
signed
and
unsigned?
Does
connoisseur
first
check
if
signature
exists
and
then
verify
it
and
if
yes
like,
where
does
the
signature
typically
exist?
Is
it
another
artifact?
I
have
to
pull
when
I
pull
my
image
or
is
it
part
of
the
image
metadata.
B
That
again
depends
on
the
signing
solution.
Exactly
for
notary,
you
have
a
separate
server
that
contains
the
signature
data
and
then
we
actually
download
the
signature
data
and
then
there's
actually
many
steps.
We
have
to
do
to
very
fully
verify
the
signature
data
in
case
of
cosine
six
store.
The
signature
itself
is
written
as
an
artifact
into
the
registry.
B
So
if
you
create,
if
you,
if
you
sign
your
image
with
with
a
cosign
you
can
you
actually
get
an
artifact
that
has
the
digests
name,
dot
sig
and
that
contains
the
signature
information.
A
Right,
okay,
makes
sense.
I
think
relevant
question
is
from
the
chat
how
to
ensure
we
use
same
image,
digest
for
a
particular
version
in
all
the
environments,
so
the
application
does
not
break
in
other
environments.
A
My
best
understanding
of
the
question-
and
you
can
correct
me
in
the
comments
and
tell
us
if
we're
wrong-
is
how
do
I
make
sure
that
my
image
digest
is
same
regardless
of
the
tag
I'm
using,
and
I
think
that
points
to
the
earlier
discussion.
A
If
I'm
not
wrong
christopher,
we
said
we
don't
really
look
for
the
tag
when
we
verify
we
look
for
the
digest
and
then
that
digest
is
the
one
that
actually
will
be
immutable
and
unique
for
that
image,
and
as
long
as
I
I
know,
I've
signed
that
digest
I'll
be
able
to
verify
it.
No
matter
what
the
tag
is,
no
matter
what
the
registry
is
or
no
matter
what
environment
I'm
deploying
it
in.
B
Exactly
I,
I
think,
that's
the
case,
I'm
not
sure
of
that
particular
question
I
mean.
Obviously
you
could
have
different
digests
under
the
same
tag.
B
But
that's
sort
of
I
mean
it's
obviously
problematic.
If,
if
the
same
tech
has
different
image
versions,
there
would
be
breaking
right
right,
actually
advice
against
doing
such
yeah.
I
think
point.
A
A
B
Exactly
now
we
see
the
validators
we
configured
above
are
now
applied
to
different
images
based
on
a
pattern.
The
first
pattern-
there's
a
wildcard
wildcard
means
anything
is
allowed.
The
second
pattern
is
a
bit
more
specific,
so
here
you
now
see
that
the
docker,
I
o
slash
library
images
are
supposed
to
be
validated
against
the
docker
hub
basics,
validator,
with
the
key
docker
official
that
we've
just
seen
above.
You
can
actually
remove
this
now
and
then
we
can
see
that
the
same
image
that
was
allowed
before
is
not
allowed
anymore.
B
If
you
remove
that
exact
pattern,
now,
oh
you
can't,
but
because
you're
using
less
but
yeah.
A
B
Obviously
the
kubernetes
public
images
I
think
they
may
have
they
will
start
to
have
like
public
signatures
soon,
so
that
could
be
done.
So
this
shows
one
of
the
going
back
to
the
question
earlier.
It
shows
one
way
how
you
can,
for
example,
exclude
certain
images
from
validation
is
to
simply
allow
based
on
a
given
pattern.
So
that
would
mean,
like
all
images
that
come
from
this
source
are
to
be
trusted.
B
That's
often
not
ideal,
but
we
all
know
that,
for
example,
the
cube
system
there
could
be
several
pods
running
that
that
that
can't
be
easily
validated
or
that
may
not
have
a
signature
right.
If
an
image
doesn't
have
a
signature,
you
could
at
least
limit
it
to
to
a
scope
such
that,
because
of
that
it
doesn't
have
to
apply
to
all
images.
A
Right
right,
right,
yeah,
that
makes
sense.
I'm
almost
thinking
about
the
sort
of
next
few
months.
There
is
a
plan
to
sign
images
for
all,
basically,
all
kubernetes
container
images
soon.
So
the
reason
there
is
a
potential
where
somebody
who
is
running
kubernetes
and
wants
to
create
a
cluster
and
before
creating
a
cluster
doesn't
really
want
to
assume
trust
for
all
the
cuban.
This
container
images
and
wants
to
verify
it.
A
B
The
distro-less
images,
for
example,
have
a
public
key
that
could
be
used
to
that.
That
actually
works
for
verification
as
well,
but
then
then,
we'd
have
to
add
it
to
the
configuration
first
right
right
and
it's
again
not
running
a
distroless
image
in
a
kubernetes
cluster.
It
doesn't
it
also
crash
loops
because
there's
just
nothing
in
it
right,
it
doesn't
have
a
proper
entry
point.
A
Yeah
yeah,
that
makes
sense.
One
question
related
to
this.
I
had
was
now
in
this
case,
if
you're
looking
to
the
trusted
root,
secure
system,
engineering,
official,
secure
system,
engineering,
official-
and
this
is
the
key-
so
let's
say
I'm
I'm
a
team
of
developers,
engineers
and
maybe
product
managers,
and
I
want
to
make
sure
that
before
of
operations,
team
or
devops
team
deploy
something
in
production.
A
B
A
B
Root
key
so
essentially
there's
a
root
json
uploaded
to
the
public
notary
server,
and
that
has
that
specifies
the
allowed
delegations,
and
maybe
even
the
allowed
delegations
for
a
specific
target.
So
a
specific
image
and
connoisseur
does
allow
you
to
specify
you
could
specify
below
which
delegations
are
enforced
on
the
image.
So
you
could
say
the
security
team
has
to
have
signed
off
and
the
operations
manager
has
to
have
signed
off.
So
you
could
specify
a
delegation
just
under
this
there's
this
with
a
flag
and
under
the
width
like
beyond
the
trust
route.
B
B
For
the
cosine
world,
there
is
some
work
on
cosine
side
on
it,
but
then
we
got
this
question
several
times
so
the
moments
before
this
meeting.
I
was
actually
working
on
exactly
that
feature
nice
to
allow
you
specifying
multiple
keys
in
the
validator
section
above
and
then
say
how
you
want
to
handle
them
either.
I
want
to
enforce
all
of
them.
I
want
to
have
a
threshold,
at
least
I
don't
know
three
or
five.
B
B
That
that's
something
we're
strongly
considering
and
we'll
be
rolling
out
in
one
of
the
next
releases,
because
there's
been
several
people
asking
for
it
and
that's
why
we
I
mean
we're
really
trying
to
drive
the
development
by
the
community
yeah
and
since
we
got
a
few
questions
in
that
direction,
we're
working
on
it
right
now.
A
Yeah
yeah,
okay,
that
makes
sense.
I'm
I'm
excited
to
see
that
feature
in
the
future.
Okay,
keep
going
on
the
config
anything
else
that
is
worth
looking
at.
B
Everything,
that's
there.
I
mean
on
the
top
of
the
screen.
Now
you
see,
detection
mode.
Detection
mode
is
something
we
edit
if
you
work
in
a
very
restricted
environment
but
you're
kind
of
worried
about
availability
right,
because
I
think.
A
B
Something
to
to
hold
to
your
heart
this,
yes,
you
want
it
secure,
but
security
also
means
that
things
remain
available.
Yeah,
the
detection
mode
is
set
up
in
a
way.
Even
if
an
image
doesn't
have
a
signature,
we'll
be
issuing
a
warning
but
will
not
block
deployment
and
then
below
there
like
a
little
bit
below
there's
an
a
a
way
to
configure
an
alerting.
B
B
That's
the
detection
mode,
there's
an
alerting
for
where
you
can
call
some
webhooks
there's
in
the
center
here
now
you
see
that's
the
namespace
validation
that
we've
been
talking
about
before
yeah
you
can,
if
you
turn
that
on
you
can
either
switch
it
to
ignore
or
validate
and
ignore
or
validate
means.
B
Either
you
flag
specific
namespaces
that
you
want
to
have
ignored
or
you
flag,
namespaces
that
you
want
to
validate
so
either
allow
listing
or
deny
listing,
obviously
deny
listing
is
better,
which
is
why
it's
the
secure
default,
because
allow
listing
just
never
is
never
future
safe
and,
as
you
can
see
above
in
this
label
right,
that's
the
label.
You
would
have
to
attach
to
the
namespace,
secure
systems,
engineering,
dot,
connoisseur,
slash,
webhook
equals
validate.
B
A
I
see
okay,
wow
lots
of
good
information,
so
let
me
let's
take
it
a
bit.
Slow,
so
looks
like
we
are.
We
have
good
secure
defaults
already
in
this
project,
so
detection
mode
is
false
by
default.
If
I
understand
correctly
so
that
means
it
will.
Verification
is
always
enforced.
Unless
you
say
I
don't
want
to
verify.
I
just
want
to
get
warned
on
it.
B
A
Okay,
that's
great,
I'm
so
happy
to
see
that
and
then
another
thing
looks
like
is
for
namespace
validation
same
thing
enable
false
and
mode
ignore.
So
unless
you
tell
me
that
ignore
for
this
particular
namespace,
I'm
going
to
verify
all
the
namespaces.
B
So
it's
like
exactly
as
long
as
enabled
is
false.
Connoisseur
will
will
validate
any
image
in
any
namespace
in
any
type
of
resource,
whether
it's
a
cron
job
or
deployment
or
whatever
you
have
connoisseur
will
be
looking
into
all
potential
kubernetes
resources
that
can
contain
pots.
B
Exactly
and
then
you
have
to
set
this
flag
to
to
true
then
enabled
flag.
B
A
Right
right,
that
makes
sense,
and
another
thing
you
just
realized
is:
if,
if
I
have
to
set
a
mode
at
cluster
level,
then
that
mode
is
something
I'm
setting
here.
B
B
Let
me
let
me
understand
this:
if
you
say
you,
may
you
turn
namespace
validation
on
by
making
enabling
true
right,
then
then
it's
a
question
of
the
mode
right.
If
the
mode
is
ignore,
you
have
to
provide
a
specific
ignore
label
to
a
namespace
as
a
namespace
label.
To
make
sure
this
namespace,
like
images
within
this
namespace,
will
not
be
validated.
B
B
B
So
a
common
configuration
could,
for
example,
right
now,
be
you
switch
this
to
you.
You
said
you
want
this
as
ignored,
so
you
say
enabled
true,
and
then
you
attach
the
secure
systems.
Engineering
connoisseur,
slash
web
hook
equals
ignore
label
to
the
cube
system
namespace,
and
that
means
all
all
the
resources
in
the
cube
system.
Namespaces
are
excluded
from
validation.
A
That
makes
sense:
okay,
wow,
then
that's
a
nice
way
to
kind
of
manage
things
at
name,
space
level
and
cluster
level.
Both
at
the
same
time
looks
like.
Another
question
was
curious
to
know,
is
cornosaur
equivalent
to
cosign
from
project
six
store,
or
it
has
some
extra
features.
Maybe
I'll
try
to
answer
it.
You
might
have
been
bored
answering
that
for
many
many
months.
So
tell
me
if
I'm
wrong,
my
understanding
is
connoisseur.
Is
a
sig
signer
agnostic,
image,
signature,
verification
tool,
whereas
cosine
and
six
store
are
signers
of
images.
A
B
Right
right,
currently,
it's
two
were
planning
to
extend
to,
depending
on
how
notary
version
two
seems
to
they
had
their
first
releases
now
and
they're
they're,
making
some
more
steps.
So
that's
probably
going
to
be
next
and
then
yes,
as
you
said,
there's
a
web
hope
even
by
six
store
or
by
the
co-sign
six
or
community
themselves.
That's
been
coming
up
recently,
there's
some
there's
some
differences
between
the
two,
how
they
work
and
what
they
support
and
so
on
and
so
forth.
But
that's
more
in
the
in
the
details.
A
A
A
B
A
A
And
also
at
run
time,
if
I
don't
have
a
public
key
for
that
particular
image,
let's
say
it's
something
coming
from
me
like
docker,
hub
dot,
io
pushkar,
and
there
is
an
image
related
to
that
and
I
haven't
configured
a
public
key
for
it.
Then,
depending
on
my
default
configuration
either
the
image
is
allowed
or
image
is
rejected.
B
B
B
Okay,
I
mean
you,
could
you
could
actually
change
that
if
you
that's
the
beauty
of
how
it's
being
built,
there's
different
types
of
validators
right,
there's,
dynamic
ones
where
you
configure
your
public
key,
then
there's
the
static
ones
allow
deny
and
and
then
obviously
the
dynamic
ones
and
you
can
have
as
many
as
you
like
of
those
right
now.
The
beauty
is,
you
have
the
you've
seen
the
policy
image
policy
section?
Maybe
you
can
show
that
again
because
that's
where
the
magic
happens,
it
always
goes
to
the
closest
matching
pattern.
B
B
So
in
the
in
the
case,
if
you
pull
the
secure
systems,
engineering
test
images
that
we
did
before
they
match
to
the
last
pattern
best,
they
do
not
match
at
all
the
pattern
above
the
for
the
kubernetes
images
and
they
also
do
not
match
at
all
the
docker.
I
o
slash
library
images,
but
they
would
match
the
uppermost
pattern,
but
only
the
most
specific
is
being
used.
That
means
when
you
say
I
want
the
test
image
un
signed
it's
going
to
be
validated
against
docker
hub
basics,
with
trustroot
from
us.
A
B
Right
we
try
to
keep
it
as
concise.
That's
why
we
have
this
separate
structure
of
validators
and
image
policy,
but
obviously
you
could
extend
this.
What
you
could
also
do,
for
example,
right
now
you
could
say,
with
this
uppermost
pattern,
the
wildcard
colon
wildcard.
You
could
actually
define
that
you
want
everything.
Every
image
that
doesn't
match
the
patterns
below
should
be
allowed.
If
you
were
to
just
add
a
line
below
and
say,
the
valley
data
is
the
allow
validator
that
will
always
say.
Okay,
I'm
fine.
B
A
Okay,
I
see
so
now.
I
wanted
to
maybe
I'll
stop
sharing
screen
for
a
bit
and
just
wanted
to
go
through
some
threads.
I
had
in
mind
and
kind
of
get
your
thoughts
on
it.
So
I
think
first
thing
we
looked
at
is
between
the
admission
controller,
checking
the
image
and
the
container
and
time
pulling
it.
That
part
is
clear,
it's
kind
of
resolved
because
you
are
verifying
and
pulling
the
same
digest.
A
So
as
a
result
of
that,
there
is
no
chance
of
timing
attack
where
I
can
change
my
swap
my
image
and
then
something
else
gets
pulled.
The
other
piece
I
was
wondering
is
in
a
kubernetes
cluster
right,
we'll,
as
we
assume
generally,
that
nobody
has
node
access
and
so,
as
a
result
of
that
only
way
the
images
are
going
to
get
into
a
node
are
when
I
deploy
a
pod
and
then
kubelet
picks
it
up,
and
then
I
have
to
pull
the
image,
but
there
it
could
be
an
attack
scenario.
A
I
can
think
of
where
some
through
some
remote
code
execution,
I
get
root
on
a
node
and
I
don't
really
have
cluster
access
right,
and
in
that
case
I
can
say.
Oh
I
see
this
image
is
being
used
by
this
part
on
my
note,
and
the
container
runtime
doesn't
have
any
public
key
to
verify
right.
So
I
could
decide
that.
A
Let
me
see
if
I
can
pull
some
other
image
that
is
malicious
and
then
I
can
use
that
image
to
do
all
sorts
of
different
things
like
I
can
take
over
cubelet
or
I
can
use
kubelet
credentials
to
take
over
the
cluster
eventually
so
that
piece
any
admission
controller.
That
is
doing
something
like
this,
whether
it's
connoisseur
or
something
else
wouldn't
be
able
to
solve.
B
That's
the
thing
right
as
long
as
it
goes
by
the
cube
api
right,
we'd
be
blocking
it
if
it's
not
going
via
the
cube
a
sorry.
If
it's
not
going
via
the
cube
api
anymore,
then
we
can't
do
anything
yeah
we're
not
checking
sort
of
the
running
images.
Container
images
in
the
in
the
in
the
cluster.
A
Right
right
exactly
and
is
there
a
chance-
and
this
is
probably
somebody
from
kubernetes
who
has
really
wrote,
written
code
about
google,
cubelet
and
implemented
the
api
server
connection
is
between
the
time
when
cube
api
server.
With
the
admission
controller
accepts
an
image
says.
Yes,
this
is
good.
I
verified
the
signature
and
then
the
request
comes
to
cubelet
and
cubelet
is
now
going
to
say.
Okay,
I
receive
this
for
spec.
A
I
know
what
image
to
pull,
but
now,
if
I
have
taken
over
cubelet,
I
can
swap
that
image
with
some
malicious
image,
and
then
the
container
runtime
will
pull
that
and
the
pod
spec
that
is
confirmed
from
api
server
side
is
actually
not
something
that
is
used.
A
So
there
is,
there
is
a
potential
where
the
container
run
time
pulls
an
image
that
it
thinks
is
verified
by
kubernetes
right,
but
cubelet
is
actually
the
one
man
in
the
middle
in
a
way
where
it's
swapping
the
image,
and
there
is
no
way
of
anyone
knowing
that,
so
that
that
could
still
happen,
and
I
mean
because
of
the
way
admission
control
is
defined.
You
can't
really
do
anything
about
it,
but
just
some
threads.
B
It's
it's
true
sort
of.
I
mean
we
could
that's,
maybe
a
nice
feature
and
we're
doing
validation
already.
We
could
obviously
inquire
which
pods
or
which
resources
are
running
in
the
cluster
right
now
and
then
extract
whether
all
of
those
are
have
valid
signatures.
That'd
be
actually
a
very
nice
extension
of
connoisseur
to
not
only
do
the
admission
control
but
also
look
what
is
the
status
or
sort
of
what's
the
state
of
the
cluster?
B
A
I
almost
feel
like
this
is
an
opportunity
to
create
some
kind
of
a
cap
which
is
kubernetes
enhancement
proposal
where
either
either
we
do
this,
both
in
container
runtime
interface
as
well
as
cubelet,
or
at
least
in
one
of
them,
where
we
have
some
level
of
verification
that
you
can
add
on
top
of
what
is
verified
at
admission,
controller,
place
or
stage.
So
that
way
I
know
now.
A
I
can
verify
it
in
two
places,
not
just
when
it
is
using
cube
api,
but
also
when
I'm
actually
pulling
the
image
and
that
way
when
I'm
actually
pulling
the
image,
I'm
almost
sure
that
once
I've
pulled
it,
there
is
really
no
chance.
Like
only
way
you
can
really
tamper
with
the
image
is
basically
locally
changing
the
image
and
then
again,
if
you
have
image,
always
full
set,
then
that
image
can
be
ephemeral
and
it
will
replace
get
replaced
by
a
newer
one,
which
is
probably
a
valid
one.
A
So
yeah,
I
think
that's
that's
something
I'll
probably
bring
up
with
some
of
the
six
security
folks
and
hopefully,
or
some
of
you
can
pitch
in
and
help
us
on
it.
A
All
right
cool
this
was
this
was
fun.
I
I
learned
a
lot
grace
of
I
see
people
are
still
joining
in
no
worries.
Martin
hi
he's
saying
hi
from
netherlands
we'll
have
obviously
the
recording
available,
and
we
have
another
tgik
coming
up
pretty
soon
at
regularly
scheduled
time
at
1
pm.
A
So
ricardo,
who
is
my
favorite
one
of
the
favorite
colleagues
to
work
with,
is
hosting
that
it's
it's
going
to
be
on
curie
fence,
which
is
looks
like
a
vaf
for
kubernetes,
so
definitely
interesting,
problem,
space
and
interesting
topic
to
explore,
but
yeah.
If
take
a
look
at
that,
you
have
a
few
more
hours
to
go
about
two
two
and
a
half
hours
three
hours
plus
to
go
so
take
a
break,
relax
and
then
joining
in
when
ricardo
comes
in
at
1
pm.
But
just
to
summarize
what
we
discussed
today.
A
Basically,
we
went
through
connoisseur
as
a
tool.
What
it
does
went
through
the
configuration
got
the
basic
demo
working
on
pretty
much
the
first
attempt,
which
is
great.
So
that
means
the
docs
are
pretty
good
in
terms
of
what
they
are
expected
to
do,
and
the
experience
was
good.
We
learned
about
some
history.
We
learned
about
what
are
still
open
threats
coming
in
and
what
is
going
on
and
we
went
through
questions
from
all
the
viewers
looks
like
there
is
one
more.
A
B
There
is
whether
that's
in
that's
in
general
possible.
I
think
there
has
been
some
hooks,
I'm
not
sure
if
that
ever
got
really
like.
I
haven't
tried
it
myself.
My
impression
was
always
that
it's
still
complicated
to
do
it
because
it
does
doesn't
work
like
smoothly
out
of
the
box.
It
needs
some
additional
additional
work.
It's
yeah,
it's
not
sort
of
natively
supported.
I
would
I
would
say,
but
I
think
there's
work
on
it.
B
So
people
are,
I
mean,
that's
that's,
hopefully
also
to
understand
right,
we're
not
the
only
ones
out
there
who
are
doing
this.
I
think
we're
one
of
the
first
who
started
doing
this.
There
was
another
project
by
ibm,
pateras
actually,
but
obviously
there's
like
so
much
traction
on
this
topic
right
now.
B
Many
different
ways
to
do
it
and
all
have
their
advantages
and
disadvantages,
and-
and
I
think
it's
just
yeah-
it's
a
crazy
space
right
now.
B
A
B
People
learned
a
bit
and
understood
how
it
works,
how
we
do
trust,
pinning
and
so
on,
and
I
actually
thought
when
we
got
started.
I
thought
wow.
This
is
going
to
be
a
very
long
time
for
such
a
for
our
small
tool,
but
then
right
now,
I
feel
like
we
could
have
spent
hours
playing
more
around
with
it.
A
A
Take
a
look
at
that
hope
to
see
you
there
and
take
some
rest
enjoy
your
weekend.
If
you're
wrapping
up
and
see
you
in
a
few
hours,
all
right.
Okay,
thanks
kristoff
see
you
later.