►
Description
Join Pushkar with Christoph from SSE - Secure Systems Engineering GmbH, as we explore, why having signed images only is not enough. But having a way to verify them for each workload, is equally important. In this episode we will explore Connaisseur project that acts as an admission controller to verify signed images at deployment time.
A
A
A
It's
called
connoisseur
and
it's
going
to
help
act
like
an
admission
controller
for
all
the
images
that
are
signed
and
then
you
can
use
them
to
verify
so
now
the
idea
is
what
it
is
and
how
can
I
use
it
and
I'm
going
to
use
it
as
a
beginner,
and
for
that
I
thought
it
would
be
great
if
we
could
get
one
of
the
creators
of
connoisseur
to
join
us,
so
I'm
lucky
and
excited
to
welcome
christoph
who
is
one
of
the
creators
of
connoisseur
christoph.
Why
don't
you
quickly
introduce
yourself.
B
Hi
everyone
super
happy
to
be
here,
thank
you
for
the
invitation
pushkar
very
exciting,
also
exciting,
to
see
bandy
somebody
using
it
without
having
it
tested.
First,
that's
certainly
going
to
be
interesting
from
a
support
perspective
and
very
worrying
from
a
show
perspective,
but
let's
see
yeah
quickly
about
myself,
I'm
a
security
expert
from
secure
systems,
engineering
and
one
of
the
maintainers
of
connoisseur,
secure
systems.
Engineering
is
a
security
company
actually
from
berlin,
and
we
obviously
do
offensive
security
and
defensive
security
and
we
have
an
engineering
section.
B
Actually,
we
do
also
host
a
dns
service,
a
secure,
dns
service
and
also
we
built
connoisseur
in
that
realm.
It
actually
very
much
came
out
of
our
defensive
security
work
for
companies
where
we
ran
into
the
problem
that
we
needed
to
verify
signatures
in
the
kubernetes
cluster,
and
that
was
more
than
maybe
roughly
one
and
a
half
years
ago
and
back
then
there
was
no
solution,
so
yeah
we
kind
of
got
into
it.
That
way,
and
now
we're
sitting
here
talking
about
it.
So
I'm
excited
how
it's
going
to
go.
A
Wow,
that's
that's
amazing.
I
love
to
always
understand
the
history
behind
how
this
came
about,
and
people
have
already
started
asking
some
questions
about
like
hey.
Why
are
we
having
two
tgi
guys
today?
What
what
are
what
is
going
on
really?
So
I
just
wanted
to
give
some
idea
about
why
this
is
happening
and
what
we
are
trying
to
do
so.
A
A
The
1pm
slot
is
really
probably
the
worst
time
for
everyone,
except
people
in
pacific
time
zone,
so
the
idea
was
could
potentially,
we
have
episodes
in
future
where
we
have
an
episode
that
is
friendlier
to
other
time
zones,
especially
apac
time
zones
and
emea
time
zones.
So
this
is
why
we
are
trying
this
out.
We
will
have
two
episodes
today.
This
is
the
one
that
hopefully
is
more
convenient
for
people
in
apec
anemia.
A
I
know
christoph
you
yourself
are
joining
from
europe,
so
it
would
have
been
very
hard
to
join
on
the
regularly
scheduled
time
for
you
as
well.
So
so
that's
that's
why
we
are
here
they.
I
j.
I
also
posted
a
link
to
the
overall
schedule
for
the
upcoming
weeks
on
for
tgik
what
it
is
going
to
look
like
and
where
we
are
really
going
to
go.
So
let
me
do
that
first
and
then
we'll
go
to
all
the
week.
We
can
review
announcements
so
I'll
start
sharing.
My
screen.
A
What
basically
you're
seeing
is
today's
episode,
so
we
have
one
from
that
is
going
on
now,
and
one
ricardo
is
doing
later
on
a
regularly
scheduled
time.
We
have
another
one
for
during
thanksgiving
and
then
few
more
in
december,
so
it's
it's
gonna
be
packed
week
and
packed
month,
and
I'm
excited
to
see
how
this
goes.
We'll
probably
make
a
make
a
few
mistakes,
we'll
probably
do
a
bit
more
of
exploration,
of
how
the
time
zones
look
like
how
the
timelines
are
going
to
look
like
and
any
feedback
related
to.
A
We
also
have
kubernetes
patch
releases
that
were
out
this
week
for
all
the
supported
releases
and
we
had
some
in
very
interesting
salsa
stuff
digged
into
it.
So
take
a
look
at
that
tweet
thread
there
are.
There
is
also
a
new
golang
version
coming
in
which
is
1.18,
and
there
is
a
very
cool
twitter
thread
covering
about
the
new
stuff
that's
coming
in,
so
we
have
fuzz
fuzzing
generics,
even
a
new
net
net
ip
package
and
a
new
strings
bytes
dot
cut.
A
A
The
mutation
looks
like
move
to
beta
and
there
is
a
new
cli.
There
are
test
constraints
and
constraint
templates
without
kubernetes,
and
the
most
popular
announcement
of
potentially
last
year
was
docker
shim
deprecation.
So
now
that
it's
been
deprecated
for
a
bit
and
again
just
to
emphasize
it's
docker
shim,
that
is
being
deprecated,
it's
going
to
be
marked
for
removal
in
version
124.
A
So
for
that
purpose,
one
of
our
six
in
kubernetes
signature
is
collecting
some
feedback.
So
there
is
a
link
to
the
blog
and
they
want
to
basically
know.
Are
you
using
docker
shim?
How
are
you
using
docker
shim
for
in
your
clusters?
Does
this
impact?
You?
Are
you
aware
of
this
deprecation
and
removal,
so
any
feedback
that
you
can
share
there
will
be
really
appreciated,
and
then
my
favorite
announcement
for
the
week
is
port
security.
A
Admission
is
going
to
move
to
beta
in
version
123
and
by
moving
to
beta
it
means
it
will
be
enabled
by
default
the
tweet
tag.
There
also
has
some
very
interesting
details
and
some
history
behind
it.
So
take
a
look
at
that
and
some
very
exciting
documentation,
updates
and
blogs
are
also
coming
in
as
well.
A
So
let's
me
check
out
any
comments
with
some
wicked
review
from
everyone
else.
In
the
meantime,
all
right,
yay
people
are
excited
about
dual
tgi
case
is
the
image
signature
located
in
ocm
metadata.
I
think
that's
a
good
question
for
the
rest
of
the
episode
happy
friday
yusuf
happy
friday
engine.
Hopefully
I
pronounce
your
name
right:
hey
nestor
from
central,
california,
central
america
and
yusuf.
Finally,
we
will
maybe
change
timing
for
tgik
yup
and
then
hba
v2.
Yes,
that's
right.
A
B
A
Connoisseur
and
and
the
name
yes,
especially
the
name,
because
whenever
I've
used
the
name,
it's
always
like
the
spell
checkers
have
always
told
me:
hey.
Is
this
the
correct
name
and
I'm
like
I
know
the
github
repo
is
named.
That
so
tell
us
then
system
behind
the
name,
history
behind
the
tool
and
how
it's
all
started.
B
So
I
make
both
statements
here
that
I
haven't
checked,
but
I
can
tell
you
how
it
happened.
It
turns
out
when
we
built
the
tool
we
first
at
some
point.
You
need
a
name
right
and
we
did
it
in
the
way
you
shouldn't
be
doing
it.
I
was
like
well,
our
company
initials
are
sse,
so
it
would
be
fun
to
have
a
name
where
sse
is
actually
in,
and
my
colleague
was
sitting
on
the
other
side
of
the
table
and
he's
like
well.
B
I
can
just
grab
something
from
the
dictionary
and
take
the
first
word
that
comes
up
and
that
was
actually
connoisseur
and
then
people
are
complaining.
We
actually
had
a
very
early
review
at
some
point
where
somebody
said
well,
but
that's
wrong,
english
and
it
actually
is,
and
it
turns
out
it's
very-
it's
actually
very
interesting.
It's
a
very
interesting
name,
connoisseur,
obviously
has
a
french
route,
and
it
turns
out
that
originally
the
name
was
the
connoisseur,
as
you
have
it.
B
In
the
english
version
and
split
of
then
and
later
it
was
changed
to
connect
from
connecticut
to
connoisseur,
and
that's
where
germany
or
german
language
has
it
from
so
connoisseurs.
Technically,
it's
the
german
french
version
of
the
english
connor.
Yes,
so
that's
how
we
got
into
this
mess?
Yes,
but
actually
internally,
I
I'm
not
allowed
to
like
people
always
complain
when
I
propose
that
internally
we
call
it
call
her
connie
to
keep
things
short.
So
there.
A
B
A
B
B
B
B
No,
let's
say
wildly
compatible
solution
out
there
to
to
achieve
this
right
now
and
then
we
felt
like
we
should
definitely
open
source
it
because
I
think
that's
also
the
the
spirit
of
the
whole
kubernetes
cloud
native
environment.
It's
it's
amazing.
It
actually
is
it's
it's
a
lot
of
fun.
If
there's
people
who've
never
worked
on
an
open
source
project,
it's
it's
exciting
to
do
and
yeah.
So
we
got
started
on
it
and
then
we
got
feedback
and
it
kept
growing
and
evolving.
A
All
right,
okay,
that's
definitely
that
definitely
makes
sense
like
so
there
was
a
clear,
legitimate
customer
requirement,
and
then
we
said:
okay,
this
makes
sense,
but
nothing
exists
right
now.
So
why
not
build
it
and
then
once
it
is
working,
why
not
open
source
it
so
be?
More
people
can
contribute
more
people
can
adopt
it
and
the
oral
community
and
the
project
gets
richer
because
of
it.
B
Yes,
absolutely,
and
I
think
it's
something.
On
the
other
hand,
I
think
it's
something
that
is
required.
I
mean
kubernetes
currently
doesn't
have
like
a
common
solution
that
is
being
used
to
verify
container
images
that
are
deployed
to
the
cluster,
and
I
think
that
that's
really
a
lacking
that
that
should
be.
That
should
be
improved
right
right
and
I'm
happy
there's
like
so
much
motion,
I
mean
when
we
started
there
wasn't
much
traction
on
the
topic,
it's
all
in
the
range
of
supply
chain
security,
but
nowadays
that's
certainly
different.
B
A
B
A
B
Okay,
so
I
mean
you
already
take
the
part
of
it
on
a
very
high
level.
Why
why?
Why
have
a
signature
at
all
right
and
that
accounts
for
any
any
situation
in
which
you
may
use
a
signature?
It's
it's
typically
used
to
ensure
one
authenticity
of
whatever
you're
getting
that
can
be
for
a
message,
source
code
or
a
binary
that
you're
trying
to
download
or
install,
and
the
second
thing
is
integrity,
making
sure
that
the
content
of
whatever
you're
deploying
installing
or
seeing
has
not
been
modified
after
creation.
B
That's
the
two
main
main
ideas.
Why
use
signatures
at
all
now
and
that's
been
widely
adopted
right
I
mean
we
all
know
that
apt
has
a
signature
solution.
All
mobile
phones
use
app
stores.
That's,
I
think,
a
major
improvement
from
mobile
phones.
They
have
like
one
app
store
that
has
signatures
and
so
on
and
so
forth.
That
already
mitigates
a
lot
of
problems
in
the
case
of
kubernetes,
as
you
said
you
could
have
you
could
say,
I
have
a
secure
registry.
B
I
think
that's
in
general,
not
how
it
works,
because
people
want
to
have
some
freedom
on
the
registry.
So
essentially,
what
you'll
be
doing
is
you'll,
be
building
your
image
in
some
ci
cd
on
your
local
computer
or
wherever
you'll
be
uploading
it
to
some
registry
or
directly
to
your
kubernetes
and
then
deploy
it
to
the
kubernetes
cluster,
to
run
your
image,
your
container
image
in
a
pot
and
and
there's
obviously
several
things
that
could
go
wrong
right.
If,
for
example,
you
upload
it
to
a
public
registry,
it
could
be.
B
B
Or
it
could
be
that
one
of
your
developers
loses
his
or
her
credentials,
and
that
makes
it
possible
for
an
attacker
to
push
new
images
to
the
container
registry.
Now
in
all
of
those
situations,
when
you
deploy
your
you,
you
start
up
your
pot.
It
will
kubernetes
will
pull
the
container
image
from
the
registry
and
there's
no
real
certainty
that
this
container
image
hasn't
been
modified
from
when
it
was
built
and
that
it's
actually
an
there's.
B
No
there's
no
adjective
for
integrity
that
it's
an
unmodified
container
image
and
that
it's
authentic,
like
the
container
image
you
want
to
deploy.
So
ultimately,
what
what
is
the
ideal
case
you'll
be
building
your
container
image,
then
upload
it
or
sign
and
upload
it
to
the
container
registry,
and
now,
when
you
deploy
it
just
before
deployment,
you'll
have
a
solution
say
connoisseur
as
an
admission
controller
that
will
check
whether
the
image
you
are
about
to
spin
up
in
your
cluster
has
actually
not
been
modified
and
comes
from.
A
Right
right,
okay,
that
that
makes
a
lot
of
sense.
I
mean
one
thing:
many,
maybe
smaller
projects
that
can't
really
host
their
own
registry
have
to
do
is
rely
on
a
public
one,
that's
either
easily
accessible
or
where
I
don't
have
to
worry
about
maintaining
that
registry,
and
in
that
case
it
shouldn't
be
a
boolean
decision
like
I
either
trust
the
entire
registry,
or
I
don't
trust
it
so
with
signatures,
you
can
at
least
say.
A
B
Right
and
then,
depending
on
the
solution
you're
using
there
comes
various
different
security
guarantees
that
you
can
include
in
such
a
solution.
There's,
for
example,
the
update
framework
which
really
tackles
this
question:
what
is
common
attacks
on
updating
systems
or
installation
systems
or
software
distribution
and
how
to
tackle
them?
It's
an
it's
a
very
exciting
read.
Actually,
I
can
only
recommend,
because
there's
so
many
things
so
many
more
things
to
to
learn
about
it.
Yeah.
B
That
that
would
be
it
and
actually
it's
to
be
to
spin
this
a
bit
wider.
I
think
this
even
holds
in
many
cases.
People
are
using
cloud
solutions
these
days
for
kubernetes
and
the
registry
itself,
so
that
would
mean
that
you're
always
sort
of
dependent
on
the
cloud
provider
and
you
could
mitigate
some
associated
risks
using
signatures,
not
all,
but
at
least
some
yeah.
A
Yeah
yeah,
that
makes
sense
hopefully
for
everyone
listening
in
this-
gives
kind
of
good
enough
context
about
why
we
are
doing
this
and
why
connoisseur
kind
of
makes
sense
for
some
use
cases,
if
feel
free
to
add
your
questions
there,
but
we'll
now
jump,
I
think
straight
to
the
demo.
So
I
will
open
the
link
that
shows
the
connoisseur
repo
and,
let's
start
sharing
that.
A
All
right,
okay,
so
here's
the
repo
where
connoisseur
project
exists.
Now
what
I
I
would
look
like
look
at
when
I'm
starting
with
a
project
is
okay.
Is
this
the
best
place
for
me
to
download
the
tool
right
and
one
of
the
common
things
I
look
at?
Is
okay
in
this
releases?
Okay,
when
is
it
last
release?
So
last
release
looks
like
is
almost
one
month
ago,
so
that
means
the
project
is
maintained
and
updated
regularly.
A
There
are
releases,
there
are
contributors
and
then
so
that
gives
me
some
confidence
that
about
the
health
of
the
project.
So
that's
good
to
know,
and
then
this
next
thing
I
start
looking
at
is
okay,
where
is
the
documentation?
So
looks
like
this?
Is
the
documentation
and
now
can
I
start
working
on
this.
So
this
looks
like
a
quick
start
with
the
helm,
and
then
I
have
to
clone
the
repo,
and
I
have
to
run
cube
ctl
so
from
prerequisites
perspective
christoph,
I
would
need
helm.
A
The
kubernetes
cluster
right,
okay,
all
right,
so
I'm
gonna
use
my
favorite
tool
to
spin
up
kubernetes
clusters,
which
is
kind
which
is
built
on
top
of
docker.
So
for
that,
let
me
start
docker,
while
we're
looking
at
this
and
now
I'll
switch
my
screen
to
the
terminal
where
we
can
actually
get
started
with
the
demo.
A
A
A
A
B
A
Yeah
exactly
and
then
we
can
go
into
the
source
code
also,
if
needed,
all
right
cool.
So
next
up,
I
think,
is
helm.
I
think
I
have
helm
installed.
So,
let's
see
so
what
is
this
doing?
Install
connoisseur
with
helm
atomic
create
namespace,
namespace
connoisseur.
Tell
tell
me
more
about
this
kristoff.
A
B
The
simple
home
install
to
set
up
connoisseur
as
an
admission
controller,
I'm
not
sure
if
people
are
aware
of
what
admission
controllers
are
essentially
any
request
that
goes
via
the
cube.
Api
will
pass
through
different
phases.
There's,
for
example,
authentication
authorization,
and
there
is
two
phases
of
admission.
B
I
see
one
is
validating
and
one
is
mutating
admission
and
connoisseur
will
be
implemented
as
a
mutating
admission
controller,
so
that
we'll
sort
of
install
the
admission
webhook
that
is
technically
just
it
will
make
a
call
to
a
service.
That
service
will
be
the
connoisseur
service,
which
then
responds
to
this
call
with
either
it's
valid,
or
it
has
to
be
changed
like
like
this
and
that
or
it's
invalid,
so
the
request
say
for
creating
a
resource.
Maybe
a
pot
would
be
either
accepted,
mutated
or
denied,
and
that
will
technically
install
it.
B
There's
this
atomic
option
in
it.
That's
a
bit
because
admission
control
is
a
bit
special
right.
If
you
deny
everything
to
a
cluster,
if
it
does
not
fulfill
a
certain
rule,
you
always
have
to
make
sure
you
don't
start
denying
before
the
tool
is
fully
spun
up.
So
that
means
the
connoisseur
service
with
the
connoisseur
pot
will
have
to
be
or
pots
actually
would
have
to
be
run
up
before
the
a
webhook
itself
is
is
switched
to
active.
Otherwise,
the
webhook
would
deny
deploying
the
service
itself.
A
B
That's
correct
and-
and
I
think
that's
it's
actually
a
way
in
which
one
could
do
it,
but
there's
a
specialty
in
kubernetes,
and
that
is,
you
can
refer
to
a
container
image.
The
image
that
you
want
to
use
via
the
tag
or
the
digest
right
and
what's
going
to
happen
here,
is
that
when
later
you
deploy
a
resource
that
has
a
pot
with
a
container
image
in
it
and
you
refer
to
it
by
tag
then
connoisseur
could
check
what
kind
of
digest
is
related
to
this
tag.
B
B
So
what's
nice
about
container
images,
if
you
read
refer
by
digest,
that's
sort
of
a
hash
of
the
image
content,
so
what
connoisseur
will
be
doing
for
an
image
that
is
called
by
tag?
It
will
resolve
to
the
correct
digest
check
whether
that
has
a
suitable
like
a
valid
signature
against
a
pre-configured
trust
route,
and
if
that
is
the
case,
it
will
exchange
the
tag
by
the
digest
and
by
doing
this
switch.
B
That
means
when
you
pass
on
this
image
reference
at
a
later
stage,
the
container
runtime
will
actually
verify
the
digest
against
the
content
of
the
image.
So
that
means
why
connoisseur
now
verifies
this
is
assigned
digest.
So
it's
authorized
to
be
run
by
us
on
the
container.
Runtime
will
later
actually
verify
that
the
digest
is,
in
fact,
like
agrees
to
the
content
of
your
image,
because
it's
just
the
hash
of
the
content
itself.
B
B
A
Oh
wow,
that's
a
very
nice
design.
I
really
like
it
because
that
was
one
of
the
threats
I
had
in
mind
where
my
admission
controller
says
yes,
you're
good
to
go
and
then
the
container
runtime
hasn't
actually
pulled
the
image
yet
and
by
then
I
could
really
say
my
admission
controllers
has
said
yes
good
to
go
and
I
switch
my
image
in
that
time,
which
is
kind
of
less
short
amount
of
time,
but
it
could
happen
and
then
suddenly
I
have
an
image
that
I
thought
I
trusted,
but
it's
not
really
the
same
image.
A
B
A
B
There's
a
very
lags
requirement,
it
should
be
version
16
or
above.
I
think.
One
thing
we
really
took
really
is
that
we
tried
to
make
it
as
easy
to
use
and
as
compatible
as
we
could,
because
we
felt
like
the
the
whole
range
of
clusters.
People
are
using
specifically
in
managed.
Kubernetes
often
versions
are
somewhat
older,
so
we
really
took
great
care
to
make
sure
it's
compatible
with
the
broadest
range.
A
Okay,
wow.
That's
that's
really
good
to
know,
so
it's
really
loosely
coupled
with
what
kubernetes
features
exist
or
not.
As
long
as
you
have
admission
controller
that
is
supported
in
the
kubernetes
release,
pretty
much.
At
least
you
have.
You
have
integration
test
from
116,
so
we
know
it
works
until
that
at
least.
B
Exactly
and
and
whenever
somebody
finds
a
problem,
we
have
a
discussion
board
on
github
and
hope
that
people
run
into
issues
reported
there
and
to
help
us,
because
you,
you
really
only
test
with
your
own
environments
and
then
you
try
some
things
around,
but
you
never
have
the
full
experience
and
so
in
the
past
has
been
enormously
helpful.
When
people
reported
oh
I'm
using
this
and
that
kubernetes
flavor
and
I
had
this
and
that
problem.
A
A
B
It's
absolutely
not
obvious.
I
I
still
think
it's
it's
really
hard
to
know.
What's
the
default
way
people
are
using,
and
whenever
we
have
these
discussions,
we
try
to
kind
of
understand
what
what
people
expect
to
be
doing
now
for
him.
We
thought
it's
nice
because
it
gives
you
some
templating,
yeah
and
you'd
be
able
to
build
normal
kubernetes
yeah
mods
from
helm
by
by
just
running
it
as
a
debug
and
then
using
the
output
so
rendering
your
templates
right
but
yeah
we're
always
like
that's
it's.
B
A
A
B
B
B
A
Yeah
yeah,
that
makes
sense.
It
reminds
me
of
one
of
the
features
in
port
security
admission
where
we
have
an
exemption
option
for
a
cluster
level
policy
and
in
that
also
one
of
the
common
ones
to
exempt
for
any
enforcement
of
port
security
is
a
cube
system,
so
that
that
is
very
obvious.
I
think
use
case
and
I'm
glad
connoisseur
is
supporting
it.
A
Okay,
so
we
looks
like
we
are
ready
with
connoisseur
deployed
now.
Next
step
seems
like
is
running
verification
for
for
an
image
that
already
has
signature,
so
I'm
gonna
copy
that
command
here
now
tell
me
if
I
understand
this
command
correctly,
so
we
are
saying
cube,
ctl
run
hello
world
with
image
hello
world.
A
So
the
assumption
is
this:
image
will
be
a
signed
image
and
when
I
run
my
pod,
it's
going
to
go
past
the
go
through
the
connoisseur
admission
controller
and
whether
it's,
if
it's
signed
or
not,
based
on
that
it
will
either
reject
the
pod
creation
or
it
will
accept
the
port
creation
and
then
continue
to
let
the
pod
start
up.
Is
that
fair.
B
A
Okay,
that
makes
sense
so
in
the
in
to
your
point
on
the
digest.
This
is
pointing
to
the
latest
tag
by
default
and
what
we
will
do
from
corner
source
side
is
look
at
the
latest
tags
say:
okay,
give
me
the
digest,
basically,
which
is,
would
be
the
sha
256
hash.
If
I'm
not
wrong,
and
then
I
will
switch
that
with
the
which
with
that
digest
and
then,
when
the
runtime
picks
it
up,
it
will
pull
the
image
with
that
digest.
Instead
of
the
tag
right.
B
B
No,
no,
I
mean
technically,
this
worked
right,
connoisseur,
let
the
container
image
pass.
So
maybe
I
should
explain
this
a
bit
more
connoisseur.
Let
the
container
image
pass
and
the
pot
was
created
at
that
point.
You
already
know,
like
connoisseur,
doesn't
have
a
problem
with
it.
The
only
thing
that
happened
is
now
that
we
created
a
pot
based
on
docker
hello
world,
which
is
a
container
image
that
fails
because
it's
not
in
a
suitable
container
image
to
run.
B
A
B
A
Okay,
so
now
this
is
running
a
demo
pod
with
image
from
connoisseur
team
looks
like,
and
it
has
a
tag
called
signed.
So
same
thing
will
happen
and
then
because
it
says
sign-
and
I
think
the
idea
is
like
this-
is
actually
a
signed
image.
This
should
create
a
pod
and
then
we'll
potentially
have
a
pod
running,
which
means
that
the
signature
verification
worked
exactly
okay,
let's
see
all
right
so
pod
created,
let's
see,
continue,
creating
and
running
okay,
perfect.
B
A
A
A
B
A
B
That's
essentially,
what
connoisseur
will
be
doing
it
will
be
accepting
the
resource
request.
Look
at
the
resource
configuration,
find
all
container
images
and
replace
all
tags
with
validated
digests
if
they
exist.
If
there's
any
case
in
which
there's
no
validated
or
valid
digest,
our
connoisseur
will
refuse
the
request
and
that's
probably,
what
we're
going
to
see
with
the
next
command.
A
A
I
know
the
verification
work
because
the
pod
has
created,
but
I
want
to
be
sure
whether
how
the
verification
actually
worked
and
whether
verification
just
happened,
or
am
I
just
looking
at
so
it
could
be
also
similar
to
like
a
policy
engine
right
where
I
say
if
I
see
an
image
which
says
the
demos
colon
signed,
and
I
have
a
database
of
hashes
where
I
know
I
trust
them.
I
can
just
use
that
as
an
admission
controller
and
say
these
are
allowed,
but
we
what
we
are
not
doing
just
that
right.
A
We
are
also
checking
for
the
authenticity
of
the
image
by
actually
cryptographically
verifying
this
signature
through
a
public
key
that
should
be
accessible
to
connoisseur.
So
where
do
I
find
that
public
key
and
is
there?
Are
there
any
kind
of
logs?
I
can
look
at
where
it
says
this.
This
image
was
verified
with
this
public
key
and
it
looks
good.
B
Yeah,
maybe
there's
a
third
example
just
to
demonstrate
that
what
happens
if
it,
because
we
have
now
seen
that
it
that
looks
like
it
always
works
right
and
now
to
prove
that
it
also
cannot
work.
You
could,
for
example,
use
this
unsigned
image.
It's
a
it's
also
an
image
provided
by
us.
It's
only
because
you
don't
want
to
instruct
people
to
run
any
random
images.
B
A
B
Since
this
is,
I
know
you
see,
actually
it's
denied
right.
It
says
unable
to
find
the
sign
digest
for
image.
Cryo
nice
there's
two
ways
to
actually
see
this.
One
is
to
look
into
the
configuration.
The
other
option.
This
there's
different,
something
we
should
explain,
is
there's
different
ways
to
sign
container
images.
These
days
when
we
started
there
was
only
notre
ev1
and
by
now
there's
a
cosine
from
zig
store
and
also
coming
up,
not
really
version
2..
B
B
A
B
And
there
you
can
see
it
says
no
signatures
for
test
image
unsigned,
and
you
can
see
that
in
general,
the
repository,
however,
that
works
now
not
3v1
has
two
valid
signers.
Here,
none
of
them
signed
that
image
and
if
you
were
to
use
the
signed
image,
you
would
actually
see
that
the
signed
image
has
a
valid
signature.
A
A
A
B
That's
the
thing
here
right
when
you
sign
you,
don't
really
care
about
about
the
actual
content
like
being
readable
and
obviously
making
a
signature
over
a
whole
image
that
has
100
megabytes,
and
you
just
want
to
attach
something
that
confirms
these
hundred
megabytes
would
again
be
100
megabytes,
so,
what's
really
being
signed
is
only
the
digest.
That
is
the
shah
256
of
the
image.
A
B
A
A
B
A
B
A
B
Okay,
even
in
force
which
person
has
to
have
signed
like
what
we're
having
here
is
technically
it's
it's
a
bit
intricate,
but
you
can
have
a
general
signing
key
and
you
can
have
delegations
of
that
key
and
now
here
we,
what
we
see
is
is
two
different
delegations
and
in
the
default
configuration
any
delegation
is
fine.
However,
in
connoisseur
you
could
specify
that
either
both
or
one
specific
delegation
is
required.
Yeah,
it's
just
a
matter
of
how
you
want
to
use
the
signature
solution.
A
Yeah,
I
I
want
to
come
to
that
like
because
I
can
imagine
multiple
teams
wanting
to
sign
images
before
they
go
in
production,
so
definitely
want
to
go
to
that.
Let
me
check
the
chat.
First
looks
like
some
more
activity
there.
So
okay
scrolling
back,
looks
like
this
tool
is
similar
to
cable
carville.
B
A
A
Basically,
the
whole
idea
brand
having
dji
kit
today
at
this
time
is
we
realized.
1Pm
pacific
is
pretty
bad
for
everybody
else,
except
maybe
people
who
are
in
pacific
time
zone
or
some
other
u.s
time
zone.
So
the
idea
was:
can
we
make
tgik
more
apac
anemia
time
zone
friendly,
and
this
is
our
first
real
experiment
to
have
two
episodes?
One
is
friendlier
to
apac
anemia,
which
is
this
episode
and
so
because
and
why
it's
friendlier?
A
A
Hopefully
the
this
experiment
works.
We
are
open
to
feedback
on
how
how
what
the
community
thinks
like,
but
that's
really
what
we're
doing.
There
are
some
more
similar
time
zone
friendly,
djik
scheduled
in
future.
So
let's
see
how
that
goes,
and
yeah
carecare4
clarified
this.
So
thank
you
so
much
then
we'll
have
engine
engine
also
clarified.
We'll
have
two
dgi
case.
B
That's
not
specifically
dependent
on
connoisseur
that
depends
on
the
actual
signing
solution
you're
using.
So
what
connoisseur
is
technically
doing
it
allows
you
know
it
implements
different
signing
schemes
or
types
of
schemes.
There
could
be
nutri
version,
one
or
a
cosine,
from
six
star
project
and
depending
on
the
signing
solution,
you
have
different
possibilities
to
sign
images
and
also
whether
images
expire
or
not,
so
that
that
differs
a
bit.
A
B
Right,
we're
not
ourselves
enforcing
how
you
sign
the
image,
we're
implementing
some
of
the
image
signing
solutions
and
allow
you
to
verify
the
associated
signatures.
What
we've
seen
here
now
is
a
notary
version.
1
signature,
not
reversion
1
was
introduced,
I
think,
mostly
by
docker
quite
some
time
ago,
but
you
could
use
a
cosine
from
six
star
to
sign
your
images.
Those
signatures
will
look
different.
A
A
B
There's
nothing
that
should
stop
it
from
air
gap
clusters.
I
have
to
admit
I
haven't
tested
that
I'd
be
excited.
If
somebody
says
it
doesn't.
I
wouldn't
see
why
I
mean.
Obviously
you
need
to
have
connection
to
the
kubernetes
cluster
you
need
to
have
connection
to
so
connoisseur
needs
to
run
in
the
kubernetes
clustering.
You
need
to
have
connection
to
the
image
registry
of
some
sort
and
the
source
of
the
signature,
but
other
than
that
connoisseur
doesn't
have
any
external
dependencies
yeah
only.
A
A
B
Yeah,
and
if
it
doesn't,
I
mean
there
would
be
something
we
definitely
I
mean
I
wouldn't
see
why
it
shouldn't
work,
and
I
would
actually
hope
that
it
does
and
and
if
there's
anything
right
now
that,
for
some
weird
reason
requires
an
internet
connection,
I
I
I
think
we
should
fix
that
yeah
yeah.
I
think
you
can
see
why
I
mean
you
need
access
to
the
signature
and
the
yeah
or
container
image
yeah.
A
And
my
my
t,
my
project
works
in
air
gap.
Cluster
is
one
of
like
almost
like
a
design
requirement
nowadays,
because
there
are,
there
are
always
so
many
use
cases
where
people
who
are
security,
focused
and
aligned
are
also
the
same
people
who
are
running
air
gap
clusters,
so
the
alignment
is
always
there
so
especially
for
security
projects.
If
it
works
in
air
gap,
that's
like
wow,
okay,
great.
I
can
actually
use
it
so
glad
to
hear
that
now.
A
Yeah
yeah
agree:
okay,
so
carlos
saying
yeah,
I
agree,
4
p.m.
Est
I
I
mean
I
would
be
very
have
to
be
really
motivated
to
watch
dji
gear
at
4,
00
pm
in
east
coast
time,
but
there
are
a
lot
of
people
who
join.
I
know
so
hoping
you
join
ricardo
session
in
the
regularly
scheduled
time
at
1
p.m.
Pacific
4,
p.m,
east!
A
B
Yeah,
I'm
not
aware
of
any
any
means.
I
mean
the
question
is
signing
technically
works,
but
the
signature
has
to
be
stored
somewhere
and
that's
why
you
sort
of
need
a
signing
solution
and
I
think,
there's
one
solution,
but
we
haven't
gotten
around
implementing
it
because
I
suspect
it
will
be
gone
soon.
Is.
A
A
A
There
is
a
session
for
tgik
if
I'm
not
wrong
on
december
17,
which
is
going
to
go
a
bit
deeper
on
this,
I
believe
jon
is
hosting
that
so
folks
who
liked
this
session.
There
is
a
good
chance.
You
like
that
one
too
now
yeah
does
then,
let's
see
more
questions,
I'm
using
cosine
six
store.
Why
would
I
use
connoisseur.
B
B
All
of
a
sudden.
There
is
no
signature
anymore
for
you
in
the
specific
scheme
you're
using
yourself,
and
thus
it
doesn't
work
anymore.
So
we
really,
I
mean
it's,
it's
obviously
a
question
how
things
will
evolve,
but
as
long
as
there
are
multiple
signing
solutions,
we
felt
like
it's
really
important
to
have
one
way
to
to
verify.
When
you
verify
you
have
to
be
able
to
to
do
all
of
them.
A
Yeah
yeah
exactly
okay.
Now,
let's
go
back
to
the
demo,
so
few
things
I
want
to
try
now
kristoff
with
you
is
look
at
the
configuration
of
the
admission
controller,
how
it
looks
like
how
is
the
public
key
pulled?
Is
it
cache
somewhere
locally,
so
I
don't
have
to
keep
pulling
for
every
image.
Verification,
so
tell
me:
where,
should
I
look
look
for
that
info.
B
B
That's
what
I
got
yeah,
I
got
what
you
mean
yeah,
all
right,
okay,
yeah!
Exactly
so
that's
the
configuration
now
the
upper
part.
Is
it
technically
has
like
three
sections.
The
upper
part
is
a
deployment
section
right
and
the
deployment
section
is
like
a
generic
kubernetes
things.
How
many
replicas
do
you
want
to
have?
B
What's
the
I
don't
know,
affinity
for
example,
obviously
connoisseur
you
wanted
anti-affinity,
it
should
run
on
distributed
nodes,
not
on
the
same
node,
so
it
doesn't
fail
the
moment.
One
node
goes
down.
There's
some
security
context.
Here
we
tend
to
choose
security
faults,
so
that's
been
a
bit
of
a
trouble
sometimes
because
then
you
I
mean
you're
very
involved
in
kubernetes
security,
and
you
know
these
things
change.
So
if
you
support
from
version
16
to
19
or
22
sorry
to
22,
then
some
of
these
fields,
like
the
second
profiles
and
so
on.
A
A
B
A
That's
terrific,
because
one
of
the
common
complaints
you
hear
is:
I
want
to
improve
my
security
of
kubernetes
and
you
are
asking
me
to
deploy
a
daemon
set
that
runs
as
privileged.
So
that's.
How
is
that
changing
my
security
posture?
So
now
I
have
a
security
product
project
here
which
improves
my
security,
but
also
doesn't
expect
itself
to
run
in
any
kind
of
privilege
mode.
So
that's
definitely
a
plus
okay
cool.
B
So
this
is
the
configuration
exactly
and
as
stated
there
there's
two
things
to
how
chronosome
works,
there's,
validators
and
there's
policy
or
image
policy.
The
validator
is
sort
of
a
configuration
for
how
validation
should
work.
So
you
can
see
here,
for
example,
the
first
two
validators
are
what
we
call
static
validators
whenever
they
will
be
called,
they
will
simply
say:
yes,
approve
or
simply
say:
no,
I
don't
approve,
they
don't
do
any
verification
of
anything.
If
a
request
comes
in,
they
will
just
say
yes
or
no.
B
The
next
one
is
one
that
is
being
used
for,
like
your
own
usage,
it's
a
dynamic
validator
of
sorts.
In
this
case,
for
example,
there
is
you,
give
it
a
name
such
as
could
be
could
be
default
could
be
a
more
specific
name,
and
then
there
is
a
type.
This
type
is
actually
which
defines
in
the
end
which
signing
solution
you've
been
using
such
that
you
can
validate
later.
B
A
B
Exactly
and
then,
if
you
go
further
down,
you
see
actually
that
for
this
validator
in
this
case
now,
you
can
see
if
you,
if
you
stop
there
for
a
moment,
you
see
this-
is
the
valley,
data
docker,
hub
basics,
right
as
you
can
see
in
the
like
fourth
line
from
top
it's
a
notary,
v1
valley
data,
the
notary
server
runs
on
not
read.docker
io
and
then
below
that
we
have
two
different
keys
specified.
One
is
the
docker
official
and
one
is
the
secure
systems,
engineering,
official.
A
A
A
Oh
okay,
I
see
right
so
now.
Maybe
question
is
we
had
two
images
signed
and
unsigned?
Does
connoisseur
first
check
if
signature
exists
and
then
verify
it
and
if
yes
like,
where
does
the
signature
typically
exist?
Is
it
another
artifact?
I
have
to
pull
when
I
pull
my
image
or
is
it
part
of
the
image
metadata.
B
That
again
depends
on
the
signing
solution.
Exactly
for
notary,
you
have
a
separate
server
that
contains
the
signature
data
and
then
we
actually
download
the
signature
data
and
then
there's
actually
many
steps.
We
have
to
do
to
very
fully
verify
the
signature
data
in
case
of
cosine
six
store.
The
signature
itself
is
written
as
an
artifact
into
the
registry.
A
A
If
I'm
not
wrong
christopher,
we
said
we
don't
really
look
for
the
tag
when
we
verify
we
look
for
the
digest
and
then
that
digest
is
the
one
that
actually
will
be
immutable
and
unique
for
that
image,
and
as
long
as
I
I
know,
I've
signed
that
digest
I'll
be
able
to
verify
it.
No
matter
what
the
tag
is,
no
matter
what
the
registry
is
or
no
matter
what
environment
I'm
deploying
it
in.
B
B
A
A
B
Exactly
now
we
see
the
validators
we
configured
above
are
now
applied
to
different
images
based
on
a
pattern.
The
first
pattern-
there's
a
wildcard
wildcard
means
anything
is
allowed.
The
second
pattern
is
a
bit
more
specific,
so
here
you
now
see
that
the
docker,
I
o
slash
library
images
are
supposed
to
be
validated
against
the
docker
hub
basics,
validator,
with
the
key
docker
official
that
we've
just
seen
above.
You
can
actually
remove
this
now
and
then
we
can
see
that
the
same
image
that
was
allowed
before
is
not
allowed
anymore.
A
B
Obviously
the
kubernetes
public
images
I
think
they
may
have
they
will
start
to
have
like
public
signatures
soon,
so
that
could
be
done.
So
this
shows
one
of
the
going
back
to
the
question
earlier.
It
shows
one
way
how
you
can,
for
example,
exclude
certain
images
from
validation
is
to
simply
allow
based
on
a
given
pattern.
So
that
would
mean,
like
all
images
that
come
from
this
source
are
to
be
trusted.
B
That's
often
not
ideal,
but
we
all
know
that,
for
example,
the
cube
system
there
could
be
several
pods
running
that
that
that
can't
be
easily
validated
or
that
may
not
have
a
signature
right.
If
an
image
doesn't
have
a
signature,
you
could
at
least
limit
it
to
to
a
scope
such
that,
because
of
that
it
doesn't
have
to
apply
to
all
images.
A
Right
right,
right,
yeah,
that
makes
sense.
I'm
almost
thinking
about
the
sort
of
next
few
months.
There
is
a
plan
to
sign
images
for
all,
basically,
all
kubernetes
container
images
soon.
So
the
reason
there
is
a
potential
where
somebody
who
is
running
kubernetes
and
wants
to
create
a
cluster
and
before
creating
a
cluster
doesn't
really
want
to
assume
trust
for
all
the
cuban.
This
container
images
and
wants
to
verify
it.
A
B
The
distro-less
images,
for
example,
have
a
public
key
that
could
be
used
to
that.
That
actually
works
for
verification
as
well,
but
then
then,
we'd
have
to
add
it
to
the
configuration
first
right
right
and
it's
again
not
running
a
distroless
image
in
a
kubernetes
cluster.
It
doesn't
it
also
crash
loops
because
there's
just
nothing
in
it
right,
it
doesn't
have
a
proper
entry
point.
A
Yeah
yeah,
that
makes
sense.
One
question
related
to
this.
I
had
was
now
in
this
case,
if
you're
looking
to
the
trusted
root,
secure
system,
engineering,
official,
secure
system,
engineering,
official-
and
this
is
the
key-
so
let's
say
I'm
I'm
a
team
of
developers,
engineers
and
maybe
product
managers,
and
I
want
to
make
sure
that
before
of
operations,
team
or
devops
team
deploy
something
in
production.
A
B
A
B
Root
key
so
essentially
there's
a
root
json
uploaded
to
the
public
notary
server,
and
that
has
that
specifies
the
allowed
delegations,
and
maybe
even
the
allowed
delegations
for
a
specific
target.
So
a
specific
image
and
connoisseur
does
allow
you
to
specify
you
could
specify
below
which
delegations
are
enforced
on
the
image.
So
you
could
say
the
security
team
has
to
have
signed
off
and
the
operations
manager
has
to
have
signed
off.
So
you
could
specify
a
delegation
just
under
this
there's
this
with
a
flag
and
under
the
width
like
beyond
the
trust
route.
B
B
For
the
cosine
world,
there
is
some
work
on
cosine
side
on
it,
but
then
we
got
this
question
several
times
so
the
moments
before
this
meeting.
I
was
actually
working
on
exactly
that
feature
nice
to
allow
you
specifying
multiple
keys
in
the
validator
section
above
and
then
say
how
you
want
to
handle
them
either.
I
want
to
enforce
all
of
them.
I
want
to
have
a
threshold,
at
least
I
don't
know
three
or
five.
A
B
A
B
Something
to
to
hold
to
your
heart
this,
yes,
you
want
it
secure,
but
security
also
means
that
things
remain
available.
Yeah,
the
detection
mode
is
set
up
in
a
way.
Even
if
an
image
doesn't
have
a
signature,
we'll
be
issuing
a
warning
but
will
not
block
deployment
and
then
below
there
like
a
little
bit
below
there's
an
a
a
way
to
configure
an
alerting.
B
B
Either
you
flag
specific
namespaces
that
you
want
to
have
ignored
or
you
flag,
namespaces
that
you
want
to
validate
so
either
allow
listing
or
deny
listing,
obviously
deny
listing
is
better,
which
is
why
it's
the
secure
default,
because
allow
listing
just
never
is
never
future
safe
and,
as
you
can
see
above
in
this
label
right,
that's
the
label.
You
would
have
to
attach
to
the
namespace,
secure
systems,
engineering,
dot,
connoisseur,
slash,
webhook
equals
validate.
B
A
I
see
okay,
wow
lots
of
good
information,
so
let
me
let's
take
it
a
bit.
Slow,
so
looks
like
we
are.
We
have
good
secure
defaults
already
in
this
project,
so
detection
mode
is
false
by
default.
If
I
understand
correctly
so
that
means
it
will.
Verification
is
always
enforced.
Unless
you
say
I
don't
want
to
verify.
I
just
want
to
get
warned
on
it.
B
A
B
B
B
B
Let
me
let
me
understand
this:
if
you
say
you,
may
you
turn
namespace
validation
on
by
making
enabling
true
right,
then
then
it's
a
question
of
the
mode
right.
If
the
mode
is
ignore,
you
have
to
provide
a
specific
ignore
label
to
a
namespace
as
a
namespace
label.
To
make
sure
this
namespace,
like
images
within
this
namespace,
will
not
be
validated.
B
B
B
So
a
common
configuration
could,
for
example,
right
now,
be
you
switch
this
to
you.
You
said
you
want
this
as
ignored,
so
you
say
enabled
true,
and
then
you
attach
the
secure
systems.
Engineering
connoisseur,
slash
web
hook
equals
ignore
label
to
the
cube
system
namespace,
and
that
means
all
all
the
resources
in
the
cube
system.
Namespaces
are
excluded
from
validation.
A
That
makes
sense:
okay,
wow,
then
that's
a
nice
way
to
kind
of
manage
things
at
name,
space
level
and
cluster
level.
Both
at
the
same
time
looks
like.
Another
question
was
curious
to
know,
is
cornosaur
equivalent
to
cosign
from
project
six
store,
or
it
has
some
extra
features.
Maybe
I'll
try
to
answer
it.
You
might
have
been
bored
answering
that
for
many
many
months.
So
tell
me
if
I'm
wrong,
my
understanding
is
connoisseur.
Is
a
sig
signer
agnostic,
image,
signature,
verification
tool,
whereas
cosine
and
six
store
are
signers
of
images.
A
B
Right
right,
currently,
it's
two
were
planning
to
extend
to,
depending
on
how
notary
version
two
seems
to
they
had
their
first
releases
now
and
they're
they're,
making
some
more
steps.
So
that's
probably
going
to
be
next
and
then
yes,
as
you
said,
there's
a
web
hope
even
by
six
store
or
by
the
co-sign
six
or
community
themselves.
That's
been
coming
up
recently,
there's
some
there's
some
differences
between
the
two,
how
they
work
and
what
they
support
and
so
on
and
so
forth.
But
that's
more
in
the
in
the
details.
A
A
B
A
A
And
also
at
run
time,
if
I
don't
have
a
public
key
for
that
particular
image,
let's
say
it's
something
coming
from
me
like
docker,
hub
dot,
io
pushkar,
and
there
is
an
image
related
to
that
and
I
haven't
configured
a
public
key
for
it.
Then,
depending
on
my
default
configuration
either
the
image
is
allowed
or
image
is
rejected.
B
B
B
Okay,
I
mean
you,
could
you
could
actually
change
that
if
you
that's
the
beauty
of
how
it's
being
built,
there's
different
types
of
validators
right,
there's,
dynamic
ones
where
you
configure
your
public
key,
then
there's
the
static
ones
allow
deny
and
and
then
obviously
the
dynamic
ones
and
you
can
have
as
many
as
you
like
of
those
right
now.
The
beauty
is,
you
have
the
you've
seen
the
policy
image
policy
section?
Maybe
you
can
show
that
again
because
that's
where
the
magic
happens,
it
always
goes
to
the
closest
matching
pattern.
B
B
So
in
the
in
the
case,
if
you
pull
the
secure
systems,
engineering
test
images
that
we
did
before
they
match
to
the
last
pattern
best,
they
do
not
match
at
all
the
pattern
above
the
for
the
kubernetes
images
and
they
also
do
not
match
at
all
the
docker.
I
o
slash
library
images,
but
they
would
match
the
uppermost
pattern,
but
only
the
most
specific
is
being
used.
That
means
when
you
say
I
want
the
test
image
un
signed
it's
going
to
be
validated
against
docker
hub
basics,
with
trustroot
from
us.
A
B
Right
we
try
to
keep
it
as
concise.
That's
why
we
have
this
separate
structure
of
validators
and
image
policy,
but
obviously
you
could
extend
this.
What
you
could
also
do,
for
example,
right
now
you
could
say,
with
this
uppermost
pattern,
the
wildcard
colon
wildcard.
You
could
actually
define
that
you
want
everything.
Every
image
that
doesn't
match
the
patterns
below
should
be
allowed.
If
you
were
to
just
add
a
line
below
and
say,
the
valley
data
is
the
allow
validator
that
will
always
say.
Okay,
I'm
fine.
B
A
Okay,
I
see
so
now.
I
wanted
to
maybe
I'll
stop
sharing
screen
for
a
bit
and
just
wanted
to
go
through
some
threads.
I
had
in
mind
and
kind
of
get
your
thoughts
on
it.
So
I
think
first
thing
we
looked
at
is
between
the
admission
controller,
checking
the
image
and
the
container
and
time
pulling
it.
That
part
is
clear,
it's
kind
of
resolved
because
you
are
verifying
and
pulling
the
same
digest.
A
So
as
a
result
of
that,
there
is
no
chance
of
timing
attack
where
I
can
change
my
swap
my
image
and
then
something
else
gets
pulled.
The
other
piece
I
was
wondering
is
in
a
kubernetes
cluster
right,
we'll,
as
we
assume
generally,
that
nobody
has
node
access
and
so,
as
a
result
of
that
only
way
the
images
are
going
to
get
into
a
node
are
when
I
deploy
a
pod
and
then
kubelet
picks
it
up,
and
then
I
have
to
pull
the
image,
but
there
it
could
be
an
attack
scenario.
A
I
can
think
of
where
some
through
some
remote
code
execution,
I
get
root
on
a
node
and
I
don't
really
have
cluster
access
right,
and
in
that
case
I
can
say.
Oh
I
see
this
image
is
being
used
by
this
part
on
my
note,
and
the
container
runtime
doesn't
have
any
public
key
to
verify
right.
So
I
could
decide
that.
A
Let
me
see
if
I
can
pull
some
other
image
that
is
malicious
and
then
I
can
use
that
image
to
do
all
sorts
of
different
things
like
I
can
take
over
cubelet
or
I
can
use
kubelet
credentials
to
take
over
the
cluster
eventually
so
that
piece
any
admission
controller.
That
is
doing
something
like
this,
whether
it's
connoisseur
or
something
else
wouldn't
be
able
to
solve.
B
A
Right
right
exactly
and
is
there
a
chance-
and
this
is
probably
somebody
from
kubernetes
who
has
really
wrote,
written
code
about
google,
cubelet
and
implemented
the
api
server
connection
is
between
the
time
when
cube
api
server.
With
the
admission
controller
accepts
an
image
says.
Yes,
this
is
good.
I
verified
the
signature
and
then
the
request
comes
to
cubelet
and
cubelet
is
now
going
to
say.
Okay,
I
receive
this
for
spec.
A
So
there
is,
there
is
a
potential
where
the
container
run
time
pulls
an
image
that
it
thinks
is
verified
by
kubernetes
right,
but
cubelet
is
actually
the
one
man
in
the
middle
in
a
way
where
it's
swapping
the
image,
and
there
is
no
way
of
anyone
knowing
that,
so
that
that
could
still
happen,
and
I
mean
because
of
the
way
admission
control
is
defined.
You
can't
really
do
anything
about
it,
but
just
some
threads.
B
It's
it's
true
sort
of.
I
mean
we
could
that's,
maybe
a
nice
feature
and
we're
doing
validation
already.
We
could
obviously
inquire
which
pods
or
which
resources
are
running
in
the
cluster
right
now
and
then
extract
whether
all
of
those
are
have
valid
signatures.
That'd
be
actually
a
very
nice
extension
of
connoisseur
to
not
only
do
the
admission
control
but
also
look
what
is
the
status
or
sort
of
what's
the
state
of
the
cluster?
B
A
I
almost
feel
like
this
is
an
opportunity
to
create
some
kind
of
a
cap
which
is
kubernetes
enhancement
proposal
where
either
either
we
do
this,
both
in
container
runtime
interface
as
well
as
cubelet,
or
at
least
in
one
of
them,
where
we
have
some
level
of
verification
that
you
can
add
on
top
of
what
is
verified
at
admission,
controller,
place
or
stage.
So
that
way
I
know
now.
A
I
can
verify
it
in
two
places,
not
just
when
it
is
using
cube
api,
but
also
when
I'm
actually
pulling
the
image
and
that
way
when
I'm
actually
pulling
the
image,
I'm
almost
sure
that
once
I've
pulled
it,
there
is
really
no
chance.
Like
only
way
you
can
really
tamper
with
the
image
is
basically
locally
changing
the
image
and
then
again,
if
you
have
image,
always
full
set,
then
that
image
can
be
ephemeral
and
it
will
replace
get
replaced
by
a
newer
one,
which
is
probably
a
valid
one.
A
A
So
ricardo,
who
is
my
favorite
one
of
the
favorite
colleagues
to
work
with,
is
hosting
that
it's
it's
going
to
be
on
curie
fence,
which
is
looks
like
a
vaf
for
kubernetes,
so
definitely
interesting,
problem,
space
and
interesting
topic
to
explore,
but
yeah.
If
take
a
look
at
that,
you
have
a
few
more
hours
to
go
about
two
two
and
a
half
hours
three
hours
plus
to
go
so
take
a
break,
relax
and
then
joining
in
when
ricardo
comes
in
at
1
pm.
But
just
to
summarize
what
we
discussed
today.
A
Basically,
we
went
through
connoisseur
as
a
tool.
What
it
does
went
through
the
configuration
got
the
basic
demo
working
on
pretty
much
the
first
attempt,
which
is
great.
So
that
means
the
docs
are
pretty
good
in
terms
of
what
they
are
expected
to
do,
and
the
experience
was
good.
We
learned
about
some
history.
We
learned
about
what
are
still
open
threats
coming
in
and
what
is
going
on
and
we
went
through
questions
from
all
the
viewers
looks
like
there
is
one
more.
A
B
There
is
whether
that's
in
that's
in
general
possible.
I
think
there
has
been
some
hooks,
I'm
not
sure
if
that
ever
got
really
like.
I
haven't
tried
it
myself.
My
impression
was
always
that
it's
still
complicated
to
do
it
because
it
does
doesn't
work
like
smoothly
out
of
the
box.
It
needs
some
additional
additional
work.
It's
yeah,
it's
not
sort
of
natively
supported.
I
would
I
would
say,
but
I
think
there's
work
on
it.
B
So
people
are,
I
mean,
that's
that's,
hopefully
also
to
understand
right,
we're
not
the
only
ones
out
there
who
are
doing
this.
I
think
we're
one
of
the
first
who
started
doing
this.
There
was
another
project
by
ibm,
pateras
actually,
but
obviously
there's
like
so
much
traction
on
this
topic
right
now.