enhancements/security/openshift-image-policy: Propose new enhancement
Increasing the security of OpenShift release images from the current "check GPG signatures before initiating an update" to "check Sigstore signatures on every Pod launch".

Like the (Cluster)ImagePolicy enhancement I'm building on, this enhancement mostly belongs to the Node component. But the node component doesn't seem to have its own subdirectory, so I'm dropping this into the enhancements/security directory for now.

I've tried to lay out context for most things in the enhancement text itself, but the:

  --sort-by='{.lastTimestamp}{.metadata.creationTimestamp}'

event filtering seems peripheral enough to be worth punting to here in the commit message. The logic Kubernetes uses to populate the LAST SEEN column is complicated [1]. While lastTimestamp seems to be what these particular Pod events most commonly use, that property is optional [2]. By preferring lastTimestamp, and falling back to creationTimestamp if lastTimestamp is unset, I'll hopefully fairly reliably deliver a descending LAST SEEN column.

[1]: https://github.com/kubernetes/kubernetes/blob/9c8c61aee4966d153fba0b9c365c7d03c602b4fc/staging/src/k8s.io/kubectl/pkg/cmd/events/event_printer.go#L66-L99
[2]: https://github.com/kubernetes/kubernetes/blame/9c8c61aee4966d153fba0b9c365c7d03c602b4fc/pkg/apis/core/types.go#L5607-L5609