Namespaced Validation⚓︎
Warning
Enabling namespaced validation, allows roles with edit permissions on namespaces to disable validation for those namespaces.
Namespaced validation allows restricting validation to specific namespaces. Connaisseur will only verify trust of images deployed to the configured namespaces. This can greatly support initial rollout by stepwise extending the validated namespaces or excluding specific namespaces for which signatures are unfeasible.
Namespaced validation offers two modes:
ignore: ignore all namespaces with labelsecuresystemsengineering.connaisseur/webhook: ignorevalidate: only validate namespaces with labelsecuresystemsengineering.connaisseur/webhook: validate
The desired namespaces must be labelled accordingly, e.g. via:
# either
kubectl namespaces <namespace> securesystemsengineering.connaisseur/webhook=ignore
# or
kubectl namespaces <namespace> securesystemsengineering.connaisseur/webhook=validate
Configure namespaced validation via the namespacedValidation in charts/connaisseur/values.yaml under application.features.
Configuration options⚓︎
namespacedValidation in charts/connaisseur/values.yaml supports the following keys:
| Key | Default | Required | Description |
|---|---|---|---|
mode |
- | - | ignore or validate; configure mode of exclusion to either ignore all namespaces with label securesystemsengineering.connaisseur/webhook set to ignore or only validate namespaces with the label set to validate. |
If the namespacedValidation key is not set, all namespaces are validated.
Example⚓︎
In charts/connaisseur/values.yaml:
application:
features:
namespacedValidation:
mode: validate
Labelling target namespace to be validated:
kubectl namespaces validateme securesystemsengineering.connaisseur/webhook=validate