Skip to content

Namespaced Validation⚓︎

Namespaced validation allows restricting validation to specific namespaces. Connaisseur will only verify trust of images deployed to the configured namespaces. This can greatly support initial rollout by stepwise extending the validated namespaces or excluding specific namespaces for which signatures are unfeasible.

⚠ Enabling namespaced validation, allows roles with edit permissions on namespaces to disable validation for those namespaces. ⚠

Namespaced validation offers two modes:

  • ignore: ignore all namespaces with label securesystemsengineering.connaisseur/webhook: ignore
  • validate: only validate namespaces with label securesystemsengineering.connaisseur/webhook: validate

The desired namespaces must be labelled accordingly, e.g. via:

# either
kubectl namespaces <namespace> securesystemsengineering.connaisseur/webhook=ignore
# or
kubectl namespaces <namespace> securesystemsengineering.connaisseur/webhook=validate

Configure namespaced validation via the namespacedValidation in helm/values.yaml.

Configuration options⚓︎

namespacedValidation in helm/values.yaml supports the following keys:

Key Default Required Description
enabled false true or false; enable namespaced validation otherwise images in all namespaces will be validated.
mode ignore ignore or validate; configure mode of exclusion to either ignore all namespaces with label securesystemsengineering.connaisseur/webhook set to ignore or only validate namespaces with the label set to validate.

Example⚓︎

In helm/values.yaml:

namespacedValidation:
  enabled: true
  mode: validate

Labelling target namespace to be validated:

kubectl namespaces validateme securesystemsengineering.connaisseur/webhook=validate
Back to top