7 ‐ SLSA compliant charts
All projects that became SLSA compliant based on the SLSA guidance will automatically push their images directly to both DockerHub and Rancher Prime registries.
It is of the utmost importance that no background process tries to sync those DockerHub images back into Rancher Prime: the digests of the two images may differ, so the Prime image could be overwritten and its cosign signature would no longer be discoverable.
The image sync process within Rancher Prime now only copies missing images, so as to avoid this problem. However, the Rancher charts repository also has a sync process, and projects must opt out of it using the following process:
There is a new file at the root of the repository called slsa.yaml.
All charts with SLSA-compliant image dependencies must define those image names there.
The first chart to adhere to the SLSA standards is rancher-cis-benchmark.
At the time of writing, it had only one SLSA-compliant image dependency: rancher/cis-operator.
Once the image is defined there, it will no longer be synced to the Prime registry from the charts repository.
SLSA-compliant images must be synced to the Prime registry from their upstream repository; therefore the chart sync cannot overwrite them once the chart is released.
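The following is an added example, not code from the charts repository or the build scripts: it models the opt-out rule above by parsing a slsa.yaml in an assumed chart-to-images layout (the real schema is not given on this page) and planning which images the chart sync may still copy to Prime. Image names other than rancher/cis-operator, and all digests, are constructed sample values.

```python
from typing import Dict, List, Set

# Constructed sample in the ASSUMED layout: chart name -> list of SLSA images.
SLSA_YAML = """\
rancher-cis-benchmark:
  - rancher/cis-operator
"""


def parse_slsa_yaml(text: str) -> Dict[str, List[str]]:
    """Minimal parser for the assumed 'chart:' / '  - image' layout (no PyYAML)."""
    result: Dict[str, List[str]] = {}
    chart = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" ") and line.endswith(":"):
            chart = line[:-1].strip()
            result[chart] = []
        elif chart is not None and line.lstrip().startswith("- "):
            result[chart].append(line.lstrip()[2:].strip())
        else:
            raise ValueError(f"unexpected line in slsa.yaml: {raw!r}")
    return result


def slsa_images(slsa: Dict[str, List[str]]) -> Set[str]:
    """Flatten the chart -> images mapping into the set of opted-out images."""
    return {img for imgs in slsa.values() for img in imgs}


def plan_sync(chart_images: Set[str], slsa: Dict[str, List[str]],
              prime_digests: Dict[str, str]) -> Dict[str, str]:
    """Decide per image what the chart sync is allowed to do.

    SLSA images are never pushed from the charts side (upstream pushes them;
    overwriting would orphan the cosign signature). Everything else is copied
    only when missing in Prime, mirroring the 'only copies missing images' rule.
    """
    excluded = slsa_images(slsa)
    plan = {}
    for image in sorted(chart_images):
        if image in excluded:
            plan[image] = "skip-slsa"          # pushed upstream, never overwrite
        elif image not in prime_digests:
            plan[image] = "copy-missing"       # safe: nothing in Prime to clobber
        else:
            plan[image] = "keep-existing"      # already present, leave digest alone
    return plan
```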
More information on SLSA compliance: SLSA Guidance Doc
PR implementing this sync bypass: https://github.com/rancher/charts-build-scripts/pull/153