Support mutating multi-arch images #710
Comments
|
Here's an exploration doc I had written explaining the issue and potential solutions. https://hackmd.io/@akashsinghal/r1gOTxOgo |
|
As you mentioned, implementation wise we would lean on ORAS go to the heavy lifting of the actual manifest selection however we would need to provide the manifest platform to ORAS. Adding a field to the ED request would work however I don't believe there's a good way for Gatekeeper to also provide this information since the Pod spec doesn't have the platform selected during this stage of the resource creation process. The user would somehow have to specify it in the policy. But this is kind of awkward and not flexible. Maybe we can get away with this option coupled with some smart defaults? Such as assuming by default the platform will match the one that the Ratify Pod is running on and then user has to override this in the policy if otherwsie... |
What would you like to be added?
The current mutating endpoint only supports resolving a tag which applies to a single platform. We probably need to support resolving multi-arch images in the future. There is an API in Oras-go that can do it: https://pkg.go.dev/oras.land/oras-go/[email protected]#Resolve which requires a platform option passed in.
Therefore, Ratify would need to get the platform from the GK external data request.
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this feature?
The text was updated successfully, but these errors were encountered: