With all the recent supply chain attacks in services like npm, new age gating features have been created to ensure only packages that are over a certain age can be pulled into applications.
This could be useful to have in flux image automation. Many images could be compromised by supply chain attacks and delaying the updates by a configurable time window could allow developers to manage this behaviour in flux in a similar way to npm.
This wouldn't be a panacea as image publishers ideally should have scanning in place and consumers could use tools like neuvector to scan images for vulnerabilities but it could be a helpful tool to have in the arsenal against such attacks.
I have a working controller that I've been testing but I'm opening this issue first as per the guidance.
What I've got so far is a configurable minAge and maxAge value that sits under filterTags that can be set in hours.
Here is an example policy:
apiVersion: image.toolkit.fluxcd.io/v1
kind: ImagePolicy
metadata:
name: tautulli
namespace: flux-system
spec:
imageRepositoryRef:
name: tautulli
policy:
semver:
range: x.xx.x
filterTags:
minAge: 168h
Here is the output at the time of writing of kubectl get imagepolicy tautulli:
NAME IMAGE TAG READY STATUS AGE
tautulli ghcr.io/home-operations/tautulli 2.17.1 True Latest image tag for ghcr.io/home-operations/tautulli resolved to 2.17.1 4h44m
The absolute latest image at time of writing is 2.17.2 but this was released 5 days ago so it is filtered out.
With all the recent supply chain attacks in services like npm, new age gating features have been created to ensure only packages that are over a certain age can be pulled into applications.
This could be useful to have in flux image automation. Many images could be compromised by supply chain attacks and delaying the updates by a configurable time window could allow developers to manage this behaviour in flux in a similar way to npm.
This wouldn't be a panacea as image publishers ideally should have scanning in place and consumers could use tools like neuvector to scan images for vulnerabilities but it could be a helpful tool to have in the arsenal against such attacks.
I have a working controller that I've been testing but I'm opening this issue first as per the guidance.
What I've got so far is a configurable
minAgeandmaxAgevalue that sits underfilterTagsthat can be set in hours.Here is an example policy:
Here is the output at the time of writing of
kubectl get imagepolicy tautulli:The absolute latest image at time of writing is
2.17.2but this was released 5 days ago so it is filtered out.