aaw [Epic] SAS Support

[x] StatCan/aaw-kubeflow-containers#330
[x] Implement Gatekeeper Policies
- Use employee-only feature & state label to block external users #922
- Use state.aaw.statcan.gc.ca/non-employee-users to block SAS Notebooks https://github.com/StatCan/daaas/issues/950
[x] Create Controllers e.g. state.statcan.gc.ca/has-employee-only-features
- Look for SAS images, set employee-only-features #951
- Look for RoleBindings, set non-employee-users#984
[ ] Use container image metadata instead of image names (OCI Annotations and API calls to the registry)
[x] #1107
[x] Don't let users see images they can't schedule (jupyter-apis) - https://github.com/StatCan/daaas/issues/1085
[x] Let users know they won't be able to add external contributors to employee-only namespaces (manage contributors UI) - https://github.com/StatCan/daaas/issues/1254

Under Add Annotation to a Signature

https://dev.to/n3wt0n/sign-your-container-images-with-cosign-github-actions-and-github-container-registry-3mni

You can add metadata to the image signature, and using this

https://github.com/sigstore/cosign-gatekeeper-provider

We could sign all kubeflow containers and decide whether they're "employee only" or not. The policy can apply to the images in user namespaces when they create new notebooks.

@saffaalvi you'll start by adding metadata into the image signature with cosign, then that gatekeeper plugin can use that data! Then just rewrite the "if image == sas" logic in the original gatekeeper policy you wrote

Aug 03 '22 15:08 blairdrummond

@blairdrummond Thanks for the info!

@chuckbelisle Whoever ends up taking this over, the only task left for SAS is the one above.

Aug 03 '22 15:08 saffaalvi

[Epic] SAS Support

See Also