enable immutable tags on production artifact registries #8010
Labels
area/infra/gcp
Issues or PRs related to Kubernetes GCP infrastructure
area/release-eng
Issues or PRs related to the Release Engineering subproject
priority/important-longterm
Important over the long term, but may not be staffed and/or may need multiple releases to complete.
sig/k8s-infra
Categorizes an issue or PR as relevant to SIG K8s Infra.
Milestone
Comments
|
/sig k8s-infra |
k8s-ci-robot
added
sig/k8s-infra
|
Probably start by converting our bash tooling handling the prod registries to HCL. |
well, again, as mentioned in #8008, I'm wary of granting many things access to manipulate these, and I'm pretty happy with rarely having a small number of humans modify settings for these particular resources the risk to compromise is great |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I don't think we've done this yet, we can gain a little more peace of mind if we know the promoter jobs don't have access to this, only the terraform automation (and ideally not even that, we should really only let a handful of infra leads and the CNCF have access to manipulate the GCP project hosting release images).
note: immutable tags are incompatible with cleanup policies, for this and other reasons we should only enable them for production registries and not staging
note: deleting untagged images is still permitted in this mode, so this mode is not a complete "append-only" option xref #8008
https://cloud.google.com/artifact-registry/docs/docker/names#versions
The text was updated successfully, but these errors were encountered: