Coverage Matrix

  • Chkk Curated Release Notes: v2.5.0 to latest
  • Private Registry: Supported
  • Custom Built Images: Supported
  • Safety, Health, and Readiness Checks: v2.8.1 to latest
  • Supported Packages: Helm, Kustomize, Kube
  • EOL Information: Available
  • Version Incompatibility Information: Available
  • Upgrade Templates: In-Place, Blue-Green
  • Preverification: Available

Connaisseur Overview

Connaisseur is a Kubernetes admission controller that ensures only container images signed by trusted sources are deployed. It intercepts Pod creation requests, verifies each image's signature against the trust roots configured in its validators, and enforces provenance by rewriting the image reference to the immutable digest it verified, so the Pod runs exactly the content that was signed. Connaisseur supports Docker Content Trust (Notary v1) and Sigstore Cosign signatures and fits into existing CI/CD pipelines without changes to the build process. Platform teams can centrally enforce image signing policy without modifying application workloads, strengthening software supply chain security and supporting compliance requirements.

Chkk Coverage

Curated Release Notes

Chkk tracks official Connaisseur releases, highlighting critical features, breaking changes, and key updates relevant to your operational environment. Important items like changes in supported signing backends, webhook configurations, or mandatory Helm chart parameters are clearly identified. Chkk’s targeted summaries help platform teams rapidly assess and address operational impacts of updates, reducing upgrade-related risks. Additionally, security patches and vulnerability mitigations are emphasized to maintain the integrity of container image validation.

Preflight & Postflight Checks

Chkk runs comprehensive pre-flight checks to confirm cluster compatibility and to verify that the admission webhook, policy definitions, validator configuration, and all associated ConfigMaps, Secrets, and trusted signing keys are present and valid. These checks prevent compatibility issues like deprecated API versions or skipped intermediate upgrades. Post-upgrade, the postflight checks validate the admission webhook health, proper digest enforcement, and operational logging for verification failures. This proactive approach significantly reduces operational disruption by identifying potential issues before they impact your cluster.

Version Recommendations

Chkk monitors Connaisseur’s release cadence, notifying teams when their deployed version falls behind or becomes vulnerable. Chkk aligns Connaisseur versions with Kubernetes compatibility, community feedback, and known issues to recommend stable upgrade targets. This helps avoid operational pitfalls associated with outdated Connaisseur instances, including potential security vulnerabilities and compatibility breakages. Custom or forked deployments with specific support timelines are fully accommodated within Chkk’s recommendations.

Upgrade Templates

Chkk offers structured Upgrade Templates covering both in-place and blue-green upgrade strategies using Helm or raw Kubernetes YAML. These templates detail precise steps for safely transitioning webhook configurations, minimizing operational risk during upgrades. Templates include rollback points and contingency steps for high-availability environments, such as temporarily switching the webhook to detection mode or a fail-open failure policy and restoring enforcement afterwards. They fit standard GitOps and CI/CD workflows, ensuring repeatable and reliable Connaisseur upgrades.

Preverification

Chkk’s preverification feature simulates Connaisseur upgrades within an isolated replica of your production environment. It proactively detects potential problems like schema mismatches, missing or misconfigured keys, or resource allocation issues. This digital twin approach ensures operational readiness by verifying successful signature validation and webhook admission policies before actual production deployment. Preverification significantly reduces the likelihood of encountering unexpected issues during live upgrades.

Supported Packages

Chkk supports Connaisseur deployments through Helm, Kustomize, or plain YAML manifests, ensuring flexibility in package management approaches. It respects customized forks, private registries, and specialized deployment configurations, preserving consistency during upgrades. Chkk can directly parse and adjust GitOps-managed deployments, accurately mapping existing configurations to new releases. This comprehensive package support simplifies operational maintenance across diverse deployment methodologies.

Common Operational Considerations

  • Admission Webhook Availability: Run multiple replicas so a single Pod restart does not block admissions. Set the webhook to fail-open (failurePolicy Ignore) only during planned maintenance and restore fail-closed (Fail) immediately afterwards: while fail-open, any image, signed or not, is admitted whenever the webhook is unreachable.
  • Network Access to Trust Sources: Signature lookups need reliable connectivity from the cluster to the registries and Notary servers holding signature data; configure internal mirrors where egress is restricted to avoid admission delays or failures.
  • Key & Certificate Rotation: Rotate trust roots and webhook TLS certificates proactively and schedule the changes in maintenance windows; an expired webhook certificate or a stale public key blocks every deployment the webhook covers.
  • Digest vs Tag Visibility: Connaisseur rewrites the image reference in the admitted Pod spec to a digest-qualified form, so tooling that inspects running Pods sees the verified digest rather than the bare tag; make sure debugging runbooks and inventory tooling handle digest references.
  • Gradual Enforcement and Namespaces: Start in detection (audit-only) mode or limit validation to selected namespaces to discover unsigned workloads, then progressively enforce to avoid broad deployment disruptions.
  • Performance and Caching: Enable Redis caching in environments with a high deployment rate to avoid repeating verification of identical image references; scale webhook replicas to keep admission latency low.
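The postflight checks described under Preflight & Postflight Checks (webhook health, digest enforcement) and the first, fourth and fifth considerations above can be expressed as a small offline audit. The following is an added example, not Chkk's or Connaisseur's own code: it takes Kubernetes objects in the shape `kubectl get <kind> -o json` returns and reports a fail-open webhook, a single-replica webhook Deployment, and admitted Pods whose images are not digest-pinned. The webhook name, service name and all sample objects are constructed for the example and are not taken from a real cluster or from Connaisseur's chart.

```python
"""Offline postflight checks for a signature-enforcing admission webhook.

Added example, not Chkk's or Connaisseur's code. Inputs are dicts in the shape
`kubectl get <kind> -o json` returns; the sample objects at the bottom are
constructed for this example, not captured from a real cluster.
"""
from __future__ import annotations

import copy
import re

# A digest-pinned reference ends in @sha256:<64 lowercase hex characters>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_images(pod: dict) -> list[str]:
    """Return image references in a Pod spec that are not pinned to a sha256 digest.

    After admission every container, initContainer and ephemeralContainer of a
    validated Pod should carry the digest the webhook verified.
    """
    spec = pod.get("spec", {})
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    return [c.get("image", "") for c in containers if not DIGEST_RE.search(c.get("image", ""))]


def webhook_findings(mwc: dict) -> list[str]:
    """Flag fail-open or incomplete webhooks in a MutatingWebhookConfiguration."""
    findings: list[str] = []
    for wh in mwc.get("webhooks", []):
        name = wh.get("name", "<unnamed>")
        # failurePolicy other than Fail admits every image, signed or not,
        # whenever the webhook is unreachable.
        if wh.get("failurePolicy") != "Fail":
            findings.append(f"{name}: failurePolicy={wh.get('failurePolicy')!r} is fail-open")
        if not wh.get("clientConfig", {}).get("caBundle"):
            findings.append(f"{name}: clientConfig.caBundle missing, API server cannot verify webhook TLS")
        resources = {r for rule in wh.get("rules", []) for r in rule.get("resources", [])}
        if not resources & {"pods", "*", "*/*"}:
            findings.append(f"{name}: rules do not match pods, so Pod creation is never validated")
    return findings


def availability_findings(deploy: dict) -> list[str]:
    """Flag a webhook Deployment that cannot survive a single replica restart."""
    replicas = deploy.get("spec", {}).get("replicas", 1)
    ready = deploy.get("status", {}).get("readyReplicas", 0)
    findings: list[str] = []
    if replicas < 2:
        findings.append(f"replicas={replicas}: one restart blocks all admissions while failurePolicy=Fail")
    if ready < replicas:
        findings.append(f"readyReplicas={ready} < replicas={replicas}: webhook not fully available")
    return findings


def postflight_report(mwc: dict, deploy: dict, pods: list[dict]) -> dict[str, list[str]]:
    """Combine the checks into one report keyed by check name (empty list = pass)."""
    return {
        "webhook": webhook_findings(mwc),
        "availability": availability_findings(deploy),
        "digest_pinning": [img for pod in pods for img in unpinned_images(pod)],
    }


# --- constructed sample objects (hypothetical names, not from a real cluster) ---
FAKE_DIGEST = "sha256:" + "a" * 64
SAMPLE_WEBHOOK_FAIL_OPEN = {
    "kind": "MutatingWebhookConfiguration",
    "webhooks": [{
        "name": "image-signature.example.com",
        "failurePolicy": "Ignore",  # fail-open on purpose, to be detected
        "clientConfig": {"service": {"name": "signature-webhook", "namespace": "signing"},
                         "caBundle": "LS0tLS1CRUdJTi4uLg=="},  # placeholder, not a real CA
        "rules": [{"operations": ["CREATE", "UPDATE"], "apiGroups": [""],
                   "apiVersions": ["v1"], "resources": ["pods"]}],
    }],
}
SAMPLE_WEBHOOK_OK = copy.deepcopy(SAMPLE_WEBHOOK_FAIL_OPEN)
SAMPLE_WEBHOOK_OK["webhooks"][0]["failurePolicy"] = "Fail"

SAMPLE_DEPLOY_SINGLE = {"spec": {"replicas": 1}, "status": {"readyReplicas": 1}}
SAMPLE_DEPLOY_HA = {"spec": {"replicas": 3}, "status": {"readyReplicas": 3}}

SAMPLE_POD_PINNED = {"spec": {"containers": [
    {"name": "app", "image": f"registry.example.com/team/app:1.4.2@{FAKE_DIGEST}"}]}}
SAMPLE_POD_UNPINNED = {"spec": {
    "containers": [{"name": "app", "image": "registry.example.com/team/app:1.4.2"}],
    "initContainers": [{"name": "init", "image": "busybox:latest"}],
}}

if __name__ == "__main__":
    report = postflight_report(SAMPLE_WEBHOOK_FAIL_OPEN, SAMPLE_DEPLOY_SINGLE,
                               [SAMPLE_POD_PINNED, SAMPLE_POD_UNPINNED])
    for check, items in report.items():
        print(f"[{'OK' if not items else 'FINDINGS'}] {check}")
        for item in items:
            print(f"    - {item}")
```

Against a live cluster, feed the script the output of `kubectl get mutatingwebhookconfiguration <name> -o json`, the webhook's Deployment, and the Pods of a namespace the webhook covers; a non-empty `digest_pinning` list after an upgrade means Pods were admitted without mutation and is the first thing to investigate before re-enabling enforcement.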

Additional Resources