From 6455d93cb369610cd3a6e400620c795570de574b Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sun, 12 Apr 2026 09:59:37 -0700 Subject: [PATCH] Review local-registry control: fix inaccurate description, enumerate exceptions The control claimed all images came from the private registry, but 12+ services pull from external public registries. Updated description to reflect reality and catalogued external-image categories in notes. Co-Authored-By: Claude Opus 4.6 (1M context) --- compensating-controls.yaml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/compensating-controls.yaml b/compensating-controls.yaml index 6b0af70..ae4865b 100644 --- a/compensating-controls.yaml +++ b/compensating-controls.yaml @@ -39,15 +39,23 @@ controls: - id: local-registry description: >- - All container images are pulled from private zot registry - (registry.ops.eblu.me). No shared external registry credentials - are cached on cluster nodes. + Operator-built services use a private zot registry + (registry.ops.eblu.me) for supply-chain control. Remaining + images are pulled from public registries without stored + credentials. No shared registry secrets are cached on cluster + nodes. created: 2026-03-30 - last-reviewed: 2026-03-30 + last-reviewed: 2026-04-12 notes: >- Verify by checking image prefixes in kustomization.yaml files. - Upstream images (immich, ollama) are exceptions — track in - service-versions.yaml. + Known external-image categories: (1) upstream apps not yet + mirrored — immich, ollama, frigate, frigate-notify, valkey; + (2) infrastructure components — tailscale operator/proxy, + external-secrets, 1password-connect, forgejo-runner, docker + DinD, nvidia-device-plugin; (3) utility base images — busybox, + alpine (grafana init containers). Track upstream versions in + service-versions.yaml. Goal is to progressively mirror these + into zot. - id: sso-gated-admin-tools description: >-
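Review bot: the new description lines ("Remaining images are pulled from public registries without stored credentials. No shared registry secrets are cached on cluster nodes.") make a claim the notes give no way to verify; "Verify by checking image prefixes in kustomization.yaml files" only establishes which registry an image comes from, not that no pull secret exists. Suggest adding a second verification step to `notes`, e.g. confirming that no `imagePullSecrets` are referenced in the kustomizations and that no `kubernetes.io/dockerconfigjson` secrets are present in the affected namespaces, so the "no shared registry secrets" claim is checkable the same way the prefix claim is. Separately, since the control's stated purpose is supply-chain control, "Track upstream versions in service-versions.yaml" says nothing about whether the external images in categories (1)-(3) are referenced by mutable tag or by digest; if by tag, consider stating that the interim measure until they are mirrored into zot is digest pinning, otherwise the exception list documents the gap without compensating for it.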