Originally posted by albertovmware June 17, 2022
I think that it could be good to block unsigned images in a specific namespace and use detection mode on other namespaces.
When I use the namespace validation I can select ignore & validate, maybe adding another tag in the validate mode, like "validate_warm" could solve it.
Other option can be allowing detectionMode per namespace using tags.
Maybe it's possible to do it and I'm missing something...
If anyone can suggest any way to do that, it will be appreciated.
Thanks
My idea would be to allow for all features (namespace, detection, unchanged, child, maybe alerting(?)) to enable them for certain namespaces. I see two options:
a namespace label like detection mode does it currently
Both have the problem of only working in those namespaces that are within the namespace validation set, which may be unclear.
The former has the disadvantage of being static at config time and requiring redeployment when the set of namespaces to en/disable the feature in changes. It'd have the advantage of being explicit. If we changed namespace validation to that syntax (or as an option and it was chosen by the user), we'd have the advantage of being able to verify that namespaces configured for other features will actually be validated.
The latter has the disadvantage of being implicit and can be circumvented by an attacker with permission to change ns labels. It'd have the advantage of being a single way to configure Connaisseur and not mixing two ways.
I think I tend slightly toward the former solution since I personally dislike the idea of many labels on resources, but that preference is only very weak. I could also implement both methods, and allow the user to choose. Any thoughts @xopham @phbelitz?
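The circumvention risk raised in the comment above for the label-based option depends on who is allowed to modify Namespace objects. As an added example (not part of the thread and not Connaisseur code), this Python check lists the ClusterRoles, and the subjects bound to them, that can update or patch namespaces; the RBAC objects are constructed samples and all function names are hypothetical.

```python
# Constructed sample objects (not from a real cluster), shaped like the items
# from `kubectl get clusterroles -o json` / `kubectl get clusterrolebindings -o json`.
ROLES = [
    {"metadata": {"name": "ns-labeler"},
     "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "patch"]}]},
    {"metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["namespaces", "pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "apps-editor"},
     "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["update"]}]},
]
BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "ns-labeler"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
]

WRITE_VERBS = {"update", "patch", "*"}  # verbs that let a subject change labels

def rule_allows_label_change(rule):
    """True if the rule grants update/patch on namespaces in the core API group."""
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    return (("" in groups or "*" in groups)
            and ("namespaces" in resources or "*" in resources)
            and bool(WRITE_VERBS & set(rule.get("verbs") or [])))

def roles_that_can_relabel(roles):
    return sorted(r["metadata"]["name"] for r in roles
                  if any(rule_allows_label_change(x) for x in r.get("rules") or []))

def subjects_that_can_relabel(roles, bindings):
    """Scope is narrowed to ClusterRoleBindings; Roles/RoleBindings need the same check."""
    risky = set(roles_that_can_relabel(roles))
    found = set()
    for b in bindings:
        if b["roleRef"]["kind"] == "ClusterRole" and b["roleRef"]["name"] in risky:
            for s in b.get("subjects") or []:
                ns = s.get("namespace")
                found.add(f'{s["kind"]}:{ns}/{s["name"]}' if ns else f'{s["kind"]}:{s["name"]}')
    return sorted(found)

if __name__ == "__main__":
    print(roles_that_can_relabel(ROLES))
    print(subjects_that_can_relabel(ROLES, BINDINGS))
```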
Discussed in #691