Add ability to disable namespace opt-in #268
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,115 @@ | ||
| {{ template "chart.header" . }} | ||
|
There was a problem hiding this comment. Q: Why do we need this file ? There was a problem hiding this comment. You don't have to do There was a problem hiding this comment. Also makes it easy to validate because if There was a problem hiding this comment. There was a problem hiding this comment. Sgtm, what do you think @cpanato ? There was a problem hiding this comment. As mentioned, let's revert this change and keep only the opt-in functionality. |
||
|
|
||
| {{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} | ||
|
|
||
| {{ template "chart.description" . }} | ||
|
|
||
| **Homepage:** <https://github.com/sigstore/policy-controller> | ||
|
|
||
|
|
||
| ## Maintainers | ||
|
|
||
| | Name | Email | Url | | ||
| | ---- | ------ | --- | | ||
| | dlorenc | | | | ||
| | hectorj2f | | | | ||
|
|
||
| ## Source Code | ||
|
|
||
| * <https://github.com/sigstore/policy-controller> | ||
|
|
||
|
|
||
| {{ template "chart.requirementsSection" . }} | ||
|
|
||
| {{ template "chart.valuesSection" . }} | ||
|
|
||
| ### Deploy `policy-controller` Helm Chart | ||
|
|
||
| Install `policy-controller` using Helm: | ||
|
|
||
| ```shell | ||
| helm repo add sigstore https://sigstore.github.io/helm-charts | ||
|
|
||
| helm repo update | ||
|
|
||
| kubectl create namespace cosign-system | ||
|
|
||
| helm install policy-controller -n cosign-system sigstore/policy-controller --devel | ||
| ``` | ||
|
|
||
| The `policy-controller` enforce images matching the defined list of `ClusterImagePolicy` for the labeled namespaces. | ||
|
|
||
| Note that, by default, the `policy-controller` offers a configurable behavior defining whether to allow, deny or warn whenever an image does not match a policy in a specific namespace. This behavior can be configured using the `config-policy-controller` ConfigMap created under the release namespace, and by adding an entry with the property `no-match-policy` and its value `warn|allow|deny`. | ||
| By default, any image that does not match a policy is rejected whenever `no-match-policy` is not configured in the ConfigMap. | ||
|
|
||
| As supported in previous versions, you could create your own key pair: | ||
|
|
||
| ```shell | ||
| export COSIGN_PASSWORD=<my_cosign_password> | ||
| cosign generate-key-pair | ||
| ``` | ||
|
|
||
| This command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures: | ||
|
|
||
| ```shell | ||
| kubectl create secret generic mysecret -n \ | ||
| cosign-system --from-file=cosign.pub=./cosign.pub | ||
| ``` | ||
|
|
||
| **IMPORTANT:** The `cosign.secretKeyRef` flag is not supported anymore. Finally, you could reuse your secret `mysecret` by creating a `ClusterImagePolicy` that sets it as listed authorities, as shown below. | ||
|
|
||
| ```yaml | ||
| apiVersion: policy.sigstore.dev/v1alpha1 | ||
| kind: ClusterImagePolicy | ||
| metadata: | ||
| name: cip-key-secret | ||
| spec: | ||
| images: | ||
| - glob: "**your-desired-value**" | ||
| authorities: | ||
| - key: | ||
| secretRef: | ||
| name: mysecret | ||
|
|
||
| ``` | ||
|
|
||
| ### Enabling Admission control | ||
|
|
||
| To enable the `policy admission webhook` to check for signed images, you will need to add the following label in each namespace that you would want the webhook triggered: | ||
|
|
||
| Label: `policy.sigstore.dev/include: "true"` | ||
|
|
||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| labels: | ||
| policy.sigstore.dev/include: "true" | ||
| kubernetes.io/metadata.name: my-namespace | ||
| name: my-namespace | ||
| spec: | ||
| finalizers: | ||
| - kubernetes | ||
| ``` | ||
|
|
||
| ### Testing the webhook | ||
|
|
||
| 1. Using Unsigned Images: | ||
| Creating a deployment referencing images that are not signed will yield the following error and no resources will be created: | ||
|
|
||
| ```shell | ||
| kubectl apply -f my-deployment.yaml | ||
| Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image | ||
| ``` | ||
|
|
||
| 2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created. | ||
|
|
||
| ```shell | ||
| kubectl run pod1-signed --image=< REGISTRY_USER >/nginx:signed -n testns | ||
| pod/pod1-signed created | ||
| ``` | ||
|
|
||
| ## More info | ||
|
|
||
| You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/). | ||
| {{ template "helm-docs.versionFooter" . }} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's move this change to a separate PR, so we can address the issue itself.