From 0d550f6690d10b7d4603cd5b1a7ecacd92f25894 Mon Sep 17 00:00:00 2001
From: Carlos Panato
Date: Wed, 3 Nov 2021 09:44:55 +0100
Subject: [PATCH 1/2] cosigned: update to release v1.3.0
Signed-off-by: Carlos Panato
---
 charts/cosigned/Chart.yaml | 6 +++---
 charts/cosigned/README.md | 6 +++---
 charts/cosigned/values.yaml | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/charts/cosigned/Chart.yaml b/charts/cosigned/Chart.yaml
index 2243eb6c..aa6b16cb 100644
--- a/charts/cosigned/Chart.yaml
+++ b/charts/cosigned/Chart.yaml
@@ -8,8 +8,8 @@ sources:
 type: application
 name: cosigned
-version: v0.0.6
-appVersion: v1.2.1
+version: v0.1.0
+appVersion: v1.3.0
 maintainers:
 - name: dlorenc
@@ -19,4 +19,4 @@ annotations:
 artifacthub.io/license: Apache-2.0
 artifacthub.io/images: |
 - name: cosigned
- image: gcr.io/projectsigstore/cosigned:v1.2.1@sha256:44c89910a4a480fe3d9ab1733d09a357e7fd681cfc1d964752ffe1b83600cb9f
+ image: gcr.io/projectsigstore/cosigned:1.3.0@sha256:9fe107b183d6c6badaca52e380720c0549db09b645d055f00601797f48060aa2
diff --git a/charts/cosigned/README.md b/charts/cosigned/README.md
index df393877..c059d4c8 100644
--- a/charts/cosigned/README.md
+++ b/charts/cosigned/README.md
@@ -33,7 +33,7 @@ helm repo update
 helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret
 ```
-### Enabling Admission control
+### Enabling Admission control
 To enable the `cosigned admission webhook` to check for signed images, you will need to add the following annotation in each namespace that you would want the webhook triggered:
@@ -52,9 +52,9 @@ spec:
 - kubernetes
 ```
-### Testing the webhook
+### Testing the webhook
-1. Using Unsigned Images:
+1. Using Unsigned Images:
 Creating a deployment referencing images that are not signed will yield the following error and no resources will be created:
 ```shell
diff --git a/charts/cosigned/values.yaml b/charts/cosigned/values.yaml
index 5eec9067..72ba1c00 100644
--- a/charts/cosigned/values.yaml
+++ b/charts/cosigned/values.yaml
@@ -8,8 +8,8 @@ webhook:
 name: webhook
 image:
 repository: gcr.io/projectsigstore/cosigned
- # crane digest gcr.io/projectsigstore/cosigned:v1.2.1
- version: sha256:44c89910a4a480fe3d9ab1733d09a357e7fd681cfc1d964752ffe1b83600cb9f
+ # crane digest gcr.io/projectsigstore/cosigned:1.3.0
+ version: sha256:9fe107b183d6c6badaca52e380720c0549db09b645d055f00601797f48060aa2
 pullPolicy: IfNotPresent
 env: {}
 extraArgs: {}
From ee32cd4d5f15ab8369ad937123d9baa54f0f120a Mon Sep 17 00:00:00 2001
From: Carlos Panato
Date: Wed, 10 Nov 2021 14:01:40 +0100
Subject: [PATCH 2/2] add ValidatingWebhookConfiguration
Signed-off-by: Carlos Panato
---
 .../webhook/clusterrole_webhook.yaml | 4 ++--
 .../templates/webhook/webhook_mutating.yaml | 19 +++++++++++++++++++
 charts/cosigned/values.yaml | 2 +-
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 charts/cosigned/templates/webhook/webhook_mutating.yaml
diff --git a/charts/cosigned/templates/webhook/clusterrole_webhook.yaml b/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
index dcc6cb02..b19b0aac 100644
--- a/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
+++ b/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
@@ -11,11 +11,11 @@ rules:
 verbs: ["create"]
 # Allow the reconciliation of exactly our validating webhook.
 - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
 verbs: ["list", "watch"]
 - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
 verbs: ["get", "update"]
 resourceNames: ["cosigned.sigstore.dev"]
diff --git a/charts/cosigned/templates/webhook/webhook_mutating.yaml b/charts/cosigned/templates/webhook/webhook_mutating.yaml
new file mode 100644
index 00000000..e8ed8737
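Review bot: The comment `# Allow the reconciliation of exactly our validating webhook.` above the first changed `resources:` line is now stale, since both rules also grant access to `mutatingwebhookconfigurations`; change it to `# Allow the reconciliation of exactly our validating and mutating webhooks.`. The `resourceNames: ["cosigned.sigstore.dev"]` restriction on the `get`/`update` rule still bounds write access to one object of each kind, and the MutatingWebhookConfiguration added later in this series uses that same name, so the two stay consistent. `list`/`watch` cannot be narrowed by `resourceNames`, so the first rule is cluster-wide read access to both kinds; that is expected for an informer but is worth stating in the comment so nobody later tries to "fix" it by adding a name filter that the API ignores. The enclosing `rules:` sequence starts before the hunk.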
--- /dev/null
+++ b/charts/cosigned/templates/webhook/webhook_mutating.yaml
@@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: cosigned.sigstore.dev
+webhooks:
+- name: cosigned.sigstore.dev
+ namespaceSelector:
+ # The webhook should only apply to things that opt-in
+ matchExpressions:
+ - key: cosigned.sigstore.dev/include
+ operator: In
+ values: ["true"]
+ admissionReviewVersions: [v1]
+ clientConfig:
+ service:
+ name: webhook
+ namespace: {{ .Release.Namespace }}
+ failurePolicy: Fail
+ sideEffects: None
diff --git a/charts/cosigned/values.yaml b/charts/cosigned/values.yaml
index 72ba1c00..27f87f96 100644
--- a/charts/cosigned/values.yaml
+++ b/charts/cosigned/values.yaml
@@ -26,7 +26,7 @@ webhook:
 podSecurityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
- runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - all
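Review bot: The new MutatingWebhookConfiguration declares no `rules` and no `clientConfig.caBundle`, so as rendered it matches no operation and carries no trust anchor for the API server; given that the ClusterRole in this series grants `get`/`update` on `mutatingwebhookconfigurations` named `cosigned.sigstore.dev`, these fields appear to be filled in at runtime by the webhook process, but the template does not say so. Add a comment under `webhooks:` such as `# rules and clientConfig.caBundle are intentionally omitted; the cosigned webhook reconciles them at runtime (see clusterrole_webhook.yaml)` so a reader does not treat the empty config as a bug or relax `failurePolicy: Fail` to work around it. `failurePolicy: Fail` together with `sideEffects: None` and the opt-in `namespaceSelector` is the right fail-closed combination for an admission gate and should stay as written. Quoting the templated value as `namespace: "{{ .Release.Namespace }}"` keeps the file parseable by plain YAML linters before Helm renders it. Separately, the patch subject says ValidatingWebhookConfiguration while this file adds a MutatingWebhookConfiguration, which is worth correcting in the commit message.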
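Review bot: Replacing `runAsNonRoot: true` with `runAsUser: 1000` in the values.yaml hunk weakens the container hardening rather than tightening it: `runAsNonRoot` makes the kubelet refuse to start the container if its effective UID resolves to 0, and the restricted Pod Security Standard requires it, whereas `runAsUser` alone only selects a UID that any values override can change back. Keep both keys, `runAsNonRoot: true` followed by `runAsUser: 1000`, so the two settings reinforce each other. If the motivation was that the image declares no numeric USER and the kubelet rejected it for that reason (the commit message does not say), the fixed UID resolves that on its own and does not conflict with `runAsNonRoot`. Note also that `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities` are container-level securityContext fields, so check that the template consuming `podSecurityContext` renders them into the container spec rather than `pod.spec.securityContext`, where they would be dropped silently; the enclosing `webhook:` mapping starts before the hunk.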