add sigstore policy for k8s deprecated registry #301
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
I share the list of commands I used to validate your example. I feel we can add an additional README.md within the sigstore directory with this example, if you want:
Thanks @hectorj2f but my config-policy-controller was already set to warn. It was added when I installed the chart. See https://github.com/sigstore/helm-charts/blob/a5e67c104bb9bf0b51969f5b569a40489587c535/charts/policy-controller/templates/policy-webhook/configmap-policy-controller.yaml#L28.
@hectorj2f and @jicowan I have this working, I think. First, I had to opt the namespace into image policy processing with: Then I used this test pod with 1 good and 1 bad container image:
Finally, I had to write two policies, 1 to warn, 1 to allow all others.
The outcome is:
@jimmyraywv Yes, that is another option. Otherwise you just need to patch the policy-controller configMap to allow images that do not match any policy, as mentioned above. So you don't need to create an additional policy to allow all the rest of the images.
@hectorj2f Yes, please remove the sample policy from the helm chart or comment it out with a '#' mark. It's confusing.
@hectorj2f that is already there.
@jimmyraywv No, it is the same mistake we faced with @jicowan :). The _example block is just a placeholder and isn't taken into account. We'll fix it today because it is confusing.
Just use my patch command and it will work.
Ok, I have it working, as I think it is supposed to, without the secondary allow-all policy.
Yes, I think there needs to be a correction in your docs as this is very confusing. What are the default settings? Given my experience with other PaC engines, I would expect that namespaces are automatically included and must opt out to be ignored. Secondly, I would expect that the no matching image-policy warning setting of If not, then at a minimum, the PR should address both of these to get policy-controller to a default level, similar to other PaC solutions, for this use case.
@jimmyraywv Awesome 🎉 ! Thanks for your feedback 👏🏻. I'll highlight these default settings in our documentation; some of these details are already present but might not be easy to find (e.g. https://docs.sigstore.dev/policy-controller/overview#admission-of-images, https://docs.sigstore.dev/policy-controller/overview#enable-policy-controller-admission-controller-for-namespaces). Generally we decided to require users to set a label to enforce signed images, to avoid any potential downtime that could be caused by enforcing on all the namespaces. Nowadays it is still very rare to see signed images on Kubernetes clusters, so if we applied this enforcement on all namespaces (by default), that might block users or the system itself from deploying any existing (rescheduled) or new pods. I'll add the required steps to achieve the requested behavior from the policy-controller here. Would it be okay to add a new README, or would you prefer I include the steps in the main one?
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
Thanks for contributing to the best practices!
Thanks @jicowan and @jimmyraywv for your reviews ❤️ !
Issue #, if available:
closes #300
Description of changes:
Add a Sigstore image policy to reject any creation of Pods using the k8s deprecated registry.
I share some links where anyone can find more information to better understand the purpose of sigstore/policy-controller:
https://github.com/sigstore/policy-controller/blob/main/docs/api-types/index.md
https://docs.sigstore.dev/policy-controller/overview/
https://github.com/sigstore/helm-charts/tree/main/charts/policy-controller
https://blog.sigstore.dev/cosign-and-policy-controller-with-gke-artifact-registry-and-cloud-kms/
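The three pieces the thread walks through (namespace opt-in, a ClusterImagePolicy for the deprecated registry, and the no-match behaviour) as one added example; this is not the PR's own policy. It assumes the deprecated registry is k8s.gcr.io, that policy-controller runs in the `cosign-system` namespace, and uses the ClusterImagePolicy `static` authority and `mode` fields from the policy-controller API docs linked above.

```yaml
# Added example, not the PR's policy. Assumes the deprecated registry is
# k8s.gcr.io and that policy-controller is installed in cosign-system.
---
# 1. Opt the namespace in: without this label policy-controller ignores
#    pods created in the namespace, which is why the test pod was admitted.
apiVersion: v1
kind: Namespace
metadata:
  name: demo
  labels:
    policy.sigstore.dev/include: "true"
---
# 2. Match anything pulled from the deprecated registry and fail it.
#    mode: enforce rejects the pod; mode: warn admits it with a warning.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: reject-deprecated-k8s-registry
spec:
  images:
    - glob: "k8s.gcr.io/**"
  mode: enforce
  authorities:
    - static:
        action: fail
        message: "k8s.gcr.io is deprecated; pull from registry.k8s.io instead"
---
# 3. What happens to images that match no policy at all. This replaces the
#    need for a second "allow all others" policy; note the chart's _example
#    key is only a placeholder and is not read, so set no-match-policy itself.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-policy-controller
  namespace: cosign-system
data:
  no-match-policy: warn   # allow | warn | deny
```

With this in place a pod in `demo` that references `k8s.gcr.io/pause:3.9` is rejected, while an unrelated image only produces a warning because of `no-match-policy: warn`.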