Add ability to disable opt-in

- add the ability to disable opt-in support for namespace validation
and enforce on across the entire cluster

Signed-off-by: Brian Davis <[email protected]>
Signed-off-by: slimm609 <[email protected]>

Author: slimm609

charts/policy-controller/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-description: The Helm chart for Policy  Controller
+description: The Helm chart for Policy Controller
 home: https://github.com/sigstore/policy-controller
 
 sources:
@@ -8,8 +8,8 @@ sources:
 type: application
 
 name: policy-controller
-version: 0.2.1
-appVersion: 0.2.1
+version: 0.2.2
+appVersion: 0.2.2
 
 maintainers:
   - name: dlorenc

charts/policy-controller/README.md

@@ -1,33 +1,37 @@
-# Policy Controller
+# policy-controller
 
-## Requirements
+The Helm chart for Policy Controller
+
+![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.2](https://img.shields.io/badge/AppVersion-0.2.2-informational?style=flat-square)
 
+## Requirements
 * Kubernetes cluster with rights to install admission webhooks
 * Helm
 
-## Parameters
-
 The following table lists the configurable parameters of the policy-controller chart and their default values.
 
+## Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commonNodeSelector | object | `{}` |  |
 | commonTolerations | list | `[]` |  |
-| imagePullSecrets | string | `nil` |  |
 | cosign.cosignPub | string | `""` |  |
 | cosign.secretKeyRef.name | string | `""` |  |
 | cosign.webhookName | string | `"policy.sigstore.dev"` |  |
+| imagePullSecrets | list | `[]` |  |
 | policywebhook.env | object | `{}` |  |
 | policywebhook.extraArgs | object | `{}` |  |
 | policywebhook.image.pullPolicy | string | `"IfNotPresent"` |  |
 | policywebhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-webhook"` |  |
-| policywebhook.image.version | string | `"sha256:63cd54b877bcd8b3d6d6b7110955e3f773bd8ad5b16d1b6133d4009c26c6da18"` |  |
-| policywebhook.replicaCount | int | `1` |  |
+| policywebhook.image.version | string | `"sha256:2d8ec2534e903a722a89efd6fe04a52a8a420ca3f8be1703aa697bf5faf418eb"` |  |
+| policywebhook.namespaceOptIn | bool | `true` |  |
 | policywebhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
 | policywebhook.podSecurityContext.capabilities.drop[0] | string | `"all"` |  |
 | policywebhook.podSecurityContext.enabled | bool | `true` |  |
 | policywebhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` |  |
 | policywebhook.podSecurityContext.runAsNonRoot | bool | `true` |  |
+| policywebhook.replicaCount | int | `1` |  |
 | policywebhook.resources.limits.cpu | string | `"100m"` |  |
 | policywebhook.resources.limits.memory | string | `"256Mi"` |  |
 | policywebhook.resources.requests.cpu | string | `"100m"` |  |
@@ -43,16 +47,16 @@ The following table lists the configurable parameters of the policy-controller c
 | serviceMonitor.enabled | bool | `false` |  |
 | webhook.env | object | `{}` |  |
 | webhook.extraArgs | object | `{}` |  |
-| webhook.replicaCount | int | `1` |  |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
 | webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` |  |
-| webhook.image.version | string | `"sha256:63cd54b877bcd8b3d6d6b7110955e3f773bd8ad5b16d1b6133d4009c26c6da18"` |  |
+| webhook.image.version | string | `"sha256:9b8fe4bcc058de060294f7ccb375c288010cd5e36cc3938393baef3c893d0106"` |  |
 | webhook.name | string | `"webhook"` |  |
 | webhook.podSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
 | webhook.podSecurityContext.capabilities.drop[0] | string | `"all"` |  |
 | webhook.podSecurityContext.enabled | bool | `true` |  |
 | webhook.podSecurityContext.readOnlyRootFilesystem | bool | `true` |  |
 | webhook.podSecurityContext.runAsUser | int | `1000` |  |
+| webhook.replicaCount | int | `1` |  |
 | webhook.resources.limits.cpu | string | `"100m"` |  |
 | webhook.resources.limits.memory | string | `"256Mi"` |  |
 | webhook.resources.requests.cpu | string | `"100m"` |  |
@@ -64,8 +68,6 @@ The following table lists the configurable parameters of the policy-controller c
 | webhook.service.type | string | `"ClusterIP"` |  |
 | webhook.serviceAccount.annotations | object | `{}` |  |
 
-----------------------------------------------
-
 ### Deploy `policy-controller` Helm Chart
 
 ```shell
@@ -127,3 +129,6 @@ Creating a deployment referencing images that are not signed will yield the foll
    kubectl run pod1-signed  --image=< REGISTRY_USER >/nginx:signed -n testns
    pod/pod1-signed created
    ```
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

charts/policy-controller/README.md.gotmpl

@@ -0,0 +1,79 @@
+{{ template "chart.header" . }}
+{{ template "chart.description" . }}
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+## Requirements
+* Kubernetes cluster with rights to install admission webhooks
+* Helm
+
+The following table lists the configurable parameters of the policy-controller chart and their default values.
+
+
+{{ template "chart.requirementsSection" . }}
+
+{{ template "chart.valuesSection" . }}
+
+### Deploy `policy-controller` Helm Chart
+
+```shell
+export COSIGN_PASSWORD=<my_cosign_password>
+cosign generate-key-pair
+```
+
+The previous command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures:
+
+```shell
+kubectl create namespace cosign-system
+
+kubectl create secret generic mysecret -n \
+cosign-system --from-file=cosign.pub=./cosign.pub
+```
+
+Install `policy-controller` using Helm and setting the value of the secret key reference to `mysecret` that you created above:
+
+```shell
+helm repo add sigstore https://sigstore.github.io/helm-charts
+
+helm repo update
+
+helm install policy-controller -n cosign-system sigstore/policy-controller --devel --set cosign.secretKeyRef.name=mysecret
+```
+
+### Enabling Admission control
+
+To enable the `policy admission webhook` to check for signed images, you will need to add the following label in each namespace that you would want the webhook triggered:
+
+Label: `policy.sigstore.dev/include: "true"`
+
+```yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    policy.sigstore.dev/include: "true"
+    kubernetes.io/metadata.name: my-namespace
+  name: my-namespace
+spec:
+  finalizers:
+  - kubernetes
+```
+
+### Testing the webhook
+
+1. Using Unsigned Images:
+Creating a deployment referencing images that are not signed will yield the following error and no resources will be created:
+
+    ```shell
+    kubectl apply -f my-deployment.yaml
+    Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image
+    ```
+
+2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created.
+
+   ```shell
+   kubectl run pod1-signed  --image=< REGISTRY_USER >/nginx:signed -n testns
+   pod/pod1-signed created
+   ```
+
+{{ template "helm-docs.versionFooter" . }}

charts/policy-controller/templates/webhook/webhook_mutating.yaml

@@ -4,12 +4,14 @@ metadata:
   name: {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }}
 webhooks:
 - name: {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }}
+  {{- if .Values.policywebhook.namespaceOptIn }}
   namespaceSelector:
     # The webhook should only apply to things that opt-in
     matchExpressions:
     - key: policy.sigstore.dev/include
       operator: In
       values: ["true"]
+  {{- end }}
   admissionReviewVersions: [v1]
   clientConfig:
     service:

charts/policy-controller/templates/webhook/webhook_validating.yaml

@@ -4,12 +4,14 @@ metadata:
   name: {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }}
 webhooks:
 - name: {{ required "A valid cosign.webhookName is required" .Values.cosign.webhookName }}
+  {{- if .Values.policywebhook.namespaceOptIn }}
   namespaceSelector:
     # The webhook should only apply to things that opt-in
     matchExpressions:
     - key: policy.sigstore.dev/include
       operator: In
       values: ["true"]
+  {{- end }}
   admissionReviewVersions: [v1]
   clientConfig:
     service:

charts/policy-controller/values.schema.json

@@ -144,6 +144,9 @@
                         }
                     }
                 },
+                "namespaceOptIn": {
+                    "type": "boolean"
+                },
                 "webhookNames": {
                     "type": "object",
                     "properties": {

charts/policy-controller/values.yaml

@@ -40,6 +40,8 @@ policywebhook:
     annotations: {}
     type: ClusterIP
     port: 443
+  # opt-in to validation with namespace annotation
+  namespaceOptIn: true
   webhookNames:
     defaulting: "defaulting.clusterimagepolicy.sigstore.dev"
     validating: "validating.clusterimagepolicy.sigstore.dev"