Expose the deployment strategy values for the policy controller
Prior to this change, the policy controller webhook was not able to have
its deployment strategy modified. If you only deployed a single replica,
it could not perform a rolling update due to the default `maxSurge:
25%` being rounded down to 0.

This change exposes those values, so that the `maxSurge` can be updated
and a single instance can be rolled.

Fixes sigstore#748.

Signed-off-by: Alex Shearn <[email protected]>
shearn89 committed May 7, 2024
1 parent a9557ed commit 30f3e6e
Showing 2 changed files with 8 additions and 116 deletions.
117 changes: 1 addition & 116 deletions charts/policy-controller/README.md
Expand Up @@ -40,7 +40,7 @@ The Helm chart for Policy Controller
| webhook.failurePolicy | string | `"Fail"` | |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | |
| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | `"v0.8.2"` |
| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | |
| webhook.name | string | `"webhook"` | |
| webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | |
| webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | |
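Review bot: this hunk leaves the new value undocumented. The commit exposes `deployment.strategy` in the webhook template, but the README values table gains no `deployment.strategy` row (key, type, default, and a short description noting that a single-replica install needs `rollingUpdate.maxSurge` raised above the default so a rolling update can proceed); the only change here is dropping the `"v0.8.2"` description from the `webhook.image.version` row, which is unrelated to the stated purpose. Suggest adding the `deployment.strategy` row and leaving the image-version description as it was unless that removal is intentional and explained.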
Expand Down Expand Up @@ -71,118 +71,3 @@ The Helm chart for Policy Controller
| webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | |
| webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | |


### Deploy `policy-controller` Helm Chart

Install `policy-controller` using Helm:

```shell
helm repo add sigstore https://sigstore.github.io/helm-charts
helm repo update
kubectl create namespace cosign-system
helm install policy-controller -n cosign-system sigstore/policy-controller --devel
```

The `policy-controller` enforce images matching the defined list of `ClusterImagePolicy` for the labeled namespaces.

Note that, by default, the `policy-controller` offers a configurable behavior defining whether to allow, deny or warn whenever an image does not match a policy in a specific namespace. This behavior can be configured using the `config-policy-controller` ConfigMap created under the release namespace, and by adding an entry with the property `no-match-policy` and its value `warn|allow|deny`.
By default, any image that does not match a policy is rejected whenever `no-match-policy` is not configured in the ConfigMap.

As supported in previous versions, you could create your own key pair:

```shell
export COSIGN_PASSWORD=<my_cosign_password>
cosign generate-key-pair
```

This command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures:

```shell
kubectl create secret generic mysecret -n \
cosign-system --from-file=cosign.pub=./cosign.pub
```

**IMPORTANT:** The `cosign.secretKeyRef` flag is not supported anymore. Finally, you could reuse your secret `mysecret` by creating a `ClusterImagePolicy` that sets it as listed authorities, as shown below.

```yaml
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
name: cip-key-secret
spec:
images:
- glob: "**your-desired-value**"
authorities:
- key:
secretRef:
name: mysecret
```
#### Configuring Custom Certificate Authorities (CA)
The `policy-controller` can be configured to use custom CAs to communicate to container registries, for example, when you have a private registry with a self-signed TLS certificate.

To configure `policy-controller` to use custom CAs, follow these steps:

1. Make sure the `policy-controller` namespace exists:

```shell
kubectl create namespace cosign-system
```

2. Create a bundle file with all the root and intermediate certificates and name it `ca-bundle.crt`.

3. Create a `ConfigMap` from the bundle:
```shell
kubectl -n cosign-system create cm ca-bundle-config \
--from-file=ca-bundle.crt="ca-bundle.crt"
```

4. Install the `policy-controller`:

```shell
helm install -n cosign-system \
--set webhook.registryCaBundle.name=ca-bundle-config \
--set webhook.registryCaBundle.key=ca-bundle.crt \
policy-controller sigstore/policy-controller
```

### Enabling Admission control

To enable the `policy admission webhook` to check for signed images, you will need to add the following label in each namespace that you would want the webhook triggered:

Label: `policy.sigstore.dev/include: "true"`

```yaml
apiVersion: v1
kind: Namespace
metadata:
labels:
policy.sigstore.dev/include: "true"
kubernetes.io/metadata.name: my-namespace
name: my-namespace
spec:
finalizers:
- kubernetes
```

### Testing the webhook

1. Using Unsigned Images:
Creating a deployment referencing images that are not signed will yield the following error and no resources will be created:

```shell
kubectl apply -f my-deployment.yaml
Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image
```

2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created.

```shell
kubectl run pod1-signed --image=< REGISTRY_USER >/nginx:signed -n testns
pod/pod1-signed created
```


## More info

You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/).
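Review bot: this hunk deletes the chart's entire usage documentation (installation steps, the `no-match-policy` ConfigMap behaviour, the key-pair and `ClusterImagePolicy` example, custom CA configuration via `webhook.registryCaBundle`, the `policy.sigstore.dev/include: "true"` namespace label for admission control, and the webhook test walkthrough), which has nothing to do with exposing the deployment strategy and is not mentioned in the commit message. If these 115 lines were lost by regenerating the values table, restore them; if the removal is intended, split it into its own commit with a rationale so the history explains why operators no longer find these instructions in-chart.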
Expand Up @@ -12,6 +12,13 @@ spec:
matchLabels:
{{- include "policy-controller.selectorLabels" . | nindent 6 }}
control-plane: {{ template "policy-controller.fullname" . }}-webhook

{{- if .Values.deployment.strategy }}
strategy:
{{ toYaml .Values.deployment.strategy | trim | indent 4 }}
{{ if eq .Values.deployment.strategy.type "Recreate" }}rollingUpdate: null{{ end }}
{{- end }}

template:
metadata:
labels:
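Review bot: the `rollingUpdate: null` line can render a duplicate key, and the guard can fail on an unset value. If a user sets `deployment.strategy.type: Recreate` while still carrying a `rollingUpdate` block in the same value, `toYaml .Values.deployment.strategy` already emits `rollingUpdate:` and the appended `rollingUpdate: null` produces a second `rollingUpdate` key under `strategy`; rendering `type` explicitly and emitting `rollingUpdate` only when `type` is `RollingUpdate` (and `rollingUpdate: null` only for `Recreate`) avoids that. Since this commit changes only the README and this template, also confirm `values.yaml` already defines `deployment:` (even as an empty `strategy: {}`); otherwise `{{- if .Values.deployment.strategy }}` fails at render time with a nil pointer error for every install. Minor: the `{{ if ... }}`/`{{ end }}` on that line lacks `{{-` trimming, so a blank line is written into the manifest on every non-`Recreate` render.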

0 comments on commit 30f3e6e
