From 30f3e6edd48f890a23c5940f924ed00ea5ab0695 Mon Sep 17 00:00:00 2001 From: Alex Shearn Date: Tue, 7 May 2024 14:18:12 +0100 Subject: [PATCH] Expose the deployment strategy values for the policy controller Prior to this change, the policy controller webhook was not able to have its deployment strategy modified. If you only deployed a single replica, it could not perform a rolling update due to the default `maxSurge: 25%` being rounded down to 0. This change exposes those values, so that the `maxSurge` can be updated and a single instance can be rolled. Fixes #748. Signed-off-by: Alex Shearn
---
 charts/policy-controller/README.md | 117 +-----------------
 .../templates/webhook/deployment_webhook.yaml | 7 ++
 2 files changed, 8 insertions(+), 116 deletions(-)
diff --git a/charts/policy-controller/README.md b/charts/policy-controller/README.md
index b9e1c651..9d3d9905 100644
--- a/charts/policy-controller/README.md
+++ b/charts/policy-controller/README.md
@@ -40,7 +40,7 @@ The Helm chart for Policy Controller
 | webhook.failurePolicy | string | `"Fail"` | |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` | |
 | webhook.image.repository | string | `"ghcr.io/sigstore/policy-controller/policy-controller"` | |
-| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | `"v0.8.2"` |
+| webhook.image.version | string | `"sha256:f291fce5b9c1a69ba54990eda7e0fe4114043b1afefb0f4ee3e6f84ec9ef1605"` | |
 | webhook.name | string | `"webhook"` | |
 | webhook.namespaceSelector.matchExpressions[0].key | string | `"policy.sigstore.dev/include"` | |
 | webhook.namespaceSelector.matchExpressions[0].operator | string | `"In"` | |
@@ -71,118 +71,3 @@ The Helm chart for Policy Controller | webhook.webhookNames.defaulting | string | `"defaulting.clusterimagepolicy.sigstore.dev"` | | | webhook.webhookNames.validating | string | `"validating.clusterimagepolicy.sigstore.dev"` | | - -### Deploy `policy-controller` Helm Chart - -Install `policy-controller` using Helm: - -```shell -helm repo add sigstore https://sigstore.github.io/helm-charts -helm repo update -kubectl create namespace cosign-system -helm install policy-controller -n cosign-system sigstore/policy-controller --devel -``` - -The `policy-controller` enforce images matching the defined list of `ClusterImagePolicy` for the labeled namespaces. - -Note that, by default, the `policy-controller` offers a configurable behavior defining whether to allow, deny or warn whenever an image does not match a policy in a specific namespace. This behavior can be configured using the `config-policy-controller` ConfigMap created under the release namespace, and by adding an entry with the property `no-match-policy` and its value `warn|allow|deny`. -By default, any image that does not match a policy is rejected whenever `no-match-policy` is not configured in the ConfigMap. - -As supported in previous versions, you could create your own key pair: - -```shell -export COSIGN_PASSWORD= -cosign generate-key-pair -``` - -This command generates two key files `cosign.key` and `cosign.pub`. Next, create a secret to validate the signatures: - -```shell -kubectl create secret generic mysecret -n \ -cosign-system --from-file=cosign.pub=./cosign.pub -``` - -**IMPORTANT:** The `cosign.secretKeyRef` flag is not supported anymore. Finally, you could reuse your secret `mysecret` by creating a `ClusterImagePolicy` that sets it as listed authorities, as shown below. 
- -```yaml -apiVersion: policy.sigstore.dev/v1alpha1 -kind: ClusterImagePolicy -metadata: - name: cip-key-secret -spec: - images: - - glob: "**your-desired-value**" - authorities: - - key: - secretRef: - name: mysecret -``` -#### Configuring Custom Certificate Authorities (CA) - -The `policy-controller` can be configured to use custom CAs to communicate to container registries, for example, when you have a private registry with a self-signed TLS certificate. - -To configure `policy-controller` to use custom CAs, follow these steps: - -1. Make sure the `policy-controller` namespace exists: - - ```shell - kubectl create namespace cosign-system - ``` - -2. Create a bundle file with all the root and intermediate certificates and name it `ca-bundle.crt`. - -3. Create a `ConfigMap` from the bundle: - ```shell - kubectl -n cosign-system create cm ca-bundle-config \ - --from-file=ca-bundle.crt="ca-bundle.crt" - ``` - -4. Install the `policy-controller`: - - ```shell - helm install -n cosign-system \ - --set webhook.registryCaBundle.name=ca-bundle-config \ - --set webhook.registryCaBundle.key=ca-bundle.crt \ - policy-controller sigstore/policy-controller - ``` - -### Enabling Admission control - -To enable the `policy admission webhook` to check for signed images, you will need to add the following label in each namespace that you would want the webhook triggered: - -Label: `policy.sigstore.dev/include: "true"` - -```yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - policy.sigstore.dev/include: "true" - kubernetes.io/metadata.name: my-namespace - name: my-namespace -spec: - finalizers: - - kubernetes -``` - -### Testing the webhook - -1. 
Using Unsigned Images: -Creating a deployment referencing images that are not signed will yield the following error and no resources will be created: - - ```shell - kubectl apply -f my-deployment.yaml - Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image - ``` - -2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created. - - ```shell - kubectl run pod1-signed --image=< REGISTRY_USER >/nginx:signed -n testns - pod/pod1-signed created - ``` - - -## More info - -You can find more information about the policy-controller in [here](https://docs.sigstore.dev/policy-controller/overview/).
diff --git a/charts/policy-controller/templates/webhook/deployment_webhook.yaml b/charts/policy-controller/templates/webhook/deployment_webhook.yaml
index 54fd36d6..c736e876 100644
--- a/charts/policy-controller/templates/webhook/deployment_webhook.yaml
+++ b/charts/policy-controller/templates/webhook/deployment_webhook.yaml
@@ -12,6 +12,13 @@ spec:
 matchLabels:
 {{- include "policy-controller.selectorLabels" . | nindent 6 }}
 control-plane: {{ template "policy-controller.fullname" . }}-webhook
+
+{{- if .Values.deployment.strategy }}
+ strategy:
+{{ toYaml .Values.deployment.strategy | trim | indent 4 }}
+ {{ if eq .Values.deployment.strategy.type "Recreate" }}rollingUpdate: null{{ end }}
+{{- end }}
+
 template:
 metadata:
 labels:
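Review bot: The new block dereferences `.Values.deployment.strategy`, yet the diffstat touches only the README and this template and the regenerated README table gains no `deployment.*` row, so unless values.yaml already defines a `deployment` key, a render that does not pass `--set deployment.strategy...` will presumably fail with Helm's nil-pointer error on `.strategy` instead of quietly skipping the block. A documented default in values.yaml fixes both the render and the missing docs, e.g. `deployment:` / `  # -- Deployment strategy for the webhook; an empty map keeps the Kubernetes default` / `  strategy: {}` (an empty map is falsy, so the `if` still skips it). That comment should also warn that, with the default `webhook.failurePolicy: "Fail"` shown in the README table, a `Recreate` strategy or a rolling update that cannot surge takes the admission webhook down for the duration of the rollout, rejecting every matching request in labeled namespaces until it is back (and, with `Ignore`, admitting them unchecked). Naming the value `webhook.deploymentStrategy` would also match the `webhook.*` prefix every other setting visible in the table uses; the rest of the Deployment spec lies outside the hunk.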