feature: integrate policy CRD into admission webhook #1419
Once we have things in a There is also a "config store" that supports watching a set of configs through the configmap watch, e.g. https://github.com/tektoncd/pipeline/blob/6cb0f4ccfce095495ca2f0aa20e5db8a791a1afe/cmd/webhook/main.go#L66-L68 ... and snapshotting a copy of those configs onto the context that is passed down into webhooks, e.g. https://github.com/tektoncd/pipeline/blob/6cb0f4ccfce095495ca2f0aa20e5db8a791a1afe/cmd/webhook/main.go#L83 Controllers can also be configured with a config store, which is automatically snapshotted onto the |
* This is the start of the necessary pieces to get #1418 and #1419 implemented (sigstore#1562)

  ClusterImagePolicy reconciler will now create a configmap (no secret support yet) and update it on changes (not on deletions yet). Also put up most necessary testing pieces so that we can start unit testing the reconciler and make sure it updates the resulting configmap. There's also a ConfigStore that we can then inject into the admission webhook that I have wired in there (nop for now, but demonstrating how it could work). Idea being that you could then for a given image ask for all the authorities that need to be validated. You can see what that config looks like in the /pkg/apis/config/testdata/image-policies.yaml and the accompanying tests in /pkg/apis/config/image_policies_test. I made sure that it works with both yaml/json. While playing with this there's some questions that came to mind, so I'll take those to the document. Hope is that we get enough pieces in place so that we can agree on the major moving pieces and how they fit together and enough testing in place that we can start sharding up the work more efficiently and in more focused areas.

  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Add placeholder configmap with an example. Rename to be consistent with the other cm. image-policies => config-image-policies

  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Address lint.

  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Use namespaced sharedinformerfactory so that we have the right permissions. Ran manual tests validating that things are working, when I remove things from the configmap, things are patched back in (after the global resync is triggered).

  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Check error, duh.

  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>

* Just trying to remove the files that verify-codegen is complaining.

  Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Use the policy/configmaps created in #1417 and #1418 in the webhook to enforce policy
@mattmoor @coyote240 @hectorj2f
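The two design pieces this thread describes are a config store that turns the reconciler's configmap into an in-memory policy set and snapshots it onto the request context, and a webhook-side lookup that, for a given image, returns all the authorities that must verify it. The following Go program is an added example written for this page; it is not code from the sigstore/cosign project and does not reproduce its `/pkg/apis/config` package. Everything in it is an assumption for illustration: the JSON field names (`images`, `authorities`, `name`, `key`, `keyless`), the use of `path.Match` for image globs, the `ToContext`/`FromContext`/`RequiredAuthorities` names, and the constructed `SampleConfigMapData` with placeholder registry names and PEM contents.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"path"
	"sort"
)

// Authority is one signing authority that must verify an image (field names assumed).
type Authority struct {
	Name    string `json:"name"`
	Key     string `json:"key,omitempty"`     // PEM public key (placeholder in sample data)
	Keyless string `json:"keyless,omitempty"` // keyless issuer, kept as free text here
}

// ImagePolicy is one ClusterImagePolicy as flattened into the configmap.
type ImagePolicy struct {
	Images      []string    `json:"images"`      // glob patterns for image references
	Authorities []Authority `json:"authorities"` // all of these must verify a matching image
}

// ImagePoliciesConfig is the parsed configmap (policy name -> policy); never mutated after build.
type ImagePoliciesConfig struct{ Policies map[string]ImagePolicy }

// NewImagePoliciesConfigFromData parses configmap Data (policy name -> JSON body). A policy
// with no authorities is rejected: it would match an image yet require no signature at all.
func NewImagePoliciesConfigFromData(data map[string]string) (*ImagePoliciesConfig, error) {
	cfg := &ImagePoliciesConfig{Policies: map[string]ImagePolicy{}}
	for name, raw := range data {
		if name == "_example" { // documentation placeholder entry, not a policy
			continue
		}
		var p ImagePolicy
		if err := json.Unmarshal([]byte(raw), &p); err != nil {
			return nil, fmt.Errorf("policy %q: %w", name, err)
		}
		if len(p.Images) == 0 || len(p.Authorities) == 0 {
			return nil, fmt.Errorf("policy %q: images and authorities must both be non-empty", name)
		}
		cfg.Policies[name] = p
	}
	return cfg, nil
}

// AuthoritiesForImage returns every authority, across all policies whose globs match, that
// must verify the image. path.Match semantics ("*" does not cross "/") are an assumption.
// The result is sorted by name so admission decisions are deterministic.
func (c *ImagePoliciesConfig) AuthoritiesForImage(image string) ([]Authority, error) {
	var out []Authority
	for name, p := range c.Policies {
		for _, glob := range p.Images {
			ok, err := path.Match(glob, image)
			if err != nil {
				return nil, fmt.Errorf("policy %q: bad glob %q: %w", name, glob, err)
			}
			if ok {
				out = append(out, p.Authorities...)
				break // one match per policy is enough; do not double-count
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

type cfgKey struct{}

// ToContext snapshots a config onto ctx, as the config store would do per webhook request;
// the configmap watch builds a fresh config on change, so in-flight requests keep theirs.
func ToContext(ctx context.Context, cfg *ImagePoliciesConfig) context.Context {
	return context.WithValue(ctx, cfgKey{}, cfg)
}

// FromContext returns the snapshot, or nil if none was attached.
func FromContext(ctx context.Context) *ImagePoliciesConfig {
	cfg, _ := ctx.Value(cfgKey{}).(*ImagePoliciesConfig)
	return cfg
}

// RequiredAuthorities is the webhook-side lookup: with no snapshot it errors, so a missing
// configmap fails closed instead of silently allowing the image.
func RequiredAuthorities(ctx context.Context, image string) ([]Authority, error) {
	cfg := FromContext(ctx)
	if cfg == nil {
		return nil, fmt.Errorf("no image policy config on context")
	}
	return cfg.AuthoritiesForImage(image)
}

// SampleConfigMapData is constructed data shaped like the configmap the reconciler would
// write; registry names and PEM contents are placeholders.
var SampleConfigMapData = map[string]string{
	"_example":  `{"images":["example.com/*"],"authorities":[{"name":"example","key":"<PEM>"}]}`,
	"prod-apps": `{"images":["registry.example.com/prod/*"],"authorities":[{"name":"release-key","key":"<PEM placeholder>"},{"name":"ci-keyless","keyless":"https://token.actions.githubusercontent.com"}]}`,
	"org-wide":  `{"images":["registry.example.com/*/*"],"authorities":[{"name":"org-key","key":"<PEM placeholder>"}]}`,
}
```

With the sample data, `RequiredAuthorities(ToContext(ctx, cfg), "registry.example.com/prod/app:v1")` returns the three authorities from both matching policies (ci-keyless, org-key, release-key), an image under a different registry returns none, and a bare context returns an error. Two choices matter for the webhook: the snapshot holds an immutable config, so a configmap update mid-request cannot change which authorities a single admission decision sees, and the parser refuses a policy with no authorities or a configmap that fails to parse, so the watch keeps serving the last good config instead of an empty one that would wave everything through.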