diff --git a/charts/cosigned/templates/webhook/clusterrole_webhook.yaml b/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
index dcc6cb02..b19b0aac 100644
--- a/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
+++ b/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
@@ -11,11 +11,11 @@ rules:
     verbs: ["create"]
   # Allow the reconciliation of exactly our validating webhook.
   - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["list", "watch"]
   - apiGroups: ["admissionregistration.k8s.io"]
-    resources: ["validatingwebhookconfigurations"]
+    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["get", "update"]
     resourceNames: ["cosigned.sigstore.dev"]
diff --git a/charts/cosigned/templates/webhook/webhook_mutating.yaml b/charts/cosigned/templates/webhook/webhook_mutating.yaml
new file mode 100644
index 00000000..e8ed8737
--- /dev/null
+++ b/charts/cosigned/templates/webhook/webhook_mutating.yaml
@@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: cosigned.sigstore.dev
+webhooks:
+- name: cosigned.sigstore.dev
+  namespaceSelector:
+    # The webhook should only apply to things that opt-in
+    matchExpressions:
+    - key: cosigned.sigstore.dev/include
+      operator: In
+      values: ["true"]
+  admissionReviewVersions: [v1]
+  clientConfig:
+    service:
+      name: webhook
+      namespace: {{ .Release.Namespace }}
+  failurePolicy: Fail
+  sideEffects: None
diff --git a/charts/cosigned/values.yaml b/charts/cosigned/values.yaml
index 72ba1c00..27f87f96 100644
--- a/charts/cosigned/values.yaml
+++ b/charts/cosigned/values.yaml
@@ -26,7 +26,7 @@ webhook:
   podSecurityContext:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
-    runAsNonRoot: true
+    runAsUser: 1000
     capabilities:
       drop:
       - all
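Review bot: The context comment `# Allow the reconciliation of exactly our validating webhook.` two lines above the first changed line is now stale, because both rules below it also cover `mutatingwebhookconfigurations`; reword it to `# Allow the reconciliation of exactly our validating and mutating webhooks.` The `resourceNames: ["cosigned.sigstore.dev"]` scope on the get/update rule only reaches the new MutatingWebhookConfiguration because webhook_mutating.yaml gives it the same `metadata.name`, so a short comment such as `# Both webhook configurations must keep this exact name for the scoped grant to apply.` would keep a later rename from silently breaking reconciliation of one of them. The list/watch rule stays unscoped by resource name, which this commit does not change.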
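Review bot: The new MutatingWebhookConfiguration declares no `rules`, no `clientConfig.service.path` and no `caBundle`, so as rendered it matches no admission requests; presumably the webhook's in-cluster reconciler fills these in at runtime (which is what the `get`/`update` grant in the ClusterRole is for), but nothing in the file records that. A comment above `webhooks:` such as `# rules, service path and caBundle are populated at runtime by the webhook reconciler; do not set them here.` would stop a reader from "fixing" the apparently incomplete spec. `namespace: {{ .Release.Namespace }}` is unquoted; the Helm convention is `namespace: "{{ .Release.Namespace }}"` so the rendered value is always parsed as a string. `failurePolicy: Fail` together with the opt-in `namespaceSelector` is the right fail-closed default for an admission control point.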
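Review bot: Replacing `runAsNonRoot: true` with `runAsUser: 1000` removes the kubelet-enforced check that the container never starts as UID 0, and the `restricted` Pod Security Standard requires `runAsNonRoot: true` to be set explicitly, so this change can cause the chart to be rejected in namespaces enforcing that profile. The two fields are complementary rather than alternatives: keep `runAsNonRoot: true` and add `runAsUser: 1000` under it. If the motivation was an image with no `USER` set (where `runAsNonRoot: true` alone makes the container fail to start), pinning the UID resolves that while the flag still guards against a later image change. These fields sit under a key named `podSecurityContext` but are container-level securityContext fields; that is pre-existing, but worth confirming the template applies them at the container level.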