From ee32cd4d5f15ab8369ad937123d9baa54f0f120a Mon Sep 17 00:00:00 2001
From: Carlos Panato
Date: Wed, 10 Nov 2021 14:01:40 +0100
Subject: [PATCH] add ValidatingWebhookConfiguration

Signed-off-by: Carlos Panato
---
 .../webhook/clusterrole_webhook.yaml | 4 ++--
 .../templates/webhook/webhook_mutating.yaml | 19 +++++++++++++++++++
 charts/cosigned/values.yaml | 2 +-
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 charts/cosigned/templates/webhook/webhook_mutating.yaml
diff --git a/charts/cosigned/templates/webhook/clusterrole_webhook.yaml b/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
index dcc6cb02..b19b0aac 100644
--- a/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
+++ b/charts/cosigned/templates/webhook/clusterrole_webhook.yaml
@@ -11,11 +11,11 @@ rules:
 verbs: ["create"]
 # Allow the reconciliation of exactly our validating webhook.
 - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
 verbs: ["list", "watch"]
 - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
+ resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
 verbs: ["get", "update"]
 resourceNames: ["cosigned.sigstore.dev"]
diff --git a/charts/cosigned/templates/webhook/webhook_mutating.yaml b/charts/cosigned/templates/webhook/webhook_mutating.yaml
new file mode 100644
index 00000000..e8ed8737
--- /dev/null
+++ b/charts/cosigned/templates/webhook/webhook_mutating.yaml
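Review bot: The comment above the widened rules still reads `# Allow the reconciliation of exactly our validating webhook.`, but both rules now also cover `mutatingwebhookconfigurations`; change it to `# Allow the reconciliation of exactly our validating and mutating webhooks.` so the grant's scope is documented where it is made. The get/update rule remains pinned by `resourceNames: ["cosigned.sigstore.dev"]`, which is the right shape, but the list/watch rule cannot be name-scoped (Kubernetes does not apply resourceNames to list/watch), so this commit extends cluster-wide read access to every MutatingWebhookConfiguration as well; that is read-only and mirrors the existing validating grant, but it is worth a sentence in the comment. The rule holding `verbs: ["create"]` at the top of the hunk begins outside it.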
@@ -0,0 +1,19 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: cosigned.sigstore.dev
+webhooks:
+- name: cosigned.sigstore.dev
+ namespaceSelector:
+ # The webhook should only apply to things that opt-in
+ matchExpressions:
+ - key: cosigned.sigstore.dev/include
+ operator: In
+ values: ["true"]
+ admissionReviewVersions: [v1]
+ clientConfig:
+ service:
+ name: webhook
+ namespace: {{ .Release.Namespace }}
+ failurePolicy: Fail
+ sideEffects: None
diff --git a/charts/cosigned/values.yaml b/charts/cosigned/values.yaml
index 72ba1c00..27f87f96 100644
--- a/charts/cosigned/values.yaml
+++ b/charts/cosigned/values.yaml
@@ -26,7 +26,7 @@ webhook:
 podSecurityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
- runAsNonRoot: true
+ runAsUser: 1000
 capabilities:
 drop:
 - all
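Review bot: The new MutatingWebhookConfiguration declares no `rules:` and no `clientConfig.caBundle`, so as rendered it selects no admission operations and pins no CA for the API server to trust; given that the RBAC in this same commit grants get/update on the object named `cosigned.sigstore.dev`, it looks like the webhook process is expected to reconcile those fields in at runtime, and the manifest should say so, e.g. `# rules and clientConfig.caBundle are populated at runtime by the webhook's own reconciler; only the static parts are declared here.` With `failurePolicy: Fail` and no `timeoutSeconds`, the API server waits the default 10s and then rejects every matching request in an opted-in namespace whenever the webhook is slow or unavailable — fail-closed is the right default for a signature check, but set `timeoutSeconds` explicitly and note the availability trade-off next to `failurePolicy`. The templated `namespace: {{ .Release.Namespace }}` is rendered unquoted; `namespace: {{ .Release.Namespace | quote }}` is the defensive form for a templated scalar. Separately, the patch subject says "add ValidatingWebhookConfiguration" while this file adds a `MutatingWebhookConfiguration`; one of the two should be corrected before merge.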
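Review bot: Replacing `runAsNonRoot: true` with `runAsUser: 1000` removes the kubelet's non-root enforcement instead of complementing it; the two fields coexist, so keep both: `runAsNonRoot: true` followed by `runAsUser: 1000`. If the motivation was the image declaring a non-numeric USER (which makes `runAsNonRoot` alone fail with "container has runAsNonRoot and image has non-numeric user"), adding the numeric `runAsUser` already resolves that, and the Pod Security "restricted" profile requires `runAsNonRoot: true` regardless of `runAsUser`. Also, `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities` are container-level `securityContext` fields rather than `PodSecurityContext` fields, so presumably the chart maps this `podSecurityContext` value into the container's securityContext — worth confirming in the deployment template, which is outside this diff.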