Merge pull request #14 from viccuad/artifacthub-v2
feat: Update `artifacthub-pkg.yml` automatically from now on
viccuad authored Mar 24, 2023
2 parents c5d2232 + 3414904 commit ce6bbea
Showing 5 changed files with 61 additions and 71 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
@@ -11,7 +11,7 @@ jobs:

test:
name: run tests and linters
uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-go.yml@v1
uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-go.yml@v3.1.0

release:
needs: test
@@ -23,6 +23,6 @@ jobs:
# Required by cosign keyless signing
id-token: write

uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-go.yml@v1
uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-go.yml@v3.1.0
with:
oci-target: ghcr.io/${{ github.repository_owner }}/policies/hostpaths-psp
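Review bot: Both `uses:` lines in this file now reference the reusable workflows by the mutable tag `@v3.1.0`, and the release job grants `id-token: write` for keyless signing to whatever that tag resolves to at run time. Pinning to the full commit SHA with the tag kept as a trailing comment, e.g. `uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-go.yml@<commit-sha> # v3.1.0`, makes the dependency immutable while update tooling such as Dependabot can still track the version. The same point applies to the `test` job here and to the single `uses:` line changed in `.github/workflows/test.yml`. The workflows live in the same organisation, which lowers the exposure, but the SHA form is what GitHub's hardening guidance recommends for any reusable workflow outside the repository.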
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
@@ -3,4 +3,4 @@ name: Continuous integration
jobs:
test:
name: run tests and linters
uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-go.yml@v1
uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-go.yml@v3.1.0
25 changes: 21 additions & 4 deletions Makefile
@@ -1,11 +1,28 @@
SOURCE_FILES := $(shell find . -type f -name '*.go')
# It's necessary to call cut because kwctl command does not handle version
# starting with v.
VERSION ?= $(shell git describe | cut -c2-)

policy.wasm: $(SOURCE_FILES) go.mod go.sum
docker run --rm -v ${PWD}:/src -w /src tinygo/tinygo:0.18.0 tinygo build \
-o policy.wasm -target=wasi -no-debug .
docker run \
--rm \
-e GOFLAGS="-buildvcs=false" \
-v ${PWD}:/src \
-w /src tinygo/tinygo:0.23.0 \
tinygo build -o policy.wasm -target=wasi -no-debug .

annotated-policy.wasm: policy.wasm metadata.yml
kwctl annotate -m metadata.yml -o annotated-policy.wasm policy.wasm

artifacthub-pkg.yml: metadata.yml go.mod
$(warning If you are updating the artifacthub-pkg.yml file for a release, \
remember to set the VERSION variable with the proper value. \
To use the latest tag, use the following command: \
make VERSION=$$(git describe --tags --abbrev=0 | cut -c2-) annotated-policy.wasm)
kwctl scaffold artifacthub \
--metadata-path metadata.yml --version $(VERSION) \
--questions-path questions-ui.yml --output artifacthub-pkg.yml

annotated-policy.wasm: policy.wasm metadata.yml artifacthub-pkg.yml
kwctl annotate -m metadata.yml -u README.md -o annotated-policy.wasm policy.wasm

.PHONY: test
test:
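Review bot: The new `artifacthub-pkg.yml` rule reads `questions-ui.yml` through `--questions-path` but does not list it as a prerequisite, and the `VERSION` value it bakes into the output is not tracked by make at all, so an existing file scaffolded with an older version is silently reused — and embedded by `annotated-policy.wasm` — without the `$(warning ...)` ever firing. At minimum the rule should read `artifacthub-pkg.yml: metadata.yml go.mod questions-ui.yml`; if the version must always be current, declare the target in `.PHONY` or depend on a version stamp file instead. The scaffolded output also carries a `createdAt` timestamp (visible in the artifacthub-pkg.yml hunk of this commit), so every regeneration produces a diff even when nothing else changed; a comment above the rule saying so would spare contributors the surprise. The builder image `tinygo/tinygo:0.23.0` is still referenced by tag only, so a `@sha256:` digest would be needed for a reproducible build, though that is unchanged from the previous line. The `test` rule's recipe continues past the hunk.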
49 changes: 29 additions & 20 deletions artifacthub-pkg.yml
@@ -1,43 +1,42 @@
---
version: 0.1.7
# Kubewarden Artifacthub Package config
#
# Use this config to submit the policy to https://artifacthub.io.
#
# This config can be saved to its default location with:
# kwctl scaffold artifacthub > artifacthub-pkg.yml
version: 0.1.8
name: hostpaths-psp
displayName: Hostpaths PSP
createdAt: '2023-02-17T16:26:40+00:00'
createdAt: 2023-03-24T15:15:54.209442298Z
description: A Pod Security Policy that controls usage of hostPath volumes
license: Apache-2.0
homeURL: https://github.com/kubewarden/hostpaths-psp-policy
containersImages:
- name: policy
image: ghcr.io/kubewarden/policies/hostpaths-psp:v0.1.7
install: |
The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl/):
```console
kwctl pull ghcr.io/kubewarden/policies/hostpaths-psp:v0.1.7
```
image: ghcr.io/kubewarden/policies/hostpaths-psp:v0.1.8
keywords:
- psp
- hostpaths
- pod
links:
- name: policy
url: https://github.com/kubewarden/hostpaths-psp-policy/releases/download/v0.1.7/policy.wasm
url: https://github.com/kubewarden/hostpaths-psp-policy/releases/download/v0.1.8/policy.wasm
- name: source
url: https://github.com/kubewarden/hostpaths-psp-policy
install: |
The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl):
```console
kwctl pull ghcr.io/kubewarden/policies/hostpaths-psp:v0.1.8
```
maintainers:
- name: Kubewarden developers
email: cncf-kubewarden-maintainers@lists.cncf.io
provider:
name: kubewarden
recommendations:
- url: https://artifacthub.io/packages/helm/kubewarden/kubewarden-controller
annotations:
kubewarden/resources: Pod
kubewarden/mutation: false
kubewarden/contextAware: false
kubewarden/rules: |
rules:
- apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
operations: ["CREATE"]
kubewarden/mutation: 'false'
kubewarden/questions-ui: |
questions:
- default: []
@@ -72,3 +71,13 @@ annotations:
label: Read only
type: boolean
variable: readOnly
kubewarden/resources: Pod
kubewarden/rules: |
- apiGroups:
- ''
apiVersions:
- v1
resources:
- pods
operations:
- CREATE
52 changes: 8 additions & 44 deletions metadata.yml
@@ -6,51 +6,15 @@ rules:
mutating: false
contextAware: false
annotations:
io.kubewarden.policy.title: psp-hostpaths
# artifacthub specific:
io.artifacthub.displayName: Hostpaths PSP
io.artifacthub.resources: Pod
io.artifacthub.keywords: psp, hostpaths, pod
io.kubewarden.policy.ociUrl: ghcr.io/kubewarden/policies/hostpaths-psp
# kubewarden specific:
io.kubewarden.policy.title: hostpaths-psp
io.kubewarden.policy.description: A Pod Security Policy that controls usage of hostPath volumes
io.kubewarden.policy.author: Kubewarden devs
io.kubewarden.policy.author: Kubewarden developers <cncf-kubewarden-maintainers@lists.cncf.io>
io.kubewarden.policy.url: https://github.com/kubewarden/hostpaths-psp-policy
io.kubewarden.policy.source: https://github.com/kubewarden/hostpaths-psp-policy
io.kubewarden.policy.license: Apache-2.0
io.kubewarden.policy.usage: |
Replacement for the Kubernetes Pod Security Policy that controls the usage of
`hostPath` volumes. The policy inspects both the containers and the init
containers that are using `hostPath` volumes.
## Settings
```yaml
allowedHostPaths:
- pathPrefix: "/foo"
readOnly: true
- pathPrefix: "/bar"
readOnly: false
```
`allowedHostPaths` is a list of host paths that are allowed to be used by
hostPath volumes.
An empty `allowedHostPaths` list means there is no restriction on host paths
used.
Each entry of `allowedHostPaths` must have:
- A `pathPrefix` field, which allows hostPath volumes to mount a path that
begins with an allowed prefix.
- a `readOnly` field indicating it must be mounted read-only.
### Special behaviour
It's possible to have host paths sharing part of the prefix. In that case, the
`readOnly` attribute of the most specific path takes precedence.
For example, given the following configuration:
```yaml
allowedHostPaths:
- pathPrefix: "/foo"
readOnly: false
- pathPrefix: "/foo/bar"
readOnly: true
```
Paths such as `/foo/bar/dir1`, `/foo/bar` must be read only.
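Review bot: The whole `io.kubewarden.policy.usage` block — the Settings reference and the "Special behaviour" paragraph explaining that the `readOnly` flag of the most specific `pathPrefix` wins — is removed here with no replacement in this hunk. The Makefile change in the same commit passes `-u README.md` to `kwctl annotate`, which suggests the README now supplies the usage text, but README.md is not among the five changed files, so it is worth confirming it already documents the prefix-precedence rule, since that rule decides whether a matching volume ends up writable. The `io.artifacthub.keywords` annotation is dropped as well while the regenerated artifacthub-pkg.yml still lists the same three keywords, so presumably kwctl derives them from elsewhere; a one-line comment next to the remaining annotations naming which fields feed the scaffold would make that explicit. The document's `rules:` section starts before the hunk.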
