Add policy-controller annotations #732

Open
wants to merge 12 commits into
base: main
15 changes: 11 additions & 4 deletions cmd/webhook/main.go
Expand Up @@ -202,6 +202,11 @@ func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher
}

func NewMutatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
store.WatchConfigs(cmw)
policyControllerConfigStore := policycontrollerconfig.NewStore(logging.FromContext(ctx).Named("config-policy-controller"))
policyControllerConfigStore.WatchConfigs(cmw)

kc := kubeclient.Get(ctx)
validator := cwebhook.NewValidator(ctx)

Expand All @@ -218,10 +223,12 @@ func NewMutatingAdmissionController(ctx context.Context, cmw configmap.Watcher)
// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
func(ctx context.Context) context.Context {
ctx = context.WithValue(ctx, kubeclient.Key{}, kc)
ctx = policyduckv1beta1.WithPodScalableDefaulter(ctx, validator.ResolvePodScalable)
ctx = duckv1.WithPodDefaulter(ctx, validator.ResolvePod)
ctx = duckv1.WithPodSpecDefaulter(ctx, validator.ResolvePodSpecable)
ctx = duckv1.WithCronJobDefaulter(ctx, validator.ResolveCronJob)
ctx = store.ToContext(ctx)
ctx = policyControllerConfigStore.ToContext(ctx)
ctx = policyduckv1beta1.WithPodScalableDefaulter(ctx, validator.PodScalableDefaulter)
ctx = duckv1.WithPodDefaulter(ctx, validator.PodDefaulter)
ctx = duckv1.WithPodSpecDefaulter(ctx, validator.PodSpecableDefaulter)
ctx = duckv1.WithCronJobDefaulter(ctx, validator.CronJobDefaulter)
return ctx
},

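Review bot: The new `store.ToContext` / `policyControllerConfigStore.ToContext` lines at L41-L42 carry no explanation of why the mutating controller now needs both stores, and a reader has to infer it from the Resolve* → *Defaulter rename on the following lines; a short comment above L41 would help, e.g. `// The *Defaulter callbacks read the image-policy config and the policy-controller config (annotate-validation-results) from the request context.` — phrased as an assumption, since the defaulter bodies are not in this diff. Both stores are registered with the same cmw at L24 and L28; if NewValidatingAdmissionController (L19, body outside the hunk) builds its own copies, consider a shared helper so the two webhooks cannot drift on which ConfigMaps they watch. The old Resolve* names are removed here but the methods themselves are not in the diff; confirm no remaining callers.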
1 change: 1 addition & 0 deletions config/config-policy-controller.yaml
Expand Up @@ -25,3 +25,4 @@ data:
# #
################################
no-match-policy: warn
annotate-validation-results: false
15 changes: 14 additions & 1 deletion pkg/config/store.go
Expand Up @@ -43,6 +43,8 @@ const (
NoMatchPolicyKey = "no-match-policy"

FailOnEmptyAuthorities = "fail-on-empty-authorities"

AnnotateResultsKey = "annotate-validation-results"
)

// PolicyControllerConfig controls the behaviour of policy-controller that needs
Expand All @@ -56,10 +58,12 @@ type PolicyControllerConfig struct {
NoMatchPolicy string `json:"no-match-policy"`
// FailOnEmptyAuthorities configures the validating webhook to allow creating CIP without a list authorities
FailOnEmptyAuthorities bool `json:"fail-on-empty-authorities"`
// AnnotateResults configures writing the validation results as an annotation in the resource
AnnotateResults bool `json:"annotate-validation-results"`
}

func NewPolicyControllerConfigFromMap(data map[string]string) (*PolicyControllerConfig, error) {
ret := &PolicyControllerConfig{NoMatchPolicy: "deny", FailOnEmptyAuthorities: true}
ret := &PolicyControllerConfig{NoMatchPolicy: "deny", FailOnEmptyAuthorities: true, AnnotateResults: false}
switch data[NoMatchPolicyKey] {
case DenyAll:
ret.NoMatchPolicy = DenyAll
Expand All @@ -76,6 +80,14 @@ func NewPolicyControllerConfigFromMap(data map[string]string) (*PolicyController
return ret, err
}
ret.FailOnEmptyAuthorities = true

if val, ok := data[AnnotateResultsKey]; ok {
var err error
ret.AnnotateResults, err = strconv.ParseBool(val)
return ret, err
}
ret.AnnotateResults = false

return ret, nil
}

Expand All @@ -102,6 +114,7 @@ func FromContextOrDefaults(ctx context.Context) *PolicyControllerConfig {
return &PolicyControllerConfig{
NoMatchPolicy: DenyAll,
FailOnEmptyAuthorities: true,
AnnotateResults: false,
}
}

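Review bot: The unconditional `return ret, err` at L97 copies the shape of the `fail-on-empty-authorities` block ending at L90, and because that earlier block returns as soon as its key is present, `annotate-validation-results` is silently ignored (stays false) whenever a ConfigMap sets both keys. Only bail on a parse failure: `if err != nil { return ret, err }`, and drop the redundant `ret.AnnotateResults = false` at L99 since the default is already set at L85; the `return ret, err` at L90 deserves the same treatment, though that block starts outside the hunk. As written, a cluster that opts into annotations while also tuning fail-on-empty-authorities gets neither annotations nor an error, and the new `annotate-results` fixture sets only the one key so the test suite does not catch it.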
8 changes: 8 additions & 0 deletions pkg/config/store_test.go
Expand Up @@ -27,6 +27,7 @@ import (
type testData struct {
noMatchPolicy string
failOnEmptyAuthorities bool
AnnotateResults bool
}

var testfiles = map[string]testData{
Expand All @@ -35,6 +36,7 @@ var testfiles = map[string]testData{
"warn-all": {noMatchPolicy: WarnAll, failOnEmptyAuthorities: true},
"deny-all-default": {noMatchPolicy: DenyAll, failOnEmptyAuthorities: true},
"allow-empty-authorities": {noMatchPolicy: DenyAll, failOnEmptyAuthorities: false},
"annotate-results": {noMatchPolicy: AllowAll, failOnEmptyAuthorities: true, AnnotateResults: true},
}

func TestStoreLoadWithContext(t *testing.T) {
Expand All @@ -55,6 +57,9 @@ func TestStoreLoadWithContext(t *testing.T) {
if diff := cmp.Diff(want.failOnEmptyAuthorities, expected.FailOnEmptyAuthorities); diff != "" {
t.Error("Unexpected defaults config (-want, +got):", diff)
}
if diff := cmp.Diff(want.AnnotateResults, expected.AnnotateResults); diff != "" {
t.Error("Unexpected defaults config (-want, +got):", diff)
}
if diff := cmp.Diff(expected, config); diff != "" {
t.Error("Unexpected defaults config (-want, +got):", diff)
}
Expand All @@ -74,6 +79,9 @@ func TestStoreLoadWithContextOrDefaults(t *testing.T) {
if diff := cmp.Diff(DenyAll, expected.NoMatchPolicy); diff != "" {
t.Error("Unexpected defaults config (-want, +got):", diff)
}
if diff := cmp.Diff(false, expected.AnnotateResults); diff != "" {
t.Error("Unexpected defaults config (-want, +got):", diff)
}
if diff := cmp.Diff(expected, config); diff != "" {
t.Error("Unexpected defaults config (-want, +got):", diff)
}
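Review bot: Every entry in testfiles sets at most one of the two boolean keys, so the new `annotate-results` case at L127 cannot detect an ordering dependence between parsing `fail-on-empty-authorities` and `annotate-validation-results` in NewPolicyControllerConfigFromMap; add a fixture that sets both, e.g. `"annotate-results-allow-empty": {noMatchPolicy: DenyAll, failOnEmptyAuthorities: false, AnnotateResults: true}` backed by a testdata YAML carrying both keys. Style: the new field at L119 is `AnnotateResults` while its siblings in the file-local testData struct are `noMatchPolicy` and `failOnEmptyAuthorities`; `annotateResults` keeps the convention and would need updating at L127 and L135 as well. The per-field check at L135 mirrors the existing ones and is consistent with the full-struct diff at L138.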
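--- /dev/null
+++ b/pkg/config/testdata/annotate-results.yaml
@@ -0,0 +1,26 @@
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: config-policy-controller
+namespace: cosign-system
+labels:
+policy.sigstore.dev/release: devel
+
+data:
+_example: |
+no-match-policy: allow
+annotate-validation-results: true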