cosign / sigstore policy-controller: admission webhook configurations as deployed in the cluster
Reference: policy-controller/pkg/webhook/validator.go at main · sigstore/policy-controller · GitHub (presumably the validator behind the /validations endpoint shown below)
cosign webhook YAML — output of `kubectl get <kind> <name> -o yaml` (`k` is an alias for `kubectl`); caBundle values are redacted in this copy
root@ubuntu:/home/test# k get ValidatingWebhookConfiguration cosigned.sigstore.dev -o yaml
# ValidatingWebhookConfiguration for the cosign image-verification webhook.
# Dumped with `kubectl get ... -o yaml`; uid/resourceVersion/creationTimestamp
# are live cluster state, not values to reapply. caBundle is redacted here.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    meta.helm.sh/release-name: cosigned
    meta.helm.sh/release-namespace: cosign-system
  creationTimestamp: "2023-06-16T13:49:25Z"
  # generation 2 (the validating.clusterimagepolicy config in this same dump is
  # still at 1) is consistent with the chart creating the object and the
  # webhook controller later patching in caBundle/rules — presumably; confirm
  # against the controller logs.
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
  name: cosigned.sigstore.dev
  # Owned by the cosign-system Namespace: deleting that namespace garbage-
  # collects this configuration and silently removes enforcement cluster-wide.
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: true
    controller: true
    kind: Namespace
    name: cosign-system
    uid: f1d4b8ec-fbb6-40a3-93b9-525cc6ae09f2
  resourceVersion: "628690"
  uid: 0fe69228-54f3-4b95-b733-6e41e14adc4e
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    # CA the API server uses to verify the webhook's serving certificate.
    # Redacted in this copy. If it were absent the API server would fall back
    # to its system trust roots, and a self-signed serving cert would fail the
    # TLS handshake on every call.
    caBundle: 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
    service:
      name: webhook
      namespace: cosign-system
      path: /validations
      port: 443
  # Fail closed: if the webhook is unreachable, returns an error, or exceeds
  # timeoutSeconds, the admission request is rejected. Right for an
  # enforcement webhook, but an outage of the `webhook` Service then blocks
  # every matched write in every opted-in namespace.
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: cosigned.sigstore.dev
  # Enforcement is OPT-IN per namespace. Both expressions must hold: the
  # namespace must carry cosigned.sigstore.dev/include=true and must not carry
  # webhooks.knative.dev/exclude. A namespace without the include label is not
  # verified at all, and anyone with RBAC to edit namespace labels can exempt a
  # namespace — lock down `patch`/`update` on namespaces accordingly.
  namespaceSelector:
    matchExpressions:
    - key: webhooks.knative.dev/exclude
      operator: DoesNotExist
    - key: cosigned.sigstore.dev/include
      operator: In
      values:
      - "true"
  # No per-object filtering: every object of the kinds below in an opted-in
  # namespace is sent to the webhook.
  objectSelector: {}
  # Pod-spec-carrying kinds the webhook sees. Not listed here, and therefore
  # never sent: the pods/ephemeralcontainers subresource (used by
  # `kubectl debug`), core replicationcontrollers, and any CRD that embeds a
  # pod template. Whether that gap is acceptable depends on the workload
  # types actually in use on this cluster.
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    # DELETE is matched here but not in the mutating counterpart.
    operations:
    - CREATE
    - UPDATE
    - DELETE
    # pods/status UPDATEs (e.g. kubelet status writes) are matched too, which
    # adds webhook load/latency in opted-in namespaces — presumably intended;
    # confirm it is needed.
    resources:
    - pods
    - pods/status
    scope: '*'
  - apiGroups:
    - apps
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - daemonsets
    - daemonsets/status
    scope: '*'
  - apiGroups:
    - apps
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - deployments
    - deployments/status
    scope: '*'
  - apiGroups:
    - apps
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - replicasets
    - replicasets/status
    scope: '*'
  - apiGroups:
    - apps
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - statefulsets
    - statefulsets/status
    scope: '*'
  - apiGroups:
    - batch
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - cronjobs
    - cronjobs/status
    scope: '*'
  - apiGroups:
    - batch
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - jobs
    - jobs/status
    scope: '*'
  # batch/v1beta1 CronJob was removed in Kubernetes 1.25. With matchPolicy
  # Equivalent the batch/v1 rule above already covers requests arriving via
  # any other served version, so this entry only matters on clusters that
  # still serve v1beta1; it is harmless elsewhere.
  - apiGroups:
    - batch
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - cronjobs
    - cronjobs/status
    scope: '*'
  sideEffects: None
  # Upper bound the API server waits for a response (the API allows 1–30s).
  # With failurePolicy Fail a timeout is a rejection.
  timeoutSeconds: 10
root@ubuntu:/home/test# k get ValidatingWebhookConfiguration validating.clusterimagepolicy.sigstore.dev -o yaml
# ValidatingWebhookConfiguration intended for ClusterImagePolicy objects.
#
# NOTE(review): this entry is not wired up. It has no `rules`, so the API
# server never invokes it (an empty rule set matches nothing); it has no
# `caBundle` and no `path`; and the webhook `name` is
# defaulting.clusterimagepolicy.sigstore.dev inside a configuration named
# validating.clusterimagepolicy.sigstore.dev. Net effect: ClusterImagePolicy
# CREATE/UPDATE is currently NOT validated at admission. generation is 1 here
# while the other three configs in this dump are at 2, which looks like the
# policy-webhook controller has not (yet) reconciled this object — check its
# logs and re-dump before relying on CIP validation.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    meta.helm.sh/release-name: cosigned
    meta.helm.sh/release-namespace: cosign-system
  creationTimestamp: "2023-06-16T13:49:25Z"
  # Still at 1: never patched after creation (compare generation 2 elsewhere).
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: validating.clusterimagepolicy.sigstore.dev
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: true
    controller: true
    kind: Namespace
    name: cosign-system
    uid: f1d4b8ec-fbb6-40a3-93b9-525cc6ae09f2
  resourceVersion: "628706"
  uid: cfa19e17-4aee-4337-bd9b-55dfdbcd02e0
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    # No caBundle: the API server would verify policy-webhook's serving cert
    # against its own system roots, which fails for a self-signed cert.
    # No path: requests would be sent to "/".
    service:
      name: policy-webhook
      namespace: cosign-system
      port: 443
  # Fail closed — only meaningful once rules exist.
  failurePolicy: Fail
  matchPolicy: Equivalent
  # Name mismatch with the configuration's metadata.name (validating.*).
  name: defaulting.clusterimagepolicy.sigstore.dev
  # Empty selectors match everything; moot while `rules` is absent.
  namespaceSelector: {}
  objectSelector: {}
  sideEffects: None
  timeoutSeconds: 10
MutatingWebhookConfigurations — mutating admission runs before the validating webhooks above, so what the validators see is the post-mutation object
root@ubuntu:/home/test# k get MutatingWebhookConfiguration cosigned.sigstore.dev -o yaml
# MutatingWebhookConfiguration for the cosign image webhook (/mutations).
# Dumped with `kubectl get ... -o yaml`; uid/resourceVersion/creationTimestamp
# are live cluster state. caBundle is redacted here. What /mutations actually
# rewrites is not visible in this dump — check the policy-controller source.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    meta.helm.sh/release-name: cosigned
    meta.helm.sh/release-namespace: cosign-system
  creationTimestamp: "2023-06-16T13:49:25Z"
  # generation 2: patched once after creation, presumably by the webhook
  # controller injecting caBundle/rules — confirm against its logs.
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
  name: cosigned.sigstore.dev
  # Owned by the cosign-system Namespace: deleting that namespace garbage-
  # collects this configuration.
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: true
    controller: true
    kind: Namespace
    name: cosign-system
    uid: f1d4b8ec-fbb6-40a3-93b9-525cc6ae09f2
  resourceVersion: "628689"
  uid: 7e069263-8b3e-4f4e-8e15-9c6ecbb1cef8
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    # CA the API server uses to verify the webhook's serving certificate
    # (redacted in this copy). Same Service as the validating webhook, but a
    # different path.
    caBundle: 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
    service:
      name: webhook
      namespace: cosign-system
      path: /mutations
      port: 443
  # Fail closed: an unreachable, erroring or slow webhook rejects the request.
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: cosigned.sigstore.dev
  # Same OPT-IN selector as the validating webhook: only namespaces labelled
  # cosigned.sigstore.dev/include=true and without webhooks.knative.dev/exclude
  # are mutated. Anyone able to edit namespace labels can exempt a namespace.
  namespaceSelector:
    matchExpressions:
    - key: webhooks.knative.dev/exclude
      operator: DoesNotExist
    - key: cosigned.sigstore.dev/include
      operator: In
      values:
      - "true"
  objectSelector: {}
  # Never re-run: if a mutating webhook ordered after this one changes the pod
  # spec (e.g. rewrites an image), /mutations is not invoked again on the
  # result. The validating webhook at /validations still runs after all
  # mutating webhooks, so the final object is nonetheless validated.
  reinvocationPolicy: Never
  # Same kinds as the validating webhook, but CREATE/UPDATE only (no DELETE).
  # As there, pods/ephemeralcontainers, replicationcontrollers and
  # pod-template-carrying CRDs are not covered.
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - pods
    - pods/status
    scope: '*'
  - apiGroups:
    - apps
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - daemonsets
    - daemonsets/status
    scope: '*'
  - apiGroups:
    - apps
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - deployments
    - deployments/status
    scope: '*'
  - apiGroups:
    - apps
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - replicasets
    - replicasets/status
    scope: '*'
  - apiGroups:
    - apps
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - statefulsets
    - statefulsets/status
    scope: '*'
  - apiGroups:
    - batch
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - cronjobs
    - cronjobs/status
    scope: '*'
  - apiGroups:
    - batch
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - jobs
    - jobs/status
    scope: '*'
  # batch/v1beta1 CronJob was removed in Kubernetes 1.25; with matchPolicy
  # Equivalent the batch/v1 rule above already covers other served versions,
  # so this entry is only relevant on clusters still serving v1beta1.
  - apiGroups:
    - batch
    apiVersions:
    - v1beta1
    operations:
    - CREATE
    - UPDATE
    resources:
    - cronjobs
    - cronjobs/status
    scope: '*'
  sideEffects: None
  # With failurePolicy Fail a timeout is a rejection.
  timeoutSeconds: 10
root@ubuntu:/home/test# k get MutatingWebhookConfiguration defaulting.clusterimagepolicy.sigstore.dev -o yaml
# MutatingWebhookConfiguration that defaults ClusterImagePolicy objects.
# Unlike the validating.clusterimagepolicy config in this same dump, this one
# is fully wired (caBundle, path, rules): defaulting of CIPs is active while
# validation of CIPs currently is not.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    meta.helm.sh/release-name: cosigned
    meta.helm.sh/release-namespace: cosign-system
  creationTimestamp: "2023-06-16T13:49:25Z"
  # generation 2: patched once after creation, presumably by the
  # policy-webhook controller injecting caBundle/rules.
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
  name: defaulting.clusterimagepolicy.sigstore.dev
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: true
    controller: true
    kind: Namespace
    name: cosign-system
    uid: f1d4b8ec-fbb6-40a3-93b9-525cc6ae09f2
  resourceVersion: "628707"
  uid: 759377fd-dbb6-4e98-9461-9de027694909
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    # CA for the policy-webhook serving cert (redacted in this copy).
    caBundle: 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
    service:
      name: policy-webhook
      namespace: cosign-system
      path: /defaulting
      port: 443
  # Fail closed: if policy-webhook is down, ClusterImagePolicy writes fail.
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: defaulting.clusterimagepolicy.sigstore.dev
  # ClusterImagePolicy is, by name, cluster-scoped. For cluster-scoped objects
  # other than Namespace the API server does not consult namespaceSelector, so
  # this exclude expression has no effect here — unless the CRD is actually
  # namespaced; verify with `kubectl api-resources`.
  namespaceSelector:
    matchExpressions:
    - key: webhooks.knative.dev/exclude
      operator: DoesNotExist
  objectSelector: {}
  # Not re-run if a later mutating webhook changes the object.
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - cosigned.sigstore.dev
    apiVersions:
    - v1alpha1
    operations:
    - CREATE
    - UPDATE
    resources:
    - clusterimagepolicies
    - clusterimagepolicies/status
    scope: '*'
  sideEffects: None
  # With failurePolicy Fail a timeout is a rejection.
  timeoutSeconds: 10