cosigned 2021-10-21
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespace that hosts the cosigned webhook, its RBAC and its config maps.
apiVersion: v1
kind: Namespace
metadata:
  name: cosign-system
  labels:
    # The webhook configurations in this file only select namespaces whose
    # cosigned.sigstore.dev/include label is "true". The system namespace
    # opts out explicitly: the webhooks use failurePolicy: Fail, so a webhook
    # that gated its own namespace could block its own rollout.
    # Quoted so the value is a string, not a YAML boolean.
    cosigned.sigstore.dev/include: "false"
---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Cluster-scoped permissions for the webhook service account. Every rule is
# limited to the verbs the webhook needs; where a resource name is known it is
# pinned with resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cosigned-rbac
rules:
  # Create Events; no other verb on the core API group is granted by this rule.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
  # Allow the reconciliation of exactly our validating and mutating webhooks.
  # list/watch is not scoped by resourceNames and is therefore granted on its
  # own; get/update is pinned to the two configurations named
  # cosigned.sigstore.dev.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - list
      - watch
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - get
      - update
    resourceNames:
      - cosigned.sigstore.dev
  # The webhook configures the namespace as the OwnerRef on various
  # cluster-scoped resources, which requires that we can Get the system
  # namespace (and only that one).
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
    resourceNames:
      - cosign-system
  # This is needed by k8schain to support fetching pull secrets attached to pod
  # specs or their service accounts. If pull secrets aren't used, the "secrets"
  # below can be safely dropped, but the logic will fetch the service account
  # to check for pull secrets.
  # NOTE(review): this is a cluster-wide `get` on Secrets with no namespace or
  # resourceNames restriction; pull-secret names are chosen by workload authors,
  # so it cannot be narrowed here. Audit-log access to this verb accordingly.
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
      - secrets
    verbs:
      - get
---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Permissions the webhook needs inside its own namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cosigned-namespace-rbac
  namespace: cosign-system
rules:
  # Needed to watch and load configuration and secret data.
  # NOTE(review): `update` on Secrets presumably lets the webhook write its
  # serving certificate into the webhook-certs Secret declared later in this
  # file (empty at install time) — confirm against the binary; if so, the
  # verb is still namespace-scoped here.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
    verbs:
      - get
      - list
      - update
      - watch
  # Needed for leader election.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - patch
      - watch
---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Identity the webhook Deployment runs as; bound to cosigned-rbac (cluster)
# and cosigned-namespace-rbac (namespace) by the bindings that follow.
kind: ServiceAccount
apiVersion: v1
metadata:
  namespace: cosign-system
  name: webhook
---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Grants the cluster-scoped ClusterRole cosigned-rbac to the webhook
# service account in cosign-system (and to nothing else).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cosigned-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cosigned-rbac
subjects:
  - kind: ServiceAccount
    namespace: cosign-system
    name: webhook
---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Grants the namespace-scoped Role cosigned-namespace-rbac to the webhook
# service account. Shares its name with the ClusterRoleBinding above; that is
# fine because the two kinds live in different scopes.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: cosign-system
  name: cosigned-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cosigned-namespace-rbac
subjects:
  - kind: ServiceAccount
    namespace: cosign-system
    name: webhook
---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Service the admission webhook configurations point at. The API server
# connects on 443; the container serves HTTPS on 8443 (the same port its
# probes use).
apiVersion: v1
kind: Service
metadata:
  namespace: cosign-system
  name: webhook
spec:
  selector:
    role: webhook
  ports:
    - port: 443
      targetPort: 8443
---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Validating admission webhook. Neither `rules` nor `clientConfig.caBundle`
# is set here; the ClusterRole grants get/update on exactly this object, which
# suggests the webhook populates them at runtime — confirm against the binary.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: cosigned.sigstore.dev
webhooks:
  - name: cosigned.sigstore.dev
    # Fail closed: if the webhook is unreachable, admissions in selected
    # namespaces are rejected rather than silently allowed.
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: cosign-system
        name: webhook
    # The webhook should only apply to things that opt-in.
    namespaceSelector:
      matchExpressions:
        - key: cosigned.sigstore.dev/include
          operator: In
          values:
            - "true"
---
# Mutating admission webhook; same selector, service and failure policy as the
# validating one. `rules` and `clientConfig.caBundle` are likewise absent and
# presumably filled in at runtime — confirm against the binary.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: cosigned.sigstore.dev
webhooks:
  - name: cosigned.sigstore.dev
    # Fail closed: an unreachable webhook rejects admissions in selected
    # namespaces instead of allowing them.
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: cosign-system
        name: webhook
    # The webhook should only apply to things that opt-in.
    namespaceSelector:
      matchExpressions:
        - key: cosigned.sigstore.dev/include
          operator: In
          values:
            - "true"
---
# Serving-certificate Secret for the webhook. It is declared empty on purpose:
# the data is populated at install time (the namespace Role grants `update`
# on Secrets, which is what such population would need).
kind: Secret
apiVersion: v1
metadata:
  namespace: cosign-system
  name: webhook-certs
---
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Leader-election tunables. Only the `_example` key is shipped; it is
# documentation for `kubectl edit` users, not live configuration.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: cosign-system
  name: config-leader-election
data:
  # Literal block scalar: the `#` lines below are part of the value, not
  # YAML comments.
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################
    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.
    # leaseDuration is how long non-leaders will wait to try to acquire the
    # lock; 15 seconds is the value used by core kubernetes controllers.
    leaseDuration: "15s"
    # renewDeadline is how long a leader will try to renew the lease before
    # giving up; 10 seconds is the value used by core kubernetes controllers.
    renewDeadline: "10s"
    # retryPeriod is how long the leader election client waits between tries of
    # actions; 2 seconds is the value used by core kubernetes controllers.
    retryPeriod: "2s"
    # buckets is the number of buckets used to partition key space of each
    # Reconciler. If this number is M and the replica number of the controller
    # is N, the N replicas will compete for the M buckets. The owner of a
    # bucket will take care of the reconciling for the keys partitioned into
    # that bucket.
    buckets: "1"
---
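# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Logging configuration read by the webhook (CONFIG_LOGGING_NAME in the
# Deployment names this map). Only the `_example` key is shipped; it is
# documentation for `kubectl edit` users, not live configuration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-logging
  namespace: cosign-system
data:
  # Literal block scalar: the `#` lines below are part of the value, not
  # YAML comments. The "are be" typo in the log-level note is fixed here.
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################
    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.
    zap-logger-config: |
      {
        "level": "info",
        "development": false,
        "outputPaths": ["stdout"],
        "errorOutputPaths": ["stderr"],
        "encoding": "json",
        "encoderConfig": {
          "timeKey": "ts",
          "levelKey": "level",
          "nameKey": "logger",
          "callerKey": "caller",
          "messageKey": "msg",
          "stacktraceKey": "stacktrace",
          "lineEnding": "",
          "levelEncoder": "",
          "timeEncoder": "iso8601",
          "durationEncoder": "",
          "callerEncoder": ""
        }
      }
    # Log level overrides
    # Changes are picked up immediately.
    loglevel.controller: "info"
    loglevel.webhook: "info"
---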
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Metrics configuration. Only the `_example` key is shipped; it is
# documentation for `kubectl edit` users, not live configuration.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: cosign-system
  name: config-observability
data:
  # Literal block scalar: the `#` lines below are part of the value, not
  # YAML comments.
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################
    # This block is not actually functional configuration,
    # but serves to illustrate the available configuration
    # options and document them in a way that is accessible
    # to users that `kubectl edit` this config map.
    #
    # These sample configuration options may be copied out of
    # this example block and unindented to be in the data block
    # to actually change the configuration.
    # metrics.backend-destination field specifies the system metrics destination.
    # It supports either prometheus (the default) or stackdriver.
    # Note: Using stackdriver will incur additional charges
    metrics.backend-destination: prometheus
    # metrics.request-metrics-backend-destination specifies the request metrics
    # destination. If non-empty, it enables queue proxy to send request metrics.
    # Currently supported values: prometheus, stackdriver.
    metrics.request-metrics-backend-destination: prometheus
    # metrics.stackdriver-project-id field specifies the stackdriver project ID. This
    # field is optional. When running on GCE, application default credentials will be
    # used if this field is not provided.
    metrics.stackdriver-project-id: "<your stackdriver project id>"
---
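# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# The admission webhook itself. Pods carry the label role: webhook, which is
# what the Service selector and (fixed below) the anti-affinity term match on.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webhook
  namespace: cosign-system
spec:
  selector:
    matchLabels:
      role: webhook
  template:
    metadata:
      labels:
        role: webhook
    spec:
      # To avoid a node becoming a SPOF, spread our replicas to different nodes.
      # The term's labelSelector must match the pod template's labels: the
      # previous selector (app: webhook) matched no pod in this file, so the
      # preference silently had no effect.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchLabels:
                    role: webhook
      serviceAccountName: webhook
      containers:
        - name: webhook
          # This is the Go import path for the binary that is containerized
          # and substituted here; in this rendering it is already resolved to
          # an image pinned by digest, so the deployed bytes are immutable.
          image: ghcr.io/mattmoor/webhook@sha256:18eb429c5e680405746c90653ad0a7ed67989e4a5773605b73ecf18d7086fa61
          # Presumably names the verification-key Secret declared at the end
          # of this file — confirm against the binary's flag handling.
          args:
            - "-secret-name=verification-key"
          resources:
            requests:
              cpu: 20m
              memory: 20Mi
            limits:
              cpu: 200m
              memory: 200Mi
          env:
            - name: SYSTEM_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CONFIG_LOGGING_NAME
              value: config-logging
            - name: METRICS_DOMAIN
              value: sigstore.dev/cosigned
            - name: WEBHOOK_NAME
              value: webhook
          # Hardened container: no privilege escalation, read-only root
          # filesystem, non-root user, no Linux capabilities.
          # NOTE(review): no seccompProfile is set; the restricted Pod Security
          # Standard expects RuntimeDefault or Localhost — consider adding it.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                # NOTE(review): Kubernetes docs spell this "ALL"; confirm the
                # target runtime and any admission policy accept lowercase.
                - all
          # The liveness probe aliases the readiness probe, so both hit the
          # HTTPS port with the k-kubelet-probe header. Some tooling does not
          # expand YAML anchors; inline the block if that becomes a problem.
          readinessProbe: &probe
            failureThreshold: 6
            initialDelaySeconds: 20
            periodSeconds: 1
            httpGet:
              scheme: HTTPS
              port: 8443
              httpHeaders:
                - name: k-kubelet-probe
                  value: "webhook"
          livenessProbe: *probe
      # Our webhook should gracefully terminate by lame ducking first; set this
      # to a sufficiently high value that we respect whatever value it has
      # configured for the lame duck grace period.
      terminationGracePeriodSeconds: 300
---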
# Secret holding the cosign public key the webhook verifies signatures
# against (its name is passed via -secret-name in the Deployment). Shipped
# empty; the operator supplies the key. Keep the key out of this manifest in
# VCS — populate it at install time, e.g. from a secret store.
kind: Secret
apiVersion: v1
metadata:
  namespace: cosign-system
  name: verification-key
# stringData:
#   cosign.pub: |
#     <PEM encoded public key>
---