
Excluding custom resources via rules in Validating & Mutating webhook configuration is getting overridden with default config

Open rnachire opened this issue 2 years ago • 7 comments


We have tried adding rules to the validating & mutating webhook of policy.sigstore.dev with the namespaceSelector policy.sigstore.dev/include label; the rules were empty by default.

We tried to add rules so that the admission controller is applied only to well-known k8s objects such as deployments, statefulsets, daemonsets, cronjobs, jobs and pods, but not to custom resources. But when we add these objects explicitly in the rules, they get overridden with the default ones. Is there a way to exclude a few resources, since the objectSelector is not sufficient for our use cases?

```yaml
namespaceSelector:
  matchExpressions:
  - key: webhooks.knative.dev/exclude
    operator: DoesNotExist
  - key: policy.sigstore.dev/include
    operator: In
    values:
    - "true"
objectSelector: {}
rules:
- apiGroups:
  - ""
  apiVersions:
  - v1
  operations:
  - CREATE
  - UPDATE
  - DELETE
  resources:
  - pods
  - pods/status
  scope: '*'
- apiGroups:
  - apps
  apiVersions:
  - v1
  operations:
  - CREATE
  - UPDATE
  - DELETE
  resources:
  - deployments
  - deployments/status
  scope: '*'
```

.....

Our main use case is that we want to start with image signature verification only for the well-known objects mentioned above, not for custom resources. The problem with the objectSelector is that when we use a matchExpressions NOT IN condition, it also takes effect for custom resources, but it is considered for the deployments or pods. Could you please let us know if there is a way to exclude all the custom resources somehow. Let us know if you need any further info.

rnachire avatar Oct 26 '22 05:10 rnachire

@rnachire This is more a programmatic knative question. If you really want to set some specific values without them being overwritten, you need to specify them here: https://github.com/sigstore/policy-controller/blob/main/cmd/webhook/main.go#L144.

hectorj2f avatar Oct 26 '22 09:10 hectorj2f

@hectorj2f - Do you mean we need to override this only via code, not with the k8s validating or mutating webhook configuration in a k8s manifest?

Why is the flexibility not given to the end user to choose these rules, like any other admission controller?

rnachire avatar Oct 26 '22 10:10 rnachire

The main reason comes because we are validating a fixed list of resource types. This could be configurable via our configMap, as long as it refers to the supported resource types. But this will need to be implemented.

hectorj2f avatar Oct 26 '22 10:10 hectorj2f

Thank you. Could you consider this as a feature request?


rnachire avatar Oct 26 '22 11:10 rnachire

@rnachire If I understand your use case, you want to block certain resources. However you have custom resources that also create pods and deployments which you don't want to enforce. Is that correct ? Could you label these resources you want to enforce only ? It is hard to distinguish which pods/deployments you want to enforce from other pods/deployments. But we added a new field spec.match that matches labels for a list of resources.

hectorj2f avatar Oct 27 '22 10:10 hectorj2f

Yeah, we wanted to block the custom resources even though they are creating pods eventually. Could you elaborate on spec.match, since we have already tried matchExpressions with labels to ignore them, but it didn't work with cosign 0.4.0.


rnachire avatar Oct 27 '22 12:10 rnachire

@rnachire You could label them and use spec.match.... to enforce deployment, or any other type including pods with label=yada. There is more information here: https://docs.sigstore.dev/policy-controller/overview#policies-matching-specific-resource-types-and-labels

hectorj2f avatar Oct 27 '22 12:10 hectorj2f
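An added example, not from this thread or the policy-controller project, of the spec.match approach hectorj2f points to: a ClusterImagePolicy that is evaluated only for Deployments and Pods carrying a label, inside namespaces labelled policy.sigstore.dev/include=true. Field names follow the policy-controller docs linked above; the label key, image glob and signer identity are constructed placeholders.

```yaml
# Added example: scope a ClusterImagePolicy to labelled Deployments and Pods.
# Field names follow the policy-controller docs linked in the thread; the
# label, image glob and signer identity are constructed placeholders.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: verify-labelled-workloads
spec:
  # Only objects matching one of these entries are checked against this
  # policy; images in other admitted objects are not evaluated by it.
  match:
  - group: apps
    version: v1
    resource: deployments
    selector:
      matchLabels:
        verify.example.com/signatures: "required"   # constructed label
  - version: v1
    resource: pods
    selector:
      matchLabels:
        verify.example.com/signatures: "required"
  images:
  - glob: "registry.example.com/**"                  # constructed registry
  authorities:
  - keyless:
      url: https://fulcio.sigstore.dev
      identities:
      # Constructed CI identity: only images signed by this workflow pass.
      - issuer: https://token.actions.githubusercontent.com
        subject: https://github.com/example-org/example-repo/.github/workflows/release.yaml@refs/heads/main
---
# The webhook still only intercepts namespaces carrying this label (the
# namespaceSelector quoted in the issue), so opt the namespace in explicitly.
apiVersion: v1
kind: Namespace
metadata:
  name: workloads
  labels:
    policy.sigstore.dev/include: "true"
```

Note that spec.match narrows which of the webhook's fixed resource types a policy applies to; it does not change the resource list the webhook itself registers, which is the limitation the thread is about.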