-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #48 from kubewarden/artifacthub
feat: Update artifacthub-pkg.yml automatically from now on
- Loading branch information
Showing
7 changed files
with
84 additions
and
165 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,59 +1,6 @@ | ||
| on: [push, pull_request] | ||
| name: Continuous integration | ||
| jobs: | ||
| check: | ||
| name: Check | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - uses: actions-rs/toolchain@v1 | ||
| with: | ||
| profile: minimal | ||
| toolchain: stable | ||
| override: true | ||
| - uses: actions-rs/cargo@v1 | ||
| with: | ||
| command: check | ||
| test: | ||
| name: Test Suite | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - uses: actions-rs/toolchain@v1 | ||
| with: | ||
| profile: minimal | ||
| toolchain: stable | ||
| override: true | ||
| - uses: actions-rs/cargo@v1 | ||
| with: | ||
| command: test | ||
| fmt: | ||
| name: Rustfmt | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - uses: actions-rs/toolchain@v1 | ||
| with: | ||
| profile: minimal | ||
| toolchain: stable | ||
| override: true | ||
| - run: rustup component add rustfmt | ||
| - uses: actions-rs/cargo@v1 | ||
| with: | ||
| command: fmt | ||
| args: --all -- --check | ||
| clippy: | ||
| name: Clippy | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - uses: actions-rs/toolchain@v1 | ||
| with: | ||
| profile: minimal | ||
| toolchain: stable | ||
| override: true | ||
| - run: rustup component add clippy | ||
| - uses: actions-rs/cargo@v1 | ||
| with: | ||
| command: clippy | ||
| args: -- -D warnings | ||
| name: run tests and linters | ||
| uses: kubewarden/github-actions/.github/workflows/[email protected] |
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| [package] | ||
| name = "pod-privileged-policy" | ||
| version = "0.2.4" | ||
| version = "0.2.5" | ||
| authors = ["José Guilherme Vanz <[email protected]>"] | ||
| edition = "2021" | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,47 +1,81 @@ | ||
| --- | ||
| version: 0.2.4 | ||
| # Kubewarden Artifacthub Package config | ||
| # | ||
| # Use this config to submit the policy to https://artifacthub.io. | ||
| # | ||
| # This config can be saved to its default location with: | ||
| # kwctl scaffold artifacthub > artifacthub-pkg.yml | ||
| version: 0.2.5 | ||
| name: pod-privileged-policy | ||
| displayName: Pod Privileged Policy | ||
| createdAt: '2023-02-06T14:46:21+02:00' | ||
| createdAt: 2023-03-21T11:39:45.702098839Z | ||
| description: Limit the ability to create privileged containers | ||
| license: Apache-2.0 | ||
| homeURL: https://github.com/kubewarden/pod-privileged-policy | ||
| containersImages: | ||
| - name: policy | ||
| image: ghcr.io/kubewarden/policies/pod-privileged:v0.2.4 | ||
| image: ghcr.io/kubewarden/policies/pod-privileged:v0.2.5 | ||
| keywords: | ||
| - psp | ||
| - pod | ||
| - container | ||
| - privileged | ||
| links: | ||
| - name: policy | ||
| url: https://github.com/kubewarden/pod-privileged-policy/releases/download/v0.2.4/policy.wasm | ||
| url: https://github.com/kubewarden/pod-privileged-policy/releases/download/v0.2.5/policy.wasm | ||
| - name: source | ||
| url: https://github.com/kubewarden/pod-privileged-policy | ||
| install: | | ||
| The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl): | ||
| ```console | ||
| kwctl pull ghcr.io/kubewarden/policies/pod-privileged:v0.2.5 | ||
| ``` | ||
| maintainers: | ||
| - name: Kubewarden developers | ||
| email: [email protected] | ||
| provider: | ||
| name: kubewarden | ||
| recommendations: | ||
| - url: https://artifacthub.io/packages/helm/kubewarden/kubewarden-controller | ||
| annotations: | ||
| kubewarden/mutation: 'false' | ||
| kubewarden/resources: Pod | ||
| kubewarden/mutation: false | ||
| kubewarden/contextAware: false | ||
| kubewarden/rules: | | ||
| rules: | ||
| - apiGroups: [""] | ||
| apiVersions: ["v1"] | ||
| resources: ["pods"] | ||
| operations: ["CREATE"] # kubernetes doesn't allow to add/remove privileged containers to an already running pod | ||
| - apiGroups: [""] | ||
| apiVersions: ["v1"] | ||
| resources: ["replicationcontrollers"] | ||
| operations: ["CREATE", "UPDATE"] | ||
| - apiGroups: ["apps"] | ||
| apiVersions: ["v1"] | ||
| resources: ["deployments","replicasets","statefulsets","daemonsets"] | ||
| operations: ["CREATE", "UPDATE"] | ||
| - apiGroups: ["batch"] | ||
| apiVersions: ["v1"] | ||
| resources: ["jobs","cronjobs"] | ||
| operations: ["CREATE", "UPDATE"] | ||
| - apiGroups: | ||
| - '' | ||
| apiVersions: | ||
| - v1 | ||
| resources: | ||
| - pods | ||
| operations: | ||
| - CREATE | ||
| - apiGroups: | ||
| - '' | ||
| apiVersions: | ||
| - v1 | ||
| resources: | ||
| - replicationcontrollers | ||
| operations: | ||
| - CREATE | ||
| - UPDATE | ||
| - apiGroups: | ||
| - apps | ||
| apiVersions: | ||
| - v1 | ||
| resources: | ||
| - deployments | ||
| - replicasets | ||
| - statefulsets | ||
| - daemonsets | ||
| operations: | ||
| - CREATE | ||
| - UPDATE | ||
| - apiGroups: | ||
| - batch | ||
| apiVersions: | ||
| - v1 | ||
| resources: | ||
| - jobs | ||
| - cronjobs | ||
| operations: | ||
| - CREATE | ||
| - UPDATE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,81 +18,16 @@ rules: | |
| mutating: false | ||
| contextAware: false | ||
| annotations: | ||
| io.kubewarden.policy.title: pod-privileged | ||
| # artifacthub specific | ||
| io.artifacthub.displayName: Pod Privileged Policy | ||
| io.artifacthub.resources: Pod | ||
| io.artifacthub.keywords: psp, pod, container, privileged | ||
| io.kubewarden.policy.ociUrl: ghcr.io/kubewarden/policies/pod-privileged | ||
| # io.kubewarden.hidden-ui: "true" | ||
| # rest | ||
| io.kubewarden.policy.title: pod-privileged-policy | ||
| io.kubewarden.policy.description: Limit the ability to create privileged containers | ||
| io.kubewarden.policy.author: Flavio Castelli | ||
| io.kubewarden.policy.author: "Kubewarden developers <[email protected]>" | ||
| io.kubewarden.policy.url: https://github.com/kubewarden/pod-privileged-policy | ||
| io.kubewarden.policy.source: https://github.com/kubewarden/pod-privileged-policy | ||
| io.kubewarden.policy.license: Apache-2.0 | ||
| io.kubewarden.policy.usage: | | ||
| Given the following scenario: | ||
| > As an operator of a Kubernetes cluster used by multiple users, | ||
| > I want to have tight control over who can schedule privileged containers. | ||
| Kubernetes containers can be run in privileged mode by providing a well crafted | ||
| [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). | ||
| Cluster administrators can prevent regular users to create privileged containers | ||
| by using a Kubernetes built-in feature called [Pod Security Policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). | ||
| However, Pod Security Polices are going to be [deprecated](https://github.com/kubernetes/enhancements/issues/5) | ||
| in the near future. | ||
| Pod Security Policies could be replaced by using policies provided by an | ||
| external Admission Controller, like Kubewarden. | ||
| This policy inspects the [AdmissionReview](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#request) | ||
| objects generated by the Kubernetes API server and either accept or reject them. | ||
| The policy can be used to inspect `CREATE` and `UPDATE` requests of `Pod` resources. | ||
| It will reject any pod with containers, init container or ephemeral containers | ||
| configured as privileged in their [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). | ||
| # Settings | ||
| This policy has no configurable settings. | ||
| The user is responsible to configure the policy defining the resources targeted | ||
| by the policy. Otherwise, the policy will not be able to run. The current supported | ||
| resources are listed in the metadata.yml file. See more information about how to | ||
| configure a policy in the [Kubewarden documentation](https://docs.kubewarden.io/). | ||
| # Examples | ||
| The following Pod specification doesn't have any security context defined: | ||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx | ||
| spec: | ||
| containers: | ||
| - name: nginx | ||
| image: nginx | ||
| imagePullPolicy: IfNotPresent | ||
| ``` | ||
| This workload can be scheduled by all the users of the cluster. | ||
| This Pod specification has one of its containers running in | ||
| privileged mode and it will be rejected by the policy: | ||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| name: nginx | ||
| spec: | ||
| runtimeClassName: containerd-runc | ||
| containers: | ||
| - name: nginx | ||
| image: nginx | ||
| imagePullPolicy: IfNotPresent | ||
| securityContext: | ||
| privileged: true | ||
| - name: sleeping-sidecar | ||
| image: alpine | ||
| command: ["sleep", "1h"] | ||
| ``` | ||