[PLATFORM-2185] Configure Image Provenance admission control with Gatekeeper

Merged Alain Atemnkeng requested to merge PLATFORM-2207-aatemnke2 into master
Viewing commit 7930e42f (5 files changed, +28 −8)
package allow_rollout_restart
package allow_rollout_restart_deployment
# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
# Violation caused when user is not the local flux, nor stakater-reloader, and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
violation[{"msg": msg}] {
not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
not input.review.userInfo.username == flux_username
not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
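Review bot: the admin-group check on the last line of this hunk, `not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")`, uses OPA's `contains`, which is a string built-in (`contains(haystack, needle)`), not an array-membership test; `userInfo.groups` in an admission review is an array of strings, so this call does not test membership, and with OPA's default (non-strict) built-in error handling an operand-type error leaves the expression undefined, which makes `not ...` succeed and the violation fire for admins too. Suggest a helper rule and negate that instead, e.g.
`is_admin { input.review.userInfo.groups[_] == "oidc:it.platform.roles.admin" }`
`not is_admin`
Two smaller points: `not x == y` on the username lines reads more clearly as `x != y`, and the flux exemption built with `concat` matches a ServiceAccount named `flux` in whatever namespace the request targets; if flux only runs in a known set of namespaces, scoping the exemption to those namespaces keeps the carve-out as narrow as the comment on the rule describes.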