elfotografo007/policy-controller

This branch is 12 commits ahead of, 1136 commits behind sigstore/policy-controller:main.


Policy Controller

The policy-controller admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign.


policy-controller also resolves image tags to digests, so the image that is run is the same one that was admitted.

See the installation instructions for more information.

Today, policy-controller can automatically validate signatures and attestations on container images. Enforcement is configured on a per-namespace basis, and multiple keys are supported.

We're actively working on more features here.

For more information about the policy-controller, have a look at our documentation website here.

Examples

Please see the examples/ directory for example policies etc.

Policy Testing

This repo includes a policy-tester tool which enables checking a policy against various images.

In the root of this repo, run the following to build:

make policy-tester

Then run it pointing to a YAML file containing a ClusterImagePolicy, and an image to evaluate the policy against:

(set -o pipefail && \
    ./policy-tester \
        --policy=test/testdata/policy-controller/tester/cip-public-keyless.yaml \
        --image=ghcr.io/sigstore/cosign/cosign:v1.9.0 | jq)
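As an added example (not the repo's own cip-public-keyless.yaml), a keyless ClusterImagePolicy that policy-tester can be pointed at with --policy; the image glob and the identity issuer/subject values are assumptions chosen to illustrate pinning the accepted signer identity rather than accepting any Fulcio-issued certificate:

```yaml
# Added example, not shipped with the repo. Values below are assumptions.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: example-keyless-cosign
spec:
  # enforce rejects non-compliant pods; warn only records a warning.
  mode: enforce
  images:
    # Only images matching this glob are subject to this policy (assumed value).
    - glob: "ghcr.io/sigstore/cosign/cosign*"
  authorities:
    - keyless:
        url: https://fulcio.sigstore.dev
        # Restrict which OIDC identity may have signed the image; without this,
        # any certificate issued by Fulcio would satisfy the authority.
        identities:
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: "https://github.com/sigstore/cosign/.github/workflows/.*"  # assumed
      ctlog:
        url: https://rekor.sigstore.dev
```

Run the policy-tester command above with this file as --policy to see the verification result as JSON before deploying the policy to a cluster.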

Support Policy

Each policy-controller version is supported on the following Kubernetes versions:

policy-controller > 0.2.x: Kubernetes 1.22, 1.23, 1.24, 1.25

note: not fully tested yet, but can be installed

Release Cadence

We are intending to move to a monthly cadence for minor releases. Minor releases will be published around the beginning of the month. We may cut a patch release instead, if the changes are small enough not to warrant a minor release. We will also cut patch releases periodically as needed to address bugs.

Security

Should you discover any security issues, please refer to sigstore's security process.
