Parameters
The parent key for all of the following parameters is sigstore_policy_controller.
namespace
| type | string |
| default | |
The namespace in which to deploy this component.
The component configures appropriate labels to ensure OpenShift 4’s cluster monitoring or component-prometheus monitoring stacks pick up the policy controller’s metrics.
charts
| type | dict |
| default | |
This parameter contains the Helm chart source and version for the policy controller.
cluster_policies
| type | dict |
| default | |
This parameter allows users to configure the ClusterImagePolicy resources that the component deploys.
Each key-value pair in this parameter is translated into one ClusterImagePolicy resource.
The key is used as metadata.name of the resulting resource; the component also sets a label name with the same value.
The value is used verbatim as a partial ClusterImagePolicy resource: the component fills in apiVersion, kind and metadata.name, everything else, in particular spec, is taken from the value as written.
The component doesn't perform any validation on the provided configuration. A misspelled field or a mis-indented authority is only rejected once the rendered manifest is applied to the cluster.
Setting a key-value pair's value to null removes the policy with that key, which allows users to drop policies that are defined at a higher level of the configuration hierarchy.
When multiple policies match the same image, the image must satisfy every matching policy before the pod is admitted. Within a single policy it's sufficient that one of the listed authorities verifies the image.
NOTE: By default, policies are only applied to namespaces which are labeled policy.sigstore.dev/include=true.
See the policy controller documentation for details on supported configurations.
Example
Below we show an example component configuration and the resulting ClusterImagePolicy resource:
```yaml
parameters:
  sigstore_policy_controller:
    cluster_policies:
      image-policy:
        metadata:
          annotations:
            sigstore-policy-controller.syn.tools/description: |
              Example policy
        spec:
          images:
            - glob: "**"
          authorities:
            # hashAlgorithm and data must be nested under key; if they're
            # indented as siblings of key, the rendered authority has key: null
            # and is rejected by the cluster.
            - key:
                hashAlgorithm: sha256
                data: |-
                  -----BEGIN PUBLIC KEY-----
                  ...
                  -----END PUBLIC KEY-----
```

ClusterImagePolicy

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  annotations:
    sigstore-policy-controller.syn.tools/description: |
      Example policy
  labels:
    name: image-policy
  name: image-policy
spec:
  authorities:
    - key:
        data: |-
          -----BEGIN PUBLIC KEY-----
          ...
          -----END PUBLIC KEY-----
        hashAlgorithm: sha256
  images:
    - glob: '**'
```
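The following configuration is an added illustration of how several entries in cluster_policies interact; it isn't taken from the component's own documentation or tests. The registry names, the organization name, the workflow path in the subject regular expression and the policy names are assumptions chosen for the example. The key-based policy restricts itself to an assumed internal registry, the keyless policy verifies images built by an assumed GitHub Actions release workflow against the public Fulcio and Rekor instances, and the last entry removes a policy inherited from a higher level of the configuration hierarchy:

```yaml
parameters:
  sigstore_policy_controller:
    cluster_policies:
      # Policy 1 (assumed registry name): every image pulled from the internal
      # registry must be signed with the release key. Note that hashAlgorithm and
      # data are nested under key.
      internal-registry-key:
        metadata:
          annotations:
            sigstore-policy-controller.syn.tools/description: |
              Images from the internal registry must be signed with the release key.
        spec:
          images:
            - glob: "registry.example.com/**"
          authorities:
            - key:
                hashAlgorithm: sha256
                data: |-
                  -----BEGIN PUBLIC KEY-----
                  ...
                  -----END PUBLIC KEY-----
      # Policy 2 (assumed organization and workflow): images built by the release
      # workflow are verified keylessly. The certificate identity must match both
      # the OIDC issuer and the workflow subject. mode: warn only logs violations
      # instead of rejecting pods, which is useful while rolling the policy out.
      github-keyless:
        metadata:
          annotations:
            sigstore-policy-controller.syn.tools/description: |
              Images on ghcr.io must come from the release workflow (warn only).
        spec:
          mode: warn
          images:
            - glob: "ghcr.io/example-org/**"
          authorities:
            - keyless:
                url: https://fulcio.sigstore.dev
                identities:
                  - issuer: https://token.actions.githubusercontent.com
                    subjectRegExp: "^https://github.com/example-org/[^/]+/\\.github/workflows/release\\.yaml@refs/tags/v.+$"
              ctlog:
                url: https://rekor.sigstore.dev
      # Policy 3: an entry named legacy-policy that is defined higher up in the
      # hierarchy is dropped by setting it to null.
      legacy-policy: null
```

With this configuration an image from registry.example.com is only subject to the first policy and an image from ghcr.io/example-org only to the second; an image matching both globs would have to pass both. Remember that none of the policies is evaluated for a namespace until that namespace carries the label policy.sigstore.dev/include=true, and that the component passes the spec through unchanged, so a typo in issuer or a wrong nesting of key only shows up when the rendered ClusterImagePolicy is applied.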