-
Notifications
You must be signed in to change notification settings - Fork 501
/
webhook.yaml
112 lines (105 loc) · 3.26 KB
/
webhook.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: webhook
namespace: cosign-system
spec:
selector:
matchLabels:
role: webhook
template:
metadata:
labels:
role: webhook
spec:
# To avoid node becoming SPOF, spread our replicas to different nodes.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
role: webhook
topologyKey: kubernetes.io/hostname
weight: 100
serviceAccountName: webhook
containers:
- name: webhook
# This is the Go import path for the binary that is containerized
# and substituted here.
image: ko://github.com/sigstore/cosign/cmd/cosign/webhook
args: ["-secret-name=verification-key"]
resources:
requests:
cpu: 20m
memory: 20Mi
limits:
cpu: 200m
memory: 200Mi
env:
- name: SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIG_LOGGING_NAME
value: config-logging
- name: METRICS_DOMAIN
value: sigstore.dev/policy
- name: WEBHOOK_NAME
value: webhook
# Since we need to validate against different Rekor clients based on
# differing policies, we fetch the Rekor public key during validation.
- name: SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY
value: "true"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- all
volumeMounts:
# Failing to provide a writable $HOME can cause TUF client initialization to panic
- mountPath: /home/nonroot
name: writable-home-dir
readinessProbe: &probe
failureThreshold: 6
initialDelaySeconds: 20
periodSeconds: 1
httpGet:
scheme: HTTPS
port: 8443
httpHeaders:
- name: k-kubelet-probe
value: "webhook"
livenessProbe: *probe
# Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently
# high value that we respect whatever value it has configured for the lame duck grace period.
terminationGracePeriodSeconds: 300
volumes:
- emptyDir: {}
name: writable-home-dir
---
apiVersion: v1
kind: Secret
metadata:
name: verification-key
namespace: cosign-system
# stringData:
# cosign.pub: |
# <PEM encoded public key>
---