Lakom uses warning instead of failure policy Ignore

.reuse/dep5

@@ -49,14 +49,6 @@ Copyright: Copyright 2021 The Sigstore Authors.
            Modifications Copyright 2022 SAP SE or an SAP affiliate company and Gardener contributors
 License: Apache-2.0
 
-Files:
-  pkg/admission/admission_suite_test.go
-  pkg/admission/http.go
-  pkg/admission/http_test.go
-Copyright: Copyright 2018 The Kubernetes Authors.
-           Modifications Copyright 2022 SAP SE or an SAP affiliate company and Gardener contributors
-License: Apache-2.0
-
 Files:
   hack/cherry-pick-pull.sh
 Copyright: Copyright 2015 The Kubernetes Authors.

charts/gardener-extension-shoot-lakom-service/templates/configmap-extension-config.yaml

@@ -14,10 +14,10 @@ data:
     kind: Configuration
     cosignPublicKeys:
 {{ toYaml .Values.controllers.cosignPublicKeys | indent 6 }}
-    failurePolicy: {{ .Values.controllers.failurePolicy }}
     seedBootstrap:
       ownerNamespace: {{ .Release.Namespace }}
     useOnlyImagePullSecrets: {{ .Values.controllers.useOnlyImagePullSecrets }}
+    allowUntrustedImages: {{ .Values.controllers.allowUntrustedImages }}
     debugConfig:
       enableProfiling: {{ .Values.controllers.debugConfig.enableProfiling | default false }}
       enableContentionProfiling: {{ .Values.controllers.debugConfig.enableContentionProfiling | default false }}

charts/gardener-extension-shoot-lakom-service/values.yaml

@@ -46,10 +46,10 @@ controllers:
     #   -----BEGIN PUBLIC KEY-----
     #   abcd
     #   -----END PUBLIC KEY-----
-  failurePolicy: Fail
   healthPort: 8080
   metricsPort: 8081
   useOnlyImagePullSecrets: false
+  allowUntrustedImages: false
   debugConfig:
     enableProfiling: false
     enableContentionProfiling: false

charts/lakom/templates/deployment.yaml

@@ -82,6 +82,7 @@ spec:
         - --kubeconfig=/etc/lakom/client/kubeconfig
         {{- end }}
         - --use-only-image-pull-secrets={{ .Values.useOnlyImagePullSecrets }}
+        - --insecure-allow-untrusted-images={{ .Values.allowUntrustedImages }}
         {{- if .Values.resources }}
         resources:
 {{ toYaml .Values.resources | trim | indent 10 }}

charts/lakom/templates/mutatingwebhookconfiguration.yaml

@@ -24,7 +24,7 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /lakom/resolve-tag-to-digest
 {{- end }}
-  failurePolicy: {{ .Values.admissionConfig.failurePolicy }}
+  failurePolicy: Fail
   matchPolicy: Equivalent
   name: resolve-tag.lakom.service.gardener.cloud
 {{- if .Values.admissionConfig.namespaceSelector }}

charts/lakom/templates/validatingwebhookconfiguration.yaml

@@ -24,7 +24,7 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /lakom/verify-cosign-signature
 {{- end }}
-  failurePolicy: {{ .Values.admissionConfig.failurePolicy }}
+  failurePolicy: Fail
   matchPolicy: Equivalent
   name: verify-signature.lakom.service.gardener.cloud
 {{- if .Values.admissionConfig.namespaceSelector }}

charts/lakom/values.yaml

@@ -31,6 +31,7 @@ cosign:
   #   abcd
   #   -----END PUBLIC KEY-----
 useOnlyImagePullSecrets: false
+allowUntrustedImages: false
 kubeconfig: {}
 admissionConfig:
   objectSelector: {}
@@ -41,7 +42,6 @@ admissionConfig:
       values:
       - "kube-system"
       - "lakom-system"
-  failurePolicy: Fail
   clientConfig:
     caBundle: foo
     urlHostname: ""

cmd/lakom/app/app.go

@@ -13,7 +13,6 @@ import (
 	goruntime "runtime"
 	"time"
 
-	"github.com/gardener/gardener-extension-shoot-lakom-service/pkg/admission"
 	"github.com/gardener/gardener-extension-shoot-lakom-service/pkg/constants"
 	"github.com/gardener/gardener-extension-shoot-lakom-service/pkg/lakom/resolvetag"
 	"github.com/gardener/gardener-extension-shoot-lakom-service/pkg/lakom/verifysignature"
@@ -99,6 +98,9 @@ type Options struct {
 	// UseOnlyImagePullSecrets sets only the image pull secrets of the pod to be used to access the OCI registry.
 	// Otherwise, also the node identity and docker config file are used.
 	UseOnlyImagePullSecrets bool
+	// AllowUntrustedImages configures the webhook to allow images without trusted signature.
+	// Instead to deny the request, the webhook will allow it with a warning.
+	AllowUntrustedImages bool
 }
 
 // AddFlags adds lakom admission controller's flags to the specified FlagSet.
@@ -114,6 +116,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.DurationVar(&o.CacheTTL, "cache-ttl", time.Minute*10, "TTL for the cached objects. Set to 0, if cache has to be disabled")
 	fs.DurationVar(&o.CacheRefreshInterval, "cache-refresh-interval", time.Second*30, "Refresh interval for the cached objects")
 	fs.BoolVar(&o.UseOnlyImagePullSecrets, "use-only-image-pull-secrets", false, "If set, only the credentials from the image pull secrets of the pod are used to access the OCI registry. Otherwise, the node identity and docker config are also used.")
+	fs.BoolVar(&o.AllowUntrustedImages, "insecure-allow-untrusted-images", false, "If set, the webhook will just return warning for the images without trusted signatures.")
 }
 
 // validate validates all the required options.
@@ -230,23 +233,22 @@ func (o *Options) Run(ctx context.Context) error {
 		WithCacheTTL(o.CacheTTL).
 		WithCacheRefreshInterval(o.CacheRefreshInterval).
 		WithUseOnlyImagePullSecrets(o.UseOnlyImagePullSecrets).
+		WithAllowUntrustedImages(o.AllowUntrustedImages).
 		Build()
 	if err != nil {
 		return err
 	}
 
 	server.Register(
 		constants.LakomResolveTagPath,
-		&admission.Server{
-			Webhook: webhook.Admission{Handler: imageTagResolverHandler},
-			Log:     imageTagResolverHandler.GetLogger(),
+		&webhook.Admission{
+			Handler: imageTagResolverHandler,
 		},
 	)
 	server.Register(
 		constants.LakomVerifyCosignSignaturePath,
-		&admission.Server{
-			Webhook: webhook.Admission{Handler: cosignSignatureVerifyHandler},
-			Log:     cosignSignatureVerifyHandler.GetLogger(),
+		&webhook.Admission{
+			Handler: cosignSignatureVerifyHandler,
 		},
 	)
 

example/00-config.yaml

@@ -10,10 +10,10 @@ cosignPublicKeys:
   MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyLVOS/TWANf6sZJPDzogodvDz8NT
   hjZVcW2ygAvImCAULGph2fqGkNUszl7ycJH/Dntw4wMLSbstUZomqPuIVQ==
   -----END PUBLIC KEY-----
-failurePolicy: Fail
 seedBootstrap:
   ownerNamespace: lakom-extension
 useOnlyImagePullSecrets: true
+allowUntrustedImages: false
 debugConfig:
   enableProfiling: false
   enableContentionProfiling: false

example/controller-registration.yaml

@@ -5,7 +5,7 @@ metadata:
   name: shoot-lakom-service
 type: helm
 providerConfig:
-  chart: H4sIAAAAAAAAA+0caW/bOLaf9Su46gymLUbynXQNdLFu4rZB28RIMt0dDBYBLTE2J5KoESWnnrb72/eRlGRdPpO66Y4eilSmeDyS7+ajJjiwiUcCg3wMiccp8ww+ZSw0HHzDXIOTYEYt0nh0F2gCHPZ68n+A4v/yudXpttq99sGBKG8dtru9R6h3p1E3hIiHOEDoUQCTXlVv3fvvFCab7b85JY5LJx4LyPZjiA0+6HaX7j9se37/261us/0INe9/umX4i+//YzTCYUgCj6OQIbXD6HZKPDSOqGNTb4J8bN3gCeGm9hhdTilHPPJ9FoTwAFThoInDxsjFoTWF2j+jgDg4pDMC7cJpphx7NnTgkQm8ZR564gfkmn4kNrqlUO9vT0105jlzxDzZUqCEfBIgh3rE1Mzji6uLEHCDLo6Y60IHH44ukE0DrpkTGjbkX4W+Zo7/DBryb1IwnTTEn+Qnn3mNRUdjmF/ko2vqEK49M/mtD3/H+Ab+hi48/xeqfsABZRFHJ8dDGNAP2O/ECjWT2gQ3VD0o0swZt5hNGtq33tXNYUP+P5riIDTn2HV2GGMd/7d73SL/tw47Nf/vA7BPP5BA7HsfzVoa9v30p94ym7pmE24F1A9l0QC9AT2ALEEN6JoFKJwS9DomIfROkAy6UCSDhglByYoXgqhAhHjYJX20GdVpswSVpgm4fEdc9f3AhvxvM8ucsB3HWMf/h0X7r93sdA5q/t8HNBroYnT8b+MVaL8j5s9BZU7DSyCGPmo32210MRihiyECDsae/IGvQVFSHBJkMdfH3lwo9oUMsJgXBnQcga7mWqOhJf2/AyryODFOoFpIrykJQJqAZTElRhtYG+pNWH8iuhBd8ykyLKSPMTz88On14Px4eDo8v3ozOHp7dXxy/qWR1DTkeMxxgIIDMqE8DKR5YULDCjpGJvrhiYVDZJoN+PdheH5xcnb6NP5JPmLXd0hjWZ9C/S3EWr+if11MBCwqaTDFYpJ4eAyWBcrNT1lQUjLGhcLSEtLUYkEAtgVaIIFySGh+tvc7y8QN+T8ksDKAOd/FE9za/2u32t1O7f/tA7be/yuw+cEu52bob2oLrvf/OoX97/QOerX83wd8+mQgZIMnBm6XTl0QLDoyvnzREBJv6DWaYj6SnhrS+RS3ewd9HZkfsBOBQyjrmyGeoLSFH1AvvEb6j/yfP/JizYD4jFNQDfNVXRCHk6oO+zt3CAoKfmQe5XMya4dgm4DXClIXyJ/aagFW8oOh2hhJo7Rv0fJbb+lWsDX/Ww5wDAnACIC/3HDYZAKqa6VruNb+6/YK/H9w0Kn9v73A469o/j3WHm9m/BmGoWUd0WvgZC8c09BUTyZljVkLOz4IIO2GenYfHSkyfCXJUHNJiG0c4j5wvIPHIEHEE8p0lNB5I5z74IDqnBBbhzrKH13D7OKXxn1iiV5jyhePIJ1wALXUYAjdkPmp7A+4Ii6KK2wygqHqxg0DIl6SYzErFAYRgXIZTOujm2hMAo8AN5rPVvb7TP56tkoi7cr/Ctf74f9e67DM/4c1/+8DvnP+HymWyfL/xhy94LdtREYiBn7ngKlsEVKXvCVz4FL+fel+AdvzP/Ou6cTFfqaFKlsqA9bwf6t30Crw/2GnV5//7AUeJP/PWgmXS8J6j/1tOdxUJBlX5jAWtPj0CZnnYLJjTszTpFi4A0nHGTruo8+SubNoyRHMdFweD5IKCtNyWGQnkqol22fnEakQjiy3wG+ZeKNo7FALhAcIH8AuZL+KEFPiyixCQOI5Xx99RtAzLCc6UI4OSC5MnSggIwZV5mq2FR3laiVNhWh7KQL0YYD9xJphtzCn0w2WT1SOOBHHdyfC+xpFjnNBrICEfCkaS+on3dlkHE3UqiXoqDjaKGCCAL3J0p4zTc1CG1g0cPpw5ISwWKmXuegcWoWCQpm3yzAVrSsG/NYMX4A7yH/pac/AAWaBwWYkuA1oSKqUwDr53zxo5+V/p9ltN2v5vw94MPI/DjflwjgfJHGdJbQl2HVrNVFB4BmOjulbiDPovZqkN1QieTMS+76Z8dPAgN0enSUdUQ9I1qvCJavL5FT4VZ4xhVYr65nKtU71S7cQO/vWFFvDfcLW8t8mvsPmrvDKNk0HWS3/W+12tyD/291Oq5b/e4EHI/+zgh1kHm+k0v04pbg7ivcNBXlRE8mksXPCWRRYJLZQseexUFrzsbwPkvdFb0A17yNdxPD0rCD9SgpDZGqafNqQ58N7UDhyTCAbA8/AtcBjII9wnoQEli6LiqksDOo0rhKQGRVYvqFcnOu8oy6FWfTkGx98Fpz3KeLCIxaBqpLYcHkow+KgrAyZvsus8z2u9C5rlQjSGLsMPcv+imQlQ8gBg3pTEmVwLXX+Gf0RsTCDWrGdyDdY6sxAvYBafCRyEtb2xC1wEhcUnVQCbrZueOSuiBDJ8alnOZFNRAIohT37wbyMl8R8CbMZiaRRfV2USX+KTEBUHUjCmAtkNzQjN0K60hrcZQ7LPaXVE0kFhQAnR8T3Ssa7Mb0AqH7LghtxAlBkcGYEwJPUJQaIdnmWAVIfOw67JfZm7W3ggu1a+DI+YsR1tm09dph1Q2zDonZQaJtIpwyJTUL0RGx+lSR6iloZIQEq0wOZmOFoZg9gaQalF0LI/RHRgNjHEVDW5ALo045EJOFEqpG4ePiRWJHMyMy0NBSFXOTE3wKkIBx+9EEi87x8SZrfiBh2NVUV6iLEfJGzBKOgE6/0ciYXpDiAGGIn2lyDX0Ko94XjKnIXEDKfOWwylyF/PY/LlPFQrJe+jIlBXjBg/vmRgzk/zfMrn3PQDsbfm824crweA8sSNHW6K3dzIBY5pohPgWWXzgb4c8BPmXcOpm16xqhA0v4ooDOwCydkyC3sYJUCLONYaT3oW9iBKuBFssupFPy5EgHHKggWvxaaB1MvPkRVq34H2SWla04sJ4ksZqmaCDVWBEhV0oifvsypCOa6YOMu5magxob5y4sWRqy9XjRIaDXyvlVGr+VaOPSaWHPLIYaLP4r2sI0BWMFGQMQPcV3hxRJ9njY1F80u5p7FsxMTY0wJdsKp1ILbj5JpvG4cZQUbiiXFci0snWW9qyZnSYtB2qDYdyEXx6D2iywtlNN7zIpVCMIxwaGR+gcvVka7yw1h5uTWAH0Am4od2FuYir1q5VQ7U7Y7iZtdqFbVm2SMwRsysG0LCf6iv3JPpCFX6CW28TbrJmsQZg1Bce0nywkpK482NS9z0lRxffw6Uw4GZ8gs5vTR5dEoLXfoDFaLc5A245ysmYah/5qEeWkurh/1UUMtyJ/5V6uQrV5BARxIXeD75vJylHkhdDjFzjFx8DzewT5qNRdiFgiQbo23aDXfO9q9tALxZtmNVjv1bjg4Hp5fDd8Njy5Pzk6vTgfvhxejwdEw06/UrK/AY8hPC7x+xz4n10WVK8tHcs6JN2SmXJjW3dKsT/A9eT94PfwAyJ6dX519GJ7/6/zksoQrLLb0lTPB0kZl9DSHTU6tlxAM8uGChBDiwqrDvkWLz6CKqbsIwLaaxYEKY8+YE7nkvTASeHnP8pkP6bloAq5opta/rJtyhim2xYldwVDYcWPWOFlL8Ctt02b45ZZLLVbJ8li5SlZyvpAl3q1OoRMApN2C1RkbtlVWgAIlEMrvt1r6bRd+xZTv5UQlgfh49D2zoeduu5mZW33esAfYOv4PvqtNeRDJG4HjyJ6QtQcB685/O51i/v9Bu13n/+8FHmT835dO2OIEYMTs45TmXkqa289RwAM5002iT+Ch/eLFYXbwtlHrgYe7Yw3FiQuS/0jQSwAO2T9eoJbZPjCa4IkdYV+dGFDo7y10HdOA+ZqG8aMaPvKUgTsHWhgCZjLNJnbkB84tnvOBCFnUB9VbwtbyPxhja8sPAayR/51et5j/3Wl26/zvvcCDkP+P0eXZ8dmTme+JstnTPjonLliLwPUeITaxxZdAXKoC14iBvImvyqZXZCmXDsC8rEskveIonLKA/qmu0N485yqjPJ9Lfs4csirPtHiG2V8lLh+E3ggiR3g6hshifR2wyI9vrYjzdS3nj4rSRWaHeAkSexy/EOpWni9Qrh5uhZYpd7t0pcpjxbdIdhxo2alyeRwXe+B/2Glpfjz9mV7uXNfL3aS2wtdfmUXVws8G7HQYbYaAupqUPEU+UDTZbKbpoaUanqu0XIXKrEwalStoMRbY1MsyW3kgSamF3mAsLL3D9Su63RhJuTTu1LuNQsSVJ1Zp8DaPfLzKya7cTQ69hALqTf7PxBFMLI4AJru5Yl20NHk+I57vsgo8GouvNkmBqHq+yB2wfU1H4lur+aWwtf2XhLa2MAHX2H/tVrOY/9fpHdT3f/YCK+2/zre+/xMz6F3TusX1lo09/lIOViZnZGk623UAzIIdRw5lqAwpAwgLNAE34kQSQ52eoZ9++6SLR32zw7ef9eQ0TO/rl0cj/ct/ftoYr3TKRhIniBHIBAoAj0IaQ+4gBkZVnepfthnZZ7YhtU468uJwFVaEijy+nK3zIFRUEmlR2Qux5jkZleIs3wzBzBmsUXF8unGWXzx8+aBVEe0Wx7nfWoLVcBfYVf9jZTNtZAasu/9/cFj8/kev1evW+n8f8CDiP+v0f2Kg/5Vi/uASMXn2nV+DS3ZD0iy8e9j/rfl/5uNtvwO79v5/6fsf7cN2q+b/fcCD4f9CNoMgM3Wt2i7c+tQFZ4iEVGF+piEUPZYYUC2k8HLE7EFcr/L7IF9BcCS2Y8VMEis5m12aL1PSJpNOB4U0SVPJ5NntnAXsUm+g/JBFRodLXBaoTNgk7xzpy/E2F32YqqmKu6uW+ooZV7Qsfp0tsTzTFLGqC2GivHQpbLfMFHGmKCN22fVXJSoZJdNSTChb2VzU+94vx24o/1W6/I4fAF8X/2n3ivK/1a2//7sfeBDyP8OZ/arP9mrZuzV91NE0lfMvvOFMQv/J9SkLR+LDaVIqhHgi8vrAaAmluE0+FdlHJAqYTwxbXPcJTP9mYtpktkjqjz/v31C3idLyRvYspgJJrSoDD+SIEDWP4/v4fflcSDuMy/I4XjNmjnFQOXq+lZznrGW2zY5WuKyaGIpa7mBESGxYlFi5WH7UR72mq2U1Qqv9/D3VQO6JOrEeTjMrqzRXWb0kXR10oad1wlYXylrXtEyYQX7EYNkdgMU9lPSqQ6pBs/cQBBlr4k5selNhTTV1spPc6S3n5gP1iZqlz/eg3/4j2zyGrf0cP8E2C3g5fH1yika/vHx3coTeDn+VhWmVVrvTzdcfnh4vqb1l13hs2Zt0Xfhw0Cv4ma6ZCgQ9bz4Xs84EfmSZUMhLP/yTbFDpUz6lD/ksrhSt+AzPvXk8NdRQQw011FBDDTXUUEMNNdTw14P/AZrn0hkAeAAA
+  chart: H4sIAAAAAAAAA+0caXPbNraf+SuwTDtNMiV1y1nNZGcVW008SWyN7Wa309nJQCQsoSYJliDlqEn2t+8DQFK8dNpRnC3fZBwKxPEAvBsPnOLAJh4JDPIhJB6nzDP4jLHQcPANcw1Ogjm1SOO7u0AT4KjXk/8DFP+Xz61Ot9Xutft9Ud46and736HenUbdEiIe4gCh7wKY9Lp6m95/ozDdbv/NGXFcOvVYQHYfQ2xwv9tduf+w7fn9b7e6zfZ3qHn/0y3DX3z/H6ExDkMSeByFDKkdRrcz4qFJRB2belPkY+sGTwk3tUfoakY54pHvsyCEB6AKB00dNkEuDq0Z1P4JBcTBIZ0TaBfOMuXYs6EDj0zhLfPQYz8g1/QDsdEthXp/e2Kic89ZIObJlgIl5JMAOdQjpmaeXL6/DAE36OKYuS508O74Etk04Jo5pWFD/lXoa+bkz6Ah/yYFs2lD/El+8rnXWHY0gflFPrqmDuHaU5Pf+vB3gm/gb+jC83+h6jscUBZxdHoyggH9gP1OrFAzqU1wQ9WDIs2cc4vZpKF97V3dHrbk/+MZDkJzgV1njzE28X+71y3yf+uoU/P/IQD79B0JxL4P0LylYd9Pf+ots6lrNuFWQP1QFg3RK9ADyBLUgK5ZgMIZQS9jEkJvBMmgS0UyaJQQlKx4KYgKRIiHXTJA21GdNk9QaZqAyzfEVd8ObMn/NrPMKdtzjE38f1S0/9rNTqdf8/8hoNFAl+OTfxs/g/Y7Zv4CVOYsvAJiGKB2s91Gl8Mxuhwh4GDsyR/4GhQlxSFBFnN97C2EYl/KAIt5YUAnEehqrjUaWtL/G6AijxPjFKqF9JqSAKQJWBYzYrSBtaHelA2mogvRNZ8hw0L6BMPD9x9fDi9ORmeji/evhsev35+cXnxuJDUNOR5zHKDggEwpDwNpXpjQsIKOkYm+f2zhEJlmA/69G11cnp6fPYl/kg/Y9R3SWNWnUH9LsTao6F8XEwGLShpMsZgkHp6AZYFy81MWlJSMcaGwtIQ0tVgQgG2BlkigHBKan+39zjJxS/4PCawMYM738QR39v/arXa3U/t/h4Cd9/892Pxgl3Mz9Le1BTf7f53C/nd6/V4t/w8BHz8aCNngiYHbpVMXBIuOjM+fNYTEG3qNZpiPpaeGdD7D7V5/oCPzHXYicAhlfTPEU5S28APqhddI/4H/8wderBkQn3EKqmGxrgvicFLV4WDvDkFBwY/Mo3xOZu0QbBPwWkHqAvlTWy3AWn4wVBsjaZT2LVp+7S3dCXbmf8sBjiEBGAHwlxsOm05Bda11DTfaf91egf/7/U7t/x0EHn1B8++R9mg7488wDC3riF4DJ3vhhIamejIpa8xb2PFBAGk31LMH6FiR4c+SDDWXhNjGIR4Axzt4AhJEPKFMRwmdN8KFDw6ozgmxdaij/NENzC5+adwnlug1pnzxCNIJB1BLDYbQDVmcyf6AK+KiuMI2IxiqbtwwIOIlORGzQmEQESiXwbQBuokmJPAIcKP5dG2/T+Wvp+sk0r78r3C9H/7vtY7K/H9U8/8h4Bvn/7FimSz/b83RS37bRWQkYuB3DpjKFiF1yWuyAC7l35buF7A7/zPvmk5d7GdaqLKVMmAD/7d6R0X+P+r0WzX/HwIeJP/PWwmXS8J6i/1dOdxUJBlX5jAWtPj4EZkXYLJjTsyzpFi4A0nHGToeoE+SubNoyRHMdFweD5IKCtNyWGQnkqol22fnEakQjiy3wG+ZeuNo4lALhAcIH8AuZL+KEFPiyixDQOI5Xx99QtAzLCfqK0cHISGfXogoexhgPzFJ2C0gdrbFGojKESfiDO5UuFDjyHEuiRWQkKtWFUitqJ90hx2H3f4C1YWotmWt1X1VVU46sskkmqo1TOalomrjgAly9KYru800NQttYAnBBcSRE6JrnPqcy86hVSjolXn7DFPRumLAr83+d5H/0tOegwPMAoPNSXAb0JBUKYFN8r/Zb+flf6fZbTdr+X8IeDDyPw435cI47yRxnSe0JRh0ZzVRQeAZHo7pW0hC6L2apLdUInkzEvu+mfHTwIDdHZ0VHVEPSNarwiWry+RU+Ps8YwqtVtYzlWud6pduIXb2tSm2hvuEneW/TXyHLVzhlW2bDrJe/rfa7W5B/re7nVYt/w8CD0b+ZwU7yDzeSKX7SUpxdxTvWwryoiaSSWMXhLMosBKbFHseC6U1H8v7IHlf9AZU8wHSRQxPzwrSL6QwRKamyWcNeT58AIUjxwSyMfAcU5gRkEe4SEICK5dFxVSWJnQaVwnInAosX1EuznXeUJfCLHryjQ/OD867EHHhMYtAVUlsuDyUYXFQVoZM32TW+R5Xep+1SgRpjF2GnmV/RbKSIeSAQb0ZiTK4ljr/hP6IWJhBrdhO5BusdF+gXkAtPhY5CRt74hb4l0uKTioBN1s3PHLXRIjk+NSznMgmIgGUwp59b17FS2K+gNmMRdKovinKpD9BJiCqDiRhzCWyW5qRWyFdaQ3uM4fVntL6iaSCQoCTI+J7JeP9mF4AVL9lwY04ASgyODMC4EnqEgNEuzzLAKkvvXxib9feBi7YrYUv4yNGXGfX1hOHWTfENixqB4W2iXTKkNg0RI/F5ldJoieolRESoDI9kIkZjmb2EJZmWHohhNwfEQ2IfRIBZU0vgT7tSMQOTqUaiYtHH4gVyYzMTEtDUchlTvwtQQrC0QcfJDLPy5ek+Y2IYVdTVaEuQswXOUswCjr1Si/nckGKA4gh9qLNDfglhHpfOK4jdwEh85nDpgsZ8tfzuMwYD8V66auYGOQFA+ZfHDuY87M8v/IFB+1g/L3ZjCvH6zG0LEFTZ/tyNwdikWOKiBRYdulsgD+H/Ix5F2DapmeMCiTtjwM6B7twSkbcwg5WKcAycpXWg76FHahCXCS7nErBXygRcKLCXvFroXkw9eJDVLXqd5BdUrrmxHKSyGKWqoko5ZgBny5yulAljfjpy5yKYK4LNu5ybgZqbJm/vGxhxNrreYOEViPvW2X0Wq6FQ6+JtbAcYrj4g2gP2xiAFWwERPwQ1xWer9DnaVNz2exy4Vk8OzExxoxgJ5xJLbj7KJnGm8ZRVrChWFIs19LSWdW7anKetBimDYp9F3JxDGo/z9JCOb3HrFiFIJwQHBqpf/B8baC83BBmTm4N0AewqdiBvYWp2OtWTrUzZbvTuNmlalW9ScYEvCED27aQ4M8Ha/dEGnKFXmIbb7tusgZh1hAU136ynJCy8nhb8zInTRXXx68z5WBwhsxizgBdHY/TcofOYbU4B2kzycmaWRj6L0mYl+bi+tEANdSC/Jl/tQ7Z6hUUwIHUBb6vrq7GmRdCh1PsnBAHL+IdHKBWcylmgQDpzniLVouDo91LKxBvnt1otVNvRsOT0cX70ZvR8dXp+dn7s+Hb0eV4eDzK9Cs168/gMeSnBV6/Y1+Q66LKleVjOefEGzJTLkzr7mjWJ/ievh2+HL0DZM8v3p+/G1386+L0qoQrLLb0lTPB0kZl9DSHTU6tlxAM8uGChBDiwqrDvmWLT6CKqbsMwLaaxYEKY8+ZE7nkrTASeHnP8pkP6bloAq5opta/rJtyhim2xWFfwVDYc2M2OFkr8Ctt03b45ZZLLVbJ8li7SlZyvpAl3p1OoRMApN2C1RkbtlVWgAIlEMrvd1r6XRd+zZTv5UQlgfhA9C2zoeduu5mZW33ecADYOf4PvqtNeRDJG4GTyJ6SjQcBm85/O51i/n+/3a7z/w8CDzL+70snbHkCMGb2SUpzLyTNHeYo4IGc6SbRJ/DQfvHiMDt426j1wMPdsYbixAXJfyzoJQCH7B/PUcts940meGLH2FcnBhT6ew1dxzRgvqRh/KiGjzxl4C6AFkaAmUysiR35oXOLF3woQhb1QfWOsLP8DybY2vFDABvkf6fXLeZ/dprdOv/7IPAg5P8jdHV+cv547nuibP5kgC6IC9YicL1HiE1s8SUQl6rANWIgb+KrsukVWcqlA7Ao6xJJrzgKZyygf6ortDfPuMooz+eSXzCHrMszLZ5hDtaJywehN4LIEZ6OIbJYXwYs8uNbK+J8Xcv5o6J0mdkhXoLEnsQvhLqV5wuUq4dboWXK3a5cqfJY8S2SPQdadapcHsfFHvgfdlqaH09/qpc71/VyN6mt8OVXZlm18LMBOx1G2yGgriYlT5EPFE22m2l6aKmG5yqjV6EyL5NG5QpajAU29bLMVh5IUmqhNxgLS+9w84ruNkZSLo079W6rEHHliVUavM0jH69ysit3k0MvoIB60/8zcQQTiyOAyW6uWRctTZ7PiOe7rAKPJuKrTVIgqp4vcwdsX9KR+NpqfiXsbP8loa0dTMAN9l+71Szm/3V6/fr7bweBtfZf52vf/4kZ9K5p3eJmzNYefykHK5MzsjKd7ToAZsGOI4cyVIaUAYQFmoAbcSKJoU7P0I+/fdTFo77d4dtPenIapg/0q+Ox/vk/P26NVzplI4kTxAhkAgWARyGNIXcQA6OqTvXPu4zsM9uQWicdeXm4CitCRR5fztZ5ECoqibSo7IVY85yOS3GWr4Zg5gzWqDg+3TrLLx6+fNCqiHaH49yvLcFquAvsq/+xspm2MgM23f/vHxW//9Fr9bq1/j8EPIj4zyb9nxjof6WYP7hETJ5959fgit2QNAvvHvZ/Z/6f+3jX78BuvP9f+v5H+6hd3/8/CDwY/i9kMwgyUxep7cKtT11whkhIFeZnGkLRY4kB1UIKL8fMHsb1Kr8P8gUER2I7VswksZKz2aX5MiVtMul0UEiTNJVMnt3eWcAu9YbKD1lmdLjEZYHKhE3yzpG+Gm9z2Yepmqq4u2qpr5lxRcvi19kSyzNNEau6ECbKS5fC9stMEWeKMmKXXX9VopJRMi3FhLKVzWW9b/1y7JbyX6XL7/kB8E3xn3a/KP9b3fr7T4eBByH/M5w5qPpsr5a9WzNAHU1TOf/CG84k9J9en7FwLD6cJqVCiKcirw+MllCK2+RTkQNEooD5xLDFdZ/A9G+mpk3my6T++PP+DXWbKC1vZM9iKpDUqjLwQI4IUfMovo8/kM+FtMO4LI/jNWPmBAeVo+dbyXnOW2bb7GiFy6qJoajlDkaExIZFiZWL5UcD1Gu6WlYjtNrP3lIN5J6oE+vhNLOySnOV1UvSVb8LPW0StrpQ1rqmZcIM8iMGq+4ALO+hpFcdUg2avYcgyFgTd2LTmwobqqmTneRObzk3H6hP1Cx9vgf99h/Z5hFs7af4CbZZwIvRy9MzNP7lxZvTY/R69KssTKu02p1uvv7o7GRF7R27xhPL3qbrZer4AD1rPhPzy4R4ZJlQvSu/DpRsRfX3fpK3pY/4lD7hs7xatOYDPPfm+dRQQw011FBDDTXUUEMNNdRQw18H/gdOTLYjAHgAAA==
   values:
     image:
       tag: v0.12.0-dev

hack/api-reference/config.md

@@ -67,18 +67,6 @@ github.com/gardener/gardener/extensions/pkg/apis/config/v1alpha1.HealthCheckConf
 </tr>
 <tr>
 <td>
-<code>failurePolicy</code></br>
-<em>
-string
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>FailurePolicy is the failure policy used to configure the failurePolicy of the lakom admission webhooks.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>debugConfig</code></br>
 <em>
 <a href="#lakom.extensions.config.gardener.cloud/v1alpha1.DebugConfig">
@@ -116,6 +104,18 @@ bool
 Otherwise, also the node identity and docker config file are used.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>allowUntrustedImages</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>AllowUntrustedImages sets lakom webhook to allow images without trusted signature.
+Instead to deny the request, the webhook will allow it with a warning.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="lakom.extensions.config.gardener.cloud/v1alpha1.DebugConfig">DebugConfig