📖 Add documentation on how to gate upgrades with kyverno #1135

Merged
merged 2 commits into master from docs/kyverno
Mar 15, 2023

Conversation

@mudler mudler commented Mar 14, 2023

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #564

netlify bot commented Mar 14, 2023

Deploy Preview for kairos-io ready!

Latest commit: 70f7fbd
Latest deploy log: https://app.netlify.com/sites/kairos-io/deploys/6411882f70b4e30008966c35
Deploy Preview: https://deploy-preview-1135--kairos-io.netlify.app
@mudler mudler requested a review from a team March 14, 2023 17:27
mudler commented Mar 14, 2023

cc @jimmykarily, might be helpful as a baseline for the #1114 story

- [kairos](https://github.com/kairos-io/kairos) is the main repository, building the `kairos-agent` and containing the image definitions which runs on our CI pipelines.
- [immucore](https://github.com/kairos-io/immucore) is the immutability management interface.
- [AuroraBoot](https://github.com/kairos-io/AuroraBoot) is the Kairos Node bootstrapper
- [elemental-cli](https://github.com/kairos-io/elemental-cli) manages the installation, reset, and upgrade of the Kairos node.
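Review bot: grammar in the kairos entry: "the image definitions which runs on our CI pipelines" should read "which run on our CI pipelines", and the AuroraBoot entry is the only one of the four without a trailing period; worth aligning the list before merge.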
Review comment (Member):

We need to rename this asap :D

mudler (Member Author) replied:

yep indeed... we have #711 in the sprint :), I would have waited for #711, but this list in the docs has not matched the truth for a long time already, so I thought to update it

- entries:
# See: https://kyverno.io/docs/writing-policies/verify-images/#keyless-signing-and-verification
- keyless:
subject: "https://github.com/kairos-io/provider-kairos/.github/workflows/release.yaml@refs/tags/*"
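Review bot: the `refs/tags/*` suffix in `subject` accepts a certificate from any tag-triggered run of release.yaml, so this entry pins the repository and workflow but not a particular release; since the text presents it as a baseline, a sentence telling readers to narrow the glob (or add further attestor entries) for production use would help. Also, the nesting of `- entries:` / `- keyless:` / `subject:` is flattened in this view; please confirm the indentation in the docs source renders as valid YAML.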
Review comment (Member):

this is kind of icky.

Hear me out, this is really good until cosign or the CI breaks and we need to sign the already published artifacts in a different way, maybe by a different workflow like we used to do in that other project. Then this doesn't match anymore, so you either drop a release completely as it won't be signed, resign it and break this gating for users, or run a new release and leave the unsigned release there.

does this subject allow for regex? or for value.in so we can provide a list?

mudler (Member Author) replied Mar 15, 2023:

that's a valid and good point; the subject is a regex already indeed: https://github.com/kairos-io/provider-kairos/.github/workflows/release.yaml@refs/tags/* I think it's fine as a baseline example and nothing more. For instance, a policy can also be applied per release prior to applying a plan, and so on and so forth; it's up to you which kind of policy you want to set. This one is very greedy and assumes everything from the provider-kairos repository is from that CI pipeline.
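A Kyverno ClusterPolicy illustrating the list question raised in this thread, added here as an example and not part of the PR's documentation: an attestor set with `count: 1` is a logical OR, so an image signed by either of the listed workflow identities passes the gate. The image reference, the second `resign.yaml` workflow path and the policy name are placeholder assumptions; the `release.yaml` subject is the one from the PR and the issuer URL is GitHub Actions' real OIDC issuer.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-kairos-upgrade-images   # placeholder name
spec:
  # Enforce rejects Pods whose image fails verification instead of only auditing them.
  validationFailureAction: Enforce
  # Image verification happens at admission; no background scan of existing Pods.
  background: false
  rules:
    - name: require-signed-release-image
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Placeholder: the registry path the upgrade Pods pull their image from.
        - imageReferences:
            - "REGISTRY.example/ORG/*"
          attestors:
            # count: 1 -> any single entry satisfies the check (logical OR).
            # Omitting count would require every entry to verify (logical AND).
            - count: 1
              entries:
                # Subject is the SAN cosign embeds in a keyless GitHub Actions
                # signature: workflow file @ git ref; the trailing * is a glob.
                - keyless:
                    subject: "https://github.com/kairos-io/provider-kairos/.github/workflows/release.yaml@refs/tags/*"
                    issuer: "https://token.actions.githubusercontent.com"
                # Hypothetical second workflow for re-signing already published
                # artifacts, so moving the signing step does not break the gate.
                - keyless:
                    subject: "https://github.com/kairos-io/provider-kairos/.github/workflows/resign.yaml@refs/tags/*"
                    issuer: "https://token.actions.githubusercontent.com"
```

Pinning `issuer` alongside `subject` ties the accepted certificates to one identity provider rather than to the SAN pattern alone.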

@mudler mudler merged commit b8b3bfb into master Mar 15, 2023
@mudler mudler deleted the docs/kyverno branch March 15, 2023 12:31
Successfully merging this pull request may close these issues.

📖 Use kyverno to gate upgrades in Kubernetes
2 participants