artifacthub-pkg.yml
# Kubewarden Artifacthub Package config
#
# Use this config to submit the policy to https://artifacthub.io.
#
# This config can be saved to its default location with:
#   kwctl scaffold artifacthub > artifacthub-pkg.yml
version: 0.2.0
name: trusted-repos
displayName: Trusted Repos
createdAt: 2024-09-30T07:10:07.419432459Z
description: Kubewarden policy that restricts what registries, tags and images pods on your cluster can refer to
license: Apache-2.0
homeURL: https://github.com/kubewarden/trusted-repos-policy
containersImages:
- name: policy
  image: ghcr.io/kubewarden/policies/trusted-repos:v0.2.0
keywords:
- image
- registry
- tag
links:
- name: policy
  url: https://github.com/kubewarden/trusted-repos-policy/releases/download/v0.2.0/policy.wasm
- name: source
  url: https://github.com/kubewarden/trusted-repos-policy
install: |
  The policy can be obtained using [`kwctl`](https://github.com/kubewarden/kwctl):
  ```console
  kwctl pull ghcr.io/kubewarden/policies/trusted-repos:v0.2.0
  ```
  Then, generate the policy manifest and tune it to your liking. For example:
  ```console
  kwctl scaffold manifest -t ClusterAdmissionPolicy registry://ghcr.io/kubewarden/policies/trusted-repos:v0.2.0
  ```
maintainers:
- name: Kubewarden developers
  email: [email protected]
provider:
  name: kubewarden
recommendations:
- url: https://artifacthub.io/packages/helm/kubewarden/kubewarden-controller
annotations:
  kubewarden/mutation: 'false'
  kubewarden/questions-ui: |
    questions:
    - default: null
      description: >-
        This policy allows you to restrict what repositories, tags, and images pods
        in your cluster can refer to. The configuration allows you to mix and match
        several filters: registries, tags, and images. When both an allow list and a
        reject list are supported, only one can be provided at the same time for that
        specific filter.
      group: Settings
      label: Description
      required: false
      hide_input: true
      type: string
      variable: description
    - default: {}
      description: Allow or reject images coming from a specified registry.
      group: Settings
      label: Registries
      hide_input: true
      type: map[
      variable: registries
      subquestions:
      - default: []
        group: Settings
        label: Allow
        type: array[
        variable: registries.allow
      - default: []
        group: Settings
        label: Reject
        type: array[
        variable: registries.reject
    - default: {}
      description: Reject a specified tag for all images
      group: Settings
      label: Tags
      hide_input: true
      type: map[
      variable: tags
      subquestions:
      - default: []
        group: Settings
        label: Reject
        type: array[
        variable: tags.reject
    - default: {}
      description: Accept or reject a specified image
      group: Settings
      label: Images
      hide_input: true
      type: map[
      variable: images
      subquestions:
      - default: []
        group: Settings
        label: Allow
        type: array[
        variable: images.allow
      - default: []
        group: Settings
        label: Reject
        type: array[
        variable: images.reject
  kubewarden/resources: Pod
  kubewarden/rules: |
    - apiGroups:
      - ''
      apiVersions:
      - v1
      resources:
      - pods
      operations:
      - CREATE
      - UPDATE
    - apiGroups:
      - ''
      apiVersions:
      - v1
      resources:
      - replicationcontrollers
      operations:
      - CREATE
      - UPDATE
    - apiGroups:
      - apps
      apiVersions:
      - v1
      resources:
      - deployments
      - replicasets
      - statefulsets
      - daemonsets
      operations:
      - CREATE
      - UPDATE
    - apiGroups:
      - batch
      apiVersions:
      - v1
      resources:
      - jobs
      - cronjobs
      operations:
      - CREATE
      - UPDATE