Update to v0.2.0 of the controller with new config to support it.

Default values.yaml is not intended to work out of the box since endpoint config is necessary. Signed-off-by: Zach Hill <[email protected]>
anchore · Jan 31, 2019 · e80cfa3 · e80cfa3
1 parent df426fd
commit e80cfa3
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 48 deletions.
diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml
@@ -1,8 +1,8 @@
 name: anchore-admission-controller
 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations
 apiVersion: v1
-appVersion: 0.1.0
-version: 0.1.0
+appVersion: 0.2.0
+version: 0.2.0
 maintainers:
   - name: zhill
     email: [email protected]

diff --git a/stable/anchore-admission-controller/templates/anchore-admission-controller.yaml b/stable/anchore-admission-controller/templates/anchore-admission-controller.yaml
@@ -15,15 +15,10 @@ items:
     config.json: |-
       {
         "validator": {
-          "requireimaganalyzed": {{ .Values.enableAnalysisGating }},
-          "requirepasspolicy": {{ .Values.enableStrictGating }},
           "requestanalysis": {{ .Values.requestAnalysis }}
         },
-
-        "client": {
-          "endpoint": "{{ .Values.anchore.endpoint }}",
-          "policybundle": "{{ .Values.anchore.policybundle }}"
-        }
+        "AnchoreEndpoint": "{{ .Values.anchoreEndpoint }}",
+        "PolicySelectors": {{ toJson .Values.policySelectors }}
       }
 
 - apiVersion: v1
@@ -72,10 +67,13 @@ items:
         - name: controller-config
           configMap:
             name: {{.Release.Name}}-controller-config
+        - name: anchore-auth
+          secret:
+            secretName: {{ .Values.credentialsSecret }}
         containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: "{{ .Values.image }}"
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
           command:
           - "/anchore-kubernetes-admission-controller"
           - "--audit-log-path=-"
@@ -95,28 +93,13 @@ items:
             readOnly: true
           - mountPath: /config
             name: controller-config
+          - mountPath: /credentials
+            name: anchore-auth
           env:
           - name: CONFIG_FILE_PATH
             value: /config/config.json
-          - name: ANCHORE_USERNAME
-            {{ if .Values.anchore.credentialsSecret }}
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Values.anchore.credentialsSecret }}
-                key: username
-            {{ else }}
-            value: {{ .Values.anchore.username }}
-            {{ end }}
-          - name: ANCHORE_PASSWORD
-            {{ if .Values.anchore.credentialsSecret }}
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Values.anchore.credentialsSecret }}
-                key: password
-            {{ else }}
-            value: {{ .Values.anchore.password }}
-            {{ end }}
-
+          - name: CREDENTIALS_FILE_PATH
+            value: /credentials/credentials.json
           resources:
 {{ toYaml .Values.resources | indent 12 }}
   {{- if .Values.nodeSelector }}

diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml
@@ -5,10 +5,8 @@
 replicaCount: 1
 logVerbosity: 6
 
-image:
-  repository: anchore/kubernetes-admission-controller
-  tag: latest
-  pullPolicy: Always
+image: "anchore/kubernetes-admission-controller:v0.2.0"
+imagePullPolicy: IfNotPresent
 
 service:
   name: anchoreadmissioncontroller
@@ -20,20 +18,19 @@ apiService:
   group: admission.anchore.io
   version: v1beta1
 
-# Use this value to pass the endpoint to use if you already have Anchore Engine/Enterprise deployed
-anchore:
-  # The name of the secret to use for conferring Anchore credentials to the webhook handler
-  credentialsSecret: null
-  endpoint: null
-  username: ""
-  password: ""
-  policybundle: ""
-
-# Only admit images that pass policy
-enableStrictGating: false
-
-# Only admit images that have been analyzed
-enableAnalysisGating: false
+credentialsSecret: null
+anchoreEndpoint: ""
+policySelectors:
+  - Selector:
+      ResourceType: "image"
+      SelectorKeyRegex: ".*"
+      SelectorValueRegex: ".*"
+    PolicyReference:
+      Username: "admin"
+      # This is the default bundle id in anchore engine
+      PolicyBundleId: "2c53a13c-1765-11e8-82ef-23527761d060"
+    # Mode is one of: "policy", "analysis", or "breakglass". policy=>require policy pass, analysis=>require image analyzed, breakglass=>do nothing
+    Mode: breakglass
 
 # Request analysis of images if not already analyzed. This is the default if the above two are false, but is ignored if
 # strict gating or analysis gating are true