diff --git a/components/repository-validator/base/kustomization.yaml b/components/repository-validator/base/kustomization.yaml
new file mode 100644
index 00000000000..7d26af5cada
--- /dev/null
+++ b/components/repository-validator/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - validating-admission-policy.yaml
+  - validating-admission-policy-binding.yaml
diff --git a/components/repository-validator/base/validating-admission-policy-binding.yaml b/components/repository-validator/base/validating-admission-policy-binding.yaml
new file mode 100644
index 00000000000..5cc23d9584c
--- /dev/null
+++ b/components/repository-validator/base/validating-admission-policy-binding.yaml
@@ -0,0 +1,24 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: repository-url-validator-binding
+spec:
+  policyName: repository-url-validator
+  validationActions: [Deny, Audit]
+  paramRef:
+    namespace: repository-validator
+    parameterNotFoundAction: Deny
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: repository-validator
+  # Apply to all namespaces except system namespaces
+  matchResources:
+    namespaceSelector:
+      matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+            - kube-system
+            - kube-public
+            - kube-node-lease
+            - repository-validator
diff --git a/components/repository-validator/base/validating-admission-policy.yaml b/components/repository-validator/base/validating-admission-policy.yaml
new file mode 100644
index 00000000000..67c401d8afd
--- /dev/null
+++ b/components/repository-validator/base/validating-admission-policy.yaml
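Review bot: `parameterNotFoundAction: Deny` combined with a label `selector` (no `name`) means that if no ConfigMap labelled `app.kubernetes.io/name: repository-validator` exists in namespace `repository-validator`, every Repository CREATE/UPDATE in the matched namespaces is rejected; fail-closed is the right default for an allowlist, but nothing in this commit creates that namespace or ConfigMap, so the binding should carry a comment naming where the param is expected to come from. With a selector, as far as I recall the API, each matching ConfigMap is evaluated as its own param set and all must pass, so a stray second labelled ConfigMap would silently tighten the policy — worth stating next to `selector:`. The exclusion list at the end of the hunk also exempts Repositories created in `repository-validator` itself from URL validation; if that is deliberate, say so, e.g. `# Repositories in repository-validator itself are intentionally not validated`.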
@@ -0,0 +1,41 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: repository-url-validator
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: v1
+    kind: ConfigMap
+  matchConstraints:
+    resourceRules:
+      - apiGroups: ["pipelinesascode.tekton.dev"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["repositories"]
+  variables:
+    # Parse the JSON config from the ConfigMap
+    - name: allowedPrefixes
+      expression: |
+        has(params.data) && has(params.data['config.json']) ?
+        json.decode(params.data['config.json']) : []
+    # Check if any prefix is empty (allow-all case)
+    - name: allowAll
+      expression: |
+        size(variables.allowedPrefixes) == 1 &&
+        variables.allowedPrefixes[0] == ""
+  validations:
+    - expression: |
+        variables.allowAll ||
+        variables.allowedPrefixes.exists(prefix,
+          prefix != "" && object.spec.url.startsWith(prefix)
+        )
+      messageExpression: |
+        'Repository URL "' + object.spec.url +
+        '" is not allowed on this cluster. Contact support.'
+      reason: Forbidden
+  auditAnnotations:
+    - key: "repository-url-validation"
+      valueExpression: |
+        'Repository URL: ' + object.spec.url +
+        ', Allowed prefixes: ' + string(variables.allowedPrefixes)
diff --git a/components/repository-validator/staging/kustomization.yaml b/components/repository-validator/staging/kustomization.yaml
index 629cf8b8f44..afcf3d105e9 100644
--- a/components/repository-validator/staging/kustomization.yaml
+++ b/components/repository-validator/staging/kustomization.yaml
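Review bot: `has(params.data['config.json'])` in the `allowedPrefixes` variable is not valid CEL — the `has()` macro accepts only a field selection such as `has(params.data)`, not an index expression — so the policy is likely to fail type-checking, and with `failurePolicy: Fail` a policy that does not compile rejects every matched request rather than falling back to the empty list; write the membership test as `has(params.data) && 'config.json' in params.data ? json.decode(params.data['config.json']) : []`. I also could not place `json.decode` among the CEL libraries Kubernetes documents for admission policies, so confirm both expressions compile on the target cluster version (the policy's `status.typeChecking` will show any error) before this ships. `string(variables.allowedPrefixes)` in the audit annotation is doubtful for the same reason, since CEL's `string()` conversion is not defined for lists; a join over the list is safer if the strings extension is available. Finally, a plain `startsWith(prefix)` accepts any URL that merely shares the prefix's characters, so the configured prefixes must end at a path boundary (trailing `/`) or the expression should enforce one — a comment stating that requirement belongs next to the validation, e.g. `# prefixes must end with '/' so that a sibling name sharing the prefix does not match`.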
@@ -1,10 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - https://github.com/konflux-ci/repository-validator/config/ocp?ref=1a1bd5856c7caf40ebf3d9a24fce209ba8a74bd9
-  - https://github.com/redhat-appstudio/internal-infra-deployments/components/repository-validator/staging?ref=da151a856b711f28e49a42658d6c17fec5d228dd
-images:
-  - name: controller
-    newName: quay.io/redhat-user-workloads/konflux-infra-tenant/repository-validator/repository-validator
-    newTag: 1a1bd5856c7caf40ebf3d9a24fce209ba8a74bd9
-namespace: repository-validator
+  - https://github.com/redhat-appstudio/internal-infra-deployments/components/repository-validator/staging?ref=ae250b8d6062d019ee9e539c655eab91745b4fb0
+  - ../base
+
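Review bot: Dropping `namespace: repository-validator` is harmless for the cluster-scoped resources in `../base`, but the base binding resolves its param ConfigMap by label inside that namespace, and after this change nothing under `staging` creates either the namespace or the ConfigMap; confirm the remote overlay pinned at `ae250b8d6062d019ee9e539c655eab91745b4fb0` provides both, otherwise the fail-closed binding denies every Repository in staging. Pinning that remote by full commit SHA rather than a branch is the right call and should stay that way. The trailing `+` at the end of the hunk adds an empty line at EOF, which yamllint flags as a superfluous blank line; drop it so the file ends with exactly one newline.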