From a8480d7d2a48f5922e456c6791556adeaedd0de5 Mon Sep 17 00:00:00 2001
From: Max Shaposhnyk
Date: Fri, 3 Oct 2025 09:24:06 +0300
Subject: [PATCH 1/3] Aplly Validating Admission Policy on repository validation on stg
Signed-off-by: Max Shaposhnyk
---
 .../base/kustomization.yaml | 7 ++++
 .../validating-admission-policy-binding.yaml | 24 +++++++++++
 .../base/validating-admission-policy.yaml | 41 +++++++++++++++++++
 .../staging/kustomization.yaml | 9 ++--
 4 files changed, 75 insertions(+), 6 deletions(-)
 create mode 100644 components/repository-validator/base/kustomization.yaml
 create mode 100644 components/repository-validator/base/validating-admission-policy-binding.yaml
 create mode 100644 components/repository-validator/base/validating-admission-policy.yaml
diff --git a/components/repository-validator/base/kustomization.yaml b/components/repository-validator/base/kustomization.yaml
new file mode 100644
index 00000000000..27ceb21839d
--- /dev/null
+++ b/components/repository-validator/base/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - validating-admission-policy.yaml
+ - validating-admission-policy-binding.yaml
+
+namespace: repository-validator
diff --git a/components/repository-validator/base/validating-admission-policy-binding.yaml b/components/repository-validator/base/validating-admission-policy-binding.yaml
new file mode 100644
index 00000000000..5cc23d9584c
--- /dev/null
+++ b/components/repository-validator/base/validating-admission-policy-binding.yaml
@@ -0,0 +1,24 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: repository-url-validator-binding
+spec:
+ policyName: repository-url-validator
+ validationActions: [Deny, Audit]
+ paramRef:
+ namespace: repository-validator
+ parameterNotFoundAction: Deny
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: repository-validator
+ # Apply to all namespaces except system namespaces
+ matchResources:
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ - repository-validator
diff --git a/components/repository-validator/base/validating-admission-policy.yaml b/components/repository-validator/base/validating-admission-policy.yaml
new file mode 100644
index 00000000000..67c401d8afd
--- /dev/null
+++ b/components/repository-validator/base/validating-admission-policy.yaml
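Review bot: With `paramRef.selector` matching by label and no `paramRef.name`, the allow-list is whatever ConfigMaps in `repository-validator` carry `app.kubernetes.io/name: repository-validator`, so write access to ConfigMaps in that namespace is effectively write access to a cluster-wide admission policy and should be restricted by RBAC accordingly; as I read the ValidatingAdmissionPolicy semantics, several matching ConfigMaps are each evaluated and any deny wins, which is surprising when one of them is a leftover. Naming the single intended ConfigMap explicitly, `paramRef: {name: <configmap>, namespace: repository-validator, parameterNotFoundAction: Deny}`, removes that ambiguity while keeping the fail-closed behaviour. The `namespaceSelector` also exempts `repository-validator` itself, so a Repository created there bypasses the check entirely; if that is intended, the comment should say so, e.g. `# Apply to all namespaces except system namespaces and the validator's own namespace`, otherwise drop it from the NotIn list.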
@@ -0,0 +1,41 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: repository-url-validator
+spec:
+ failurePolicy: Fail
+ paramKind:
+ apiVersion: v1
+ kind: ConfigMap
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["pipelinesascode.tekton.dev"]
+ apiVersions: ["v1alpha1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["repositories"]
+ variables:
+ # Parse the JSON config from the ConfigMap
+ - name: allowedPrefixes
+ expression: |
+ has(params.data) && has(params.data['config.json']) ?
+ json.decode(params.data['config.json']) : []
+ # Check if any prefix is empty (allow-all case)
+ - name: allowAll
+ expression: |
+ size(variables.allowedPrefixes) == 1 &&
+ variables.allowedPrefixes[0] == ""
+ validations:
+ - expression: |
+ variables.allowAll ||
+ variables.allowedPrefixes.exists(prefix,
+ prefix != "" && object.spec.url.startsWith(prefix)
+ )
+ messageExpression: |
+ 'Repository URL "' + object.spec.url + + '" is not allowed on this cluster. Contact support.'
+ reason: Forbidden
+ auditAnnotations:
+ - key: "repository-url-validation"
+ valueExpression: |
+ 'Repository URL: ' + object.spec.url + + ', Allowed prefixes: ' + string(variables.allowedPrefixes)
diff --git a/components/repository-validator/staging/kustomization.yaml b/components/repository-validator/staging/kustomization.yaml
index 629cf8b8f44..aa1525c913f 100644
--- a/components/repository-validator/staging/kustomization.yaml
+++ b/components/repository-validator/staging/kustomization.yaml
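Review bot: `object.spec.url.startsWith(prefix)` in the validation expression is a bare string-prefix test, so an allow-list entry such as `https://github.com/myorg` also admits `https://github.com/myorg-other/repo`; if the entries are meant to be organisation or host URLs, compare on a path-segment boundary instead, `(object.spec.url + '/').startsWith(prefix.endsWith('/') ? prefix : prefix + '/')`, which still accepts an exact match and a `https://github.com/` style entry. The expression also dereferences `object.spec.url` unguarded; if the Repository CRD does not mark `url` required, a missing field makes the CEL evaluation error and, under `failurePolicy: Fail`, the request is denied with a generic error instead of the intended message, so `has(object.spec.url) &&` in front of the validation keeps the deny explicit. Finally, `allowedPrefixes` relies on `json.decode`, which I do not recall being part of the Kubernetes CEL environment; check the policy's `status.typeChecking` after applying, since any evaluation error with `failurePolicy: Fail` denies every Repository create and update cluster-wide. A comment on `allowedPrefixes` stating that a missing or malformed `config.json` intentionally fails closed (the list becomes `[]`, which never matches) would make that contract visible to whoever edits the ConfigMap.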
@@ -1,10 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - https://github.com/konflux-ci/repository-validator/config/ocp?ref=1a1bd5856c7caf40ebf3d9a24fce209ba8a74bd9
- - https://github.com/redhat-appstudio/internal-infra-deployments/components/repository-validator/staging?ref=da151a856b711f28e49a42658d6c17fec5d228dd
-images:
- - name: controller
- newName: quay.io/redhat-user-workloads/konflux-infra-tenant/repository-validator/repository-validator
- newTag: 1a1bd5856c7caf40ebf3d9a24fce209ba8a74bd9
+ - https://github.com/redhat-appstudio/internal-infra-deployments/components/repository-validator/staging?ref=ae250b8d6062d019ee9e539c655eab91745b4fb0
+ - ../base
+
 namespace: repository-validator
From 62264d22951ea46361d912c6e550e6cde596c005 Mon Sep 17 00:00:00 2001
From: Max Shaposhnyk
Date: Mon, 6 Oct 2025 10:01:57 +0300
Subject: [PATCH 2/3] Fixup base kustomize to exclude ns
Signed-off-by: Max Shaposhnyk
---
 components/repository-validator/base/kustomization.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/components/repository-validator/base/kustomization.yaml b/components/repository-validator/base/kustomization.yaml
index 27ceb21839d..7d26af5cada 100644
--- a/components/repository-validator/base/kustomization.yaml
+++ b/components/repository-validator/base/kustomization.yaml
@@ -3,5 +3,3 @@ kind: Kustomization
 resources:
 - validating-admission-policy.yaml
 - validating-admission-policy-binding.yaml
-
-namespace: repository-validator
From 87ddad387d1692a483c9b30b87f64e1974925722 Mon Sep 17 00:00:00 2001
From: Max Shaposhnyk
Date: Mon, 6 Oct 2025 10:09:54 +0300
Subject: [PATCH 3/3] Fixup base kustomize to exclude ns
Signed-off-by: Max Shaposhnyk
---
 components/repository-validator/staging/kustomization.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/components/repository-validator/staging/kustomization.yaml b/components/repository-validator/staging/kustomization.yaml
index aa1525c913f..afcf3d105e9 100644
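Review bot: The `images:` override that pinned `controller` to the quay.io repository-validator image at tag `1a1bd58…` is removed along with the konflux-ci `config/ocp` resource, so after this hunk the staging overlay no longer pins the controller image itself; presumably the internal-infra-deployments overlay at ref `ae250b8…` now carries the Deployment and its image, but that is not visible here. Worth confirming that the referenced overlay pins the image by digest or an immutable tag, since an unpinned tag there would silently change what staging runs without any diff in this repository.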
--- a/components/repository-validator/staging/kustomization.yaml
+++ b/components/repository-validator/staging/kustomization.yaml
@@ -4,4 +4,3 @@ resources:
 - https://github.com/redhat-appstudio/internal-infra-deployments/components/repository-validator/staging?ref=ae250b8d6062d019ee9e539c655eab91745b4fb0
 - ../base
 
-namespace: repository-validator