From e4cfb7723514e6e399de9852b1c99cfb003b8bfd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Torres?= Date: Thu, 13 Apr 2023 13:52:44 -0500 Subject: [PATCH 1/3] Include coment about policy-controller annotations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Torres --- content/en/policy-controller/overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/en/policy-controller/overview.md b/content/en/policy-controller/overview.md index bb338d22..372a860d 100644 --- a/content/en/policy-controller/overview.md +++ b/content/en/policy-controller/overview.md @@ -10,6 +10,7 @@ position: 140 The `policy-controller` admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from `cosign`. `policy-controller` also resolves the image tags to ensure the image being ran is not different from when it was admitted. +The validation results are stored in a resource annotation with key `policy.sigstore.dev/policy-controller-results`. See the [installation instructions](/policy-controller/installation/) for more information. From 81462f101602484de787e5eb3fa55dd0e0373df6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Torres?= Date: Mon, 17 Apr 2023 14:20:44 -0500 Subject: [PATCH 2/3] Revert "Include coment about policy-controller annotations" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit e4cfb7723514e6e399de9852b1c99cfb003b8bfd. Signed-off-by: Andrés Torres --- content/en/policy-controller/overview.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/en/policy-controller/overview.md b/content/en/policy-controller/overview.md index 372a860d..bb338d22 100644 --- a/content/en/policy-controller/overview.md +++ b/content/en/policy-controller/overview.md 
@@ -10,7 +10,6 @@ position: 140 The `policy-controller` admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from `cosign`. `policy-controller` also resolves the image tags to ensure the image being ran is not different from when it was admitted. -The validation results are stored in a resource annotation with key `policy.sigstore.dev/policy-controller-results`. See the [installation instructions](/policy-controller/installation/) for more information. From e1a5cdbe5549e31002d7b152b3c6236e9f12490c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Torres?= Date: Mon, 17 Apr 2023 14:35:49 -0500 Subject: [PATCH 3/3] Improve annotations docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Andrés Torres --- content/en/policy-controller/overview.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/content/en/policy-controller/overview.md b/content/en/policy-controller/overview.md index bb338d22..fd835a85 100644 --- a/content/en/policy-controller/overview.md +++ b/content/en/policy-controller/overview.md 
@@ -999,3 +999,14 @@ and TrustRoot. We will fix this in a newer API version, but can't do it without reving the API version due to backwards compatibility. In CIP the ctLog refers to Rekor, which in TrustRoot was correctly named `tLog`. Whereas in TrustRoot the `ctLog` correctly refers to the `Certificate Transparency Log`. + +## Enabling annotations + +The policy-controller can be configured to write the results of the policy +validation as an annotation. The validation results are stored in a resource +annotation with key `policy.sigstore.dev/policy-controller-results`. + +This behavior can be configured using the `config-policy-controller` ConfigMap +created under the release namespace (by default `cosign-system`), and by adding +an entry with the property `annotate-validation-results` and its value `false|true`. +The default is `false`.
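Review bot: The new "Enabling annotations" section in the third hunk tells the reader how to switch the feature on but not what they get, so the paragraph beginning "The policy-controller can be configured to write the results of the policy validation as an annotation." should state which resource carries the `policy.sigstore.dev/policy-controller-results` annotation (the admitted workload, the Pod, or both) and what the value looks like, e.g. whether it is one entry per matched ClusterImagePolicy with a pass/fail outcome, since operators will want to consume it from audit tooling. The configuration paragraph would also be clearer with a concrete snippet showing a `config-policy-controller` ConfigMap in `cosign-system` whose `data` contains `annotate-validation-results: "true"`, and "its value `false|true`" reads better as "set to `true` or `false`". Finally, the section is appended after the CIP/TrustRoot `ctLog` naming note, which is an unrelated known-issues paragraph; it belongs next to the other configuration material (or the intro paragraph the first two patches touched and reverted) rather than at the very end of the page.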