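# Kubernetes Admission Webhook for ATProto Signature Verification
#
# This example shows how to deploy a validating admission webhook that
# verifies ATProto signatures before allowing pods to be created.
#
# Prerequisites:
#   1. Build and push the webhook image (see examples/webhook/ for code)
#   2. Generate TLS certificates for the webhook
#   3. Create trust policy ConfigMap
#
# Usage:
#   kubectl apply -f kubernetes-webhook.yaml
#   kubectl label namespace production atcr-verify=enabled
#
# Operational notes:
#   - failurePolicy is Fail, so the webhook is a hard dependency for pod
#     admission in every labeled namespace. Do NOT label atcr-system
#     itself: if the webhook pods were admitted through the webhook, a
#     full outage could never self-heal.
#   - The trust policy ConfigMap and the TLS Secret in atcr-system are
#     the trust root of this setup; restrict write access to that
#     namespace with RBAC.

---
apiVersion: v1
kind: Namespace
metadata:
  name: atcr-system
---
# ConfigMap with trust policy
apiVersion: v1
kind: ConfigMap
metadata:
  name: atcr-trust-policy
  namespace: atcr-system
data:
  policy.yaml: |
    version: 1.0

    # Global settings
    defaultAction: enforce  # enforce, audit, or allow

    # Policies by image pattern
    policies:
      - name: production-images
        scope: "atcr.io/*/prod-*"
        require:
          signature: true
          trustedDIDs:
            - did:plc:your-org-devops
            - did:plc:your-org-security
          minSignatures: 1
        action: enforce

      - name: staging-images
        scope: "atcr.io/*/staging-*"
        require:
          signature: true
          trustedDIDs:
            - did:plc:your-org-devops
            - did:plc:your-org-security
            - did:plc:your-developers
        action: enforce

      - name: dev-images
        scope: "atcr.io/*/dev-*"
        require:
          signature: false
        action: audit  # Log but don't block

    # Trusted DIDs configuration
    # Replace the placeholder DIDs with the real identities of your
    # signers; a DID that is not listed here is never trusted.
    trustedDIDs:
      did:plc:your-org-devops:
        name: "DevOps Team"
        validFrom: "2024-01-01T00:00:00Z"
        expiresAt: null

      did:plc:your-org-security:
        name: "Security Team"
        validFrom: "2024-01-01T00:00:00Z"
        expiresAt: null

      did:plc:your-developers:
        name: "Developer Team"
        validFrom: "2024-06-01T00:00:00Z"
        expiresAt: null
---
# Service for webhook
apiVersion: v1
kind: Service
metadata:
  name: atcr-verify-webhook
  namespace: atcr-system
spec:
  selector:
    app: atcr-verify-webhook
  ports:
    - name: https
      port: 443
      targetPort: 8443
---
# Deployment for webhook
apiVersion: apps/v1
kind: Deployment
metadata:
  name: atcr-verify-webhook
  namespace: atcr-system
spec:
  # Two replicas because the webhook uses failurePolicy: Fail; with no
  # ready replica, pod admission in every labeled namespace stops.
  replicas: 2
  selector:
    matchLabels:
      app: atcr-verify-webhook
  template:
    metadata:
      labels:
        app: atcr-verify-webhook
    spec:
      # Bind the pod to the ServiceAccount that the ClusterRoleBinding
      # below grants pods get/list and events create/patch to. Without
      # this line the pod runs as the namespace's default account and
      # the RBAC objects further down apply to nothing.
      serviceAccountName: atcr-verify-webhook
      containers:
        - name: webhook
          # NOTE(review): a mutable tag for the component that enforces
          # image signatures. Pin by digest (image@sha256:<digest>) once
          # the image is published.
          image: atcr.io/atcr/verify-webhook:latest
          imagePullPolicy: Always
          # Baseline hardening; the webhook only reads its two mounts
          # and listens on an unprivileged port. Relax readOnlyRootFilesystem
          # only if the image is confirmed to write to disk.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true  # TODO confirm the image sets a non-root USER
            capabilities:
              drop: ["ALL"]
          ports:
            - containerPort: 8443
              name: https
          env:
            - name: TLS_CERT_FILE
              value: /etc/webhook/certs/tls.crt
            - name: TLS_KEY_FILE
              value: /etc/webhook/certs/tls.key
            - name: POLICY_FILE
              value: /etc/webhook/policy/policy.yaml
            - name: LOG_LEVEL
              value: info
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs
              readOnly: true
            - name: policy
              mountPath: /etc/webhook/policy
              readOnly: true
          resources:
            requests:
              memory: "64Mi"
              cpu: "100m"
            limits:
              memory: "256Mi"
              cpu: "500m"
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 10
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: webhook-certs
          secret:
            secretName: atcr-verify-webhook-certs
        - name: policy
          configMap:
            name: atcr-trust-policy
---
# ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: atcr-verify
webhooks:
  - name: verify.atcr.io
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None

    # Client configuration
    clientConfig:
      service:
        name: atcr-verify-webhook
        namespace: atcr-system
        path: /validate
        port: 443
      # CA bundle for webhook TLS (base64-encoded CA cert)
      # Generate with: cat ca.crt | base64 -w 0
      # The API server verifies the webhook's serving certificate against
      # this bundle; a wrong or missing bundle surfaces as a TLS error on
      # every admission request (and, with failurePolicy: Fail, as
      # rejected pods).
      caBundle: LS0tLS1CRUdJTi...  # Replace with your CA bundle

    # Rules - what to validate
    # NOTE(review): only the "pods" resource is matched, so the
    # pods/ephemeralcontainers subresource (kubectl debug) is not
    # reviewed here; add it once the webhook handles that review.
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        scope: "Namespaced"

    # Namespace selector - only validate labeled namespaces
    namespaceSelector:
      matchExpressions:
        - key: atcr-verify
          operator: In
          values: ["enabled", "enforce"]

    # Failure policy - what to do if webhook fails
    # Fail is the secure choice: an unreachable verifier must not let
    # unsigned images through. Pair it with replicas >= 2 above.
    failurePolicy: Fail  # Reject pods if webhook is unavailable

    # Timeout
    timeoutSeconds: 10

    # Match policy
    matchPolicy: Equivalent
---
# Example: Label a namespace to enable verification
#   kubectl label namespace production atcr-verify=enabled
---
# RBAC for webhook
apiVersion: v1
kind: ServiceAccount
metadata:
  name: atcr-verify-webhook
  namespace: atcr-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: atcr-verify-webhook
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: atcr-verify-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: atcr-verify-webhook
subjects:
  - kind: ServiceAccount
    name: atcr-verify-webhook
    namespace: atcr-system
---
# Secret for TLS certificates
# Generate certificates with:
#   openssl req -x509 -newkey rsa:4096 -keyout tls.key -out tls.crt \
#     -days 365 -nodes -subj "/CN=atcr-verify-webhook.atcr-system.svc"
#
# Create secret with:
#   kubectl create secret tls atcr-verify-webhook-certs \
#     --cert=tls.crt --key=tls.key -n atcr-system
#
# (Commented out - create manually with your certs; never commit the
# key material into this file.)
# apiVersion: v1
# kind: Secret
# metadata:
#   name: atcr-verify-webhook-certs
#   namespace: atcr-system
# type: kubernetes.io/tls
# data:
#   tls.crt: <base64-encoded-cert>
#   tls.key: <base64-encoded-key>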