From 7bd6a1a6f3bdb90c965e048b41894c6446c1d8a4 Mon Sep 17 00:00:00 2001
From: Neal DeBuhr
Date: Sun, 13 Nov 2022 02:41:40 +0000
Subject: [PATCH] Better support GKE system and Bitnami application workloads in the binauthz configuration

---
 provisioning/modules/instance/binauthz.tf | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/provisioning/modules/instance/binauthz.tf b/provisioning/modules/instance/binauthz.tf
index f972465..e1c47f3 100644
--- a/provisioning/modules/instance/binauthz.tf
+++ b/provisioning/modules/instance/binauthz.tf
@@ -6,6 +6,18 @@ resource "google_binary_authorization_policy" "isidro" {
     enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
   }
 
+  # Foundations
+  admission_whitelist_patterns {
+    name_pattern = "gcr.io/gke-release/*"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "quay.io/jetstack/*"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "k8s.gcr.io/ingress-nginx/controller:*"
+  }
+
+  # Applications
   admission_whitelist_patterns {
     name_pattern = "mysql:*"
   }
@@ -15,12 +27,21 @@ resource "google_binary_authorization_policy" "isidro" {
   admission_whitelist_patterns {
     name_pattern = "openpolicyagent/opa:*"
   }
+  admission_whitelist_patterns {
+    name_pattern = "docker.io/bitnami/bitnami-shell:*"
+  }
+  admission_whitelist_patterns {
+    name_pattern = "docker.io/bitnami/jenkins:*"
+  }
   admission_whitelist_patterns {
     name_pattern = "docker.io/bitnami/kubectl:*"
   }
   admission_whitelist_patterns {
     name_pattern = "docker.io/bitnami/mongodb:*"
   }
+  admission_whitelist_patterns {
+    name_pattern = "docker.io/bitnami/postgresql:*"
+  }
   admission_whitelist_patterns {
     name_pattern = "docker.io/bitnami/rabbitmq:*"
   }
@@ -28,7 +49,7 @@ resource "google_binary_authorization_policy" "isidro" {
     name_pattern = "docker.io/bitnami/redis:*"
   }
   admission_whitelist_patterns {
-    name_pattern = "quay.io/jetstack/*"
+    name_pattern = "docker.io/bitnami/sonarqube:*"
   }
   cluster_admission_rules {
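Review bot: The three Foundations patterns added in the first hunk (`gcr.io/gke-release/*`, `quay.io/jetstack/*`, `k8s.gcr.io/ingress-nginx/controller:*`) exempt every image under those paths from attestation by name alone, so any image later published or retagged under those prefixes is admitted without the policy ever evaluating its content; the tag wildcards on the new Bitnami entries in the second hunk carry the same property for a single image name. An `admission_whitelist_patterns` entry cannot pin a digest, so the only narrowing available is to list the exact image names actually deployed instead of a path prefix, and to keep the `:*` tag wildcard only where the chart is genuinely expected to float across versions. Since the file gives no indication of why each exemption exists, a header comment above the `# Foundations` line would help the next maintainer, e.g. `# Exempt from attestation: images matching these names are admitted by name only, not by content. Keep each pattern as narrow as the deployed charts allow and re-check on every upgrade.`. If the GKE system images are already exempted by Binary Authorization for system workloads on this cluster version, the `gcr.io/gke-release/*` entry may be redundant and could be dropped rather than adding a registry-wide exemption. The enclosing `resource "google_binary_authorization_policy" "isidro"` block starts before the first hunk and continues past the third.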