buildsec / frsca

https://buildsec.github.io/frsca
Apache License 2.0

Use internal registry with kyverno #437

Closed sudo-bmitch closed 11 months ago

sudo-bmitch commented 1 year ago

This follows #436. It changes the registry from 127.0.0.1 or registry.registry to the minikube internal name which can also be used by both admission controllers running in a pod and the k8s node pulling the images. This does require the registry-proxy to be running in the background.

Because of #430, the attestation admission control policy is set to validationFailureAction: "Audit".

bradbeck commented 1 year ago

I'm not able to reliably run minikube on my M1 Mac at the moment, so I can't really verify this change.

I've had some luck running minikube on top of colima instead of Docker Desktop. I think some of the internal registry stuff is different in this scenario though.

bradbeck commented 1 year ago

I was able to validate the changes by using minikube running on top of colima.

I did have to export REGISTRY_PORT=5500 because 5000 is in use by a macOS-related service.

bradbeck commented 1 year ago

😄 Looks like I just needed to delete the minikube volume in Docker Desktop in order to make minikube happy again.

Also still needed to export REGISTRY_PORT=5500 since ControlCenter (AirPlay) is using 5000.

stale[bot] commented 1 year ago

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contribution!

sudo-bmitch commented 1 year ago

Force push was just a rebase.

stale[bot] commented 11 months ago

This pull request has been automatically closed because there has been no activity for 28 days. Please feel free to reopen it (or open a new one) if the proposed change is still appropriate. Thank you for your contribution!