diff --git a/config/security/runtime-image-mirror-policy.json b/config/security/runtime-image-mirror-policy.json index 4a75d9c28..d1ba157dd 100644 --- a/config/security/runtime-image-mirror-policy.json +++ b/config/security/runtime-image-mirror-policy.json @@ -278,6 +278,29 @@ "max_surge": 1 } } + }, + { + "asset_id": "runtime-image:sealed-secrets-controller", + "source_index_digest": "sha256:74cd190f424b591dd82a234685c8c81d50b33af807e03470bc12b23d202e0106", + "platform_digest": "sha256:1827b36853e124ac0dd2554f7cd55c04952ecb7c38ff19a4a8d93d633811ed68", + "target_registry_digest": "sha256:2692460ed95f213760550cb508c881e1490a2f0ce4affbed31a0bf900ebba363", + "push_ref": "registry.wooo.work/awoooi/runtime-mirror/sealed-secrets-controller:0.26.0-linux-amd64", + "runtime_ref": "192.168.0.110:5000/awoooi/runtime-mirror/sealed-secrets-controller@sha256:2692460ed95f213760550cb508c881e1490a2f0ce4affbed31a0bf900ebba363", + "workload": { + "kind": "deployment", + "namespace": "kube-system", + "name": "sealed-secrets-controller", + "container": "sealed-secrets-controller" + }, + "availability_guard": { + "minimum_ready_replicas": 1, + "maximum_effective_unavailable": 0, + "minimum_effective_surge": 1, + "enforced_strategy": { + "max_unavailable": 0, + "max_surge": 1 + } + } } ] } diff --git a/scripts/security/tests/test_runtime_image_mirror_controller.py b/scripts/security/tests/test_runtime_image_mirror_controller.py index 8107e2496..e5ec0145c 100644 --- a/scripts/security/tests/test_runtime_image_mirror_controller.py +++ b/scripts/security/tests/test_runtime_image_mirror_controller.py @@ -81,7 +81,7 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase): self.assertEqual(policy.work_item_id, "AIA-P0-006-02A") self.assertEqual(policy.risk_level, "high") - self.assertEqual(len(policy.images), 17) + self.assertEqual(len(policy.images), 18) self.assertNotIn("github.com", raw) self.assertNotIn("ghcr.io", raw) self.assertIn('"external_pull_allowed": false', raw) @@ -106,7 +106,7 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase): ) ) container_kinds = [image.workload.container_kind for image in policy.images] - self.assertEqual(container_kinds.count("container"), 14) + self.assertEqual(container_kinds.count("container"), 15) self.assertEqual(container_kinds.count("init_container"), 3) vpa = next( @@ -176,6 +176,31 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase): ), ) + sealed_secrets = next( + image + for image in policy.images + if image.asset_id == "runtime-image:sealed-secrets-controller" + ) + self.assertEqual( + sealed_secrets.target_registry_digest, + "sha256:2692460ed95f213760550cb508c881e1490a2f0ce4affbed31a0bf900ebba363", + ) + self.assertEqual(sealed_secrets.workload.namespace, "kube-system") + self.assertEqual(sealed_secrets.workload.name, "sealed-secrets-controller") + self.assertEqual( + sealed_secrets.workload.container, "sealed-secrets-controller" + ) + self.assertEqual( + sealed_secrets.availability_guard, + controller.AvailabilityGuard( + minimum_ready_replicas=1, + maximum_effective_unavailable=0, + minimum_effective_surge=1, + enforced_max_unavailable=0, + enforced_max_surge=1, + ), + ) + def test_policy_loads_and_validates_init_container_kind(self) -> None: image = self._image_with_container_kind("init_container")