diff --git a/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md b/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md index 8730ebe1fca2..099dc8c1ce9a 100644 --- a/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md +++ b/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md @@ -47,7 +47,7 @@ First, install the Helm chart that deploys the Sigstore Policy Controller: helm upgrade policy-controller --install --atomic \ --create-namespace --namespace artifact-attestations \ oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller \ - --version v0.10.0-github5 + --version v0.10.0-github7 ``` This installs the Policy Controller into the `artifact-attestations` namespace. At this point, no policies have been configured, and it will not enforce any attestations. @@ -60,7 +60,7 @@ Once the policy controller has been deployed, you need to add the GitHub `TrustR helm upgrade trust-policies --install --atomic \ --namespace artifact-attestations \ oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies \ - --version v0.5.0 \ + --version v0.6.1 \ --set policy.enabled=true \ --set policy.organization=MY-ORGANIZATION ``` 
@@ -98,16 +98,32 @@ For example, to enforce attestations for images that match the pattern `ghcr.io/ helm upgrade trust-policies --install --atomic \ --namespace artifact-attestations \ oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies \ - --version v0.5.0 \ + --version v0.6.1 \ --set policy.enabled=true \ --set policy.organization=MY-ORGANIZATION \ --set-json 'policy.exemptImages=["index.docker.io/library/busybox**"]' \ --set-json 'policy.images=["ghcr.io/MY-ORGANIZATION/**"]' ``` -Note that to match `busybox`, we need to provide the fully-qualified image name with double-star glob: `index.docker.io/library/busybox**`. +All patterns must use the fully-qualified name, even if the images originate from Docker Hub. In this example, if we want to exempt the image `busybox`, we must provide the full name including the domain and double-star glob to match all image versions: `index.docker.io/library/busybox**`. -Also note that any image you intend to admit _must_ have a matching glob pattern in the `policy.images` list. If an image does not match any pattern, it will be rejected. +Note that any image you intend to admit _must_ have a matching glob pattern in the `policy.images` list. If an image does not match any pattern, it will be rejected. Additionally, if an image matches both `policy.images` and `policy.exemptImages`, it will be rejected. + +{% ifversion ghec %} + +If your GitHub Enterprise account has a subdomain on GHE.com, you must specify a value for the GitHub trust domain. This value is used to fetch the trusted materials associated with the data residency region that hosts your GitHub Enterprise account. 
This value can be found by logging into your enterprise account with the `gh` CLI tool and running the following command: + +```bash copy +gh api meta --jq .domains.artifact_attestations.trust_domain +``` + +This value must be added when installing the `trust-policies` chart, like so: + +```bash copy +--set-json 'policy.trust.githubTrustDomain="YOUR-GHEC-TRUST-DOMAIN"' +``` + +{% endif %} ### Advanced usage @@ -115,13 +131,13 @@ To see the full set of options you may configure with the Helm chart, you can ru For policy controller options: ```bash copy -helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.10.0-github5 +helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.10.0-github7 ``` For trust policy options: ```bash copy -helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies --version v0.5.0 +helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies --version v0.6.1 ``` For more information on the Sigstore Policy Controller, see the [Sigstore Policy Controller documentation](https://docs.sigstore.dev/policy-controller/overview/).
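Review bot: in the first hunk (`@@ -47,7`), the policy-controller bump from `v0.10.0-github5` to `v0.10.0-github7` lands with no indication of what changed between the two chart revisions; since this is the component that admits or rejects every workload, a link to the chart's release notes or a one-line "what changed" next to this command would let operators with an existing install decide whether to re-run `helm upgrade --install --atomic`. It would also be worth stating explicitly that this controller version is the one the `trust-policies` chart bumped below is tested against.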
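Review bot: in the second hunk (`@@ -60,7`), `trust-policies` moves from `v0.5.0` to `v0.6.1`, a minor-version jump, and a later hunk documents a new value (`policy.trust.githubTrustDomain`) and a new rejection rule for images matching both `policy.images` and `policy.exemptImages`; say here which of those require `v0.6.1`, so a reader still on the older chart knows the new flag will be silently ignored rather than enforced.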
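Review bot: in the third hunk (`@@ -98,16`), the added sentence "if an image matches both `policy.images` and `policy.exemptImages`, it will be rejected" is the surprising behaviour of this change and needs one more line explaining why (which of the two generated policies wins) and the practical rule that follows: the two glob lists must be disjoint for an exemption to take effect. Readers who pair `index.docker.io/library/busybox**` with `ghcr.io/MY-ORGANIZATION/**` will otherwise assume overlap means "exempt". Two smaller points in the new `{% ifversion ghec %}` block: the second `bash copy` fence contains only the bare flag `--set-json 'policy.trust.githubTrustDomain="YOUR-GHEC-TRUST-DOMAIN"'`, so the copy button yields a fragment that cannot run on its own; either show it appended to the full `helm upgrade trust-policies ...` command (with a trailing `\` on the `policy.images` line) or drop `copy` from that fence. And the `gh api meta --jq .domains.artifact_attestations.trust_domain` step only returns the right value when `gh` is authenticated against the GHE.com host rather than github.com; a pointer to `gh auth login --hostname` or the `GH_HOST` variable would stop users from pasting github.com's trust domain into a data-residency deployment. Minor: "fully-qualified" should be "fully qualified" when used as a compound modifier before "name".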
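Review bot: in the last hunk (`@@ -115,13`), the `helm show values` versions now agree with the install commands in the earlier hunks (`v0.10.0-github7` and `v0.6.1`), but this is the fourth place in one file where the same two strings are hand-edited; a style suggestion is to keep each version in a single variable (the page already uses Liquid tags such as `{% ifversion %}`) so the install and `show values` pairs cannot drift apart on the next bump.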