{"id":15048101,"url":"https://github.com/github/policy-controller","last_synced_at":"2025-10-19T22:32:47.587Z","repository":{"id":245883599,"uuid":"764152272","full_name":"github/policy-controller","owner":"github","description":"Temporary GitHub managed Sigstore Policy Controller fork","archived":false,"fork":false,"pushed_at":"2025-01-07T20:28:08.000Z","size":26001,"stargazers_count":2,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"release","last_synced_at":"2025-01-30T07:42:40.362Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/github.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-02-27T15:15:52.000Z","updated_at":"2025-01-07T20:26:24.000Z","dependencies_parsed_at":"2024-06-24T16:47:30.289Z","dependency_job_id":"86799bc7-ea37-4a1e-9630-31cfca3ef07e","html_url":"https://github.com/github/policy-controller","commit_stats":null,"previous_names":["github/policy-controller"],"tags_count":37,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fpolicy-controller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fpolicy-controller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fpolicy-controller/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fpolicy-controller/manifests","
owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/github","download_url":"https://codeload.github.com/github/policy-controller/tar.gz/refs/heads/release","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237224879,"owners_count":19275102,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-09-24T21:08:06.184Z","updated_at":"2025-10-19T22:32:47.581Z","avatar_url":"https://github.com/github.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"**NOTE**: _This repository is no longer supported or updated by GitHub. If you wish to continue to develop this code yourself, we recommend you fork it._\n\n# GitHub Managed Policy Controller\n\nThis repository hosts a temporary GitHub owned \nfork of the [Sigstore Policy Controller repository](https://github.com/sigstore/policy-controller). 
Once functionality only present in this fork is merged upstream to [sigstore/policy-controller](https://github.com/sigstore/policy-controller), this\nfork will be archived.\n\nThe `policy-controller` admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from `cosign` and\nartifact attestations produced by the [attest-build-provenance GitHub Action](https://github.com/actions/attest-build-provenance).\n\nFor more information about the `policy-controller`, have a look at the Sigstore documentation\n[here](https://docs.sigstore.dev/policy-controller/overview).\n\n## Background\n\nSee the [official documentation](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds) on\nusing artifact attestations to establish build provenance and\nthe [blog post](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/) introducing Artifact Attestations.\n\n## Examples\n\nPlease see the [examples/](./examples/) directory for example policies and related resources.\n\n## Policy Testing\n\nThis repo includes a `policy-tester` tool which enables checking a policy against\nvarious images.\n\nIn the root of this repo, run the following to build:\n```bash\nmake policy-tester\n```\n\nThen run it pointing to a YAML file containing a ClusterImagePolicy, and an image to evaluate the policy against:\n```bash\n(set -o pipefail \u0026\u0026 \\\n    ./policy-tester \\\n        --policy=test/testdata/policy-controller/tester/cip-public-keyless.yaml \\\n        --image=ghcr.io/sigstore/cosign/cosign:v1.9.0 | jq)\n```\n\n## Using Policy Controller with Azure Container Registry (ACR)\n\nTo allow the webhook to make requests to ACR, you must use one of the following\nmethods to authenticate:\n\n1. Managed identities (used with AKS clusters)\n1. Service principals (used with AKS clusters)\n1. Pod imagePullSecrets (used with non-AKS clusters)\n\nSee the [official documentation](https://learn.microsoft.com/en-us/azure/container-registry/authenticate-kubernetes-options#scenarios).\n\n
### Managed Identities for AKS Clusters\n\nSee the [official documentation](https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?toc=%2Fazure%2Fcontainer-registry%2Ftoc.json\u0026bc=%2Fazure%2Fcontainer-registry%2Fbreadcrumb%2Ftoc.json\u0026tabs=azure-cli) for more details.\n\n1. You must enable managed identities for the cluster using the `--enable-managed-identities` flag with either the `az aks create` or `az aks update` commands.\n1. You must attach the ACR to the AKS cluster using the `--attach-acr` flag with either\nthe `az aks create` or `az aks update` commands. See [here](https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?toc=%2Fazure%2Fcontainer-registry%2Ftoc.json\u0026bc=%2Fazure%2Fcontainer-registry%2Fbreadcrumb%2Ftoc.json\u0026tabs=azure-cli#create-a-new-aks-cluster-and-integrate-with-an-existing-acr) for more details.\n1. You must set the `AZURE_CLIENT_ID` environment variable to the managed identity's client ID.\n1. You must set the `AZURE_TENANT_ID` environment\nvariable to the Azure tenant the managed identity\nresides in.\n\nThese will be detected by the Azure credential manager.\n\nWhen you create a cluster that has managed identities enabled,\na user-assigned managed identity called\n`\u003cAKS cluster name\u003e-agentpool` is created. Use this identity's client ID\nwhen setting `AZURE_CLIENT_ID`. Make sure the ACR is attached to\nyour cluster.\n\n#### Installing Policy Controller locally from this repository\n\nIf you are deploying policy-controller directly from this repository with\n`make ko-apply`, you will need to add `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` to the list of environment\nvariables in the [webhook deployment configuration](config/webhook.yaml).\n\n#### Installing Policy Controller from the Helm chart\n\nYou can provide the managed identity's client ID and tenant ID as custom environment\nvariables when installing the Helm chart:\n\n```bash\nhelm install policy-controller oci://ghcr.io/artifact-attestations-helm-charts/policy-controller \\\n    --version 0.9.0 \\\n    --set webhook.env.AZURE_CLIENT_ID=my-managed-id-client-id,webhook.env.AZURE_TENANT_ID=tenant-id\n```\n\n
### Service Principals for AKS Clusters\n\n#### Installing Policy Controller from the Helm chart\n\nYou should be able to provide the service principal client ID and tenant ID\nas workload identity annotations:\n\n```bash\nhelm install policy-controller oci://ghcr.io/artifact-attestations-helm-charts/policy-controller \\\n    --version 0.9.0 \\\n    --set-json webhook.serviceAccount.annotations=\"{\\\"azure.workload.identity/client-id\\\": \\\"${SERVICE_PRINCIPAL_CLIENT_ID}\\\", \\\"azure.workload.identity/tenant-id\\\": \\\"${TENANT_ID}\\\"}\"\n```\n\n## License\n\nThis project is licensed under the terms of the Apache 2.0 open source license. Please refer to [Apache 2.0](./LICENSE) for the full terms.\n\n## Maintainers\n\nSee [CODEOWNERS](./CODEOWNERS) for a list of maintainers.\n\n## Support\n\nIf you have any questions or issues following the examples outlined in this repository,\nplease file an [issue](https://github.com/github/policy-controller-helm/issues/new?template=Blank+issue) and we will assist you.\n\n## K8s Support Policy\n\nThe following policy-controller versions run on the following versions of Kubernetes:\n\n|  | policy-controller `\u003e 0.2.x` | policy-controller `\u003e 0.10.x` |\n|---|:---:|:---:|\n| Kubernetes 1.23 | ✓ |   |\n| Kubernetes 1.24 | ✓ |   |\n| Kubernetes 1.25 | ✓ |   |\n| Kubernetes 1.27 |   | ✓ |\n| Kubernetes 1.28 |   | ✓ |\n| Kubernetes 1.29 |   | ✓ |\n\nNote: not fully tested yet, but can be installed.\n\n## Security\n\nShould you discover any security issues, please refer to Sigstore's [security\npolicy](https://github.com/sigstore/policy-controller/security/policy).\n\n## Maintainer Documentation\n\n### Cutting a new release\n\nThe branch `release` on the private fork is used for customer-facing released code.\n\nIn order to push a new release, follow these steps:\n\n1. Merge any changes into the `release` branch.\n1. Tag as `v0.9.0+githubX` (incrementing the `X` as needed).\n1. Push the tag to the private fork.\n1. The [Release GitHub Action workflow](https://github.com/github/policy-controller/actions/workflows/release.yaml) will be triggered automatically when the tag is pushed.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithub%2Fpolicy-controller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgithub%2Fpolicy-controller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithub%2Fpolicy-controller/lists"}