---
# Kyverno mutation: inject Google Cloud workload-identity-federation
# credentials into Prow-created Pods.
#
# For Pods carrying the label `created-by-prow: "true"`, the rule adds to the
# selected init container and sidecar container a GOOGLE_APPLICATION_CREDENTIALS
# env var plus two read-only mounts: a projected service-account token with
# audience sts.googleapis.com, and the `google-adc` ConfigMap that holds the
# ADC configuration pointing at that token file.
#
# NOTE(review): no namespaceSelector is set on the match, so the rule fires in
# every namespace where a Pod carries the label -- confirm that is intended.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: insert-gcp-credentials
spec:
  rules:
    - name: add-creds
      match:
        any:
          - resources:
              kinds:
                - Pod
      preconditions:
        any:
          # Only Pods explicitly labelled by Prow. A missing label makes the
          # JMESPath expression fall through `||` to "", which does not match.
          - key: '{{request.object.metadata.labels."created-by-prow" || ""}}'
            operator: Equals
            value: 'true'
      mutate:
        patchStrategicMerge:
          spec:
            initContainers:
              # pod order matters: clonerefs is listed first so it keeps its
              # position in the merged list; it receives no other change.
              - name: clonerefs
              # (name) is a Kyverno conditional anchor: the fields below are
              # merged only into the element whose name equals initupload.
              - (name): initupload
                env:
                  - name: GOOGLE_APPLICATION_CREDENTIALS
                    # /etc/google is the google-adc ConfigMap mount below.
                    value: /etc/google/adc.json
                volumeMounts:
                  - mountPath: /var/run/secrets/google-iam-token/serviceaccount
                    name: google-iam-token
                    readOnly: true
                  - mountPath: /etc/google
                    name: google-adc
                    readOnly: true
            containers:
              # Same pattern as initContainers: `test` keeps its slot untouched,
              # the conditional anchor patches only the `sidecar` element.
              - name: test
              - (name): sidecar
                env:
                  - name: GOOGLE_APPLICATION_CREDENTIALS
                    value: /etc/google/adc.json
                volumeMounts:
                  - mountPath: /var/run/secrets/google-iam-token/serviceaccount
                    name: google-iam-token
                    readOnly: true
                  - mountPath: /etc/google
                    name: google-adc
                    readOnly: true
            volumes:
              - name: google-iam-token
                projected:
                  # 420 decimal == 0644 octal.
                  defaultMode: 420
                  sources:
                    - serviceAccountToken:
                        # Audience-bound token: only accepted by Google STS, not
                        # by the Kubernetes API server.
                        audience: sts.googleapis.com
                        # 24h lifetime; the kubelet rewrites the file before it
                        # expires. NOTE(review): a shorter value narrows the
                        # window in which a leaked token remains usable.
                        expirationSeconds: 86400
                        # Becomes .../google-iam-token/serviceaccount/token,
                        # the credential_source.file in adc.json.
                        path: token
              - name: google-adc
                configMap:
                  # ConfigMaps are namespaced: google-adc must exist in every
                  # namespace where this rule fires, or the mutated Pod cannot
                  # mount the volume and will not start.
                  name: google-adc
---
# Application Default Credentials (ADC) configuration for workload identity
# federation. Mounted read-only at /etc/google by the ClusterPolicy above and
# selected via GOOGLE_APPLICATION_CREDENTIALS=/etc/google/adc.json.
#
# This file holds no secret material: it only tells the Google client library
# where to read the projected Kubernetes service-account token and how to
# exchange it. The exchanged token's permissions come entirely from the
# workload-identity-pool bindings on the GCP side, not from this ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: google-adc
data:
  # external_account: the library reads the JWT at credential_source.file --
  # the projected token the policy mounts under
  # /var/run/secrets/google-iam-token/serviceaccount -- and exchanges it at
  # token_url for the audience below.
  adc.json: |
    {
      "universe_domain": "googleapis.com",
      "type": "external_account",
      "audience": "//iam.googleapis.com/projects/773781448124/locations/global/workloadIdentityPools/prow-aks/providers/oidc",
      "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
      "token_url": "https://sts.googleapis.com/v1/token",
      "credential_source": {
        "file": "/var/run/secrets/google-iam-token/serviceaccount/token",
        "format": {
          "type": "text"
        }
      }
    }