Merged
2 changes: 1 addition & 1 deletion charts/cluster-shield/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: cluster-shield
description: Cluster Shield Helm Chart for Kubernetes
type: application
version: 1.18.0
version: 1.18.1
appVersion: "1.18.0"
maintainers:
- name: AlbertoBarba
Expand Up @@ -60,7 +60,7 @@ webhooks:
apiVersions: [ "v1" ]
operations: [ "CREATE", "UPDATE" ]
resources:
{{- if .Values.cluster_shield.features.admission_control.container_vulnerability_management.enabled }}
{{- if or .Values.cluster_shield.features.admission_control.container_vulnerability_management.enabled (and (.Values.cluster_shield.features.admission_control.supply_chain).enabled ((.Values.cluster_shield.features.admission_control.supply_chain).image_signature).enabled)}}
- "pods"
{{- end }}
- "deployments"
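Review bot: The rule gated by this condition still matches only the top-level `pods` resource, so with image-signature enforcement enabled a request against the `pods/ephemeralcontainers` subresource is not sent to this webhook; the expected rule in the unit test added by this commit lists `pods` through `cronjobs` and nothing else. If the admission backend can evaluate ephemeral containers, consider adding `- "pods/ephemeralcontainers"` inside the same `if`; if it cannot, record the gap in a template comment above the condition so operators do not assume full coverage. The identical condition in the shield chart's webhook template has the same gap. The resources list continues outside this hunk, so entries not visible here should be checked first.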
Expand Up @@ -525,3 +525,49 @@ tests:
resources:
- pods
scope: Namespaced
- it: Enable pod resources when image signature is enabled
set:
cluster_shield:
features:
admission_control:
enabled: true
supply_chain:
enabled: true
image_signature:
enabled: true
container_vulnerability_management:
enabled: false
failure_policy: Fail
documentIndex: 0
asserts:
- hasDocuments:
count: 2
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-shield
- exists:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
- exists:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")].rules
- lengthEqual:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")].rules
count: 1
- contains:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")].rules
content:
apiGroups:
- ""
- apps
- batch
apiVersions: [ "v1" ]
operations: [ "CREATE", "UPDATE" ]
resources:
- pods
- deployments
- replicasets
- statefulsets
- daemonsets
- jobs
- cronjobs
scope: Namespaced
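Review bot: Only the enabling case is covered by the new test; nothing here pins the cases where `pods` must stay out of the rule. Since the template requires both flags (`and ... supply_chain.enabled ... image_signature.enabled`), add cases with `supply_chain.enabled: true` plus `image_signature.enabled: false`, and with `supply_chain.enabled: false` plus `image_signature.enabled: true`, each with `container_vulnerability_management.enabled: false`, asserting that the rule's `resources` does not include `pods`. A case that omits `supply_chain` from the values entirely would also exercise the parenthesised lookups the template relies on. The matching test added for the shield chart has the same gap, though equivalent negative cases may already exist outside these hunks.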
2 changes: 1 addition & 1 deletion charts/shield/Chart.yaml
Expand Up @@ -13,5 +13,5 @@ maintainers:
- name: mavimo
email: marcovito.moscaritolo@sysdig.com
type: application
version: 1.24.0
version: 1.24.1
appVersion: "1.0.0"
Expand Up @@ -117,7 +117,7 @@ webhooks:
apiVersions: [ "v1" ]
operations: [ "CREATE", "UPDATE" ]
resources:
{{- if .Values.features.admission_control.container_vulnerability_management.enabled }}
{{- if or .Values.features.admission_control.container_vulnerability_management.enabled (and (.Values.features.admission_control.supply_chain).enabled ((.Values.features.admission_control.supply_chain).image_signature).enabled)}}
- pods
{{- end }}
- deployments
Expand Up @@ -636,6 +636,56 @@ tests:
scope: Namespaced
documentIndex: 1

- it: Enable pod resources when image signature is enabled
set:
features:
admission_control:
enabled: true
supply_chain:
enabled: true
image_signature:
enabled: true
container_vulnerability_management:
enabled: false
failure_policy: Fail
asserts:
- hasDocuments:
count: 2
- containsDocument:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
name: shield-release-cluster-admission-control
documentIndex: 1
- exists:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")]
documentIndex: 1
- exists:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")].rules
documentIndex: 1
- lengthEqual:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")].rules
count: 1
documentIndex: 1
- contains:
path: .webhooks[?(@.name == "vac.secure.sysdig.com")].rules
content:
apiGroups:
- ""
- apps
- batch
apiVersions: [ "v1" ]
operations: [ "CREATE", "UPDATE" ]
resources:
- pods
- deployments
- replicasets
- statefulsets
- daemonsets
- jobs
- cronjobs
scope: Namespaced
documentIndex: 1

- it: Cert Manager Integration exclusive with tls secret name
set:
features: