Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 239149adeb | |||
| 669e862a3a | |||
| 4b2b614b36 | |||
| fec39dd2db |
@@ -94,14 +94,14 @@ jobs:
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
|
REVIEWER_APPROVED=$(printf '%s' "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
|
||||||
'[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
|
'[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
|
||||||
|
|
||||||
echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"
|
echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"
|
||||||
|
|
||||||
# Fallback: check if CTO approved as alternative for uat→main
|
# Fallback: check if CTO approved as alternative for uat→main
|
||||||
if [ "${REVIEWER_APPROVED}" != "true" ] && [ -n "${ALT_REVIEWER}" ]; then
|
if [ "${REVIEWER_APPROVED}" != "true" ] && [ -n "${ALT_REVIEWER}" ]; then
|
||||||
REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
|
REVIEWER_APPROVED=$(printf '%s' "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
|
||||||
'[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
|
'[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
|
||||||
if [ "${REVIEWER_APPROVED}" = "true" ]; then
|
if [ "${REVIEWER_APPROVED}" = "true" ]; then
|
||||||
echo "CTO (${ALT_REVIEWER}) approved as fallback for UAT gate."
|
echo "CTO (${ALT_REVIEWER}) approved as fallback for UAT gate."
|
||||||
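Review bot: The gate on the `REVIEWER_APPROVED=$(printf '%s' "${REVIEWS}" | jq ...)` lines accepts an `APPROVED` state on the reviewer's last review without checking that the approval covers the commit being merged, so an approval given before later pushes would still pass unless branch protection dismisses stale reviews. If the review objects in `REVIEWS` carry `commit_id`, the filter could require a match with the PR head, e.g. `select(.user.login == $user and .commit_id == $head)` with `--arg head "${HEAD_SHA}"` (`HEAD_SHA` is a placeholder; how `REVIEWS` is fetched lies outside this hunk). `last` also assumes the complete, chronologically ordered review list is present, which a paginated API response would not guarantee. The same filter is duplicated for `ALT_REVIEWER`; a small shell function taking the login would keep the two checks from drifting apart.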
|
|||||||
@@ -1,24 +0,0 @@
|
|||||||
# Installation Policy
|
|
||||||
|
|
||||||
## Approved Installation Method
|
|
||||||
|
|
||||||
**The ONLY approved method for installing this plugin is via [Artifact Hub](https://artifacthub.io/) using the Headlamp plugin installer.**
|
|
||||||
|
|
||||||
No other installation method is acceptable. This includes but is not limited to:
|
|
||||||
|
|
||||||
- Direct installation from GitHub release assets
|
|
||||||
- Manual npm pack / tarball extraction
|
|
||||||
- initContainer workarounds that bypass Artifact Hub
|
|
||||||
- Direct file copy or sidecar injection
|
|
||||||
|
|
||||||
## Enforcement
|
|
||||||
|
|
||||||
All deployment configurations, CI/CD pipelines, and documentation MUST reference Artifact Hub as the sole plugin distribution channel. Any pull request that introduces an alternative installation method will be rejected.
|
|
||||||
|
|
||||||
## Rationale
|
|
||||||
|
|
||||||
Artifact Hub provides verified checksums, consistent versioning, and a standard discovery mechanism for the CNCF ecosystem. Bypassing it introduces security and integrity risks.
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
*This policy is set by the CTO and approved by the CEO of Privileged Escalation.*
|
|
||||||
@@ -44,6 +44,8 @@ kubectl get sealedsecret -A
|
|||||||
kubectl get secret <your-secret-name> -n <namespace>
|
kubectl get secret <your-secret-name> -n <namespace>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
> See [Plugin Installation Policy](https://git.farh.net/privilegedescalation/privilegedescalation.com/wiki/Plugin-Installation-Policy) for approved installation methods.
|
||||||
|
|
||||||
|
|
||||||
## Documentation
|
## Documentation
|
||||||
|
|
||||||
|
|||||||