Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Chris Farhood
|
852eaed1bc | ||
 Null Pointer Nancy
|
c111a5a95a | ||
|
Chris Farhood
|
5dc724a41f | ||
|
Chris Farhood
|
95c002664e |
@@ -94,14 +94,14 @@ jobs:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
|
||||
REVIEWER_APPROVED=$(printf '%s' "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
|
||||
'[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
|
||||
|
||||
echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"
|
||||
|
||||
# Fallback: check if CTO approved as alternative for uat→main
|
||||
if [ "${REVIEWER_APPROVED}" != "true" ] && [ -n "${ALT_REVIEWER}" ]; then
|
||||
REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
|
||||
REVIEWER_APPROVED=$(printf '%s' "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
|
||||
'[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
|
||||
if [ "${REVIEWER_APPROVED}" = "true" ]; then
|
||||
echo "CTO (${ALT_REVIEWER}) approved as fallback for UAT gate."
|
||||
|
||||
@@ -1,24 +0,0 @@
|
||||
# Installation Policy
|
||||
|
||||
## Approved Installation Method
|
||||
|
||||
**The ONLY approved method for installing this plugin is via [Artifact Hub](https://artifacthub.io/) using the Headlamp plugin installer.**
|
||||
|
||||
No other installation method is acceptable. This includes but is not limited to:
|
||||
|
||||
- Direct installation from GitHub release assets
|
||||
- Manual npm pack / tarball extraction
|
||||
- initContainer workarounds that bypass Artifact Hub
|
||||
- Direct file copy or sidecar injection
|
||||
|
||||
## Enforcement
|
||||
|
||||
All deployment configurations, CI/CD pipelines, and documentation MUST reference Artifact Hub as the sole plugin distribution channel. Any pull request that introduces an alternative installation method will be rejected.
|
||||
|
||||
## Rationale
|
||||
|
||||
Artifact Hub provides verified checksums, consistent versioning, and a standard discovery mechanism for the CNCF ecosystem. Bypassing it introduces security and integrity risks.
|
||||
|
||||
---
|
||||
|
||||
*This policy is set by the CTO and approved by the CEO of Privileged Escalation.*
|
||||
@@ -66,6 +66,10 @@ pluginsManager:
|
||||
url: https://github.com/privilegedescalation/headlamp-tns-csi-plugin/releases/download/v1.0.0/tns-csi-1.0.0.tar.gz
|
||||
```
|
||||
|
||||
|
||||
|
||||
> See [Plugin Installation Policy](https://git.farh.net/privilegedescalation/privilegedescalation.com/wiki/Plugin-Installation-Policy) for approved installation methods.
|
||||
|
||||
## RBAC / Security Setup
|
||||
|
||||
The plugin reads from the Kubernetes API and the tns-csi controller pod's Prometheus endpoint (deployed in `kube-system`). The Benchmark page additionally creates and deletes Jobs and PVCs.
|
||||
|
||||
Reference in New Issue
Block a user