adding emptyDir vol for keyless signing (#3366)

* adding emptyDir vol Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> * adding env TUF_ROOT Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
2025-04-08 10:04:25 +00:00 · 2022-03-10 13:39:22 +05:30 · 2022-03-10 13:39:22 +05:30 · 126742ad57
commit 126742ad57
parent 753d24d53c
3 changed files with 19 additions and 10 deletions
--- a/config/install.yaml
+++ b/config/install.yaml
@ -7921,6 +7921,8 @@ spec:
              fieldPath: metadata.namespace
        - name: KYVERNO_SVC
          value: kyverno-svc
+        - name: TUF_ROOT
+          value: /.sigstore
        image: ghcr.io/kyverno/kyverno:latest
        imagePullPolicy: IfNotPresent
        livenessProbe:
@ -7965,6 +7967,9 @@ spec:
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
+        volumeMounts:
+        - mountPath: /.sigstore
+          name: sigstore
      initContainers:
      - env:
        - name: METRICS_CONFIG
@ -7994,3 +7999,6 @@ spec:
      securityContext:
        runAsNonRoot: true
      serviceAccountName: kyverno-service-account
+      volumes:
+      - emptyDir: {}
+        name: sigstore
--- a/config/install_debug.yaml
+++ b/config/install_debug.yaml
@ -7419,6 +7419,8 @@ rules:
  - namespaces
  - configmaps
  - secrets
+  - resourcequotas
+  - limitranges
  verbs:
  - create
  - update
@ -7434,16 +7436,6 @@ rules:
  - update
  - patch
  - delete
- apiGroups:
-  - quota
-  resources:
-  - resourcequotas
-  - limitranges
-  verbs:
-  - create
-  - update
-  - patch
-  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/config/manifest/deployment.yaml
+++ b/config/manifest/deployment.yaml
@ -21,6 +21,9 @@ spec:
        # do not remove
        app.kubernetes.io/name: kyverno
    spec:
+      volumes:
+        - name: sigstore
+          emptyDir: {}
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
@ -93,6 +96,8 @@ spec:
                  fieldPath: metadata.namespace
            - name: KYVERNO_SVC
              value: kyverno-svc
+            - name: TUF_ROOT
+              value: /.sigstore
          securityContext:
            runAsNonRoot: true
            privileged: false
@ -127,6 +132,10 @@ spec:
            timeoutSeconds: 5
            failureThreshold: 4
            successThreshold: 1
+          # Failing to provide a writable $TUF_ROOT can cause TUF client initialization to panic
+          volumeMounts:
+          - mountPath: /.sigstore
+            name: sigstore
  strategy:
    type: RollingUpdate
    rollingUpdate: