From cf8e1f5f767f4947af12cdec762cd366f2568076 Mon Sep 17 00:00:00 2001 From: Jacob Wallraff Date: Mon, 23 Sep 2024 14:44:18 -0700 Subject: [PATCH 1/2] Add EMU account storage restriction (#52374) --- .../abilities-and-restrictions-of-managed-user-accounts.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/admin/managing-iam/understanding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts.md b/content/admin/managing-iam/understanding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts.md index 19b8d255f092..d4aaeafafdae 100644 --- a/content/admin/managing-iam/understanding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts.md +++ b/content/admin/managing-iam/understanding-iam-for-enterprises/abilities-and-restrictions-of-managed-user-accounts.md @@ -89,3 +89,4 @@ With {% data variables.product.prodname_emus %}, you can control the user accoun * Cannot create gists or comment on gists. * Cannot create personalized profiles. * Do not have access to the {% data variables.product.prodname_certifications %} program. +* Do not have an individual storage allocation. They can still generate content that counts against the enterprise storage allocation, but cannot create content that consumes storage at a user level, such as by publishing packages. From 954890b588c3f7e975d18f02087d2e4915997257 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 23 Sep 2024 18:00:11 -0400 Subject: [PATCH 2/2] Update docs about enforcing Artifact Attestations with Kubernetes (#52353) Signed-off-by: Cody Soyland Co-authored-by: Phill MV Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> Co-authored-by: jc-clark --- ...-with-a-kubernetes-admission-controller.md | 30 ++++++++++++++----- 1 file changed, 23 insertions(+), 7 deletions(-) 
diff --git a/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md b/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md index 8730ebe1fca2..099dc8c1ce9a 100644 --- a/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md +++ b/content/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller.md @@ -47,7 +47,7 @@ First, install the Helm chart that deploys the Sigstore Policy Controller: helm upgrade policy-controller --install --atomic \ --create-namespace --namespace artifact-attestations \ oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller \ - --version v0.10.0-github5 + --version v0.10.0-github7 ``` This installs the Policy Controller into the `artifact-attestations` namespace. At this point, no policies have been configured, and it will not enforce any attestations. @@ -60,7 +60,7 @@ Once the policy controller has been deployed, you need to add the GitHub `TrustR helm upgrade trust-policies --install --atomic \ --namespace artifact-attestations \ oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies \ - --version v0.5.0 \ + --version v0.6.1 \ --set policy.enabled=true \ --set policy.organization=MY-ORGANIZATION ``` 
@@ -98,16 +98,32 @@ For example, to enforce attestations for images that match the pattern `ghcr.io/ helm upgrade trust-policies --install --atomic \ --namespace artifact-attestations \ oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies \ - --version v0.5.0 \ + --version v0.6.1 \ --set policy.enabled=true \ --set policy.organization=MY-ORGANIZATION \ --set-json 'policy.exemptImages=["index.docker.io/library/busybox**"]' \ --set-json 'policy.images=["ghcr.io/MY-ORGANIZATION/**"]' ``` -Note that to match `busybox`, we need to provide the fully-qualified image name with double-star glob: `index.docker.io/library/busybox**`. +All patterns must use the fully-qualified name, even if the images originate from Docker Hub. In this example, if we want to exempt the image `busybox`, we must provide the full name including the domain and double-star glob to match all image versions: `index.docker.io/library/busybox**`. -Also note that any image you intend to admit _must_ have a matching glob pattern in the `policy.images` list. If an image does not match any pattern, it will be rejected. +Note that any image you intend to admit _must_ have a matching glob pattern in the `policy.images` list. If an image does not match any pattern, it will be rejected. Additionally, if an image matches both `policy.images` and `policy.exemptImages`, it will be rejected. + +{% ifversion ghec %} + +If your GitHub Enterprise account has a subdomain on GHE.com, you must specify a value for the GitHub trust domain. This value is used to fetch the trusted materials associated with the data residency region that hosts your GitHub Enterprise account. 
This value can be found by logging into your enterprise account with the `gh` CLI tool and running the following command: + +```bash copy +gh api meta --jq .domains.artifact_attestations.trust_domain +``` + +This value must be added when installing the `trust-policies` chart, like so: + +```bash copy +--set-json 'policy.trust.githubTrustDomain="YOUR-GHEC-TRUST-DOMAIN"' +``` + +{% endif %} ### Advanced usage @@ -115,13 +131,13 @@ To see the full set of options you may configure with the Helm chart, you can ru For policy controller options: ```bash copy -helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.10.0-github5 +helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.10.0-github7 ``` For trust policy options: ```bash copy -helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies --version v0.5.0 +helm show values oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies --version v0.6.1 ``` For more information on the Sigstore Policy Controller, see the [Sigstore Policy Controller documentation](https://docs.sigstore.dev/policy-controller/overview/).
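Review bot: the new bullet in abilities-and-restrictions-of-managed-user-accounts.md says managed users' content "counts against the enterprise storage allocation" but gives no pointer to where that allocation is described or how enterprise admins can monitor it; the surrounding bullets are each a single short clause, so consider keeping "Do not have an individual storage allocation." in the list and moving the explanation (enterprise-level accounting, no user-level storage such as publishing packages) into a sentence or link below the list.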
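Review bot: the policy-controller version in the first install hunk (`--version v0.10.0-github7`) must stay in sync with the `helm show values` command later in the same file, which this patch also bumps, and the trust-policies version `v0.6.1` is repeated in three places; consider a single documented source for these versions (a reusable or variable) so a future bump cannot miss one occurrence. The diff also gives no hint of what changed between `github5` and `github7` or between `v0.5.0` and `v0.6.1`; a short changelog pointer would help readers with an existing install decide whether the upgrade is required.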
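Review bot: in the `@@ -98` hunk, the rewritten sentence says the double-star glob matches "all image versions", but `index.docker.io/library/busybox**` is a prefix match: it also exempts any repository in that namespace whose name merely begins with `busybox`, not only tags and digests of `busybox`. Either say so, or show a tighter pattern if the chart's glob syntax allows one, because an over-broad entry in `policy.exemptImages` is an attestation bypass. The added sentence that an image matching both `policy.images` and `policy.exemptImages` is rejected is the right fail-closed behaviour, but one clause explaining why (overlapping lists signal a misconfiguration) would stop readers from "fixing" a rejection by widening `exemptImages`. In the `{% ifversion ghec %}` block, `--set-json 'policy.trust.githubTrustDomain="YOUR-GHEC-TRUST-DOMAIN"'` is presented alone; state that it is an additional flag appended to the `helm upgrade trust-policies` command above, not a standalone command, and that the `gh api meta` query returns the trust domain for whichever account `gh` is logged into, so the login step in the preceding sentence is what selects the correct data residency region.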