mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00

fix: transfer image verify iamges to kyverno (#11340)

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Vishal Choudhary 2024-10-07 21:26:12 +05:30 committed by GitHub
parent 373f942ea9
commit 00fd6d47f8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
36 changed files with 43 additions and 43 deletions


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -18,7 +18,7 @@ spec:
verifyImages: verifyImages:
- failureAction: Enforce - failureAction: Enforce
imageReferences: imageReferences:
- "ghcr.io/chipzoller/zulu*" - "ghcr.io/kyverno/zulu*"
attestations: attestations:
- type: https://slsa.dev/provenance/v0.2 - type: https://slsa.dev/provenance/v0.2
attestors: attestors:


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -18,7 +18,7 @@ spec:
verifyImages: verifyImages:
- failureAction: Enforce - failureAction: Enforce
imageReferences: imageReferences:
- "ghcr.io/chipzoller/zulu*" - "ghcr.io/kyverno/zulu*"
attestations: attestations:
- type: https://slsa.dev/provenance/v0.2 - type: https://slsa.dev/provenance/v0.2
attestors: attestors:


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -2,10 +2,10 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
annotations: annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":"pass"}' kyverno.io/verify-images: '{"ghcr.io/kyverno/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":"pass"}'
name: zulu name: zulu
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db - image: ghcr.io/kyverno/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: zulu name: zulu


@ -32,6 +32,6 @@ spec:
value: true value: true
predicateType: https://slsa.dev/provenance/v0.2 predicateType: https://slsa.dev/provenance/v0.2
imageReferences: imageReferences:
- ghcr.io/chipzoller/zulu* - ghcr.io/kyverno/zulu*
failureAction: Enforce failureAction: Enforce
webhookTimeoutSeconds: 30 webhookTimeoutSeconds: 30


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -2,10 +2,10 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
annotations: annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":"pass"}' kyverno.io/verify-images: '{"ghcr.io/kyverno/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":"pass"}'
name: zulu name: zulu
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db - image: ghcr.io/kyverno/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: zulu name: zulu


@ -32,6 +32,6 @@ spec:
value: true value: true
predicateType: cosign.sigstore.dev/attestation/vuln/v1 predicateType: cosign.sigstore.dev/attestation/vuln/v1
imageReferences: imageReferences:
- ghcr.io/chipzoller/zulu* - ghcr.io/kyverno/zulu*
failureAction: Enforce failureAction: Enforce
webhookTimeoutSeconds: 30 webhookTimeoutSeconds: 30


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -32,6 +32,6 @@ spec:
value: true value: true
predicateType: cosign.sigstore.dev/attestation/vuln/v1 predicateType: cosign.sigstore.dev/attestation/vuln/v1
imageReferences: imageReferences:
- ghcr.io/chipzoller/zulu* - ghcr.io/kyverno/zulu*
failureAction: Enforce failureAction: Enforce
webhookTimeoutSeconds: 30 webhookTimeoutSeconds: 30


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -2,10 +2,10 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
annotations: annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":"pass"}' kyverno.io/verify-images: '{"ghcr.io/kyverno/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":"pass"}'
name: zulu name: zulu
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db - image: ghcr.io/kyverno/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: zulu name: zulu


@ -23,5 +23,5 @@ spec:
value: true value: true
predicateType: https://slsa.dev/provenance/v0.2 predicateType: https://slsa.dev/provenance/v0.2
imageReferences: imageReferences:
- ghcr.io/chipzoller/zulu* - ghcr.io/kyverno/zulu*
failureAction: Enforce failureAction: Enforce


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -2,10 +2,10 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
annotations: annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":"pass"}' kyverno.io/verify-images: '{"ghcr.io/kyverno/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":"pass"}'
name: zulu name: zulu
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db - image: ghcr.io/kyverno/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: zulu name: zulu


@ -40,6 +40,6 @@ spec:
value: true value: true
predicateType: https://slsa.dev/provenance/v0.2 predicateType: https://slsa.dev/provenance/v0.2
imageReferences: imageReferences:
- ghcr.io/chipzoller/zulu* - ghcr.io/kyverno/zulu*
failureAction: Enforce failureAction: Enforce
webhookTimeoutSeconds: 30 webhookTimeoutSeconds: 30


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -40,6 +40,6 @@ spec:
value: true value: true
predicateType: https://slsa.dev/provenance/v0.2 predicateType: https://slsa.dev/provenance/v0.2
imageReferences: imageReferences:
- ghcr.io/chipzoller/zulu* - ghcr.io/kyverno/zulu*
failureAction: Enforce failureAction: Enforce
webhookTimeoutSeconds: 30 webhookTimeoutSeconds: 30


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -39,6 +39,6 @@ spec:
value: true value: true
predicateType: https://slsa.dev/provenance/v0.2 predicateType: https://slsa.dev/provenance/v0.2
imageReferences: imageReferences:
- ghcr.io/chipzoller/zulu* - ghcr.io/kyverno/zulu*
failureAction: Enforce failureAction: Enforce
webhookTimeoutSeconds: 30 webhookTimeoutSeconds: 30


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -18,7 +18,7 @@ spec:
verifyImages: verifyImages:
- failureAction: Enforce - failureAction: Enforce
imageReferences: imageReferences:
- "ghcr.io/chipzoller/zulu:*" - "ghcr.io/kyverno/zulu:*"
attestors: attestors:
- count: 1 - count: 1
entries: entries:


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14 - image: ghcr.io/kyverno/zulu:v0.0.14
name: zulu name: zulu


@ -2,10 +2,10 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
annotations: annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":"pass"}' kyverno.io/verify-images: '{"ghcr.io/kyverno/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":"pass"}'
name: zulu name: zulu
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db - image: ghcr.io/kyverno/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: zulu name: zulu


@ -21,7 +21,7 @@ spec:
url: https://rekor.sigstore.dev url: https://rekor.sigstore.dev
subject: https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v* subject: https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*
imageReferences: imageReferences:
- ghcr.io/chipzoller/zulu:* - ghcr.io/kyverno/zulu:*
mutateDigest: true mutateDigest: true
required: true required: true
verifyDigest: true verifyDigest: true
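Review bot: The keyless `subject` on the context line above `imageReferences` still pins `https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*`, so the rule now matches `ghcr.io/kyverno/zulu:*` while trusting a signing identity from the old repository. That is presumably intentional: the digest in the expected pods is unchanged, which suggests the image and its signatures were copied rather than rebuilt, but nothing in the file records this. I would add a comment above `subject`, for example `# image was copied from ghcr.io/chipzoller/zulu; its signatures still carry the original workflow identity`, so a later rebuild under the new org prompts an update of the trusted identity. The same applies to the two later policy sections that keep this `subject` with `mutateDigest: false`. The rule itself starts and ends outside the hunk.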


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu - image: ghcr.io/kyverno/zulu
name: zulu name: zulu


@ -2,10 +2,10 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
annotations: annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu:latest":"pass"}' kyverno.io/verify-images: '{"ghcr.io/kyverno/zulu:latest":"pass"}'
name: zulu name: zulu
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu - image: ghcr.io/kyverno/zulu
name: zulu name: zulu


@ -21,7 +21,7 @@ spec:
url: https://rekor.sigstore.dev url: https://rekor.sigstore.dev
subject: https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v* subject: https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*
imageReferences: imageReferences:
- ghcr.io/chipzoller/zulu* - ghcr.io/kyverno/zulu*
mutateDigest: false mutateDigest: false
required: false required: false
verifyDigest: false verifyDigest: false


@ -5,5 +5,5 @@ metadata:
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu - image: ghcr.io/kyverno/zulu
name: zulu name: zulu


@ -2,10 +2,10 @@ apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
annotations: annotations:
kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu:latest":"pass"}' kyverno.io/verify-images: '{"ghcr.io/kyverno/zulu:latest":"pass"}'
name: zulu name: zulu
namespace: default namespace: default
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu - image: ghcr.io/kyverno/zulu
name: zulu name: zulu


@ -21,7 +21,7 @@ spec:
url: https://rekor.sigstore.dev url: https://rekor.sigstore.dev
subject: https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v* subject: https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*
imageReferences: imageReferences:
- ghcr.io/chipzoller/zulu* - ghcr.io/kyverno/zulu*
mutateDigest: false mutateDigest: false
required: true required: true
verifyDigest: false verifyDigest: false


@ -7,7 +7,7 @@ metadata:
namespace: exclude-refs namespace: exclude-refs
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db - image: ghcr.io/kyverno/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: test name: test
resources: {} resources: {}
- image: ghcr.io/kyverno/kyverno:latest - image: ghcr.io/kyverno/kyverno:latest


@ -55,7 +55,7 @@ spec:
imageReferences: imageReferences:
- "ghcr.io/*" - "ghcr.io/*"
skipImageReferences: skipImageReferences:
- "ghcr.io/chipzoller*" - "ghcr.io/kyverno*"
failureAction: Enforce failureAction: Enforce
attestors: attestors:
- count: 1 - count: 1
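Review bot: The new `skipImageReferences` entry `"ghcr.io/kyverno*"` is broader than the `"ghcr.io/chipzoller*"` it replaces. It now also matches `ghcr.io/kyverno/kyverno:latest`, which the `exclude-refs` pod fixture in this commit lists as a second container and which the old pattern did not skip. If the test relied on that second image still going through verification under `"ghcr.io/*"`, it no longer exercises that path; this is inferred from the fixture, as the rest of the rule is outside the hunk. With no `/` before the wildcard, the pattern would also match any owner whose name merely starts with `kyverno`. Narrowing it to `- "ghcr.io/kyverno/zulu*"` keeps the skip limited to the transferred image.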


@ -7,7 +7,7 @@ metadata:
namespace: exclude-refs namespace: exclude-refs
spec: spec:
containers: containers:
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db - image: ghcr.io/kyverno/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
name: test name: test
resources: {} resources: {}
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst