skip var checks in attestations (#3876)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2022-05-11 02:31:48 -07:00 · 2022-05-11 02:31:48 -07:00 · 0cd21ec0f3
commit 0cd21ec0f3
parent c6a0bdd711
3 changed files with 45 additions and 4 deletions
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@ -459,7 +459,7 @@ func (iv *imageVerifier) verifyAttestations(imageVerify v1.ImageVerification, im
 		return ruleError(iv.rule, response.ImageVerify, fmt.Sprintf("failed to fetch attestations for %s", image), err)
 	}

-	iv.logger.V(4).Info("received attestations", "statements", statements)
+	iv.logger.V(4).Info("received attestations", "count", len(statements))
 	statementsByPredicate := buildStatementMap(statements)

 	for _, ac := range imageVerify.Attestations {
--- a/pkg/policy/allowed_vars_test.go
+++ b/pkg/policy/allowed_vars_test.go
@ -400,3 +400,44 @@ func TestNotAllowedVars_VariableFormats(t *testing.T) {
 		}
 	}
 }
+
+func TestNotAllowedVars_Attestations(t *testing.T) {
+	var policyYAML = []byte(`
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: attest-bom
+spec:
+  validationFailureAction: enforce
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail  
+  rules:
+    - name: check-attestations
+      match:
+        resources:
+          kinds:
+            - Pod
+      verifyImages:
+      - imageReferences:
+        - "ghcr.io/test/demo-java-tomcat:*"
+        attestations:
+        - predicateType: "https://cyclonedx.org/BOM/v1"
+        - predicateType: "https://trivy.aquasec.com/scan/v2"
+          conditions:
+          - all:
+            - key: "{{ scanner }}"
+              operator: Equals
+              value: trivy
+        - predicateType: https://example.com/provenance/v1
+`)
+
+	policyJSON, err := yaml.ToJSON(policyYAML)
+	assert.NilError(t, err)
+
+	policy, err := ut.GetPolicy(policyJSON)
+	assert.NilError(t, err)
+
+	err = hasInvalidVariables(policy[0], false)
+	assert.NilError(t, err)
+}
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -383,9 +383,9 @@ func hasInvalidVariables(policy kyverno.PolicyInterface, background bool) error
 		}

 		// skip variable checks on verifyImages.attestations, as variables in attestations are dynamic
-		for _, vi := range ruleCopy.VerifyImages {
-			for _, a := range vi.Attestations {
-				a.Conditions = nil
+		for i, vi := range ruleCopy.VerifyImages {
+			for j := range vi.Attestations {
+				ruleCopy.VerifyImages[i].Attestations[j].Conditions = nil
 			}
 		}