
Require predicate type (#5713)

* fix digest and verify logic

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* allow attestations with no attestors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* require predicateType

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix typo

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Jim Bugwadia 2022-12-19 02:15:07 -08:00 committed by GitHub
parent b5625f340c
commit 14d82cbf6d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 87 additions and 8 deletions


@ -211,7 +211,8 @@ type CTLog struct {
// OCI registry and decodes them into a list of Statements.
type Attestation struct {
// PredicateType defines the type of Predicate contained within the Statement.
PredicateType string `json:"predicateType,omitempty" yaml:"predicateType,omitempty"`
// +kubebuilder:validation:Required
PredicateType string `json:"predicateType" yaml:"predicateType"`
// Attestors specify the required attestors (i.e. authorities)
// +kubebuilder:validation:Optional
@ -219,7 +220,7 @@ type Attestation struct {
// Conditions are used to verify attributes within a Predicate. If no Conditions are specified
// the attestation check is satisfied as long there are predicates that match the predicate type.
// +optional
// +kubebuilder:validation:Optional
Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}
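Review bot: The doc comment on `PredicateType` (the new line above the `+kubebuilder:validation:Required` marker) should state what the value is matched against and that it is now mandatory, because once the CRD carries `required: - predicateType` the API server rejects any policy create or update that omits it, which existing users who relied on the old `omitempty` field will hit on their next write. Something like `// PredicateType selects which Statements are verified: only attestations whose predicateType equals this value are checked. Required.` makes both the matching rule and the compatibility impact visible at the API. The neighbouring `Conditions` comment also reads "as long there are predicates" and should read "as long as there are predicates". The `Attestation` struct starts before this hunk, so the field ordering and any other required fields are not visible here.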


@ -4198,6 +4198,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -6092,6 +6094,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -7965,6 +7969,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -9844,6 +9850,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -12329,6 +12337,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -14223,6 +14233,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -16096,6 +16108,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -17975,6 +17989,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:


@ -2830,6 +2830,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -5970,6 +5972,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -8899,6 +8903,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -12014,6 +12020,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:


@ -2832,6 +2832,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -5973,6 +5975,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -8903,6 +8907,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -12018,6 +12024,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:


@ -6256,6 +6256,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -9396,6 +9398,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -12325,6 +12329,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -15440,6 +15446,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -19201,6 +19209,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -22342,6 +22352,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -25272,6 +25284,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -28387,6 +28401,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:


@ -6248,6 +6248,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -9388,6 +9390,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -12317,6 +12321,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -15432,6 +15438,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -19190,6 +19198,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -22331,6 +22341,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -25261,6 +25273,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -28376,6 +28390,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:


@ -832,7 +832,6 @@ string
</em>
</td>
<td>
<em>(Optional)</em>
<p>Conditions are used to verify attributes within a Predicate. If no Conditions are specified
the attestation check is satisfied as long there are predicates that match the predicate type.</p>
</td>


@ -339,6 +339,14 @@ func (iv *imageVerifier) verifyImage(
if imageInfo.Digest == "" {
imageInfo.Digest = cosignResp.Digest
}
if len(imageVerify.Attestations) == 0 {
return ruleResp, cosignResp.Digest
}
if imageInfo.Digest == "" {
imageInfo.Digest = cosignResp.Digest
}
}
return iv.verifyAttestations(ctx, imageVerify, imageInfo)
@ -358,7 +366,7 @@ func (iv *imageVerifier) verifyAttestors(
var err error
path := fmt.Sprintf(".attestors[%d]", i)
iv.logger.V(4).Info("verifying attestors", "path", path)
cosignResponse, err = iv.verifyAttestorSet(ctx, attestorSet, imageVerify, imageInfo, path, predicateType)
cosignResponse, err = iv.verifyAttestorSet(ctx, attestorSet, imageVerify, imageInfo, path)
if err != nil {
iv.logger.Error(err, "failed to verify image")
return iv.handleRegistryErrors(image, err), nil
@ -394,6 +402,10 @@ func (iv *imageVerifier) verifyAttestations(
var attestationError error
path := fmt.Sprintf(".attestations[%d]", i)
if attestation.PredicateType == "" {
return ruleResponse(*iv.rule, response.ImageVerify, path+": missing predicateType", response.RuleStatusFail), ""
}
if len(attestation.Attestors) == 0 {
// add an empty attestor to allow fetching and checking attestations
attestation.Attestors = []kyvernov1.AttestorSet{{Entries: []kyvernov1.Attestor{{}}}}
@ -451,7 +463,6 @@ func (iv *imageVerifier) verifyAttestorSet(
imageVerify kyvernov1.ImageVerification,
imageInfo apiutils.ImageInfo,
path string,
predicateType string,
) (*cosign.Response, error) {
var errorList []error
verifiedCount := 0
@ -471,7 +482,7 @@ func (iv *imageVerifier) verifyAttestorSet(
entryError = errors.Wrapf(err, "failed to unmarshal nested attestor %s", attestorPath)
} else {
attestorPath += ".attestor"
cosignResp, entryError = iv.verifyAttestorSet(ctx, *nestedAttestorSet, imageVerify, imageInfo, attestorPath, predicateType)
cosignResp, entryError = iv.verifyAttestorSet(ctx, *nestedAttestorSet, imageVerify, imageInfo, attestorPath)
}
} else {
opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, nil)
@ -619,14 +630,18 @@ func makeAddDigestPatch(imageInfo apiutils.ImageInfo, digest string) ([]byte, er
}
func (iv *imageVerifier) verifyAttestation(statements []map[string]interface{}, attestation kyvernov1.Attestation, imageInfo apiutils.ImageInfo) error {
if attestation.PredicateType == "" {
return fmt.Errorf("a predicateType is required")
}
image := imageInfo.String()
statementsByPredicate, types := buildStatementMap(statements)
iv.logger.V(4).Info("checking attestations", "predicates", types, "image", image)
statements = statementsByPredicate[attestation.PredicateType]
if statements == nil {
iv.logger.Info("attestation predicate type not found", "type", attestation.PredicateType, "predicates", types, "image", imageInfo.String())
return fmt.Errorf("predicate type %s not found", attestation.PredicateType)
iv.logger.Info("no attestations found for predicate", "type", attestation.PredicateType, "predicates", types, "image", imageInfo.String())
return fmt.Errorf("attestions not found for predicate type %s", attestation.PredicateType)
}
for _, s := range statements {
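Review bot: The `statements == nil` test in verifyAttestation only catches a missing map key; if buildStatementMap (defined outside this hunk) ever stores an empty, non-nil slice for a predicate type, the check passes and the `for _, s := range statements` loop below verifies nothing, so test emptiness instead: `if len(statements) == 0 {`. The new error string also carries a typo ("attestions") that will surface in policy reports and events; `return fmt.Errorf("no attestations found for predicate type %q", attestation.PredicateType)` fixes it and quotes the value so a whitespace-only type is visible to the user. In verifyAttestations, the placeholder `[]kyvernov1.AttestorSet{{Entries: []kyvernov1.Attestor{{}}}}` deserves a comment saying what an attestor with no key, certificate or keyless settings actually verifies, since that decides whether an attestation from any signer satisfies the rule — presumably this depends on the defaults buildOptionsAndPath applies, which are not visible here. verifyAttestation continues past the end of the hunk.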