
allow alternate image repositories (#2393)

* allow alternate image repositories

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* generate CRD YAMLs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
This commit is contained in:
Jim Bugwadia 2021-09-16 16:11:38 -07:00 committed by GitHub
parent 8910d8287a
commit 23af42dc92
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 68 additions and 3 deletions


@ -1520,6 +1520,12 @@ spec:
description: Key is the PEM encoded public key that the
image is signed with.
type: string
repository:
description: Repository is an optional alternate OCI repository
to use for image signatures that match this rule. If
specified Repository will override the default OCI image
repository configured for the installation.
type: string
type: object
type: array
type: object
@ -4699,6 +4705,12 @@ spec:
description: Key is the PEM encoded public key that the
image is signed with.
type: string
repository:
description: Repository is an optional alternate OCI repository
to use for image signatures that match this rule. If
specified Repository will override the default OCI image
repository configured for the installation.
type: string
type: object
type: array
type: object


@ -61,6 +61,7 @@ var (
disableMetricsExport bool
policyControllerResyncPeriod time.Duration
imagePullSecrets string
imageSignatureRepository string
setupLog = log.Log.WithName("setup")
)
@ -79,7 +80,8 @@ func main() {
flag.BoolVar(&disableMetricsExport, "disable-metrics", false, "Set this flag to 'true', to enable exposing the metrics.")
flag.StringVar(&metricsPort, "metrics-port", "8000", "Expose prometheus metrics at the given port, default to 8000.")
flag.DurationVar(&policyControllerResyncPeriod, "background-scan", time.Hour, "Perform background scan every given interval, e.g., 30s, 15m, 1h.")
flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials")
flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
if err := flag.Set("v", "2"); err != nil {
setupLog.Error(err, "failed to set log level")
@ -164,6 +166,10 @@ func main() {
}
}
if imageSignatureRepository != "" {
cosign.ImageSignatureRepository = imageSignatureRepository
}
// KYVERNO CRD INFORMER
// watches CRD resources:
// - ClusterPolicy, Policy
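Review bot: The `--imageSignatureRepository` value is copied into `cosign.ImageSignatureRepository` unparsed, so a malformed value is only discovered later inside `cosign.Verify`, where it fails every image verification for every rule that does not set its own `repository`. Parsing it once at startup and refusing to continue would surface the misconfiguration where an admission controller should fail, for example `if _, err := name.NewRepository(imageSignatureRepository); err != nil { setupLog.Error(err, "invalid imageSignatureRepository"); os.Exit(1) }` placed before the assignment. That needs the go-containerregistry `name` package imported in this file; the import block is outside the hunk, so I cannot tell whether it already is. main's body starts and ends outside the hunk.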


@ -1514,6 +1514,12 @@ spec:
description: Key is the PEM encoded public key that the
image is signed with.
type: string
repository:
description: Repository is an optional alternate OCI repository
to use for image signatures that match this rule. If
specified Repository will override the default OCI image
repository configured for the installation.
type: string
type: object
type: array
type: object


@ -1515,6 +1515,12 @@ spec:
description: Key is the PEM encoded public key that the
image is signed with.
type: string
repository:
description: Repository is an optional alternate OCI repository
to use for image signatures that match this rule. If
specified Repository will override the default OCI image
repository configured for the installation.
type: string
type: object
type: array
type: object


@ -952,6 +952,9 @@ spec:
key:
description: Key is the PEM encoded public key that the image is signed with.
type: string
repository:
description: Repository is an optional alternate OCI repository to use for image signatures that match this rule. If specified Repository will override the default OCI image repository configured for the installation.
type: string
type: object
type: array
type: object
@ -3132,6 +3135,9 @@ spec:
key:
description: Key is the PEM encoded public key that the image is signed with.
type: string
repository:
description: Repository is an optional alternate OCI repository to use for image signatures that match this rule. If specified Repository will override the default OCI image repository configured for the installation.
type: string
type: object
type: array
type: object


@ -939,6 +939,9 @@ spec:
key:
description: Key is the PEM encoded public key that the image is signed with.
type: string
repository:
description: Repository is an optional alternate OCI repository to use for image signatures that match this rule. If specified Repository will override the default OCI image repository configured for the installation.
type: string
type: object
type: array
type: object
@ -3091,6 +3094,9 @@ spec:
key:
description: Key is the PEM encoded public key that the image is signed with.
type: string
repository:
description: Repository is an optional alternate OCI repository to use for image signatures that match this rule. If specified Repository will override the default OCI image repository configured for the installation.
type: string
type: object
type: array
type: object


@ -435,6 +435,10 @@ type ImageVerification struct {
// Key is the PEM encoded public key that the image is signed with.
Key string `json:"key,omitempty" yaml:"key,omitempty"`
// Repository is an optional alternate OCI repository to use for image signatures that match this rule.
// If specified Repository will override the default OCI image repository configured for the installation.
Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
}
// Generation defines how new resources should be created and managed.
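Review bot: The doc comment on the new `Repository` field does not say what form the value takes or when it is checked, and since the CRD descriptions in this commit are generated from it, that comment is also the only guidance a policy author gets. From the other hunks, the value is parsed with `name.NewRepository` only when a matching image is verified, and a value that fails to parse makes every image matched by the rule fail verification. I would extend the comment with `// The value is parsed as an OCI repository reference (for example registry.example.com/signatures); a value that cannot be parsed fails verification of every image matched by this rule.` (the example is illustrative). If the CRD generator in use supports validation markers, a pattern or format constraint here would also let the API server reject such values at policy creation time.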


@ -19,6 +19,11 @@ import (
"k8s.io/client-go/kubernetes"
)
var (
// Alternate signature repository
ImageSignatureRepository string
)
// Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
func Initialize(client kubernetes.Interface, namespace, serviceAccount string, imagePullSecrets []string) error {
var kc authn.Keychain
@ -37,7 +42,7 @@ func Initialize(client kubernetes.Interface, namespace, serviceAccount string, i
return nil
}
func Verify(imageRef string, key []byte, log logr.Logger) (digest string, err error) {
func Verify(imageRef string, key []byte, repository string, log logr.Logger) (digest string, err error) {
pubKey, err := decodePEM(key)
if err != nil {
return "", errors.Wrapf(err, "failed to decode PEM %v", string(key))
@ -56,6 +61,16 @@ func Verify(imageRef string, key []byte, log logr.Logger) (digest string, err er
return "", errors.Wrap(err, "failed to parse image")
}
cosignOpts.SignatureRepo = ref.Context()
if repository != "" {
signatureRepo, err := name.NewRepository(repository)
if err != nil {
return "", errors.Wrapf(err, "failed to parse signature repository %s", repository)
}
cosignOpts.SignatureRepo = signatureRepo
}
verified, err := cosign.Verify(context.Background(), ref, cosignOpts)
if err != nil {
msg := err.Error()
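Review bot: `signatureRepo, err := name.NewRepository(repository)` declares a new `err` that shadows the named result `err` of `Verify` for the rest of the `if` block; it is harmless today because the block returns explicitly, but it is exactly the pattern shadow linters flag, and a later edit that drops the explicit return would silently lose the parse error. Declaring the variable outside the block and assigning with `=` avoids it: `var signatureRepo name.Repository` before the `if`, then `signatureRepo, err = name.NewRepository(repository)`. Separately, `name.NewRepository` with no options applies the library's permissive defaults, so as far as I recall a value with no registry host is resolved against the default registry rather than rejected; if the override is meant to be a fully qualified repository, consider passing `name.StrictValidation`. Quoting the value with `%q` in the error message would also make an empty or whitespace-padded override visible in logs.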


@ -64,6 +64,10 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe
func verifyAndPatchImages(logger logr.Logger, policyContext *PolicyContext, rule *v1.Rule, imageVerify *v1.ImageVerification, images map[string]*context.ImageInfo, resp *response.EngineResponse) {
imagePattern := imageVerify.Image
key := imageVerify.Key
repository := cosign.ImageSignatureRepository
if imageVerify.Repository != "" {
repository = imageVerify.Repository
}
for _, imageInfo := range images {
image := imageInfo.String()
@ -88,7 +92,7 @@ func verifyAndPatchImages(logger logr.Logger, policyContext *PolicyContext, rule
}
start := time.Now()
digest, err := cosign.Verify(image, []byte(key), logger)
digest, err := cosign.Verify(image, []byte(key), repository, logger)
if err != nil {
logger.Info("failed to verify image", "image", image, "key", key, "error", err, "duration", time.Since(start).Seconds())
ruleResp.Success = false