
refactor: remove some api unnecessary pointers (4) (#3713)

* refactor: remove some api unnecessary pointers

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: remove some api unnecessary pointers (2)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: remove some api unnecessary pointers (3)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: remove some api unnecessary pointers (4)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2022-04-29 09:12:01 +02:00 committed by GitHub
parent a45986c04d
commit 24ed931f42
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 36 additions and 36 deletions


@ -64,7 +64,7 @@ type Rule struct {
// VerifyImages is used to verify image signatures and mutate them to add a digest
// +optional
VerifyImages []*ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
}
// HasMutate checks for mutate rule


@ -1000,13 +1000,9 @@ func (in *Rule) DeepCopyInto(out *Rule) {
in.Generation.DeepCopyInto(&out.Generation)
if in.VerifyImages != nil {
in, out := &in.VerifyImages, &out.VerifyImages
*out = make([]*ImageVerification, len(*in))
*out = make([]ImageVerification, len(*in))
for i := range *in {
if (*in)[i] != nil {
in, out := &(*in)[i], &(*out)[i]
*out = new(ImageVerification)
(*in).DeepCopyInto(*out)
}
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}


@ -1698,6 +1698,10 @@ the image reference.</p>
<h3 id="kyverno.io/v1.ImageVerification">ImageVerification
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.Rule">Rule</a>)
</p>
<p>
<p>ImageVerification validates that images that match the specified pattern
are signed with the supplied public key. Once the image is verified it is
mutated to include the SHA digest retrieved during the registration.</p>
@ -2676,8 +2680,8 @@ Generation
<td>
<code>verifyImages</code></br>
<em>
<a href="#kyverno.io/v1.*./api/kyverno/v1.ImageVerification">
[]*./api/kyverno/v1.ImageVerification
<a href="#kyverno.io/v1.ImageVerification">
[]ImageVerification
</a>
</em>
</td>


@ -22,14 +22,14 @@ import (
// https://github.com/kyverno/kyverno/issues/568
type kyvernoRule struct {
Name string `json:"name"`
MatchResources *kyverno.MatchResources `json:"match"`
ExcludeResources *kyverno.MatchResources `json:"exclude,omitempty"`
Context *[]kyverno.ContextEntry `json:"context,omitempty"`
AnyAllConditions *apiextensions.JSON `json:"preconditions,omitempty"`
Mutation *kyverno.Mutation `json:"mutate,omitempty"`
Validation *kyverno.Validation `json:"validate,omitempty"`
VerifyImages []*kyverno.ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
Name string `json:"name"`
MatchResources *kyverno.MatchResources `json:"match"`
ExcludeResources *kyverno.MatchResources `json:"exclude,omitempty"`
Context *[]kyverno.ContextEntry `json:"context,omitempty"`
AnyAllConditions *apiextensions.JSON `json:"preconditions,omitempty"`
Mutation *kyverno.Mutation `json:"mutate,omitempty"`
Validation *kyverno.Validation `json:"validate,omitempty"`
VerifyImages []kyverno.ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
}
func createRule(rule *kyverno.Rule) *kyvernoRule {
@ -181,9 +181,9 @@ func generateRule(logger logr.Logger, name string, rule *kyverno.Rule, tplKey, s
return rule
}
if rule.VerifyImages != nil {
newVerifyImages := make([]*kyverno.ImageVerification, len(rule.VerifyImages))
newVerifyImages := make([]kyverno.ImageVerification, len(rule.VerifyImages))
for i, vi := range rule.VerifyImages {
newVerifyImages[i] = vi.DeepCopy()
newVerifyImages[i] = *vi.DeepCopy()
}
rule.VerifyImages = newVerifyImages
return rule
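Review bot: The copy loop in generateRule now copies each ImageVerification twice: `for i, vi := range rule.VerifyImages` yields a value copy into `vi`, and `*vi.DeepCopy()` copies it again into the new slice. Indexing the source slice keeps DeepCopy as the only copying step: `for i := range rule.VerifyImages {` / `newVerifyImages[i] = *rule.VerifyImages[i].DeepCopy()` / `}`. generateRule begins before this hunk, so the surrounding body was not reviewed; the earlier kyvernoRule struct hunk in this file is a plain type change and raises nothing.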


@ -178,7 +178,7 @@ func loadCertPool(roots []byte) (*x509.CertPool, error) {
// FetchAttestations retrieves signed attestations and decodes them into in-toto statements
// https://github.com/in-toto/attestation/blob/main/spec/README.md#statement
func FetchAttestations(imageRef string, imageVerify *v1.ImageVerification, log logr.Logger) ([]map[string]interface{}, error) {
func FetchAttestations(imageRef string, imageVerify v1.ImageVerification, log logr.Logger) ([]map[string]interface{}, error) {
ctx := context.Background()
var err error


@ -114,13 +114,13 @@ func appendError(resp *response.EngineResponse, rule *v1.Rule, msg string, statu
func substituteVariables(rule *v1.Rule, ctx context.EvalInterface, logger logr.Logger) (*v1.Rule, error) {
// remove attestations as variables are not substituted in them
ruleCopy := rule.DeepCopy()
for _, iv := range ruleCopy.VerifyImages {
iv.Attestations = nil
ruleCopy := *rule.DeepCopy()
for i := range ruleCopy.VerifyImages {
ruleCopy.VerifyImages[i].Attestations = nil
}
var err error
*ruleCopy, err = variables.SubstituteAllInRule(logger, ctx, *ruleCopy)
ruleCopy, err = variables.SubstituteAllInRule(logger, ctx, ruleCopy)
if err != nil {
return nil, err
}
@ -130,7 +130,7 @@ func substituteVariables(rule *v1.Rule, ctx context.EvalInterface, logger logr.L
ruleCopy.VerifyImages[i].Attestations = rule.VerifyImages[i].Attestations
}
return ruleCopy, nil
return &ruleCopy, nil
}
type imageVerifier struct {
@ -140,9 +140,9 @@ type imageVerifier struct {
resp *response.EngineResponse
}
func (iv *imageVerifier) verify(imageVerify *v1.ImageVerification, images map[string]map[string]kubeutils.ImageInfo) {
func (iv *imageVerifier) verify(imageVerify v1.ImageVerification, images map[string]map[string]kubeutils.ImageInfo) {
// for backward compatibility
imageVerify = imageVerify.Convert()
imageVerify = *imageVerify.Convert()
for _, infoMap := range images {
for _, imageInfo := range infoMap {
@ -212,7 +212,7 @@ func (iv *imageVerifier) handleDigest(digest string, imageInfo kubeutils.ImageIn
return patch, nil
}
func (iv *imageVerifier) markImageVerified(imageVerify *v1.ImageVerification, ruleResp *response.RuleResponse, digest string, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
func (iv *imageVerifier) markImageVerified(imageVerify v1.ImageVerification, ruleResp *response.RuleResponse, digest string, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
if hasImageVerifiedAnnotationChanged(iv.policyContext, imageInfo.Name, digest) {
msg := "changes to `images.kyverno.io` annotation are not allowed"
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil)
@ -292,7 +292,7 @@ func imageMatches(image string, imagePatterns []string) bool {
return false
}
func (iv *imageVerifier) verifySignatures(imageVerify *v1.ImageVerification, imageInfo kubeutils.ImageInfo) (*response.RuleResponse, string) {
func (iv *imageVerifier) verifySignatures(imageVerify v1.ImageVerification, imageInfo kubeutils.ImageInfo) (*response.RuleResponse, string) {
image := imageInfo.String()
iv.logger.V(2).Info("verifying image signatures", "image", image, "attestors", len(imageVerify.Attestors), "attestations", len(imageVerify.Attestations))
@ -312,7 +312,7 @@ func (iv *imageVerifier) verifySignatures(imageVerify *v1.ImageVerification, ima
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), digest
}
func (iv *imageVerifier) verifyAttestorSet(attestorSet v1.AttestorSet, imageVerify *v1.ImageVerification, image, path string) (string, error) {
func (iv *imageVerifier) verifyAttestorSet(attestorSet v1.AttestorSet, imageVerify v1.ImageVerification, image, path string) (string, error) {
var errorList []error
verifiedCount := 0
attestorSet = expandStaticKeys(attestorSet)
@ -409,7 +409,7 @@ func getRequiredCount(as v1.AttestorSet) int {
return *as.Count
}
func (iv *imageVerifier) buildOptionsAndPath(attestor v1.Attestor, imageVerify *v1.ImageVerification, image string) (*cosign.Options, string) {
func (iv *imageVerifier) buildOptionsAndPath(attestor v1.Attestor, imageVerify v1.ImageVerification, image string) (*cosign.Options, string) {
path := ""
opts := &cosign.Options{
ImageRef: image,
@ -466,7 +466,7 @@ func makeAddDigestPatch(imageInfo kubeutils.ImageInfo, digest string) ([]byte, e
return json.Marshal(patch)
}
func (iv *imageVerifier) verifyAttestations(imageVerify *v1.ImageVerification, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
func (iv *imageVerifier) verifyAttestations(imageVerify v1.ImageVerification, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
image := imageInfo.String()
start := time.Now()
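Review bot: In substituteVariables the restore line `ruleCopy.VerifyImages[i].Attestations = rule.VerifyImages[i].Attestations` (second hunk; its loop header is outside the hunk) assigns the caller's slice header into the copy, so the rule returned as `&ruleCopy` shares its Attestations backing arrays with the input `rule` even though the function starts from `rule.DeepCopy()` precisely to avoid aliasing. Restoring from a per-entry deep copy keeps the isolation at the cost of one extra copy per verifyImages entry: `ruleCopy.VerifyImages[i].Attestations = rule.VerifyImages[i].DeepCopy().Attestations`. Whether anything downstream mutates those attestations in place is not visible in this diff, so this is a hedged isolation concern rather than an observed bug. Separately, `imageVerify = *imageVerify.Convert()` in verify now dereferences Convert's result unconditionally; if Convert can return nil for any input (its body is not shown here) that is an immediate panic where the old pointer form only deferred the nil to a later use, so a short comment stating that Convert never returns nil, or a nil check, would document the assumption.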


@ -523,11 +523,11 @@ func Test_ChangedAnnotation(t *testing.T) {
}
func Test_MarkImageVerified(t *testing.T) {
imageVerifyRule := &kyverno.ImageVerification{Required: true}
imageVerifyRule := kyverno.ImageVerification{Required: true}
iv := &imageVerifier{
logger: log.Log,
policyContext: buildContext(t, testPolicyGood, testResource, ""),
rule: &kyverno.Rule{VerifyImages: []*kyverno.ImageVerification{imageVerifyRule}},
rule: &kyverno.Rule{VerifyImages: []kyverno.ImageVerification{imageVerifyRule}},
resp: &response.EngineResponse{},
}
@ -545,8 +545,8 @@ func Test_MarkImageVerified(t *testing.T) {
assert.Equal(t, value, "true")
ruleResp.Patches = nil
imageVerifyRule = &kyverno.ImageVerification{Required: false}
iv.rule = &kyverno.Rule{VerifyImages: []*kyverno.ImageVerification{imageVerifyRule}}
imageVerifyRule = kyverno.ImageVerification{Required: false}
iv.rule = &kyverno.Rule{VerifyImages: []kyverno.ImageVerification{imageVerifyRule}}
iv.markImageVerified(imageVerifyRule, ruleResp, digest, imageInfo)
assert.Equal(t, len(ruleResp.Patches), 0)
}