refactor: remove some api unnecessary pointers (4) (#3713)
* refactor: remove some api unnecessary pointers Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove some api unnecessary pointers (2) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove some api unnecessary pointers (3) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove some api unnecessary pointers (4) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
parent
a45986c04d
commit
24ed931f42
7 changed files with 36 additions and 36 deletions
|
@ -64,7 +64,7 @@ type Rule struct {
|
|||
|
||||
// VerifyImages is used to verify image signatures and mutate them to add a digest
|
||||
// +optional
|
||||
VerifyImages []*ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
|
||||
VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
|
||||
}
|
||||
|
||||
// HasMutate checks for mutate rule
|
||||
|
|
|
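Review bot: With VerifyImages now holding values instead of pointers, a `null` item in a policy's verifyImages list no longer decodes to a nil entry that consumers could skip; it becomes a zero-value ImageVerification (every field at its zero value, e.g. Required false) that flows into verification like any other entry. If the generated CRD schema already rejects null array items this is moot, but that schema is not part of this change, so it is worth confirming. Either way the field comment could say so: `// VerifyImages is used to verify image signatures and mutate them to add a digest. Items are never nil; an unset entry is the zero value.` The Rule struct starts outside the hunk.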
@ -1000,13 +1000,9 @@ func (in *Rule) DeepCopyInto(out *Rule) {
|
|||
in.Generation.DeepCopyInto(&out.Generation)
|
||||
if in.VerifyImages != nil {
|
||||
in, out := &in.VerifyImages, &out.VerifyImages
|
||||
*out = make([]*ImageVerification, len(*in))
|
||||
*out = make([]ImageVerification, len(*in))
|
||||
for i := range *in {
|
||||
if (*in)[i] != nil {
|
||||
in, out := &(*in)[i], &(*out)[i]
|
||||
*out = new(ImageVerification)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1698,6 +1698,10 @@ the image reference.</p>
|
|||
<h3 id="kyverno.io/v1.ImageVerification">ImageVerification
|
||||
</h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1.Rule">Rule</a>)
|
||||
</p>
|
||||
<p>
|
||||
<p>ImageVerification validates that images that match the specified pattern
|
||||
are signed with the supplied public key. Once the image is verified it is
|
||||
mutated to include the SHA digest retrieved during the registration.</p>
|
||||
|
@ -2676,8 +2680,8 @@ Generation
|
|||
<td>
|
||||
<code>verifyImages</code></br>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.*./api/kyverno/v1.ImageVerification">
|
||||
[]*./api/kyverno/v1.ImageVerification
|
||||
<a href="#kyverno.io/v1.ImageVerification">
|
||||
[]ImageVerification
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
|
|
|
@ -22,14 +22,14 @@ import (
|
|||
// https://github.com/kyverno/kyverno/issues/568
|
||||
|
||||
type kyvernoRule struct {
|
||||
Name string `json:"name"`
|
||||
MatchResources *kyverno.MatchResources `json:"match"`
|
||||
ExcludeResources *kyverno.MatchResources `json:"exclude,omitempty"`
|
||||
Context *[]kyverno.ContextEntry `json:"context,omitempty"`
|
||||
AnyAllConditions *apiextensions.JSON `json:"preconditions,omitempty"`
|
||||
Mutation *kyverno.Mutation `json:"mutate,omitempty"`
|
||||
Validation *kyverno.Validation `json:"validate,omitempty"`
|
||||
VerifyImages []*kyverno.ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
|
||||
Name string `json:"name"`
|
||||
MatchResources *kyverno.MatchResources `json:"match"`
|
||||
ExcludeResources *kyverno.MatchResources `json:"exclude,omitempty"`
|
||||
Context *[]kyverno.ContextEntry `json:"context,omitempty"`
|
||||
AnyAllConditions *apiextensions.JSON `json:"preconditions,omitempty"`
|
||||
Mutation *kyverno.Mutation `json:"mutate,omitempty"`
|
||||
Validation *kyverno.Validation `json:"validate,omitempty"`
|
||||
VerifyImages []kyverno.ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
|
||||
}
|
||||
|
||||
func createRule(rule *kyverno.Rule) *kyvernoRule {
|
||||
|
@ -181,9 +181,9 @@ func generateRule(logger logr.Logger, name string, rule *kyverno.Rule, tplKey, s
|
|||
return rule
|
||||
}
|
||||
if rule.VerifyImages != nil {
|
||||
newVerifyImages := make([]*kyverno.ImageVerification, len(rule.VerifyImages))
|
||||
newVerifyImages := make([]kyverno.ImageVerification, len(rule.VerifyImages))
|
||||
for i, vi := range rule.VerifyImages {
|
||||
newVerifyImages[i] = vi.DeepCopy()
|
||||
newVerifyImages[i] = *vi.DeepCopy()
|
||||
}
|
||||
rule.VerifyImages = newVerifyImages
|
||||
return rule
|
||||
|
|
|
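Review bot: The loop body `newVerifyImages[i] = *vi.DeepCopy()` copies each ImageVerification three times per iteration — into the range variable vi, inside DeepCopy, and again on assignment; `for i := range rule.VerifyImages { rule.VerifyImages[i].DeepCopyInto(&newVerifyImages[i]) }` does the deep copy in place and drops the unused range value, matching what the generated DeepCopyInto in this commit does. The surrounding `if rule.VerifyImages != nil` guard and `rule.VerifyImages = newVerifyImages` write through the *kyverno.Rule pointer, so the caller's rule is mutated; a short comment stating that this is intended would help, since the function also returns the same pointer. generateRule starts outside the hunk.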
@ -178,7 +178,7 @@ func loadCertPool(roots []byte) (*x509.CertPool, error) {
|
|||
|
||||
// FetchAttestations retrieves signed attestations and decodes them into in-toto statements
|
||||
// https://github.com/in-toto/attestation/blob/main/spec/README.md#statement
|
||||
func FetchAttestations(imageRef string, imageVerify *v1.ImageVerification, log logr.Logger) ([]map[string]interface{}, error) {
|
||||
func FetchAttestations(imageRef string, imageVerify v1.ImageVerification, log logr.Logger) ([]map[string]interface{}, error) {
|
||||
ctx := context.Background()
|
||||
var err error
|
||||
|
||||
|
|
|
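Review bot: FetchAttestations now receives imageVerify by value, and the same change is applied to verify, markImageVerified, verifySignatures, verifyAttestorSet, buildOptionsAndPath and verifyAttestations in the image-verification file; the copy is shallow, so slice fields such as Attestors and Attestations still share backing storage with the caller's rule, and a by-value signature should not be read as isolating the callee from it. A one-line note on the signature would make that explicit: `// imageVerify is a shallow copy; its slice fields alias the caller's rule.` If ImageVerification is as wide as its field set suggests, the value is also re-copied on every hop of that call chain and on every image iterated in verify, which is cheap but not free. FetchAttestations's body continues outside the hunk.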
@ -114,13 +114,13 @@ func appendError(resp *response.EngineResponse, rule *v1.Rule, msg string, statu
|
|||
func substituteVariables(rule *v1.Rule, ctx context.EvalInterface, logger logr.Logger) (*v1.Rule, error) {
|
||||
|
||||
// remove attestations as variables are not substituted in them
|
||||
ruleCopy := rule.DeepCopy()
|
||||
for _, iv := range ruleCopy.VerifyImages {
|
||||
iv.Attestations = nil
|
||||
ruleCopy := *rule.DeepCopy()
|
||||
for i := range ruleCopy.VerifyImages {
|
||||
ruleCopy.VerifyImages[i].Attestations = nil
|
||||
}
|
||||
|
||||
var err error
|
||||
*ruleCopy, err = variables.SubstituteAllInRule(logger, ctx, *ruleCopy)
|
||||
ruleCopy, err = variables.SubstituteAllInRule(logger, ctx, ruleCopy)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -130,7 +130,7 @@ func substituteVariables(rule *v1.Rule, ctx context.EvalInterface, logger logr.L
|
|||
ruleCopy.VerifyImages[i].Attestations = rule.VerifyImages[i].Attestations
|
||||
}
|
||||
|
||||
return ruleCopy, nil
|
||||
return &ruleCopy, nil
|
||||
}
|
||||
|
||||
type imageVerifier struct {
|
||||
|
@ -140,9 +140,9 @@ type imageVerifier struct {
|
|||
resp *response.EngineResponse
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) verify(imageVerify *v1.ImageVerification, images map[string]map[string]kubeutils.ImageInfo) {
|
||||
func (iv *imageVerifier) verify(imageVerify v1.ImageVerification, images map[string]map[string]kubeutils.ImageInfo) {
|
||||
// for backward compatibility
|
||||
imageVerify = imageVerify.Convert()
|
||||
imageVerify = *imageVerify.Convert()
|
||||
|
||||
for _, infoMap := range images {
|
||||
for _, imageInfo := range infoMap {
|
||||
|
@ -212,7 +212,7 @@ func (iv *imageVerifier) handleDigest(digest string, imageInfo kubeutils.ImageIn
|
|||
return patch, nil
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) markImageVerified(imageVerify *v1.ImageVerification, ruleResp *response.RuleResponse, digest string, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
|
||||
func (iv *imageVerifier) markImageVerified(imageVerify v1.ImageVerification, ruleResp *response.RuleResponse, digest string, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
|
||||
if hasImageVerifiedAnnotationChanged(iv.policyContext, imageInfo.Name, digest) {
|
||||
msg := "changes to `images.kyverno.io` annotation are not allowed"
|
||||
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil)
|
||||
|
@ -292,7 +292,7 @@ func imageMatches(image string, imagePatterns []string) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) verifySignatures(imageVerify *v1.ImageVerification, imageInfo kubeutils.ImageInfo) (*response.RuleResponse, string) {
|
||||
func (iv *imageVerifier) verifySignatures(imageVerify v1.ImageVerification, imageInfo kubeutils.ImageInfo) (*response.RuleResponse, string) {
|
||||
image := imageInfo.String()
|
||||
iv.logger.V(2).Info("verifying image signatures", "image", image, "attestors", len(imageVerify.Attestors), "attestations", len(imageVerify.Attestations))
|
||||
|
||||
|
@ -312,7 +312,7 @@ func (iv *imageVerifier) verifySignatures(imageVerify *v1.ImageVerification, ima
|
|||
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), digest
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) verifyAttestorSet(attestorSet v1.AttestorSet, imageVerify *v1.ImageVerification, image, path string) (string, error) {
|
||||
func (iv *imageVerifier) verifyAttestorSet(attestorSet v1.AttestorSet, imageVerify v1.ImageVerification, image, path string) (string, error) {
|
||||
var errorList []error
|
||||
verifiedCount := 0
|
||||
attestorSet = expandStaticKeys(attestorSet)
|
||||
|
@ -409,7 +409,7 @@ func getRequiredCount(as v1.AttestorSet) int {
|
|||
return *as.Count
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) buildOptionsAndPath(attestor v1.Attestor, imageVerify *v1.ImageVerification, image string) (*cosign.Options, string) {
|
||||
func (iv *imageVerifier) buildOptionsAndPath(attestor v1.Attestor, imageVerify v1.ImageVerification, image string) (*cosign.Options, string) {
|
||||
path := ""
|
||||
opts := &cosign.Options{
|
||||
ImageRef: image,
|
||||
|
@ -466,7 +466,7 @@ func makeAddDigestPatch(imageInfo kubeutils.ImageInfo, digest string) ([]byte, e
|
|||
return json.Marshal(patch)
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) verifyAttestations(imageVerify *v1.ImageVerification, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
|
||||
func (iv *imageVerifier) verifyAttestations(imageVerify v1.ImageVerification, imageInfo kubeutils.ImageInfo) *response.RuleResponse {
|
||||
image := imageInfo.String()
|
||||
start := time.Now()
|
||||
|
||||
|
|
|
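Review bot: In verify, `imageVerify = *imageVerify.Convert()` rebinds only the local copy, so the helpers called from verify see the normalized spec while anything that later reads the entry through iv.rule.VerifyImages still sees the unconverted one; with the pointer version this was the same unless Convert normalized in place, which is not visible here, so it is worth confirming and stating in the existing comment, e.g. `// for backward compatibility: normalize legacy fields on a local copy; iv.rule is left untouched`. In substituteVariables, the restore loop `ruleCopy.VerifyImages[i].Attestations = rule.VerifyImages[i].Attestations` re-points the deep copy's attestations at the original rule's slices, so the returned copy is not fully detached from the policy; a comment saying the attestations are intentionally shared (they are skipped by substitution) would stop a reader from assuming isolation. The bodies of verify and substituteVariables continue outside their hunks.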
@ -523,11 +523,11 @@ func Test_ChangedAnnotation(t *testing.T) {
|
|||
}
|
||||
|
||||
func Test_MarkImageVerified(t *testing.T) {
|
||||
imageVerifyRule := &kyverno.ImageVerification{Required: true}
|
||||
imageVerifyRule := kyverno.ImageVerification{Required: true}
|
||||
iv := &imageVerifier{
|
||||
logger: log.Log,
|
||||
policyContext: buildContext(t, testPolicyGood, testResource, ""),
|
||||
rule: &kyverno.Rule{VerifyImages: []*kyverno.ImageVerification{imageVerifyRule}},
|
||||
rule: &kyverno.Rule{VerifyImages: []kyverno.ImageVerification{imageVerifyRule}},
|
||||
resp: &response.EngineResponse{},
|
||||
}
|
||||
|
||||
|
@ -545,8 +545,8 @@ func Test_MarkImageVerified(t *testing.T) {
|
|||
assert.Equal(t, value, "true")
|
||||
|
||||
ruleResp.Patches = nil
|
||||
imageVerifyRule = &kyverno.ImageVerification{Required: false}
|
||||
iv.rule = &kyverno.Rule{VerifyImages: []*kyverno.ImageVerification{imageVerifyRule}}
|
||||
imageVerifyRule = kyverno.ImageVerification{Required: false}
|
||||
iv.rule = &kyverno.Rule{VerifyImages: []kyverno.ImageVerification{imageVerifyRule}}
|
||||
iv.markImageVerified(imageVerifyRule, ruleResp, digest, imageInfo)
|
||||
assert.Equal(t, len(ruleResp.Patches), 0)
|
||||
}
|
||||
|
|