
feat: add support for cosign experimental OCI 1.1 signatures (#10228)

* feat: add support for cosign experimental OCI 1.1 signatures

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: remove unrelated changes

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: linter

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: requested changes

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Vishal Choudhary 2024-06-19 04:33:53 +05:30 committed by GitHub
parent 386f39890e
commit 334594c128
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
22 changed files with 293 additions and 0 deletions


@ -95,6 +95,11 @@ type ImageVerification struct {
// The repository can also be overridden per Attestor or Attestation.
Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
// CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
// Defaults to false.
// +optional
CosignOCI11 bool `json:"cosignOCI11,omitempty"`
// MutateDigest enables replacement of image tags with digests.
// Defaults to true.
// +kubebuilder:default=true
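Review bot: The new `CosignOCI11` field carries only a `json` struct tag, while the neighbouring `Repository` field directly above carries both `json` and `yaml` tags; for consistency with that convention add a matching `yaml:"cosignOCI11,omitempty"` to the tag string. The doc comment could also tell policy authors what "experimental OCI 1.1 behaviour" changes in practice: the test added in this commit shows an image that yields "no signatures found" under the default lookup and verifies once the flag is set, so the flag changes how cosign discovers signature artifacts rather than relaxing the verification itself. Something like `// When true, cosign discovers signatures via the OCI 1.1 mechanism instead of its default scheme; signatures published only one way will not be found the other way.` would make the opt-in trade-off explicit. The field also has no `+kubebuilder:default`, which is fine since the Go zero value matches the documented default of false.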


@ -4090,6 +4090,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -8360,6 +8365,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -16670,6 +16680,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string


@ -4091,6 +4091,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -8362,6 +8367,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -16673,6 +16683,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string


@ -4084,6 +4084,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -8354,6 +8359,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -16664,6 +16674,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string


@ -4085,6 +4085,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -8356,6 +8361,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -16667,6 +16677,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string


@ -4084,6 +4084,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -8354,6 +8359,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -16664,6 +16674,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string


@ -4085,6 +4085,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -8356,6 +8361,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -16667,6 +16677,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string


@ -11821,6 +11821,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -16091,6 +16096,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -24401,6 +24411,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -28978,6 +28993,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -33249,6 +33269,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -41560,6 +41585,11 @@ spec:
type: array
type: object
type: array
cosignOCI11:
description: |-
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
image:
description: Deprecated. Use ImageReferences instead.
type: string


@ -2475,6 +2475,19 @@ The repository can also be overridden per Attestor or Attestation.</p>
</tr>
<tr>
<td>
<code>cosignOCI11</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.</p>
</td>
</tr>
<tr>
<td>
<code>mutateDigest</code><br/>
<em>
bool


@ -4894,6 +4894,34 @@ The repository can also be overridden per Attestor or Attestation.</p>
<tr>
<td><code>cosignOCI11</code>
</br>
<span style="font-family: monospace">bool</span>
</td>
<td>
<p>CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.</p>
</td>
</tr>
<tr>
<td><code>mutateDigest</code>


@ -38,6 +38,7 @@ type ImageVerificationApplyConfiguration struct {
Attestations []AttestationApplyConfiguration `json:"attestations,omitempty"`
Annotations map[string]string `json:"annotations,omitempty"`
Repository *string `json:"repository,omitempty"`
CosignOCI11 *bool `json:"cosignOCI11,omitempty"`
MutateDigest *bool `json:"mutateDigest,omitempty"`
VerifyDigest *bool `json:"verifyDigest,omitempty"`
Required *bool `json:"required,omitempty"`
@ -181,6 +182,14 @@ func (b *ImageVerificationApplyConfiguration) WithRepository(value string) *Imag
return b
}
// WithCosignOCI11 sets the CosignOCI11 field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CosignOCI11 field is set to the value of the last call.
func (b *ImageVerificationApplyConfiguration) WithCosignOCI11(value bool) *ImageVerificationApplyConfiguration {
b.CosignOCI11 = &value
return b
}
// WithMutateDigest sets the MutateDigest field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the MutateDigest field is set to the value of the last call.


@ -229,6 +229,7 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check
cosignOpts.TSARootCertificates = roots
}
cosignOpts.ExperimentalOCI11 = opts.CosignOCI11
return cosignOpts, nil
}
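Review bot: The added line `cosignOpts.ExperimentalOCI11 = opts.CosignOCI11` is the only place the new policy field reaches cosign, yet it carries no comment, so a reader of buildCosignOptions cannot tell it is a per-rule opt-in that changes signature discovery rather than a verification relaxation. Suggest `// Opt-in per rule (ImageVerification.CosignOCI11): switches cosign to its experimental OCI 1.1 signature discovery.` above the assignment. Assigning unconditionally is fine because the zero value of the bool leaves the existing behaviour unchanged. buildCosignOptions starts outside the hunk.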


@ -324,6 +324,29 @@ I2MLdq2qjZFDOCXsxBxJpbmLGBx9ow6ZerlUxzws2AWv2pk=
assert.NilError(t, err)
}
func TestCosignOCI11Experimental(t *testing.T) {
opts := images.Options{
ImageRef: "ghcr.io/kyverno/test-verify-image:cosign-oci11",
Key: `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoKYkkX32oSx61B4iwKXa6llAF2dB
IoL3R/9n1SJ7s00Nfkk3z4/Ar6q8el/guUmXi8akEJMxvHnvphorVUz8vQ==
-----END PUBLIC KEY-----
`,
}
rc, err := registryclient.New()
assert.NilError(t, err)
opts.Client = rc
verifier := &cosignVerifier{}
_, err = verifier.VerifySignature(context.TODO(), opts)
assert.ErrorContains(t, err, "no signatures found")
opts.CosignOCI11 = true
_, err = verifier.VerifySignature(context.TODO(), opts)
assert.NilError(t, err)
}
type testSignature struct {
cert *x509.Certificate
}
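Review bot: `TestCosignOCI11Experimental` depends on network access to ghcr.io through `registryclient.New()` and a real signed image, so it is not hermetic and will fail offline or if the `cosign-oci11` tag is ever re-pushed; the surrounding tests in this file appear to do the same, but a guard at the top, `if testing.Short() { t.Skip("requires network access to ghcr.io") }`, would at least let the package run in short mode. Both `VerifySignature` calls also discard the first return value; asserting on it in the success case (for instance that it is non-nil) would pin that the OCI 1.1 path actually produces a verification result rather than merely a nil error. The `assert.ErrorContains(t, err, "no signatures found")` check couples the negative case to cosign's error wording, which is acceptable here but worth a one-line comment saying the error text comes from the cosign library.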


@ -551,6 +551,7 @@ func (iv *ImageVerifier) buildCosignVerifier(
opts := &images.Options{
ImageRef: image,
Repository: imageVerify.Repository,
CosignOCI11: imageVerify.CosignOCI11,
Annotations: imageVerify.Annotations,
Client: iv.rclient,
}


@ -33,6 +33,7 @@ type Options struct {
AdditionalExtensions map[string]string
Annotations map[string]string
Repository string
CosignOCI11 bool
IgnoreTlog bool
RekorURL string
RekorPubKey string
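Review bot: `CosignOCI11 bool` is added to `Options` without a comment, and this struct is the hand-off point between the policy type (the imageVerifier hunk copies `imageVerify.CosignOCI11` into it) and the cosign call, so it is where a reader will look for the field's meaning. Suggest `// CosignOCI11 enables cosign's experimental OCI 1.1 signature discovery; mirrors ImageVerification.CosignOCI11 and only affects the cosign verifier.` The Options struct continues outside the hunk.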


@ -0,0 +1,11 @@
## Description
This test performs a simple verification of an image using a public key specified directly in the policy.
## Expected Behavior
Pod creation should pass as the image has been signed by the public key specified in the policy.
## Reference Issue(s)
N/A


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-verify-images


@ -0,0 +1,31 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: keyed-basic-policy
spec:
background: false
failurePolicy: Fail
rules:
- match:
any:
- resources:
kinds:
- Pod
name: keyed-basic-rule
verifyImages:
- attestors:
- entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoKYkkX32oSx61B4iwKXa6llAF2dB
IoL3R/9n1SJ7s00Nfkk3z4/Ar6q8el/guUmXi8akEJMxvHnvphorVUz8vQ==
-----END PUBLIC KEY-----
rekor:
ignoreTlog: true
url: https://rekor.sigstore.dev
imageReferences:
- ghcr.io/kyverno/test-verify-image:*
cosignOCI11: true
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
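Review bot: The ClusterPolicy is named `keyed-basic-policy` and the chainsaw Test manifest below is named `keyed-basic`, which reads as copied from an existing keyed-basic fixture; ClusterPolicy is cluster-scoped, so if another test in the suite creates a ClusterPolicy of the same name and the suite runs tests concurrently, the two definitions overwrite each other and the `cosignOCI11: true` behaviour under test is no longer what is asserted. Rename it (for example `cosign-oci11-policy`) here, in the policy assert file and in the Test manifest, and consider giving the README a description that mentions the OCI 1.1 mode rather than plain keyed verification. `ignoreTlog: true` disables transparency-log verification, which is a reasonable choice for a key-verified fixture but deserves a comment, `# tlog check disabled: fixture is key-verified, not keyless`, so it is not copied into a production sample unchanged.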


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: keyed-basic-policy
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: test-secret-pod
namespace: test-verify-images
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image:cosign-oci11
name: test-secret


@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: test-secret-pod
namespace: test-verify-images
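Review bot: The step-02 assertion only checks that `test-secret-pod` exists in `test-verify-images`, which also holds if the policy never matched the pod (a kind or rule mismatch admits the pod unchanged), so it does not prove the OCI 1.1 verification path ran. To pin that, also assert a side effect of successful verification, such as the digest-pinned image that `mutateDigest` (defaulting to true per the ImageVerification type in this commit) writes into `spec.containers[0].image`; chainsaw's expression assertions allow checking for an `@sha256:` component without hard-coding the digest, if the digest of the fixture image is expected to change. A negative step that applies a pod with an unsigned tag and expects admission to be denied would further confirm that `Enforce` is in effect.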


@ -0,0 +1,23 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: keyed-basic
spec:
timeouts:
delete: 2m
steps:
- name: step-01
try:
- apply:
file: chainsaw-step-01-apply-1.yaml
- apply:
file: chainsaw-step-01-apply-2.yaml
- assert:
file: chainsaw-step-01-assert-1.yaml
- name: step-02
try:
- apply:
file: chainsaw-step-02-apply-1.yaml
- assert:
file: chainsaw-step-02-assert-1.yaml