fix: allow empty image (#6767)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

pkg/utils/api/image.go

@@ -88,7 +88,7 @@ func extract(obj interface{}, path []string, keyPath, valuePath string, fields [
 			}
 		}
 		value, ok := output[valuePath].(string)
-		if !ok {
+		if !ok || strings.TrimSpace(value) == "" {
 			// the image may not be present
 			logging.V(4).Info("image information is not present", "pointer", pointer)
 			return nil

test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml

test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml

test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/README.md

@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy to verify images signature.
+It then creates a `Deployment` that references an image with an empty string.
+
+## Expected Behavior
+
+The deployment should be created without error.

test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: keyed-basic-policy
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml

@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: keyed-basic-policy
+spec:
+  validationFailureAction: enforce
+  background: false
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail
+  rules:
+  - name: keyed-basic-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    verifyImages:
+    - imageReferences:
+      - '*'
+      attestors:
+      - entries:
+        - keys:
+            publicKeys: |-
+              -----BEGIN PUBLIC KEY-----
+              MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+              5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+              -----END PUBLIC KEY-----

test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/resource.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"httpd:latest","namespace":"example-namespace"},"fieldPath":"spec.template.spec.containers[?(@.name==\"httpd\")].image"}]'
+    openshift.io/generated-by: OpenShiftNewApp
+  labels:
+    app: httpd
+    app.kubernetes.io/component: httpd
+    app.kubernetes.io/instance: httpd
+  name: httpd
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      deployment: httpd
+  strategy: {}
+  template:
+    metadata:
+      annotations:
+        openshift.io/generated-by: OpenShiftNewApp
+      labels:
+        deployment: httpd
+    spec:
+      containers:
+      - image: ' '
+        name: httpd
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        - containerPort: 8443
+          protocol: TCP