diff --git a/pkg/utils/api/image.go b/pkg/utils/api/image.go
index 8e3107ed20..fb4b25a932 100644
--- a/pkg/utils/api/image.go
+++ b/pkg/utils/api/image.go
@@ -88,7 +88,7 @@ func extract(obj interface{}, path []string, keyPath, valuePath string, fields [
 }
 }
 value, ok := output[valuePath].(string)
- if !ok {
+ if !ok || strings.TrimSpace(value) == "" {
 // the image may not be present
 logging.V(4).Info("image information is not present", "pointer", pointer)
 return nil
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml
new file mode 100644
index 0000000000..a5b49ecf56
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: resource.yaml
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/README.md
new file mode 100644
index 0000000000..1a0dedf626
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy to verify images signature.
+It then creates a `Deployment` that references an image with an empty string.
+
+## Expected Behavior
+
+The deployment should be created without error.
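Review bot: In `extract` (pkg/utils/api/image.go), the widened guard `!ok || strings.TrimSpace(value) == ""` sends a whitespace-only image down the same path as a missing one, yet the comment and the V(4) message still say only "not present", so a container that verifyImages skipped for this reason cannot be told apart in the logs. I would document the intent on the branch, e.g. `// missing or blank image (such as the ' ' placeholder in the empty-image fixture): nothing to verify yet, the resolved image must be checked once it is set`, and consider adding the reason to the log fields. It looks like enforcement then depends on the rule running again once the field holds a real reference (the test policy matches `Pod`), but the new conformance steps only assert that the Deployment is admitted, so that assumption is worth confirming with a negative case. The hunk also relies on `strings` being imported, which is not visible here, and the body of `extract` starts and ends outside the hunk.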
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy-assert.yaml
new file mode 100644
index 0000000000..a2d2cc907e
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyed-basic-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml
new file mode 100644
index 0000000000..19592cea08
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/policy.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyed-basic-policy
+spec:
+ validationFailureAction: enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: keyed-basic-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - '*'
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/resource.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/resource.yaml
new file mode 100644
index 0000000000..e739848a9a
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/empty-image/resource.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"httpd:latest","namespace":"example-namespace"},"fieldPath":"spec.template.spec.containers[?(@.name==\"httpd\")].image"}]'
+ openshift.io/generated-by: OpenShiftNewApp
+ labels:
+ app: httpd
+ app.kubernetes.io/component: httpd
+ app.kubernetes.io/instance: httpd
+ name: httpd
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ deployment: httpd
+ strategy: {}
+ template:
+ metadata:
+ annotations:
+ openshift.io/generated-by: OpenShiftNewApp
+ labels:
+ deployment: httpd
+ spec:
+ containers:
+ - image: ' '
+ name: httpd
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 8443
+ protocol: TCP