
adding support for Cosign key-value annotations (#2824)

* adding annotation check

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* adding tests

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* updating manifests

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* changing map val type to string from interface{}

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* passing args to opts

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Naman Lakhwani 2021-12-16 11:49:44 +05:30 committed by GitHub
parent c8e5750c4f
commit 59a460b31e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 4553 additions and 4426 deletions


@ -554,6 +554,11 @@ type ImageVerification struct {
// Issuer is the certificate issuer used for keyless signing.
Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
// Annotations are used for image verification.
// Every specified key-value pair must exist and match in the verified payload.
// The payload may contain other key-value pairs.
Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
// Repository is an optional alternate OCI repository to use for image signatures that match this rule.
// If specified Repository will override the default OCI image repository configured for the installation.
Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
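Review bot: The doc comment on the new `Annotations` field leaves the matching rule open: what happens when a key is absent from the signature's `optional` block, or present with a non-string value. In the cosign helper added by this commit the comparison is a plain `val != p.Optional[key]`, so an absent key compares against the map's zero value and fails, and if `Optional` is a `map[string]interface{}` as in cosign's `SimpleContainerImage`, a non-string payload annotation can never equal a string policy value. Suggest extending the comment with `// Values are compared as exact strings; a key missing from the payload, or carrying a non-string value, fails verification.` The `ImageVerification` struct starts and ends outside the hunk.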



@ -1884,6 +1884,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -2016,6 +2024,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.


@ -1885,6 +1885,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -2017,6 +2025,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.


@ -1902,6 +1902,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -2034,6 +2042,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.
@ -5554,6 +5566,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -5686,6 +5706,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.


@ -1889,6 +1889,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -2021,6 +2029,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.
@ -5513,6 +5525,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -5645,6 +5665,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.


@ -73,13 +73,14 @@ func UpdateKeychain() error {
}
type Options struct {
ImageRef string
Key string
Roots []byte
Subject string
Issuer string
Repository string
Log logr.Logger
ImageRef string
Key string
Roots []byte
Subject string
Issuer string
Annotations map[string]string
Repository string
Log logr.Logger
}
// VerifySignature verifies that the image has the expected key
@ -155,6 +156,11 @@ func VerifySignature(opts Options) (digest string, err error) {
return "", errors.Wrap(err, "subject mismatch")
}
err = checkAnnotations(payload, opts.Annotations, log)
if err != nil {
return "", errors.Wrap(err, "annotation mismatch")
}
digest, err = extractDigest(opts.ImageRef, payload, log)
if err != nil {
return "", errors.Wrap(err, "failed to get digest")
@ -420,3 +426,14 @@ func extractSubject(imgRef string, payload []payload.SimpleContainerImage, log l
}
return "", fmt.Errorf("image subject not found for " + imgRef)
}
func checkAnnotations(payload []payload.SimpleContainerImage, annotations map[string]string, log logr.Logger) error {
for _, p := range payload {
for key, val := range annotations {
if val != p.Optional[key] {
return fmt.Errorf("value of " + key + " does not match")
}
}
}
return nil
}
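Review bot: In `checkAnnotations` the mismatch error is built by concatenation and then handed to `fmt.Errorf` as the format string, so a policy-supplied annotation key containing `%` is interpreted as a verb (and `go vet` flags the non-constant format); use `return fmt.Errorf("value of %q does not match", key)`, which also quotes the key unambiguously in the message. The loop rejects the image as soon as any one verified payload lacks a matching annotation, rather than accepting when at least one payload matches; that stricter reading may well be intended, but it differs from the any-match shape that `extractSubject`'s "not found" error suggests, so a one-line doc comment such as `// checkAnnotations requires every verified signature payload to carry all configured annotations.` would pin it down. The `log` parameter is accepted but never used in the body. The call site in the `VerifySignature` hunk sits after the subject check, which is a sensible position; that function's body starts and ends outside the hunk.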


@ -21,7 +21,10 @@ const cosignPayload = `{
},
"type": "cosign container image signature"
},
"optional": null
"optional": {
"foo": "bar",
"bar": "baz"
}
}`
const tektonPayload = `{
@ -46,6 +49,9 @@ func TestCosignPayload(t *testing.T) {
signedPayloads := cosign.SignedPayload{Payload: []byte(cosignPayload)}
p, err := extractPayload(image, []oci.Signature{&sig{cosignPayload: signedPayloads}}, log)
assert.NilError(t, err)
a := map[string]string{"foo": "bar"}
err = checkAnnotations(p, a, log)
assert.NilError(t, err)
d, err := extractDigest(image, p, log)
assert.NilError(t, err)
assert.Equal(t, d, "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108")
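Review bot: The assertions added to `TestCosignPayload` only cover the matching case (`foo: bar` is present in the fixture's `optional` block), so a regression that makes `checkAnnotations` return nil unconditionally would still pass. Add the negative cases next to it: `err = checkAnnotations(p, map[string]string{"foo": "nope"}, log)` followed by `assert.ErrorContains(t, err, "does not match")`, plus one for a key that is absent from `optional`. The test function continues outside the hunk.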


@ -184,9 +184,20 @@ func (iv *imageVerifier) verifySignature(imageVerify *v1.ImageVerification, imag
opts.Key = imageVerify.Key
} else {
opts.Roots = []byte(imageVerify.Roots)
}
if imageVerify.Issuer != "" {
opts.Issuer = imageVerify.Issuer
}
if imageVerify.Subject != "" {
opts.Subject = imageVerify.Subject
}
if imageVerify.Annotations != nil {
opts.Annotations = imageVerify.Annotations
}
start := time.Now()
digest, err := cosign.VerifySignature(opts)
if err != nil {
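Review bot: The `if imageVerify.Annotations != nil` guard around `opts.Annotations = imageVerify.Annotations` is redundant: assigning a nil map to the zero-valued field changes nothing, and ranging over a nil map in the check is a no-op, so the plain assignment would read the same as the `Key`/`Roots` handling above it. The same holds for the new `Issuer` and `Subject` guards, where assigning an empty string is equally a no-op; if the guards are meant to document "only set when configured", a short comment saying so would make that intent explicit. `verifySignature` starts and ends outside the hunk.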