
adding support for Cosign key-value annotations (#2824)

* adding annotation check

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* adding tests

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* updating manifests

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* changing map val type to string from interface{}

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* passing args to opts

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Naman Lakhwani 2021-12-16 11:49:44 +05:30 committed by GitHub
parent c8e5750c4f
commit 59a460b31e
9 changed files with 4553 additions and 4426 deletions


@ -554,6 +554,11 @@ type ImageVerification struct {
// Issuer is the certificate issuer used for keyless signing.
Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
// Annotations are used for image verification.
// Every specified key-value pair must exist and match in the verified payload.
// The payload may contain other key-value pairs.
Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
// Repository is an optional alternate OCI repository to use for image signatures that match this rule.
// If specified Repository will override the default OCI image repository configured for the installation.
Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`


@ -1194,6 +1194,11 @@ spec:
items:
description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statement declarations.
items:
@ -1280,6 +1285,9 @@ spec:
image:
description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the image or attestation is signed with.
type: string
@ -3693,6 +3701,11 @@ spec:
items:
description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the OCI registry and decodes them into a list of Statement declarations.
items:
@ -3779,6 +3792,9 @@ spec:
image:
description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the image or attestation is signed with.
type: string


@ -1884,6 +1884,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -2016,6 +2024,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.


@ -1885,6 +1885,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -2017,6 +2025,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.


@ -1902,6 +1902,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -2034,6 +2042,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.
@ -5554,6 +5566,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -5686,6 +5706,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.


@ -1889,6 +1889,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -2021,6 +2029,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.
@ -5513,6 +5525,14 @@ spec:
public key. Once the image is verified it is mutated to
include the SHA digest retrieved during the registration.
properties:
annotations:
additionalProperties:
type: string
description: Annotations are used for image verification.
Every specified key-value pair must exist and match
in the verified payload. The payload may contain other
key-value pairs.
type: object
attestations:
description: Attestations are optional checks for signed
in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
@ -5645,6 +5665,10 @@ spec:
registry address, repository, image, and tag. Wildcards
(''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
type: string
issuer:
description: Issuer is the certificate issuer used for
keyless signing.
type: string
key:
description: Key is the PEM encoded public key that the
image or attestation is signed with.


@ -78,6 +78,7 @@ type Options struct {
Roots []byte
Subject string
Issuer string
Annotations map[string]string
Repository string
Log logr.Logger
}
@ -155,6 +156,11 @@ func VerifySignature(opts Options) (digest string, err error) {
return "", errors.Wrap(err, "subject mismatch")
}
err = checkAnnotations(payload, opts.Annotations, log)
if err != nil {
return "", errors.Wrap(err, "annotation mismatch")
}
digest, err = extractDigest(opts.ImageRef, payload, log)
if err != nil {
return "", errors.Wrap(err, "failed to get digest")
@ -420,3 +426,14 @@ func extractSubject(imgRef string, payload []payload.SimpleContainerImage, log l
}
return "", fmt.Errorf("image subject not found for " + imgRef)
}
func checkAnnotations(payload []payload.SimpleContainerImage, annotations map[string]string, log logr.Logger) error {
for _, p := range payload {
for key, val := range annotations {
if val != p.Optional[key] {
return fmt.Errorf("value of " + key + " does not match")
}
}
}
return nil
}
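Review bot: checkAnnotations at the end of the hunk only rejects a payload that lacks the key because the zero value of `p.Optional[key]` happens to differ from `val`; the documented "must exist and match" rule should be an explicit presence check so it does not depend on Optional's element type: `if got, ok := p.Optional[key]; !ok || got != val {`. The error on the following line builds its format string by concatenating the policy-supplied key, as extractSubject above already does; `return fmt.Errorf("value of %q does not match", key)` keeps a `%` in a key from corrupting the message and satisfies `go vet`. The `log` parameter is accepted but never used, so either drop it or log the offending key at debug level. An empty payload slice makes the function return nil; whether VerifySignature rejects zero signatures before reaching this call is outside the hunk and worth confirming. The VerifySignature body in the middle hunk starts and ends outside the view.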


@ -21,7 +21,10 @@ const cosignPayload = `{
},
"type": "cosign container image signature"
},
"optional": null
"optional": {
"foo": "bar",
"bar": "baz"
}
}`
const tektonPayload = `{
@ -46,6 +49,9 @@ func TestCosignPayload(t *testing.T) {
signedPayloads := cosign.SignedPayload{Payload: []byte(cosignPayload)}
p, err := extractPayload(image, []oci.Signature{&sig{cosignPayload: signedPayloads}}, log)
assert.NilError(t, err)
a := map[string]string{"foo": "bar"}
err = checkAnnotations(p, a, log)
assert.NilError(t, err)
d, err := extractDigest(image, p, log)
assert.NilError(t, err)
assert.Equal(t, d, "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108")
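Review bot: The new `err = checkAnnotations(p, a, log)` assertion covers only the positive case; nothing pins down that a wrong value or an absent key is rejected, which is the property the check exists for. Add a negative case beside it, e.g. `err = checkAnnotations(p, map[string]string{"foo": "baz"}, log)` followed by `assert.ErrorContains(t, err, "does not match")`, and another using a key that is not present in the fixture's `optional` block. TestCosignPayload continues past the end of the hunk.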


@ -184,9 +184,20 @@ func (iv *imageVerifier) verifySignature(imageVerify *v1.ImageVerification, imag
opts.Key = imageVerify.Key
} else {
opts.Roots = []byte(imageVerify.Roots)
}
if imageVerify.Issuer != "" {
opts.Issuer = imageVerify.Issuer
}
if imageVerify.Subject != "" {
opts.Subject = imageVerify.Subject
}
if imageVerify.Annotations != nil {
opts.Annotations = imageVerify.Annotations
}
start := time.Now()
digest, err := cosign.VerifySignature(opts)
if err != nil {
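Review bot: The `if imageVerify.Annotations != nil` guard around `opts.Annotations = imageVerify.Annotations` adds nothing: a nil map assigns as nil and ranges as empty, so the unconditional assignment reads the same and matches how Key and Roots are copied above it. It also hands the policy's map to the verifier by reference rather than as a copy; that is fine while VerifySignature only reads it, as in this commit, but a `maps.Clone`-style copy would make the boundary explicit if that changes. verifySignature starts and ends outside the hunk.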