feat: add image verification support to background scan (#5047)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2025-03-28 02:18:15 +00:00 · 2022-10-18 17:23:02 +02:00 · 2022-10-18 17:23:02 +02:00 · 5aec07215f
commit 5aec07215f
parent 5a09a78350
1 changed files with 48 additions and 3 deletions
--- a/pkg/controllers/report/utils/scanner.go
+++ b/pkg/controllers/report/utils/scanner.go
@ -7,6 +7,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/response"
+	"go.uber.org/multierr"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

@ -36,16 +37,31 @@ func NewScanner(logger logr.Logger, client dclient.Interface, excludeGroupRole .
 func (s *scanner) ScanResource(resource unstructured.Unstructured, nsLabels map[string]string, policies ...kyvernov1.PolicyInterface) map[kyvernov1.PolicyInterface]ScanResult {
 	results := map[kyvernov1.PolicyInterface]ScanResult{}
 	for _, policy := range policies {
-		response, err := s.scan(resource, nsLabels, policy)
+		var errors []error
+		response, err := s.validateResource(resource, nsLabels, policy)
 		if err != nil {
 			s.logger.Error(err, "failed to scan resource")
+			errors = append(errors, err)
 		}
-		results[policy] = ScanResult{response, err}
+		spec := policy.GetSpec()
+		if spec.HasVerifyImages() {
+			ivResponse, err := s.validateImages(resource, nsLabels, policy)
+			if err != nil {
+				s.logger.Error(err, "failed to scan images")
+				errors = append(errors, err)
+			}
+			if response == nil {
+				response = ivResponse
+			} else {
+				response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ivResponse.PolicyResponse.Rules...)
+			}
+		}
+		results[policy] = ScanResult{response, multierr.Combine(errors...)}
 	}
 	return results
 }

-func (s *scanner) scan(resource unstructured.Unstructured, nsLabels map[string]string, policy kyvernov1.PolicyInterface) (*response.EngineResponse, error) {
+func (s *scanner) validateResource(resource unstructured.Unstructured, nsLabels map[string]string, policy kyvernov1.PolicyInterface) (*response.EngineResponse, error) {
 	ctx := context.NewContext()
 	if err := ctx.AddResource(resource.Object); err != nil {
 		return nil, err
@ -69,3 +85,32 @@ func (s *scanner) scan(resource unstructured.Unstructured, nsLabels map[string]s
 	}
 	return engine.Validate(policyCtx), nil
 }
+
+func (s *scanner) validateImages(resource unstructured.Unstructured, nsLabels map[string]string, policy kyvernov1.PolicyInterface) (*response.EngineResponse, error) {
+	ctx := context.NewContext()
+	if err := ctx.AddResource(resource.Object); err != nil {
+		return nil, err
+	}
+	if err := ctx.AddNamespace(resource.GetNamespace()); err != nil {
+		return nil, err
+	}
+	if err := ctx.AddImageInfos(&resource); err != nil {
+		return nil, err
+	}
+	if err := ctx.AddOperation("CREATE"); err != nil {
+		return nil, err
+	}
+	policyCtx := &engine.PolicyContext{
+		Policy:           policy,
+		NewResource:      resource,
+		JSONContext:      ctx,
+		Client:           s.client,
+		NamespaceLabels:  nsLabels,
+		ExcludeGroupRole: s.excludeGroupRole,
+	}
+	response, _ := engine.VerifyAndPatchImages(policyCtx)
+	if len(response.PolicyResponse.Rules) > 0 {
+		s.logger.Info("validateImages", "policy", policy, "response", response)
+	}
+	return response, nil
+}