fix imageRef matching (#5956)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>

pkg/engine/imageVerify.go

@@ -339,6 +339,10 @@ func (iv *imageVerifier) verifyImage(
 	}
 
 	if len(imageVerify.Attestors) > 0 {
+		if !matchImageReferences(imageVerify.ImageReferences, imageInfo.String()) {
+			return nil, ""
+		}
+
 		ruleResp, cosignResp := iv.verifyAttestors(ctx, imageVerify.Attestors, imageVerify, imageInfo, "")
 		if ruleResp.Status != response.RuleStatusPass {
 			return ruleResp, ""
@@ -722,3 +726,12 @@ func evaluateConditions(
 	pass := variables.EvaluateAnyAllConditions(log, ctx, c)
 	return pass, nil
 }
+
+func matchImageReferences(imageReferences []string, image string) bool {
+	for _, imageRef := range imageReferences {
+		if wildcard.Match(imageRef, image) {
+			return true
+		}
+	}
+	return false
+}

test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-signatures
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml

@@ -0,0 +1,53 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-signatures
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  validationFailureAction: enforce
+  webhookTimeoutSeconds: 30
+  background: false
+  rules:
+    - name: check-1
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - attestors:
+        - count: 1
+          entries:
+          - keys:
+              publicKeys: |-
+                -----BEGIN PUBLIC KEY-----
+                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+                5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+                -----END PUBLIC KEY-----
+        imageReferences:
+        - ghcr.io/kyverno/test-verify-image:*
+        mutateDigest: true
+        required: true
+        verifyDigest: true
+    - name: check-2
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - attestors:
+        - count: 1
+          entries:
+          - keys:
+              publicKeys: |-
+                -----BEGIN PUBLIC KEY-----
+                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOUD2uzRHLnx1oH6XAnF+8haL73BF
+                zh9pMI1x1/c4Nj/w+rsrgMCDyV/S8hmsXEbizhYD3QndVtV1piBDfDIb8w==
+                -----END PUBLIC KEY-----
+        imageReferences:
+        - my.local.repo/*
+        mutateDigest: false
+        required: true
+        verifyDigest: false

test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: signed
+  namespace: default
+spec:
+  containers:
+  - name: signed

test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: signed
+  namespace: default
+spec:
+  containers:
+  - image: ghcr.io/kyverno/test-verify-image:signed
+    imagePullPolicy: IfNotPresent
+    name: signed

test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/99-cleanup.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete -f 01-policy.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true

test/conformance/kuttl/verifyImages/clusterpolicy/cornercases/multiple-attestors/README.md

@@ -0,0 +1,11 @@
+## Description
+
+A `VerifyImages` rule specifying multiple attestors should allow pod creation with valid images.
+
+## Expected Behavior
+
+The pod `signed` should be created successfully.
+
+## Reference Issue(s)
+
+Slack discussion - https://kubernetes.slack.com/archives/CLGR9BJU9/p1673303296239259.