mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-28 18:38:40 +00:00
add remainder of e2e verifyImages tests (#5229)
Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Chip Zoller <chipzoller@gmail.com>
This commit is contained in:
Chip Zoller
GitHub
parent
da18305015
commit
745482a0e4
26 changed files with 373 additions and 0 deletions
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-keyless
|
||||
status:
|
||||
ready: true
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: tekton-test
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: tasks.tekton.dev
|
||||
spec:
|
||||
group: tekton.dev
|
||||
preserveUnknownFields: false
|
||||
versions:
|
||||
- name: v1beta1
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
subresources:
|
||||
status: {}
|
||||
names:
|
||||
kind: Task
|
||||
plural: tasks
|
||||
categories:
|
||||
- tekton
|
||||
- tekton-pipelines
|
||||
scope: Namespaced
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-keyless
|
||||
spec:
|
||||
validationFailureAction: enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
rules:
|
||||
- name: verify-images
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- tekton.dev/v1beta1/Task
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
imageExtractors:
|
||||
Task:
|
||||
- path: /spec/steps/*/image
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/*"
|
||||
attestors:
|
||||
- count: 1
|
||||
entries:
|
||||
- keyless:
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
subject: "https://github.com/*"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
required: true
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: example-task-name
|
||||
namespace: tekton-test
|
||||
spec:
|
||||
steps:
|
||||
- name: cosign
|
||||
image: ghcr.io/sigstore/cosign/cosign@sha256:33a6a55d2f1354bc989b791974cf4ee00a900ab9e4e54b393962321758eee3c6
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: example-task-name
|
||||
namespace: tekton-test
|
||||
annotations:
|
||||
kyverno.io/verify-images: '{"ghcr.io/sigstore/cosign/cosign@sha256:33a6a55d2f1354bc989b791974cf4ee00a900ab9e4e54b393962321758eee3c6":true}'
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml,02-task.yaml --force --wait=true --ignore-not-found=true
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# Title
|
||||
|
||||
Checks that more complex image extraction with keyless verification and required=true is working by submitting a Task which uses a verified container image. The Task should be created and the annotation `kyverno.io/verify-images` written which contains the image with digest and `true` indicating it was verified.
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-complex
|
||||
status:
|
||||
ready: true
|
||||
|
|
@ -0,0 +1,60 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: tekton-test
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: tasks.tekton.dev
|
||||
spec:
|
||||
group: tekton.dev
|
||||
preserveUnknownFields: false
|
||||
versions:
|
||||
- name: v1beta1
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
subresources:
|
||||
status: {}
|
||||
names:
|
||||
kind: Task
|
||||
plural: tasks
|
||||
categories:
|
||||
- tekton
|
||||
- tekton-pipelines
|
||||
scope: Namespaced
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-complex
|
||||
spec:
|
||||
validationFailureAction: enforce
|
||||
rules:
|
||||
- name: verify-images
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- tekton.dev/v1beta1/Task
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
imageExtractors:
|
||||
Task:
|
||||
- path: /spec/steps/*
|
||||
name: steps
|
||||
value: image
|
||||
key: name
|
||||
verifyImages:
|
||||
- image: "*"
|
||||
key: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
|
||||
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- script: |
|
||||
if kubectl apply -f badtask.yaml
|
||||
then
|
||||
echo "Tested failed. Task was created when it shouldn't have been."
|
||||
exit 1
|
||||
else
|
||||
echo "Test succeeded. Task was not created as intended."
|
||||
exit 0
|
||||
fi
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: example-task-name
|
||||
namespace: tekton-test
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# Title
|
||||
|
||||
Checks that more complex image extraction is working by submitting a Task which uses an unverified container image. The Task should fail to be created since the supplied public key is not valid for it (the image is unsigned).
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: example-task-name
|
||||
namespace: tekton-test
|
||||
spec:
|
||||
steps:
|
||||
- name: ubuntu-example
|
||||
image: ubuntu:bionic
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-no-extractor
|
||||
status:
|
||||
ready: true
|
||||
|
|
@ -0,0 +1,54 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: tekton-test
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: tasks.tekton.dev
|
||||
spec:
|
||||
group: tekton.dev
|
||||
preserveUnknownFields: false
|
||||
versions:
|
||||
- name: v1beta1
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
subresources:
|
||||
status: {}
|
||||
names:
|
||||
kind: Task
|
||||
plural: tasks
|
||||
categories:
|
||||
- tekton
|
||||
- tekton-pipelines
|
||||
scope: Namespaced
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-no-extractor
|
||||
spec:
|
||||
validationFailureAction: enforce
|
||||
rules:
|
||||
- name: verify-images
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- tekton.dev/v1beta1/Task
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
verifyImages:
|
||||
- image: "*"
|
||||
key: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: example-task-name
|
||||
namespace: tekton-test
|
||||
spec:
|
||||
steps:
|
||||
- name: ubuntu-example
|
||||
image: ubuntu:bionic
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: example-task-name
|
||||
namespace: tekton-test
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml,02-task.yaml --force --wait=true --ignore-not-found=true
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# Title
|
||||
|
||||
Checks that a ClusterPolicy without defining an imageExtractor causes a CustomResource to pass through. Since the ClusterPolicy does not name a field from which to extract the image, no verification can be performed. Expected result is the Task is created even though the image within is not verified.
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-simple
|
||||
status:
|
||||
ready: true
|
||||
|
|
@ -0,0 +1,58 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: tekton-test
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: tasks.tekton.dev
|
||||
spec:
|
||||
group: tekton.dev
|
||||
preserveUnknownFields: false
|
||||
versions:
|
||||
- name: v1beta1
|
||||
served: true
|
||||
storage: true
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
subresources:
|
||||
status: {}
|
||||
names:
|
||||
kind: Task
|
||||
plural: tasks
|
||||
categories:
|
||||
- tekton
|
||||
- tekton-pipelines
|
||||
scope: Namespaced
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: tasks-simple
|
||||
spec:
|
||||
validationFailureAction: enforce
|
||||
rules:
|
||||
- name: verify-images
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- tekton.dev/v1beta1/Task
|
||||
preconditions:
|
||||
- key: "{{request.operation}}"
|
||||
operator: NotEquals
|
||||
value: DELETE
|
||||
imageExtractors:
|
||||
Task:
|
||||
- path: /spec/steps/*/image
|
||||
verifyImages:
|
||||
- image: "*"
|
||||
key: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
---
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
|
||||
|
||||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- script: |
|
||||
if kubectl apply -f badtask.yaml
|
||||
then
|
||||
echo "Tested failed. Task was created when it shouldn't have been."
|
||||
exit 1
|
||||
else
|
||||
echo "Test succeeded. Task was not created as intended."
|
||||
exit 0
|
||||
fi
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: example-task-name
|
||||
namespace: tekton-test
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
# Title
|
||||
|
||||
Checks that simple image extraction is working by submitting a Task which uses an unverified container image. The Task should fail to be created since the supplied public key is not valid for it (the image is unsigned).
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: example-task-name
|
||||
namespace: tekton-test
|
||||
spec:
|
||||
steps:
|
||||
- name: ubuntu-example
|
||||
image: ubuntu:bionic
|
||||
Loading…
Add table
Reference in a new issue