diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-assert.yaml
new file mode 100644
index 0000000000..33390d5dcb
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: tasks-keyless
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-manifests.yaml
new file mode 100644
index 0000000000..bf239d5aae
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-manifests.yaml
@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tekton-test
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tasks.tekton.dev
+spec:
+ group: tekton.dev
+ preserveUnknownFields: false
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ subresources:
+ status: {}
+ names:
+ kind: Task
+ plural: tasks
+ categories:
+ - tekton
+ - tekton-pipelines
+ scope: Namespaced
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: tasks-keyless
+spec:
+ validationFailureAction: enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: verify-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - tekton.dev/v1beta1/Task
+ preconditions:
+ - key: "{{request.operation}}"
+ operator: NotEquals
+ value: DELETE
+ imageExtractors:
+ Task:
+ - path: /spec/steps/*/image
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/*"
+ attestors:
+ - count: 1
+ entries:
+ - keyless:
+ issuer: "https://token.actions.githubusercontent.com"
+ subject: "https://github.com/*"
+ rekor:
+ url: https://rekor.sigstore.dev
+ required: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml
new file mode 100644
index 0000000000..797d2f4dd9
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml
@@ -0,0 +1,9 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: example-task-name
+ namespace: tekton-test
+spec:
+ steps:
+ - name: cosign
+ image: ghcr.io/sigstore/cosign/cosign@sha256:33a6a55d2f1354bc989b791974cf4ee00a900ab9e4e54b393962321758eee3c6
\ No newline at end of file
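Review bot: The keyless attestor in tasks-keyless pins the issuer but `subject: "https://github.com/*"` accepts a certificate issued to any GitHub Actions workflow in any repository, so this hunk proves the keyless path runs, not that an identity constraint is enforced. If identity matching is part of what the test should cover, narrow the subject to the signing repository's workflow path (for example a constructed pattern such as `subject: "https://github.com/sigstore/cosign/*"`, to be checked against the actual certificate SAN before pinning); if the wildcard is intentional, say so in a comment above the `keyless:` entry. This is also the only one of the four policies that sets `webhookTimeoutSeconds: 30`, presumably because verification contacts Rekor over the network; a comment such as `# keyless verification reaches rekor.sigstore.dev from the cluster; allow a longer webhook timeout` would record that the test needs outbound connectivity. Finally, `url: https://rekor.sigstore.dev` is the one unquoted URL in a block that quotes its other URLs; it parses as a plain string today, but quoting it keeps the style uniform.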
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/03-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/03-assert.yaml
new file mode 100644
index 0000000000..00a796d516
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/03-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: example-task-name
+ namespace: tekton-test
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/sigstore/cosign/cosign@sha256:33a6a55d2f1354bc989b791974cf4ee00a900ab9e4e54b393962321758eee3c6":true}'
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/99-cleanup.yaml
new file mode 100644
index 0000000000..901039dff1
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-task.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/README.md
new file mode 100644
index 0000000000..6abc915a9b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/README.md
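Review bot: This cleanup force-deletes the cluster-scoped CRD `tasks.tekton.dev` and the namespace `tekton-test`, yet all four test directories in this commit create exactly those two objects and each has a 99-cleanup.yaml that deletes them (the later 99-cleanup hunks do the same). If kuttl runs the directories concurrently (its default unless the suite is configured with `parallel: 1` / `--parallel 1`; confirm the suite config), one directory's cleanup can remove the CRD or namespace while another is mid-step, giving flaky failures, or, worse for the negative tests, a Task creation failure unrelated to image verification that their 03-errors.yaml then accepts as success. Give each directory its own namespace name, or record the constraint with a comment above `commands:` such as `# shares tasks.tekton.dev and tekton-test with the sibling imageExtractors-* tests; they must not run in parallel`.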
@@ -0,0 +1,3 @@
+# Title
+
+Checks that more complex image extraction with keyless verification and required=true is working by submitting a Task which uses a verified container image. The Task should be created and the annotation `kyverno.io/verify-images` written which contains the image with digest and `true` indicating it was verified.
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-assert.yaml
new file mode 100644
index 0000000000..4e8ef06f08
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: tasks-complex
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-manifests.yaml
new file mode 100644
index 0000000000..a14488e3a1
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-manifests.yaml
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tekton-test
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tasks.tekton.dev
+spec:
+ group: tekton.dev
+ preserveUnknownFields: false
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ subresources:
+ status: {}
+ names:
+ kind: Task
+ plural: tasks
+ categories:
+ - tekton
+ - tekton-pipelines
+ scope: Namespaced
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: tasks-complex
+spec:
+ validationFailureAction: enforce
+ rules:
+ - name: verify-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - tekton.dev/v1beta1/Task
+ preconditions:
+ - key: "{{request.operation}}"
+ operator: NotEquals
+ value: DELETE
+ imageExtractors:
+ Task:
+ - path: /spec/steps/*
+ name: steps
+ value: image
+ key: name
+ verifyImages:
+ - image: "*"
+ key: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml
new file mode 100644
index 0000000000..850b8c6eb6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml
@@ -0,0 +1,14 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl apply -f badtask.yaml
+ then
+ echo "Tested failed. Task was created when it shouldn't have been."
+ exit 1
+ else
+ echo "Test succeeded. Task was not created as intended."
+ exit 0
+ fi
\ No newline at end of file
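Review bot: The script in 02-create-task.yaml treats any non-zero exit from `kubectl apply -f badtask.yaml` as a successful rejection, so a missing CRD, a namespace that is not ready yet, or a webhook timeout makes this negative test pass without image verification ever running; the identical script is added in imageExtractors-simple/02-create-task.yaml (the later 02-create-task hunk) and has the same gap. Capture the error output and require that the denial comes from the `verify-images` rule (confirm the exact wording Kyverno emits before settling on the pattern), as sketched below. The header comment `## Checks that the manifests.yaml file CANNOT be successfully created.` names the wrong file, since the step applies badtask.yaml; change it to `## Checks that badtask.yaml CANNOT be applied: the Task must be rejected by the verify-images rule.` The echo text `Tested failed.` is also a typo for `Test failed.`.
```yaml
commands:
- script: |
    if out=$(kubectl apply -f badtask.yaml 2>&1)
    then
      echo "Test failed. Task was created when it shouldn't have been."
      exit 1
    fi
    # The rejection must come from the policy, not from an unrelated apply error.
    if ! echo "$out" | grep -q 'verify-images'
    then
      echo "Test failed. Task was rejected for an unexpected reason: $out"
      exit 1
    fi
    echo "Test succeeded. Task was not created as intended."
```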
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/03-errors.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/03-errors.yaml
new file mode 100644
index 0000000000..de1b3f099b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/03-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: example-task-name
+ namespace: tekton-test
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/99-cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/README.md
new file mode 100644
index 0000000000..698da27e03
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/README.md
@@ -0,0 +1,3 @@
+# Title
+
+Checks that more complex image extraction is working by submitting a Task which uses an unverified container image. The Task should fail to be created since the supplied public key is not valid for it (the image is unsigned).
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/badtask.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/badtask.yaml
new file mode 100644
index 0000000000..192d130a6b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-complex/badtask.yaml
@@ -0,0 +1,9 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: example-task-name
+ namespace: tekton-test
+spec:
+ steps:
+ - name: ubuntu-example
+ image: ubuntu:bionic
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/01-assert.yaml
new file mode 100644
index 0000000000..e51f26047c
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: tasks-no-extractor
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/01-manifests.yaml
new file mode 100644
index 0000000000..b643df8eb3
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/01-manifests.yaml
@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tekton-test
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tasks.tekton.dev
+spec:
+ group: tekton.dev
+ preserveUnknownFields: false
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ subresources:
+ status: {}
+ names:
+ kind: Task
+ plural: tasks
+ categories:
+ - tekton
+ - tekton-pipelines
+ scope: Namespaced
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: tasks-no-extractor
+spec:
+ validationFailureAction: enforce
+ rules:
+ - name: verify-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - tekton.dev/v1beta1/Task
+ preconditions:
+ - key: "{{request.operation}}"
+ operator: NotEquals
+ value: DELETE
+ verifyImages:
+ - image: "*"
+ key: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml
new file mode 100644
index 0000000000..192d130a6b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml
@@ -0,0 +1,9 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: example-task-name
+ namespace: tekton-test
+spec:
+ steps:
+ - name: ubuntu-example
+ image: ubuntu:bionic
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/03-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/03-assert.yaml
new file mode 100644
index 0000000000..de1b3f099b
--- /dev/null
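Review bot: The tasks-no-extractor policy carries a verifyImages rule for a custom kind with no imageExtractors, and only the README explains that Kyverno then has no image field to check and admits the unsigned Task; the manifest itself reads like a copy of the sibling policies with the extractor dropped by mistake. Record the intent next to the rule with a comment above `verifyImages:` such as `# intentionally no imageExtractors: Kyverno has no image field to check on Task, so the unsigned image must be admitted (see README)`. Note also that a kuttl assert matches a subset of fields, so 03-assert.yaml cannot show that no `kyverno.io/verify-images` annotation was written; if "no verification performed" is part of the expected outcome, a script step that checks the annotation is absent would pin it.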
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/03-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: example-task-name
+ namespace: tekton-test
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/99-cleanup.yaml
new file mode 100644
index 0000000000..901039dff1
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-task.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/README.md
new file mode 100644
index 0000000000..d4dd872f51
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-none/README.md
@@ -0,0 +1,3 @@
+# Title
+
+Checks that a ClusterPolicy without defining an imageExtractor causes a CustomResource to pass through. Since the ClusterPolicy does not name a field from which to extract the image, no verification can be performed. Expected result is the Task is created even though the image within is not verified.
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-assert.yaml
new file mode 100644
index 0000000000..9dc5e6e273
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: tasks-simple
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-manifests.yaml
new file mode 100644
index 0000000000..b59928742a
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-manifests.yaml
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tekton-test
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: tasks.tekton.dev
+spec:
+ group: tekton.dev
+ preserveUnknownFields: false
+ versions:
+ - name: v1beta1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ subresources:
+ status: {}
+ names:
+ kind: Task
+ plural: tasks
+ categories:
+ - tekton
+ - tekton-pipelines
+ scope: Namespaced
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: tasks-simple
+spec:
+ validationFailureAction: enforce
+ rules:
+ - name: verify-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - tekton.dev/v1beta1/Task
+ preconditions:
+ - key: "{{request.operation}}"
+ operator: NotEquals
+ value: DELETE
+ imageExtractors:
+ Task:
+ - path: /spec/steps/*/image
+ verifyImages:
+ - image: "*"
+ key: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
+---
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml
new file mode 100644
index 0000000000..850b8c6eb6
--- /dev/null
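Review bot: The tasks-simple manifest ends with a trailing `---` after the `-----END PUBLIC KEY-----` line, which opens an empty fourth document; kubectl tolerates it, but none of the sibling 01-manifests.yaml files in this commit end that way, and an empty trailing document is an easy place for a later edit to land outside any resource. Drop the final `---` so the file ends on the key block like the others. While here, the same hard-coded test public key appears verbatim in three policies; a one-line comment above `key: |-` such as `# test-only key; the images under test are unsigned, so verification must fail` would make the negative-test intent clear without reading the README.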
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml
@@ -0,0 +1,14 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl apply -f badtask.yaml
+ then
+ echo "Tested failed. Task was created when it shouldn't have been."
+ exit 1
+ else
+ echo "Test succeeded. Task was not created as intended."
+ exit 0
+ fi
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/03-errors.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/03-errors.yaml
new file mode 100644
index 0000000000..de1b3f099b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/03-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: example-task-name
+ namespace: tekton-test
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/99-cleanup.yaml
new file mode 100644
index 0000000000..15c3c49051
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/README.md
new file mode 100644
index 0000000000..dd7287ff04
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/README.md
@@ -0,0 +1,3 @@
+# Title
+
+Checks that simple image extraction is working by submitting a Task which uses an unverified container image. The Task should fail to be created since the supplied public key is not valid for it (the image is unsigned).
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/badtask.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/badtask.yaml
new file mode 100644
index 0000000000..192d130a6b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/imageExtractors-simple/badtask.yaml
@@ -0,0 +1,9 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+ name: example-task-name
+ namespace: tekton-test
+spec:
+ steps:
+ - name: ubuntu-example
+ image: ubuntu:bionic