
Cherry-pick Require predicate type (#5717)

* cherry-pick #5713

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix args

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
This commit is contained in:
shuting 2022-12-19 21:36:59 +08:00 committed by GitHub
parent b822a74dc9
commit 7682030bf9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 92 additions and 9 deletions


@ -192,7 +192,8 @@ type CTLog struct {
// OCI registry and decodes them into a list of Statements.
type Attestation struct {
// PredicateType defines the type of Predicate contained within the Statement.
PredicateType string `json:"predicateType,omitempty" yaml:"predicateType,omitempty"`
// +kubebuilder:validation:Required
PredicateType string `json:"predicateType" yaml:"predicateType"`
// Attestors specify the required attestors (i.e. authorities)
// +kubebuilder:validation:Optional
@ -200,7 +201,7 @@ type Attestation struct {
// Conditions are used to verify attributes within a Predicate. If no Conditions are specified
// the attestation check is satisfied as long there are predicates that match the predicate type.
// +optional
// +kubebuilder:validation:Optional
Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}
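Review bot: Swapping `// +optional` for `// +kubebuilder:validation:Optional` on Conditions in the second hunk appears to lose the field's optional marker in the generated API reference — the docs section further down removes `<em>(Optional)</em>` from the Conditions entry — so keep both markers: `// +optional` followed by `// +kubebuilder:validation:Optional`. The PredicateType comment also still reads as if the field were optional while the field is now required and no longer omitempty; the generated CRD `description:` text inherits that comment, so extend it to `// PredicateType defines the type of Predicate contained within the Statement. Required.`. Making an existing CRD field required will also reject already-stored policies that omit it on their next update, which the commit message does not mention; a release note would help.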


@ -2731,6 +2731,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -4557,6 +4559,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -6324,6 +6328,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -8135,6 +8141,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -10514,6 +10522,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -12340,6 +12350,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -14107,6 +14119,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -15918,6 +15932,8 @@ spec:
predicateType:
description: PredicateType defines the type of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:


@ -2747,6 +2747,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -5788,6 +5790,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -8585,6 +8589,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -11601,6 +11607,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:


@ -2749,6 +2749,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -5791,6 +5793,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -8589,6 +8593,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -11605,6 +11611,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:


@ -4073,6 +4073,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -7114,6 +7116,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -9911,6 +9915,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -12927,6 +12933,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -16555,6 +16563,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -19597,6 +19607,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -22395,6 +22407,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -25411,6 +25425,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:


@ -4067,6 +4067,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -7108,6 +7110,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -9905,6 +9909,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -12921,6 +12927,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -16546,6 +16554,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -19588,6 +19598,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -22386,6 +22398,8 @@ spec:
description: PredicateType defines the type of Predicate
contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:
@ -25402,6 +25416,8 @@ spec:
description: PredicateType defines the type
of Predicate contained within the Statement.
type: string
required:
- predicateType
type: object
type: array
attestors:


@ -827,7 +827,6 @@ string
</em>
</td>
<td>
<em>(Optional)</em>
<p>Conditions are used to verify attributes within a Predicate. If no Conditions are specified
the attestation check is satisfied as long there are predicates that match the predicate type.</p>
</td>


@ -320,6 +320,14 @@ func (iv *imageVerifier) verifyImage(imageVerify kyvernov1.ImageVerification, im
if imageInfo.Digest == "" {
imageInfo.Digest = cosignResp.Digest
}
if len(imageVerify.Attestations) == 0 {
return ruleResp, cosignResp.Digest
}
if imageInfo.Digest == "" {
imageInfo.Digest = cosignResp.Digest
}
}
return iv.verifyAttestations(imageVerify, imageInfo)
@ -338,7 +346,7 @@ func (iv *imageVerifier) verifyAttestors(
var err error
path := fmt.Sprintf(".attestors[%d]", i)
iv.logger.V(4).Info("verifying attestors", "path", path)
cosignResponse, err = iv.verifyAttestorSet(attestorSet, imageVerify, imageInfo, path, predicateType)
cosignResponse, err = iv.verifyAttestorSet(attestorSet, imageVerify, imageInfo, path)
if err != nil {
iv.logger.Error(err, "failed to verify image")
return iv.handleRegistryErrors(image, err), nil
@ -370,6 +378,10 @@ func (iv *imageVerifier) verifyAttestations(imageVerify kyvernov1.ImageVerificat
var attestationError error
path := fmt.Sprintf(".attestations[%d]", i)
if attestation.PredicateType == "" {
return ruleResponse(*iv.rule, response.ImageVerify, path+": missing predicateType", response.RuleStatusFail, nil), ""
}
if len(attestation.Attestors) == 0 {
// add an empty attestor to allow fetching and checking attestations
attestation.Attestors = []kyvernov1.AttestorSet{{Entries: []kyvernov1.Attestor{{}}}}
@ -421,8 +433,11 @@ func (iv *imageVerifier) verifyAttestations(imageVerify kyvernov1.ImageVerificat
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), imageInfo.Digest
}
func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification,
imageInfo apiutils.ImageInfo, path, predicateType string,
func (iv *imageVerifier) verifyAttestorSet(
attestorSet kyvernov1.AttestorSet,
imageVerify kyvernov1.ImageVerification,
imageInfo apiutils.ImageInfo,
path string,
) (*cosign.Response, error) {
var errorList []error
verifiedCount := 0
@ -442,7 +457,7 @@ func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, im
entryError = errors.Wrapf(err, "failed to unmarshal nested attestor %s", attestorPath)
} else {
attestorPath += ".attestor"
cosignResp, entryError = iv.verifyAttestorSet(*nestedAttestorSet, imageVerify, imageInfo, attestorPath, predicateType)
cosignResp, entryError = iv.verifyAttestorSet(*nestedAttestorSet, imageVerify, imageInfo, attestorPath)
}
} else {
opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, nil)
@ -582,14 +597,18 @@ func makeAddDigestPatch(imageInfo apiutils.ImageInfo, digest string) ([]byte, er
}
func (iv *imageVerifier) verifyAttestation(statements []map[string]interface{}, attestation kyvernov1.Attestation, imageInfo apiutils.ImageInfo) error {
if attestation.PredicateType == "" {
return fmt.Errorf("a predicateType is required")
}
image := imageInfo.String()
statementsByPredicate, types := buildStatementMap(statements)
iv.logger.V(4).Info("checking attestations", "predicates", types, "image", image)
statements = statementsByPredicate[attestation.PredicateType]
if statements == nil {
iv.logger.Info("attestation predicate type not found", "type", attestation.PredicateType, "predicates", types, "image", imageInfo.String())
return fmt.Errorf("predicate type %s not found", attestation.PredicateType)
iv.logger.Info("no attestations found for predicate", "type", attestation.PredicateType, "predicates", types, "image", imageInfo.String())
return fmt.Errorf("attestions not found for predicate type %s", attestation.PredicateType)
}
for _, s := range statements {