From 82c9c2d08b2b976546fc702bd955a020c8cf79d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Fri, 29 Apr 2022 13:48:22 +0200 Subject: [PATCH] fix: missing image verification rules in autogen (#3729) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: missing image verification rules in autogen Signed-off-by: Charles-Edouard Brétéché * fix: missing image verification rules in autogen Signed-off-by: Charles-Edouard Brétéché --- pkg/autogen/autogen.go | 7 +- pkg/autogen/autogen_test.go | 185 ++++++++++++++++++++++++++++++++++++ pkg/autogen/rule.go | 3 +- 3 files changed, 193 insertions(+), 2 deletions(-) diff --git a/pkg/autogen/autogen.go b/pkg/autogen/autogen.go index 5d079b17a2..bb84883532 100644 --- a/pkg/autogen/autogen.go +++ b/pkg/autogen/autogen.go @@ -269,10 +269,15 @@ func convertRule(rule kyvernoRule, kind string) (*kyverno.Rule, error) { } func ComputeRules(p kyverno.PolicyInterface) []kyverno.Rule { - spec := p.GetSpec() if !toggle.AutogenInternals() { + spec := p.GetSpec() return spec.Rules } + return computeRules(p) +} + +func computeRules(p kyverno.PolicyInterface) []kyverno.Rule { + spec := p.GetSpec() applyAutoGen, desiredControllers := CanAutoGen(spec) if !applyAutoGen { desiredControllers = "none" diff --git a/pkg/autogen/autogen_test.go b/pkg/autogen/autogen_test.go index 1c8157fa65..f924766ede 100644 --- a/pkg/autogen/autogen_test.go +++ b/pkg/autogen/autogen_test.go @@ -592,3 +592,188 @@ func Test_Deny(t *testing.T) { fmt.Sprintf("unexpected patch: %s\nexpected: %s", rulePatches[i], ep)) } } + +func Test_ComputeRules(t *testing.T) { + intPtr := func(i int) *int { return &i } + testCases := []struct { + name string + policy string + expectedRules []kyverno.Rule + }{ + { + name: "rule-with-match-name", + policy: ` +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-image +spec: + validationFailureAction: enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: check-image + match: + resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "*" + attestors: + - count: 1 + entries: + - keyless: + roots: |- + -----BEGIN CERTIFICATE----- + MIIDjTCCAnWgAwIBAgIQb8yUrbw3aYZAubIjOJkFBjANBgkqhkiG9w0BAQsFADBZ + MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVt + bzEmMCQGA1UEAxMddmVuYWZpZGVtby1FQzJBTUFaLVFOSVI4OUktQ0EwHhcNMjAx + MjE0MjEzNzAzWhcNMjUxMjE0MjE0NzAzWjBZMRMwEQYKCZImiZPyLGQBGRYDY29t + MRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVtbzEmMCQGA1UEAxMddmVuYWZpZGVt + by1FQzJBTUFaLVFOSVI4OUktQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK + AoIBAQC5CTVQczGnh77yNxq+BGh5ff0qNcRTkFll+y8lJbMPHevebF7JLWBQTGS7 + 9aHIqUQLjy9sPOkdMrDh/vOZNVhVrHon9uwepF81dUMJ9lMbfQSI/tytp78f0z6b + DVRHYZr/taYSkqNPT2FuHOijc7Y+oB3Q1DzPSoBc3a6I5DM6ET6O2GZWo3mqpImG + J8+dNllYgjVKEuxuPqQjT7VD4fB2GqJbwwL0E8bSyfsgMV9Y+qHdznkm8v+TbYoc + 9uS83f1fjjp98D7VtWpSC4O/27JWgEED/BB58sOipUQHiECr6dD5VWGJ9fnVOV2i + vHqj9cKS6BGMkAh99ss0Bu/3DEBxAgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNV + HRMBAf8EBTADAQH/MB0GA1UdDgQWBBTuZecNgrj3Gdv9XpekFZuIkYtu9jAQBgkr + BgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEADPNrGypaKliXJ+H7gt6b + NJSBdWB9EV63CdvxjLOuqvp3IUu8KIV2mMsulEjxjAb5kya0SURJVFvr9rrLVxvR + e6B2SJUGUKJkX1Cq4nIthwGfJTEnypYhqMKkfUYjqfszU+1CerRD2ZTJHeKZsc7M + GdxLXeocztZ220idf6uDYeNLnGLBfkodEgFV0RmrlnHQYQdRqj3hjClLAkNqKVrz + rxNyyQvgaswK+4kHAPQhv+ipx4Q0eeROpp3prJ+dD0hhk8niQSKWQWZHyElhzIKv + FlDw3fzPhtberBblY4Y9u525ev999SogMBTXoSkfajRR2ol10xUxY60kVbqoEUln + kA== + -----END CERTIFICATE-----`, + expectedRules: []kyverno.Rule{{ + Name: "check-image", + MatchResources: kyverno.MatchResources{ + ResourceDescription: kyverno.ResourceDescription{ + Kinds: []string{"Pod"}, + }, + }, + VerifyImages: []kyverno.ImageVerification{{ + ImageReferences: []string{"*"}, + Attestors: []kyverno.AttestorSet{{ + Count: intPtr(1), + Entries: []kyverno.Attestor{{ + Keyless: &kyverno.KeylessAttestor{ + Roots: `-----BEGIN CERTIFICATE----- +MIIDjTCCAnWgAwIBAgIQb8yUrbw3aYZAubIjOJkFBjANBgkqhkiG9w0BAQsFADBZ +MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVt +bzEmMCQGA1UEAxMddmVuYWZpZGVtby1FQzJBTUFaLVFOSVI4OUktQ0EwHhcNMjAx +MjE0MjEzNzAzWhcNMjUxMjE0MjE0NzAzWjBZMRMwEQYKCZImiZPyLGQBGRYDY29t +MRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVtbzEmMCQGA1UEAxMddmVuYWZpZGVt +by1FQzJBTUFaLVFOSVI4OUktQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC5CTVQczGnh77yNxq+BGh5ff0qNcRTkFll+y8lJbMPHevebF7JLWBQTGS7 +9aHIqUQLjy9sPOkdMrDh/vOZNVhVrHon9uwepF81dUMJ9lMbfQSI/tytp78f0z6b +DVRHYZr/taYSkqNPT2FuHOijc7Y+oB3Q1DzPSoBc3a6I5DM6ET6O2GZWo3mqpImG +J8+dNllYgjVKEuxuPqQjT7VD4fB2GqJbwwL0E8bSyfsgMV9Y+qHdznkm8v+TbYoc +9uS83f1fjjp98D7VtWpSC4O/27JWgEED/BB58sOipUQHiECr6dD5VWGJ9fnVOV2i +vHqj9cKS6BGMkAh99ss0Bu/3DEBxAgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBTuZecNgrj3Gdv9XpekFZuIkYtu9jAQBgkr +BgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEADPNrGypaKliXJ+H7gt6b +NJSBdWB9EV63CdvxjLOuqvp3IUu8KIV2mMsulEjxjAb5kya0SURJVFvr9rrLVxvR +e6B2SJUGUKJkX1Cq4nIthwGfJTEnypYhqMKkfUYjqfszU+1CerRD2ZTJHeKZsc7M +GdxLXeocztZ220idf6uDYeNLnGLBfkodEgFV0RmrlnHQYQdRqj3hjClLAkNqKVrz +rxNyyQvgaswK+4kHAPQhv+ipx4Q0eeROpp3prJ+dD0hhk8niQSKWQWZHyElhzIKv +FlDw3fzPhtberBblY4Y9u525ev999SogMBTXoSkfajRR2ol10xUxY60kVbqoEUln +kA== +-----END CERTIFICATE-----`, + }, + }}, + }}, + }}, + }, { + Name: "autogen-check-image", + MatchResources: kyverno.MatchResources{ + ResourceDescription: kyverno.ResourceDescription{ + Kinds: []string{"DaemonSet", "Deployment", "Job", "StatefulSet"}, + }, + }, + VerifyImages: []kyverno.ImageVerification{{ + ImageReferences: []string{"*"}, + Attestors: []kyverno.AttestorSet{{ + Count: intPtr(1), + Entries: []kyverno.Attestor{{ + Keyless: &kyverno.KeylessAttestor{ + Roots: `-----BEGIN CERTIFICATE----- +MIIDjTCCAnWgAwIBAgIQb8yUrbw3aYZAubIjOJkFBjANBgkqhkiG9w0BAQsFADBZ +MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVt +bzEmMCQGA1UEAxMddmVuYWZpZGVtby1FQzJBTUFaLVFOSVI4OUktQ0EwHhcNMjAx +MjE0MjEzNzAzWhcNMjUxMjE0MjE0NzAzWjBZMRMwEQYKCZImiZPyLGQBGRYDY29t +MRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVtbzEmMCQGA1UEAxMddmVuYWZpZGVt +by1FQzJBTUFaLVFOSVI4OUktQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC5CTVQczGnh77yNxq+BGh5ff0qNcRTkFll+y8lJbMPHevebF7JLWBQTGS7 +9aHIqUQLjy9sPOkdMrDh/vOZNVhVrHon9uwepF81dUMJ9lMbfQSI/tytp78f0z6b +DVRHYZr/taYSkqNPT2FuHOijc7Y+oB3Q1DzPSoBc3a6I5DM6ET6O2GZWo3mqpImG +J8+dNllYgjVKEuxuPqQjT7VD4fB2GqJbwwL0E8bSyfsgMV9Y+qHdznkm8v+TbYoc +9uS83f1fjjp98D7VtWpSC4O/27JWgEED/BB58sOipUQHiECr6dD5VWGJ9fnVOV2i +vHqj9cKS6BGMkAh99ss0Bu/3DEBxAgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBTuZecNgrj3Gdv9XpekFZuIkYtu9jAQBgkr +BgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEADPNrGypaKliXJ+H7gt6b +NJSBdWB9EV63CdvxjLOuqvp3IUu8KIV2mMsulEjxjAb5kya0SURJVFvr9rrLVxvR +e6B2SJUGUKJkX1Cq4nIthwGfJTEnypYhqMKkfUYjqfszU+1CerRD2ZTJHeKZsc7M +GdxLXeocztZ220idf6uDYeNLnGLBfkodEgFV0RmrlnHQYQdRqj3hjClLAkNqKVrz +rxNyyQvgaswK+4kHAPQhv+ipx4Q0eeROpp3prJ+dD0hhk8niQSKWQWZHyElhzIKv +FlDw3fzPhtberBblY4Y9u525ev999SogMBTXoSkfajRR2ol10xUxY60kVbqoEUln +kA== +-----END CERTIFICATE-----`, + }, + }}, + }}, + }}, + }, { + Name: "autogen-cronjob-check-image", + MatchResources: kyverno.MatchResources{ + ResourceDescription: kyverno.ResourceDescription{ + Kinds: []string{"CronJob"}, + }, + }, + VerifyImages: []kyverno.ImageVerification{{ + ImageReferences: []string{"*"}, + Attestors: []kyverno.AttestorSet{{ + Count: intPtr(1), + Entries: []kyverno.Attestor{{ + Keyless: &kyverno.KeylessAttestor{ + Roots: `-----BEGIN CERTIFICATE----- +MIIDjTCCAnWgAwIBAgIQb8yUrbw3aYZAubIjOJkFBjANBgkqhkiG9w0BAQsFADBZ +MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVt +bzEmMCQGA1UEAxMddmVuYWZpZGVtby1FQzJBTUFaLVFOSVI4OUktQ0EwHhcNMjAx +MjE0MjEzNzAzWhcNMjUxMjE0MjE0NzAzWjBZMRMwEQYKCZImiZPyLGQBGRYDY29t +MRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVtbzEmMCQGA1UEAxMddmVuYWZpZGVt +by1FQzJBTUFaLVFOSVI4OUktQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC5CTVQczGnh77yNxq+BGh5ff0qNcRTkFll+y8lJbMPHevebF7JLWBQTGS7 +9aHIqUQLjy9sPOkdMrDh/vOZNVhVrHon9uwepF81dUMJ9lMbfQSI/tytp78f0z6b +DVRHYZr/taYSkqNPT2FuHOijc7Y+oB3Q1DzPSoBc3a6I5DM6ET6O2GZWo3mqpImG +J8+dNllYgjVKEuxuPqQjT7VD4fB2GqJbwwL0E8bSyfsgMV9Y+qHdznkm8v+TbYoc +9uS83f1fjjp98D7VtWpSC4O/27JWgEED/BB58sOipUQHiECr6dD5VWGJ9fnVOV2i +vHqj9cKS6BGMkAh99ss0Bu/3DEBxAgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBTuZecNgrj3Gdv9XpekFZuIkYtu9jAQBgkr +BgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAQEADPNrGypaKliXJ+H7gt6b +NJSBdWB9EV63CdvxjLOuqvp3IUu8KIV2mMsulEjxjAb5kya0SURJVFvr9rrLVxvR +e6B2SJUGUKJkX1Cq4nIthwGfJTEnypYhqMKkfUYjqfszU+1CerRD2ZTJHeKZsc7M +GdxLXeocztZ220idf6uDYeNLnGLBfkodEgFV0RmrlnHQYQdRqj3hjClLAkNqKVrz +rxNyyQvgaswK+4kHAPQhv+ipx4Q0eeROpp3prJ+dD0hhk8niQSKWQWZHyElhzIKv +FlDw3fzPhtberBblY4Y9u525ev999SogMBTXoSkfajRR2ol10xUxY60kVbqoEUln +kA== +-----END CERTIFICATE-----`, + }, + }}, + }}, + }}, + }}, + }, + } + + for _, test := range testCases { + policies, err := utils.GetPolicy([]byte(test.policy)) + assert.NilError(t, err) + assert.Equal(t, 1, len(policies)) + rules := computeRules(policies[0]) + assert.DeepEqual(t, test.expectedRules, rules) + } +} diff --git a/pkg/autogen/rule.go b/pkg/autogen/rule.go index ca4913eece..e0a9d55c50 100644 --- a/pkg/autogen/rule.go +++ b/pkg/autogen/rule.go @@ -36,7 +36,8 @@ func createRule(rule *kyverno.Rule) *kyvernoRule { return nil } jsonFriendlyStruct := kyvernoRule{ - Name: rule.Name, + Name: rule.Name, + VerifyImages: rule.VerifyImages, } if !reflect.DeepEqual(rule.MatchResources, kyverno.MatchResources{}) { jsonFriendlyStruct.MatchResources = rule.MatchResources.DeepCopy()