refactor: ImageVerification validation (#3372)

* fix: configmap resource filters generated by helm does not account for namespace Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: ImageVerification validation Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2022-03-15 09:48:58 +01:00 · 2022-03-15 09:48:58 +01:00 · 8602e63f23
commit 8602e63f23
parent 68093cd44c
4 changed files with 135 additions and 52 deletions
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@ -713,42 +713,6 @@ func (v *ForEachValidation) SetAnyPattern(in apiextensions.JSON) {
 	v.RawAnyPattern = ToJSON(in)
 }

-// ImageVerification validates that images that match the specified pattern
-// are signed with the supplied public key. Once the image is verified it is
-// mutated to include the SHA digest retrieved during the registration.
-type ImageVerification struct {
-
-	// Image is the image name consisting of the registry address, repository, image, and tag.
-	// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
-	Image string `json:"image,omitempty" yaml:"image,omitempty"`
-
-	// Key is the PEM encoded public key that the image or attestation is signed with.
-	Key string `json:"key,omitempty" yaml:"key,omitempty"`
-
-	// Roots is the PEM encoded Root certificate chain used for keyless signing
-	Roots string `json:"roots,omitempty" yaml:"roots,omitempty"`
-
-	// Subject is the verified identity used for keyless signing, for example the email address
-	Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
-
-	// Issuer is the certificate issuer used for keyless signing.
-	Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
-
-	// Annotations are used for image verification.
-	// Every specified key-value pair must exist and match in the verified payload.
-	// The payload may contain other key-value pairs.
-	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
-
-	// Repository is an optional alternate OCI repository to use for image signatures that match this rule.
-	// If specified Repository will override the default OCI image repository configured for the installation.
-	Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
-
-	// Attestations are optional checks for signed in-toto Statements used to verify the image.
-	// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
-	// OCI registry and decodes them into a list of Statement declarations.
-	Attestations []*Attestation `json:"attestations,omitempty" yaml:"attestations,omitempty"`
-}
-
 // Attestation are checks for signed in-toto Statements that are used to verify the image.
 // See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
 // OCI registry and decodes them into a list of Statements.
--- a/api/kyverno/v1/image_verification_test.go
+++ b/api/kyverno/v1/image_verification_test.go
@ -0,0 +1,71 @@
+package v1
+
+import (
+	"fmt"
+	"testing"
+
+	"gotest.tools/assert"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test_ImageVerification(t *testing.T) {
+	path := field.NewPath("dummy")
+	testCases := []struct {
+		name    string
+		subject ImageVerification
+		errors  func(*ImageVerification) field.ErrorList
+	}{{
+		name: "valid",
+		subject: ImageVerification{
+			Image:       "bla",
+			Key:         "bla",
+			Roots:       "bla",
+			Subject:     "bla",
+			Issuer:      "bla",
+			Annotations: map[string]string{"bla": "bla"},
+			Repository:  "bla",
+		},
+	}, {
+		name: "only key",
+		subject: ImageVerification{
+			Image: "bla",
+			Key:   "bla",
+		},
+	}, {
+		name: "only roots and subject",
+		subject: ImageVerification{
+			Image:   "bla",
+			Roots:   "bla",
+			Subject: "bla",
+		},
+	}, {
+		name: "key roots and subject",
+		subject: ImageVerification{
+			Image:   "bla",
+			Key:     "bla",
+			Roots:   "bla",
+			Subject: "bla",
+		},
+	}, {
+		name: "empty",
+		subject: ImageVerification{
+			Image: "bla",
+		},
+		errors: func(i *ImageVerification) field.ErrorList {
+			return field.ErrorList{
+				field.Invalid(path, i, "Either a public key, or root certificates and an email, are required"),
+			}
+		},
+	}}
+	for _, test := range testCases {
+		errs := test.subject.Validate(path)
+		var expectedErrs field.ErrorList
+		if test.errors != nil {
+			expectedErrs = test.errors(&test.subject)
+		}
+		assert.Equal(t, len(errs), len(expectedErrs), fmt.Sprintf("test %s failed", test.name))
+		if len(errs) != 0 {
+			assert.DeepEqual(t, errs, expectedErrs)
+		}
+	}
+}
--- a/api/kyverno/v1/image_verification_types.go
+++ b/api/kyverno/v1/image_verification_types.go
@ -0,0 +1,52 @@
+package v1
+
+import "k8s.io/apimachinery/pkg/util/validation/field"
+
+// ImageVerification validates that images that match the specified pattern
+// are signed with the supplied public key. Once the image is verified it is
+// mutated to include the SHA digest retrieved during the registration.
+type ImageVerification struct {
+
+	// Image is the image name consisting of the registry address, repository, image, and tag.
+	// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
+	Image string `json:"image,omitempty" yaml:"image,omitempty"`
+
+	// Key is the PEM encoded public key that the image or attestation is signed with.
+	Key string `json:"key,omitempty" yaml:"key,omitempty"`
+
+	// Roots is the PEM encoded Root certificate chain used for keyless signing
+	Roots string `json:"roots,omitempty" yaml:"roots,omitempty"`
+
+	// Subject is the verified identity used for keyless signing, for example the email address
+	Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
+
+	// Issuer is the certificate issuer used for keyless signing.
+	Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
+
+	// Annotations are used for image verification.
+	// Every specified key-value pair must exist and match in the verified payload.
+	// The payload may contain other key-value pairs.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+
+	// Repository is an optional alternate OCI repository to use for image signatures that match this rule.
+	// If specified Repository will override the default OCI image repository configured for the installation.
+	Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
+
+	// Attestations are optional checks for signed in-toto Statements used to verify the image.
+	// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+	// OCI registry and decodes them into a list of Statement declarations.
+	Attestations []*Attestation `json:"attestations,omitempty" yaml:"attestations,omitempty"`
+}
+
+// Validate implements programmatic validation
+func (i *ImageVerification) Validate(path *field.Path) field.ErrorList {
+	var errs field.ErrorList
+	hasKey := i.Key != ""
+	hasRoots := i.Roots != ""
+	hasSubject := i.Subject != ""
+	if (hasKey && !hasRoots && !hasSubject) || (hasRoots && hasSubject) {
+		return nil
+	}
+	errs = append(errs, field.Invalid(path, i, "Either a public key, or root certificates and an email, are required"))
+	return errs
+}
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -25,6 +25,7 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apimachinery/pkg/util/yaml"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 )
@ -77,8 +78,10 @@ func validateJSONPatchPathForForwardSlash(patch string) error {

 // Validate checks the policy and rules declarations for required configurations
 func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool, openAPIController *openapi.Controller) error {
+	var errs field.ErrorList
 	namespaced := false
 	background := policy.Spec.Background == nil || *policy.Spec.Background
+	specPath := field.NewPath("spec")

 	clusterResources := make([]string, 0)
 	err := ValidateVariables(policy, background)
@ -129,7 +132,9 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 		}
 	}
 	rules := policy.Spec.GetRules()
+	rulesPath := specPath.Child("rules")
 	for i, rule := range rules {
+		rulePath := rulesPath.Index(i)
 		//check for forward slash
 		if err := validateJSONPatchPathForForwardSlash(rule.Mutation.PatchesJSON6902); err != nil {
 			return fmt.Errorf("path must begin with a forward slash: spec.rules[%d]: %s", i, err)
@ -243,12 +248,15 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
 			}

 			if rule.HasVerifyImages() {
-				for _, i := range rule.VerifyImages {
-					if err := validateVerifyImagesRule(i); err != nil {
-						return errors.Wrapf(err, "failed to validate policy %s rule %s", policy.Name, rule.Name)
-					}
+				verifyImagePath := rulePath.Child("verifyImages")
+				for index, i := range rule.VerifyImages {
+					errs = append(errs, i.Validate(verifyImagePath.Index(index))...)
 				}
 			}
+
+			if len(errs) != 0 {
+				return errs.ToAggregate()
+			}
 		}

 		//Validate Kind with match resource kinds
@ -1515,15 +1523,3 @@ func validateKinds(kinds []string, mock bool, client *dclient.Client, p kyverno.
 	}
 	return nil
 }
-
-func validateVerifyImagesRule(i *kyverno.ImageVerification) error {
-	hasKey := i.Key != ""
-	hasRoots := i.Roots != ""
-	hasSubject := i.Subject != ""
-
-	if (hasKey && !hasRoots && !hasSubject) || (hasRoots && hasSubject) {
-		return nil
-	}
-
-	return fmt.Errorf("either a public key, or root certificates and an email, are required")
-}