
Added support to specify key signature algorithm in verifyImages (#4855)

Signed-off-by: Pratik Shah <pratik@infracloud.io>

Signed-off-by: Pratik Shah <pratik@infracloud.io>
This commit is contained in:
Pratik Shah 2022-10-14 11:09:57 +05:30 committed by GitHub
parent 16aca2816f
commit 8a0083105d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 563 additions and 10 deletions


@ -132,6 +132,10 @@ type StaticKeyAttestor struct {
// attestors and the count is applied across the keys.
PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
// Specify signature algorithm for public keys. Supported values are sha256 and sha512
// +kubebuilder:default=sha256
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
// Rekor is not checked. If an empty object is provided the public instance of
// Rekor (https://rekor.sigstore.dev) is used.
@ -305,7 +309,9 @@ func (ska *StaticKeyAttestor) Validate(path *field.Path) (errs field.ErrorList)
if ska.PublicKeys == "" {
errs = append(errs, field.Invalid(path, ska, "A key is required"))
}
if ska.PublicKeys != "" && ska.SignatureAlgorithm != "" && ska.SignatureAlgorithm != "sha256" && ska.SignatureAlgorithm != "sha512" {
errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
}
return errs
}
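Review bot: The allowed values for SignatureAlgorithm are enforced only by the Go check in Validate, so the CRD schema generated from this struct still accepts any string and nothing rejects a bad value when a policy is admitted without Kyverno's own validation running; adding `// +kubebuilder:validation:Enum=sha256;sha512` beside the existing `// +kubebuilder:default=sha256` marker would make the API server reject other values at the schema level, with the Validate check remaining as the fallback for non-cluster paths such as the CLI. The comparison in Validate is case-sensitive, so `SHA256` is rejected; if that is intended the field comment could say "lowercase" explicitly. The Validate method starts outside the hunk.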


@ -2399,6 +2399,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -2686,6 +2690,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -4136,6 +4144,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -4423,6 +4435,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -5824,6 +5840,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -6101,6 +6121,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -7536,6 +7560,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -7823,6 +7851,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -9820,6 +9852,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -10107,6 +10143,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -11557,6 +11597,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -11844,6 +11888,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -13245,6 +13293,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -13522,6 +13574,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -14957,6 +15013,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.
@ -15244,6 +15304,10 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for public keys. Supported values are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. If specified Repository will override other OCI image repository locations for this Attestor.


@ -2291,6 +2291,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -2726,6 +2732,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -5148,6 +5160,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -5595,6 +5613,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -7804,6 +7828,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -8224,6 +8254,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -10621,6 +10657,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -11068,6 +11110,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional


@ -2292,6 +2292,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -2727,6 +2733,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -5150,6 +5162,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -5597,6 +5615,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -7807,6 +7831,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -8227,6 +8257,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -10624,6 +10660,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -11071,6 +11113,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional


@ -3585,6 +3585,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -4020,6 +4026,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -6442,6 +6454,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -6889,6 +6907,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -9098,6 +9122,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -9518,6 +9548,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -11915,6 +11951,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -12362,6 +12404,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -15384,6 +15432,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -15819,6 +15873,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -18242,6 +18302,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -18689,6 +18755,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -20899,6 +20971,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -21319,6 +21397,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -23716,6 +23800,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -24163,6 +24253,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional


@ -3579,6 +3579,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -4014,6 +4020,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -6436,6 +6448,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -6883,6 +6901,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -9092,6 +9116,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -9512,6 +9542,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -11909,6 +11945,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -12356,6 +12398,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -15375,6 +15423,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -15810,6 +15864,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -18233,6 +18293,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -18680,6 +18746,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -20890,6 +20962,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -21310,6 +21388,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional alternate
@ -23707,6 +23791,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional
@ -24154,6 +24244,12 @@ spec:
required:
- url
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512
type: string
type: object
repository:
description: Repository is an optional


@ -3405,6 +3405,17 @@ attestors and the count is applied across the keys.</p>
</tr>
<tr>
<td>
<code>signatureAlgorithm</code><br/>
<em>
string
</em>
</td>
<td>
<p>Specify signature algorithm for public keys. Supported values are sha256 and sha512</p>
</td>
</tr>
<tr>
<td>
<code>rekor</code><br/>
<em>
<a href="#kyverno.io/v1.CTLog">


@ -46,6 +46,7 @@ type Options struct {
Annotations map[string]string
Repository string
RekorURL string
SignatureAlgorithm string
}
type Response struct {
@ -115,6 +116,11 @@ func verifySignature(opts Options) (*Response, error) {
func buildCosignOptions(opts Options) (*cosign.CheckOpts, error) {
var remoteOpts []remote.Option
var err error
signatureAlgorithmMap := map[string]crypto.Hash{
"": crypto.SHA256,
"sha256": crypto.SHA256,
"sha512": crypto.SHA512,
}
ro := options.RegistryOptions{}
remoteOpts, err = ro.ClientOpts(context.Background())
if err != nil {
@ -142,7 +148,7 @@ func buildCosignOptions(opts Options) (*cosign.CheckOpts, error) {
if opts.Key != "" {
if strings.HasPrefix(strings.TrimSpace(opts.Key), "-----BEGIN PUBLIC KEY-----") {
cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key))
cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithmMap[opts.SignatureAlgorithm])
if err != nil {
return nil, errors.Wrap(err, "failed to load public key from PEM")
}
@ -406,14 +412,14 @@ func stringToJSONMap(i interface{}) (map[string]interface{}, error) {
return data, nil
}
func decodePEM(raw []byte) (signature.Verifier, error) {
func decodePEM(raw []byte, signatureAlgorithm crypto.Hash) (signature.Verifier, error) {
// PEM encoded file.
pubKey, err := cryptoutils.UnmarshalPEMToPublicKey(raw)
if err != nil {
return nil, errors.Wrap(err, "pem to public key")
}
return signature.LoadVerifier(pubKey, crypto.SHA256)
return signature.LoadVerifier(pubKey, signatureAlgorithm)
}
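Review bot: The single-value lookup `signatureAlgorithmMap[opts.SignatureAlgorithm]` at the decodePEM call yields `crypto.Hash(0)` for any value not in the map, so an Options built by a caller that did not pass through the policy Validate check reaches signature.LoadVerifier with an unusable hash instead of a clear error from this layer; a two-value lookup such as `hashFunc, ok := signatureAlgorithmMap[opts.SignatureAlgorithm]` followed by `if !ok { return nil, errors.Errorf("unsupported signature algorithm %q", opts.SignatureAlgorithm) }` (errors.Errorf assuming the pkg/errors import that Wrap implies) keeps the failure explicit. The map is also rebuilt on every buildCosignOptions call and could be a package-level `var`. The hash selected here must match the one the signer used, and a mismatch surfaces as a verification failure rather than a bypass, so it may be worth a comment on the field that sha512 only applies when the signature was produced with that digest; I have not confirmed how LoadVerifier treats a hash that does not fit the key's curve. buildCosignOptions continues outside the hunk.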
func extractPayload(verified []oci.Signature) ([]payload.SimpleContainerImage, error) {


@ -429,6 +429,7 @@ func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageV
if attestor.Keys.Rekor != nil {
opts.RekorURL = attestor.Keys.Rekor.URL
}
opts.SignatureAlgorithm = attestor.Keys.SignatureAlgorithm
} else if attestor.Certificates != nil {
path = path + ".certificates"
opts.Cert = attestor.Certificates.Certificate


@ -254,6 +254,16 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b
}
}
if rule.HasVerifyImages() {
verifyImagePath := rulePath.Child("verifyImages")
for index, i := range rule.VerifyImages {
errs = append(errs, i.Validate(verifyImagePath.Index(index))...)
}
if len(errs) != 0 {
return nil, errs.ToAggregate()
}
}
podOnlyMap := make(map[string]bool) // Validate that Kind is only Pod
podOnlyMap["Pod"] = true
if reflect.DeepEqual(common.GetKindsFromRule(rule), podOnlyMap) && podControllerAutoGenExclusion(policy) {
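Review bot: The loop variable named `i` in `for index, i := range rule.VerifyImages` holds an ImageVerification value rather than an index, which reads as the reverse of the `index` next to it; `for idx, iv := range rule.VerifyImages { errs = append(errs, iv.Validate(verifyImagePath.Index(idx))...) }` reads as intended. The early `return nil, errs.ToAggregate()` sits inside the `if rule.HasVerifyImages()` block, so errors appended to errs earlier in the function (outside this hunk) are returned at this point only for rules that carry verifyImages and otherwise keep accumulating — presumably intentional, but a one-line comment saying so would help. The enclosing Validate function starts and ends outside the hunk.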


@ -1226,6 +1226,159 @@ func Test_deny_exec(t *testing.T) {
assert.NilError(t, err)
}
func Test_SignatureAlgorithm(t *testing.T) {
testcases := []struct {
description string
policy []byte
expectedOutput bool
}{
{
description: "Test empty signature algorithm - pass",
policy: []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "check-empty-signature-algorithm"
},
"spec": {
"rules": [
{
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"verifyImages": [
{
"imageReferences": [
"ghcr.io/kyverno/test-verify-image:*"
],
"attestors": [
{
"count": 1,
"entries": [
{
"keys": {
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----"
}
}
]
}
]
}
]
}
]
}
}`),
expectedOutput: true,
},
{
description: "Test invalid signature algorithm - fail",
policy: []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "check-invalid-signature-algorithm"
},
"spec": {
"rules": [
{
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"verifyImages": [
{
"imageReferences": [
"ghcr.io/kyverno/test-verify-image:*"
],
"attestors": [
{
"count": 1,
"entries": [
{
"keys": {
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----",
"signatureAlgorithm": "sha123"
}
}
]
}
]
}
]
}
]
}
}`),
expectedOutput: false,
},
{
description: "Test invalid signature algorithm - fail",
policy: []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "check-valid-signature-algorithm"
},
"spec": {
"rules": [
{
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"verifyImages": [
{
"imageReferences": [
"ghcr.io/kyverno/test-verify-image:*"
],
"attestors": [
{
"count": 1,
"entries": [
{
"keys": {
"publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----",
"signatureAlgorithm": "sha256"
}
}
]
}
]
}
]
}
]
}
}`),
expectedOutput: true,
},
}
for _, testcase := range testcases {
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(testcase.policy, &policy)
assert.NilError(t, err)
openApiManager, _ := openapi.NewManager()
_, err = Validate(policy, nil, true, openApiManager)
if testcase.expectedOutput {
assert.NilError(t, err)
} else {
assert.ErrorContains(t, err, "Invalid signature algorithm provided")
}
}
}
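Review bot: The third case's description `"Test invalid signature algorithm - fail"` (the policy named check-valid-signature-algorithm with `"signatureAlgorithm": "sha256"`) is copied from the second case, so a failure there would be reported under a misleading name; change it to `description: "Test valid signature algorithm - pass",`. The table has no case for `sha512`, the other value Validate accepts, so a regression in that branch would go unnoticed. `openApiManager, _ := openapi.NewManager()` discards the constructor's error; an `assert.NilError(t, err)` on it would match the rest of the loop. Wrapping each iteration in `t.Run(testcase.description, ...)` would also show which case failed in the test output.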
func Test_existing_resource_policy(t *testing.T) {
var err error
rawPolicy := []byte(`{


@ -144,9 +144,16 @@ spec:
Task:
- path: /spec/steps/*/image
verifyImages:
- image: "ghcr.io/*"
subject: "https://github.com/*"
issuer: "https://token.actions.githubusercontent.com"
- imageReferences:
- "ghcr.io/*"
attestors:
- count: 1
entries:
- keyless:
issuer: "https://token.actions.githubusercontent.com"
subject: "https://github.com/*"
rekor:
url: https://rekor.sigstore.dev
required: false
`)
@ -172,9 +179,16 @@ spec:
Task:
- path: /spec/steps/*/image
verifyImages:
- image: "ghcr.io/*"
subject: "https://github.com/*"
issuer: "https://token.actions.githubusercontent.com"
- imageReferences:
- "ghcr.io/*"
attestors:
- count: 1
entries:
- keyless:
issuer: "https://token.actions.githubusercontent.com"
subject: "https://github.com/*"
rekor:
url: https://rekor.sigstore.dev
required: true
`)