chore: convert chainsaw tests to Test resource (#9099)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
9d407259dc
commit
8f6f21c5c7
160 changed files with 1309 additions and 1146 deletions
|
@ -1,63 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-signatures
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
background: false
|
||||
rules:
|
||||
- name: check-1
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- attestors:
|
||||
- count: 1
|
||||
entries:
|
||||
- keys:
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
imageReferences:
|
||||
- ghcr.io/kyverno/test-verify-image:*
|
||||
mutateDigest: true
|
||||
required: true
|
||||
verifyDigest: true
|
||||
- name: check-2
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- attestors:
|
||||
- count: 1
|
||||
entries:
|
||||
- keys:
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOUD2uzRHLnx1oH6XAnF+8haL73BF
|
||||
zh9pMI1x1/c4Nj/w+rsrgMCDyV/S8hmsXEbizhYD3QndVtV1piBDfDIb8w==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
imageReferences:
|
||||
- my.local.repo/*
|
||||
mutateDigest: false
|
||||
required: true
|
||||
verifyDigest: false
|
|
@ -0,0 +1,63 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
name: validate-signatures
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-1
|
||||
verifyImages:
|
||||
- attestors:
|
||||
- count: 1
|
||||
entries:
|
||||
- keys:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
|
||||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
ignoreTlog: true
|
||||
url: https://rekor.sigstore.dev
|
||||
imageReferences:
|
||||
- ghcr.io/kyverno/test-verify-image:*
|
||||
mutateDigest: true
|
||||
required: true
|
||||
verifyDigest: true
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-2
|
||||
verifyImages:
|
||||
- attestors:
|
||||
- count: 1
|
||||
entries:
|
||||
- keys:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOUD2uzRHLnx1oH6XAnF+8haL73BF
|
||||
zh9pMI1x1/c4Nj/w+rsrgMCDyV/S8hmsXEbizhYD3QndVtV1piBDfDIb8w==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
ignoreTlog: true
|
||||
url: https://rekor.sigstore.dev
|
||||
imageReferences:
|
||||
- my.local.repo/*
|
||||
mutateDigest: false
|
||||
required: true
|
||||
verifyDigest: false
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
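Review bot: Both attestor entries in this policy set `ignoreTlog: true` and `ignoreSCT: true`, so the public keys are checked with no Rekor inclusion proof and no certificate-transparency check, and the second rule additionally leaves `verifyDigest`/`mutateDigest` off for `my.local.repo/*`, so a tag there is accepted without ever being pinned to a digest. That is a reasonable shape for a conformance fixture that only exercises key matching, but nothing in the file says so, and this is exactly the kind of policy that gets copied into a cluster. I would add a header comment such as `# conformance fixture: transparency-log, SCT and digest checks are disabled on purpose; do not reuse as a production policy` so the reduced assurance is visible to anyone lifting the file.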
|
|
@ -7,4 +7,4 @@ spec:
|
|||
containers:
|
||||
- image: ghcr.io/kyverno/test-verify-image:signed
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: signed
|
||||
name: signed
|
|
@ -5,4 +5,4 @@ metadata:
|
|||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: signed
|
||||
- name: signed
|
|
@ -1,7 +1,19 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: multiple-attestors
|
||||
spec:
|
||||
timeouts:
|
||||
apply: 90s
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-02-assert-1.yaml
|
||||
|
|
|
@ -1,54 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
namespace: default
|
||||
name: keys
|
||||
data:
|
||||
org: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
|
||||
50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==
|
||||
-----END PUBLIC KEY-----
|
||||
org1:
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
|
||||
50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==
|
||||
-----END PUBLIC KEY-----
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: verify-image-with-multi-keys
|
||||
annotations:
|
||||
policies.kyverno.io/title: Verify Image with Multiple Keys
|
||||
policies.kyverno.io/category: Sample
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/minversion: 1.7.0
|
||||
kyverno.io/kyverno-version: 1.7.2
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
There may be multiple keys used to sign images based on
|
||||
the parties involved in the creation process. This image
|
||||
verification policy requires the named image be signed by
|
||||
two separate keys. It will search for a global "production"
|
||||
key in a ConfigMap called `key` in the `default` Namespace
|
||||
and also a Namespace key in the same ConfigMap.
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: true
|
||||
rules:
|
||||
- name: check-image-with-two-keys
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
context:
|
||||
- name: keys
|
||||
configMap:
|
||||
name: keys
|
||||
namespace: default
|
||||
verifyImages:
|
||||
- image: "*"
|
||||
key: "{{ keys.data.org }}"
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
org: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/\n50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==\n-----END
|
||||
PUBLIC KEY----- "
|
||||
org1: '-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
|
||||
50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A== -----END PUBLIC KEY-----'
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: keys
|
||||
namespace: default
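Review bot: The `org` value on lines 676-679 is now a double-quoted scalar folded across two lines and ending in `----- "`; the emitter's choice of quoting suggests the original literal block ended in a trailing space, but the rendered diff cannot confirm that, and either way a PEM key split mid-line is hard to audit and easy to corrupt on the next edit. `org1` carries the same key with its line breaks collapsed to spaces (it was already a plain multi-line scalar before this commit), which is not a well-formed PEM, and the policy only reads `keys.data.org`, so `org1` is dead data. I would write the key as `org: |-` followed by the four PEM lines with no trailing whitespace, and either delete `org1` or give it the same block form.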
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
kyverno.io/kubernetes-version: "1.23"
|
||||
kyverno.io/kyverno-version: 1.7.2
|
||||
policies.kyverno.io/category: Sample
|
||||
policies.kyverno.io/description: There may be multiple keys used to sign images
|
||||
based on the parties involved in the creation process. This image verification
|
||||
policy requires the named image be signed by two separate keys. It will search
|
||||
for a global "production" key in a ConfigMap called `key` in the `default` Namespace
|
||||
and also a Namespace key in the same ConfigMap.
|
||||
policies.kyverno.io/minversion: 1.7.0
|
||||
policies.kyverno.io/severity: medium
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/title: Verify Image with Multiple Keys
|
||||
name: verify-image-with-multi-keys
|
||||
spec:
|
||||
background: true
|
||||
rules:
|
||||
- context:
|
||||
- configMap:
|
||||
name: keys
|
||||
namespace: default
|
||||
name: keys
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-image-with-two-keys
|
||||
verifyImages:
|
||||
- image: '*'
|
||||
key: '{{ keys.data.org }}'
|
||||
validationFailureAction: Enforce
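Review bot: The description annotation does not match the rule beneath it: it says the ConfigMap is called `key` and that the image must be signed by two separate keys, but the context on lines 766-772 reads a ConfigMap named `keys`, and the single `verifyImages` entry checks only `{{ keys.data.org }}`. I would rewrite the description to say that the policy verifies every image (`image: '*'`) against the one `org` public key looked up from the `keys` ConfigMap in the `default` namespace. The `image`/`key` pair also looks like the older single-image form of `verifyImages` rather than the `imageReferences`/`attestors` form the other fixtures in this commit use; if the test exists to keep that legacy form covered, a one-line comment saying so would stop someone "modernizing" it away.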
|
|
@ -0,0 +1,15 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: configmap-context-lookup
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-2.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resources
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: empty-image
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: create-bad-pod
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: bad-pod.yaml
|
0
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml → test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/chainsaw-step-02-apply-1.yaml
Normal file → Executable file
0
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml → test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/chainsaw-step-02-apply-1.yaml
Normal file → Executable file
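Review bot: The rename of `02-namespace.yaml` to `chainsaw-step-02-apply-1.yaml` also flips the mode from `Normal file` to `Executable file`; a Kubernetes manifest has no reason to carry the execute bit and none of the other converted fixtures do, so this looks like an accident of the conversion tooling rather than an intended change. I would reset it with `chmod -x test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/chainsaw-step-02-apply-1.yaml` before merging, since mode bits are easy to miss in review and tend to get cargo-culted into later copies.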
|
@ -0,0 +1,21 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: failure-policy-test-noconfigmap-diffimage-success
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: bad-pod.yaml
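Review bot: step-03 applies `bad-pod.yaml` with no `expect`, so the step passes only if admission succeeds; given the test name (`...-diffimage-success`) that is presumably the intent — the pod's image falls outside the policy's `imageReferences`, so the missing ConfigMap never comes into play — but a reader has to infer it from the directory name. I would state it next to the step: `# bad-pod's image is not matched by the policy, so it must be admitted even though the ConfigMap is absent`. If the pod were instead meant to be rejected, the step needs the `expect: - check: ($error != null): true` pattern the other fixtures use, otherwise a regression that starts admitting it would go unnoticed.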
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: crd
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: crd.yaml
|
||||
- assert:
|
||||
file: crd-ready.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: task
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: task.yaml
|
||||
- assert:
|
||||
file: task.yaml
|
|
@ -0,0 +1,25 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: imageextractors-complex-keyless
|
||||
spec:
|
||||
steps:
|
||||
- name: step-00
|
||||
try:
|
||||
- apply:
|
||||
file: crd.yaml
|
||||
- assert:
|
||||
file: crd-ready.yaml
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: task.yaml
|
||||
- assert:
|
||||
file: task.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: crd
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: crd.yaml
|
||||
- assert:
|
||||
file: crd-ready.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: create-task
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: badtask.yaml
|
|
@ -0,0 +1,30 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: imageextractors-complex
|
||||
spec:
|
||||
steps:
|
||||
- name: step-00
|
||||
try:
|
||||
- apply:
|
||||
file: crd.yaml
|
||||
- assert:
|
||||
file: crd-ready.yaml
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: badtask.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- error:
|
||||
file: chainsaw-step-03-error-1.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: crd
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: crd.yaml
|
||||
- assert:
|
||||
file: crd-ready.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: task
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: task.yaml
|
||||
- assert:
|
||||
file: task.yaml
|
|
@ -0,0 +1,25 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: imageextractors-none
|
||||
spec:
|
||||
steps:
|
||||
- name: step-00
|
||||
try:
|
||||
- apply:
|
||||
file: crd.yaml
|
||||
- assert:
|
||||
file: crd-ready.yaml
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: task.yaml
|
||||
- assert:
|
||||
file: task.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: crd
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: crd.yaml
|
||||
- assert:
|
||||
file: crd-ready.yaml
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: create-task
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: badtask.yaml
|
|
@ -0,0 +1,26 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: imageextractors-simple
|
||||
spec:
|
||||
steps:
|
||||
- name: step-00
|
||||
try:
|
||||
- apply:
|
||||
file: crd.yaml
|
||||
- assert:
|
||||
file: crd-ready.yaml
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: badtask.yaml
|
|
@ -1,18 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: teststep
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-unsigned.yaml
|
||||
- apply:
|
||||
file: pod-signed.yaml
|
||||
- apply:
|
||||
file: pod-unprotected-ns.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
labels:
|
||||
signed: "true"
|
||||
name: test-verify-images
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
labels:
|
||||
signed: "false"
|
||||
name: test-verify-images-unprotected
|
|
@ -1,29 +1,12 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: test-verify-images
|
||||
labels:
|
||||
signed: "true"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: test-verify-images-unprotected
|
||||
labels:
|
||||
signed: "false"
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: keyed-basic-ns-selector-policy
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: keyed-basic-rule
|
||||
match:
|
||||
- match:
|
||||
all:
|
||||
- resources:
|
||||
kinds:
|
||||
|
@ -34,10 +17,9 @@ spec:
|
|||
operator: In
|
||||
values:
|
||||
- "true"
|
||||
name: keyed-basic-rule
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/kyverno/test-verify-image:*"
|
||||
attestors:
|
||||
- attestors:
|
||||
- entries:
|
||||
- keys:
|
||||
publicKeys: |-
|
||||
|
@ -46,5 +28,9 @@ spec:
|
|||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
url: https://rekor.sigstore.dev
|
||||
imageReferences:
|
||||
- ghcr.io/kyverno/test-verify-image:*
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
|
@ -6,4 +6,4 @@ metadata:
|
|||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/kyverno/test-verify-image:signed
|
||||
name: test-secret
|
||||
name: test-secret
|
|
@ -2,4 +2,4 @@ apiVersion: v1
|
|||
kind: Pod
|
||||
metadata:
|
||||
name: test-signed-pod
|
||||
namespace: test-verify-images
|
||||
namespace: test-verify-images
|
|
@ -0,0 +1,34 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: keyed-basic-namespace-selector
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-2.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-3.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-02-assert-1.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod-unsigned.yaml
|
||||
- apply:
|
||||
file: pod-signed.yaml
|
||||
- apply:
|
||||
file: pod-unprotected-ns.yaml
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: test-verify-images
|
|
@ -1,28 +1,19 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: test-verify-images
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: keyed-basic-policy
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: keyed-basic-rule
|
||||
match:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: keyed-basic-rule
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/kyverno/test-verify-image:*"
|
||||
attestors:
|
||||
- attestors:
|
||||
- entries:
|
||||
- keys:
|
||||
publicKeys: |-
|
||||
|
@ -31,5 +22,9 @@ spec:
|
|||
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
url: https://rekor.sigstore.dev
|
||||
imageReferences:
|
||||
- ghcr.io/kyverno/test-verify-image:*
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
|
@ -6,4 +6,4 @@ metadata:
|
|||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/kyverno/test-verify-image:signed
|
||||
name: test-secret
|
||||
name: test-secret
|
|
@ -2,4 +2,4 @@ apiVersion: v1
|
|||
kind: Pod
|
||||
metadata:
|
||||
name: test-secret-pod
|
||||
namespace: test-verify-images
|
||||
namespace: test-verify-images
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: keyed-basic
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-2.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-02-assert-1.yaml
|
|
@ -1,42 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: test-verify-images
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: secret-in-keys
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: check-secret-in-keys
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/kyverno/test-verify-image:*"
|
||||
attestors:
|
||||
- entries:
|
||||
- keys:
|
||||
secret:
|
||||
name: testsecret
|
||||
namespace: test-verify-images
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: testsecret
|
||||
namespace: test-verify-images
|
||||
data:
|
||||
cosign.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFOG5YUmg5NTBJWmJSajhSYS9OOXNicU9QWnJmTQo1L0tBUU4wL0tqSGNvcm0vSjV5Y3RWZDdpRWNuZXNzUlFqVTkxN2htS082SldWR0hwRGd1SXlha1pBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t
|
||||
type: Opaque
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: test-verify-images
|
|
@ -0,0 +1,28 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: secret-in-keys
|
||||
spec:
|
||||
background: false
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-secret-in-keys
|
||||
verifyImages:
|
||||
- attestors:
|
||||
- entries:
|
||||
- keys:
|
||||
rekor:
|
||||
ignoreTlog: true
|
||||
url: https://rekor.sigstore.dev
|
||||
secret:
|
||||
name: testsecret
|
||||
namespace: test-verify-images
|
||||
imageReferences:
|
||||
- ghcr.io/kyverno/test-verify-image:*
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
cosign.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFOG5YUmg5NTBJWmJSajhSYS9OOXNicU9QWnJmTQo1L0tBUU4wL0tqSGNvcm0vSjV5Y3RWZDdpRWNuZXNzUlFqVTkxN2htS082SldWR0hwRGd1SXlha1pBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: testsecret
|
||||
namespace: test-verify-images
|
||||
type: Opaque
|
|
@ -6,4 +6,4 @@ metadata:
|
|||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/kyverno/test-verify-image:signed
|
||||
name: test-secret
|
||||
name: test-secret
|
|
@ -2,4 +2,4 @@ apiVersion: v1
|
|||
kind: Pod
|
||||
metadata:
|
||||
name: test-secret-pod
|
||||
namespace: test-verify-images
|
||||
namespace: test-verify-images
|
|
@ -0,0 +1,23 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: keyed-secret
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-2.yaml
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-3.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-02-assert-1.yaml
|
|
@ -1,37 +0,0 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-slsa-attestations-pass-1
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
background: false
|
||||
rules:
|
||||
- name: check-builder-id-keyless-pass-1
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/chipzoller/zulu*"
|
||||
attestations:
|
||||
- predicateType: https://slsa.dev/provenance/v0.2
|
||||
attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
conditions:
|
||||
- all:
|
||||
- key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
|
||||
operator: Equals
|
||||
value: true
|
|
@ -0,0 +1,37 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
name: check-slsa-attestations-pass-1
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-builder-id-keyless-pass-1
|
||||
verifyImages:
|
||||
- attestations:
|
||||
- attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main
|
||||
conditions:
|
||||
- all:
|
||||
- key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
|
||||
builder.id}}'') }}'
|
||||
operator: Equals
|
||||
value: true
|
||||
predicateType: https://slsa.dev/provenance/v0.2
|
||||
imageReferences:
|
||||
- ghcr.io/chipzoller/zulu*
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
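Review bot: The `builder.id` condition on lines 3199-3202 is a regex anchored only at the start with its dots left unescaped, so a builder id such as `...@refs/heads/main-fork` or `...@refs/heads/mainline` would still satisfy it; the keyless `subject` above pins the signing identity, so the practical exposure is limited to the provenance predicate, but the condition is meant to be an independent check on the attestation contents. Since an exact id is wanted, a direct comparison is both stricter and easier to read: `- key: '{{ builder.id }}'`, `operator: Equals`, `value: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main`. Note also that `ignoreSCT: true` on a keyless attestor skips the certificate-transparency check on the Fulcio certificate; acceptable in a fixture, but worth a comment so it is not copied into a real policy.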
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: keyless-attestations-multiple-subjects-1
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-02-assert-1.yaml
|
|
@ -1,36 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-slsa-attestations-pass-2
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
background: false
|
||||
rules:
|
||||
- name: check-builder-id-keyless
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/chipzoller/zulu*"
|
||||
attestations:
|
||||
- predicateType: cosign.sigstore.dev/attestation/vuln/v1
|
||||
attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
conditions:
|
||||
- all:
|
||||
- key: "{{ regex_match('^pkg:github/aquasecurity/trivy@0.34.0','{{ scanner.uri }}') }}"
|
||||
operator: Equals
|
||||
value: true
|
|
@ -0,0 +1,37 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
name: check-slsa-attestations-pass-2
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-builder-id-keyless
|
||||
verifyImages:
|
||||
- attestations:
|
||||
- attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main
|
||||
conditions:
|
||||
- all:
|
||||
- key: '{{ regex_match(''^pkg:github/aquasecurity/trivy@0.34.0'',''{{ scanner.uri
|
||||
}}'') }}'
|
||||
operator: Equals
|
||||
value: true
|
||||
predicateType: cosign.sigstore.dev/attestation/vuln/v1
|
||||
imageReferences:
|
||||
- ghcr.io/chipzoller/zulu*
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
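Review bot: The scanner check on lines 3484-3487 uses `^pkg:github/aquasecurity/trivy@0.34.0` as a regex, which is not anchored at the end and treats the dots as wildcards, so `trivy@0.34.01` or `trivy@0x34x0` would also pass the condition. The intent is clearly an exact scanner version, and a plain equality expresses that without the pitfalls: `- key: '{{ scanner.uri }}'`, `operator: Equals`, `value: pkg:github/aquasecurity/trivy@0.34.0`. If a range of versions is actually acceptable, keep the regex but anchor it with `$` and escape the dots.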
|
|
@ -6,4 +6,4 @@ metadata:
|
|||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/chipzoller/zulu:v0.0.14
|
||||
name: zulu
|
||||
name: zulu
|
|
@ -8,4 +8,4 @@ metadata:
|
|||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
|
||||
name: zulu
|
||||
name: zulu
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: keyless-attestations-multiple-subjects-2
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-02-assert-1.yaml
|
|
@ -1,36 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-slsa-attestations-fail-1
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
background: false
|
||||
rules:
|
||||
- name: check-builder-id-keyless-fail-1
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/chipzoller/zulu*"
|
||||
attestations:
|
||||
- predicateType: cosign.sigstore.dev/attestation/vuln/v1
|
||||
attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
conditions:
|
||||
- all:
|
||||
- key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
|
||||
operator: Equals
|
||||
value: true
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: pod
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod.yaml
|
|
@ -0,0 +1,37 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
name: check-slsa-attestations-fail-1
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-builder-id-keyless-fail-1
|
||||
verifyImages:
|
||||
- attestations:
|
||||
- attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main
|
||||
conditions:
|
||||
- all:
|
||||
- key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
|
||||
builder.id}}'') }}'
|
||||
operator: Equals
|
||||
value: true
|
||||
predicateType: cosign.sigstore.dev/attestation/vuln/v1
|
||||
imageReferences:
|
||||
- ghcr.io/chipzoller/zulu*
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
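Review bot: `ignoreSCT: true` under the keyless entry switches off verification of the Signed Certificate Timestamp on the Fulcio certificate, so the only remaining transparency evidence for the signing identity is the Rekor inclusion check configured alongside it; acceptable for a fixture, but easy to copy into a production policy. A comment above the `ctlog` key would make the intent explicit: `# test fixture only: SCT check disabled; keep it enabled in production policies`. The `builder.id` regex in the same rule is also start-anchored only (`^…@refs/heads/main` without `$`), which this expected-failure test does not exercise.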
|
|
@ -2,4 +2,4 @@ apiVersion: v1
|
|||
kind: Pod
|
||||
metadata:
|
||||
name: zulu
|
||||
namespace: default
|
||||
namespace: default
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: keyless-attestations-multiple-subjects-3
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- error:
|
||||
file: chainsaw-step-03-error-1.yaml
|
|
@ -6,4 +6,4 @@ metadata:
|
|||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/chipzoller/zulu:v0.0.14
|
||||
name: zulu
|
||||
name: zulu
|
|
@ -8,4 +8,4 @@ metadata:
|
|||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
|
||||
name: zulu
|
||||
name: zulu
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: keyless-attestations-multiple-subjects-4
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-02-assert-1.yaml
|
|
@ -1,44 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-slsa-attestations-pass-3
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
background: false
|
||||
rules:
|
||||
- name: check-builder-id-keyless
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/chipzoller/zulu*"
|
||||
attestations:
|
||||
- predicateType: https://slsa.dev/provenance/v0.2
|
||||
attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
- keyless:
|
||||
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
count: 1
|
||||
conditions:
|
||||
- all:
|
||||
- key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
|
||||
operator: Equals
|
||||
value: true
|
|
@ -0,0 +1,45 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
name: check-slsa-attestations-pass-3
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-builder-id-keyless
|
||||
verifyImages:
|
||||
- attestations:
|
||||
- attestors:
|
||||
- count: 1
|
||||
entries:
|
||||
- keyless:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main
|
||||
- keyless:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main
|
||||
conditions:
|
||||
- all:
|
||||
- key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
|
||||
builder.id}}'') }}'
|
||||
operator: Equals
|
||||
value: true
|
||||
predicateType: https://slsa.dev/provenance/v0.2
|
||||
imageReferences:
|
||||
- ghcr.io/chipzoller/zulu*
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
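Review bot: With `count: 1` either keyless subject alone satisfies the attestor, so the `builder.id` condition is what actually ties the provenance to the SLSA generator, and its regex `^https://…generator_container_slsa3.yml@refs/heads/main` is not end-anchored and leaves `.` unescaped, so a builder id like `…@refs/heads/main-fork` would pass as well. Escaping and anchoring it — `'^https://github\.com/slsa-framework/slsa-github-generator/\.github/workflows/generator_container_slsa3\.yml@refs/heads/main$'` — or using `Equals` on `{{ builder.id }}` pins it exactly. The same pattern appears in the sibling fixtures converted in this commit, so the fix would apply across them.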
|
|
@ -6,4 +6,4 @@ metadata:
|
|||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/chipzoller/zulu:v0.0.14
|
||||
name: zulu
|
||||
name: zulu
|
|
@ -8,4 +8,4 @@ metadata:
|
|||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
|
||||
name: zulu
|
||||
name: zulu
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: keyless-attestations-multiple-subjects-counts-1
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-02-assert-1.yaml
|
|
@ -1,44 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-slsa-attestations-fail-2
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
background: false
|
||||
rules:
|
||||
- name: check-builder-id-keyless
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/chipzoller/zulu*"
|
||||
attestations:
|
||||
- predicateType: https://slsa.dev/provenance/v0.2
|
||||
attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
- keyless:
|
||||
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
count: 2
|
||||
conditions:
|
||||
- all:
|
||||
- key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
|
||||
operator: Equals
|
||||
value: true
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: pod
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod.yaml
|
|
@ -0,0 +1,45 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
name: check-slsa-attestations-fail-2
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-builder-id-keyless
|
||||
verifyImages:
|
||||
- attestations:
|
||||
- attestors:
|
||||
- count: 2
|
||||
entries:
|
||||
- keyless:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main
|
||||
- keyless:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main
|
||||
conditions:
|
||||
- all:
|
||||
- key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
|
||||
builder.id}}'') }}'
|
||||
operator: Equals
|
||||
value: true
|
||||
predicateType: https://slsa.dev/provenance/v0.2
|
||||
imageReferences:
|
||||
- ghcr.io/chipzoller/zulu*
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
|
@ -2,4 +2,4 @@ apiVersion: v1
|
|||
kind: Pod
|
||||
metadata:
|
||||
name: zulu
|
||||
namespace: default
|
||||
namespace: default
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: keyless-attestations-multiple-subjects-counts-2
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- error:
|
||||
file: chainsaw-step-03-error-1.yaml
|
|
@ -1,43 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: check-slsa-attestations-fail-3
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
background: false
|
||||
rules:
|
||||
- name: check-builder-id-keyless
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/chipzoller/zulu*"
|
||||
attestations:
|
||||
- predicateType: https://slsa.dev/provenance/v0.2
|
||||
attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
- keyless:
|
||||
subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
conditions:
|
||||
- all:
|
||||
- key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
|
||||
operator: Equals
|
||||
value: true
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: pod
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod.yaml
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
name: check-slsa-attestations-fail-3
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-builder-id-keyless
|
||||
verifyImages:
|
||||
- attestations:
|
||||
- attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main
|
||||
- keyless:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main
|
||||
conditions:
|
||||
- all:
|
||||
- key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
|
||||
builder.id}}'') }}'
|
||||
operator: Equals
|
||||
value: true
|
||||
predicateType: https://slsa.dev/provenance/v0.2
|
||||
imageReferences:
|
||||
- ghcr.io/chipzoller/zulu*
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
|
@ -2,4 +2,4 @@ apiVersion: v1
|
|||
kind: Pod
|
||||
metadata:
|
||||
name: zulu
|
||||
namespace: default
|
||||
namespace: default
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: keyless-attestations-multiple-subjects-counts-3
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-01-apply-1.yaml
|
||||
- assert:
|
||||
file: chainsaw-step-01-assert-1.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: pod.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- error:
|
||||
file: chainsaw-step-03-error-1.yaml
|
|
@ -1,29 +0,0 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: keyless-mutatedigest-verifydigest-required
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
rules:
|
||||
- name: check-builder-id-keyless
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ghcr.io/chipzoller/zulu:*"
|
||||
mutateDigest: true
|
||||
verifyDigest: true
|
||||
required: true
|
||||
attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*"
|
||||
issuer: "https://token.actions.githubusercontent.com"
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ctlog:
|
||||
ignoreSCT: true
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: keyless-mutatedigest-verifydigest-required
|
||||
spec:
|
||||
rules:
|
||||
- match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: check-builder-id-keyless
|
||||
verifyImages:
|
||||
- attestors:
|
||||
- entries:
|
||||
- keyless:
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
issuer: https://token.actions.githubusercontent.com
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
subject: https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*
|
||||
imageReferences:
|
||||
- ghcr.io/chipzoller/zulu:*
|
||||
mutateDigest: true
|
||||
required: true
|
||||
verifyDigest: true
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
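Review bot: The keyless `subject` glob `…/slsa-generic-keyless.yaml@refs/tags/v*` accepts a signature from that workflow on any tag whose name starts with `v`, so presumably anyone able to push a tag to the repository and run the workflow can produce a passing signature; for a fixture that is fine, but a comment such as `# fixture: wildcard tag subject; pin the exact tag ref in production policies` would keep that from being copied. Unlike the other policies converted in this commit this one sets no `background: false`; if the omission is deliberate, a one-line comment saying so would stop it looking accidental.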
|