From c276060ff8dfd3be82683a2b43090f3d5de959c2 Mon Sep 17 00:00:00 2001 From: Amit kumar Date: Mon, 24 Jul 2023 13:40:07 +0530 Subject: [PATCH] Modified annotation matching during rollback (#7752) * enhanced has changed func Signed-off-by: hackeramitkumar * modified changed annotation func Signed-off-by: hackeramitkumar * modified HasImageVerifiedAnnotationChanged Signed-off-by: hackeramitkumar * nits Signed-off-by: hackeramitkumar * added kuttl-test Signed-off-by: hackeramitkumar * added ghcr.io/kyverno images Signed-off-by: hackeramitkumar * fixed unit tests Signed-off-by: hackeramitkumar * fixed unit tests Signed-off-by: hackeramitkumar --------- 
Signed-off-by: hackeramitkumar Co-authored-by: Jim Bugwadia Co-authored-by: shuting Co-authored-by: Vishal Choudhary --- pkg/engine/internal/imageverifier.go | 29 +++++++++++++--- .../01-policy.yaml | 6 ++++ .../02-resource.yaml | 7 ++++ .../rollback-image-verification/03-test.yaml | 5 +++ .../04-assert.yaml | 11 +++++++ .../rollback-image-verification/README.md | 11 +++++++ .../deployment-assert.yaml | 11 +++++++ .../deployment_new.yaml | 21 ++++++++++++ .../deployment_old.yaml | 21 ++++++++++++ .../policy-ready.yaml | 9 +++++ .../rollback-image-verification/policy.yaml | 33 +++++++++++++++++++ 11 files changed, 160 insertions(+), 4 deletions(-) create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/04-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/README.md create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment-assert.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_new.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_old.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy-ready.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml 
diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go
index 4ae89cff60..086d65810f 100644
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
@@ -2,6 +2,7 @@ package internal
 import (
 "context"
+ "encoding/json"
 "errors"
 "fmt"
 "net"
@@ -59,11 +60,31 @@ func HasImageVerifiedAnnotationChanged(ctx engineapi.PolicyContext, log logr.Log
 }
 newValue := newResource.GetAnnotations()[engineapi.ImageVerifyAnnotationKey]
 oldValue := oldResource.GetAnnotations()[engineapi.ImageVerifyAnnotationKey]
- result := newValue != oldValue
- if result {
- log.V(2).Info("annotation mismatch", "oldValue", oldValue, "newValue", newValue, "key", engineapi.ImageVerifyAnnotationKey)
+ if newValue == oldValue {
+ return false
 }
- return result
+ var newValueObj, oldValueObj map[string]bool
+ err := json.Unmarshal([]byte(newValue), &newValueObj)
+ if err != nil {
+ log.Error(err, "failed to parse new resource annotation.")
+ return true
+ }
+ err = json.Unmarshal([]byte(oldValue), &oldValueObj)
+ if err != nil {
+ log.Error(err, "failed to parse old resource annotation.")
+ return true
+ }
+ for img := range oldValueObj {
+ _, found := newValueObj[img]
+ if found {
+ result := newValueObj[img] != oldValueObj[img]
+ if result {
+ log.V(2).Info("annotation mismatch", "oldValue", oldValue, "newValue", newValue, "key", engineapi.ImageVerifyAnnotationKey)
+ return result
+ }
+ }
+ }
+ return false
 }
 func matchImageReferences(imageReferences []string, image string) bool {
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml
new file mode 100644
index 0000000000..f3857739b0
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml
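Review bot: The loop over `oldValueObj` compares only keys present in both annotations, so an entry that exists only in `newValueObj` (an image marked `true` that the stored resource never carried) or only in `oldValueObj` leaves the result `false`; whether that lets a self-asserted verified entry skip re-verification depends on the callers, which are outside this hunk. Treating one-sided keys as a change would presumably defeat the rollback case this commit targets, so the narrowed contract should at least be stated on the function, e.g. a doc comment saying that only images present in both annotations are compared and that an unchanged result is not evidence that every entry was written by the engine. The comparison can also be done with one lookup per key: `for img, oldVerified := range oldValueObj {` / `if newVerified, found := newValueObj[img]; found && newVerified != oldVerified {`. Note too that an annotation absent on one side now reaches `json.Unmarshal` with an empty string and is logged at error level before returning `true`, which may be a routine state rather than a fault; a check for an empty `oldValue` or `newValue` before parsing would keep it off the error log. The function's signature and the start of its body are outside the hunk.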
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml
new file mode 100644
index 0000000000..08c9818beb
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- deployment_old.yaml
+- deployment_new.yaml
+assert:
+- deployment-assert.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml
new file mode 100644
index 0000000000..831f02fed7
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl -n verify-images rollout undo deployment nginx-deployment
+ namespaced: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/04-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/04-assert.yaml
new file mode 100644
index 0000000000..ca5b8c5451
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/04-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ namespace: verify-images
+spec:
+ template:
+ spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image-rollback:signed-2@sha256:0fc1f3b764be56f7c881a69cbd553ae25a2b5523c6901fbacb8270307c29d0c4
+ name: nginx
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/README.md
new file mode 100644
index 0000000000..56ccf6e408
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test verifies images during rollback
+
+## Expected Behavior
+
+This test creates a ClusterPolicy and Deployments, and when we perform a rollback, it will be successfully rolled back.
+
+## Reference Issue(s)
+
+5363
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment-assert.yaml
new file mode 100644
index 0000000000..905b7e8912
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ namespace: verify-images
+spec:
+ template:
+ spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image-rollback:signed-1@sha256:e0cc6dba04bee00badd8b13495d4411060b5563a9499fbc20e46316328efad30
+ name: nginx
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_new.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_new.yaml
new file mode 100644
index 0000000000..384579eae6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_new.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx
+ name: nginx-deployment
+ namespace: verify-images
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image-rollback:signed-1
+ name: nginx
+ resources: {}
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_old.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_old.yaml
new file mode 100644
index 0000000000..32abf02f00
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_old.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx
+ name: nginx-deployment
+ namespace: verify-images
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image-rollback:signed-2
+ name: nginx
+ resources: {}
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy-ready.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy-ready.yaml
new file mode 100644
index 0000000000..b4fc505a22
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: check-image
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml
new file mode 100644
index 0000000000..461e11afb8
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: verify-images
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-image
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: check-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno*"
+ attestors:
+ - count: 1
+ entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfnYaFSrs2pLp4ShcWBgMLJM6Gki/
+ 1tC5ZWN2IuJTe2RbyVrDEn1qLBXNzGKhIXbsUyO5+BuIfgMdek1pDYFZGQ==
+ -----END PUBLIC KEY-----
\ No newline at end of file