
Modified annotation matching during rollback (#7752)

* enhanced has changed func

Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>

* modified changed annotation func

Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>

* modified HasImageVerifiedAnnotationChanged

Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>

* nits

Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>

* added kuttl-test

Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>

* added ghcr.io/kyverno images

Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>

* fixed unit tests

Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>

* fixed unit tests

Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>

---------

Signed-off-by: hackeramitkumar <amit9116260192@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Amit kumar 2023-07-24 13:40:07 +05:30 committed by GitHub
parent 00329c1881
commit c276060ff8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 160 additions and 4 deletions


@ -2,6 +2,7 @@ package internal
import ( import (
"context" "context"
"encoding/json"
"errors" "errors"
"fmt" "fmt"
"net" "net"
@ -59,11 +60,31 @@ func HasImageVerifiedAnnotationChanged(ctx engineapi.PolicyContext, log logr.Log
} }
newValue := newResource.GetAnnotations()[engineapi.ImageVerifyAnnotationKey] newValue := newResource.GetAnnotations()[engineapi.ImageVerifyAnnotationKey]
oldValue := oldResource.GetAnnotations()[engineapi.ImageVerifyAnnotationKey] oldValue := oldResource.GetAnnotations()[engineapi.ImageVerifyAnnotationKey]
result := newValue != oldValue if newValue == oldValue {
if result { return false
log.V(2).Info("annotation mismatch", "oldValue", oldValue, "newValue", newValue, "key", engineapi.ImageVerifyAnnotationKey)
} }
return result var newValueObj, oldValueObj map[string]bool
err := json.Unmarshal([]byte(newValue), &newValueObj)
if err != nil {
log.Error(err, "failed to parse new resource annotation.")
return true
}
err = json.Unmarshal([]byte(oldValue), &oldValueObj)
if err != nil {
log.Error(err, "failed to parse old resource annotation.")
return true
}
for img := range oldValueObj {
_, found := newValueObj[img]
if found {
result := newValueObj[img] != oldValueObj[img]
if result {
log.V(2).Info("annotation mismatch", "oldValue", oldValue, "newValue", newValue, "key", engineapi.ImageVerifyAnnotationKey)
return result
}
}
}
return false
} }
func matchImageReferences(imageReferences []string, image string) bool { func matchImageReferences(imageReferences []string, image string) bool {
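Review bot: The loop over oldValueObj only compares images present in both maps, so an entry that exists only on the new side — including an image newly marked `true` — or only on the old side never makes this function return true; that relaxation is what lets a rollback pass, but it also means the annotation-tamper check no longer notices added entries. Whether that is safe depends on the verification path always re-verifying images the old annotation did not cover, which this hunk cannot show, so the assumption should be stated on the function: `// Entries present in only one of the two annotations are ignored; an image that is new to the annotation must still be verified by the caller.` The inner lookup can reuse the value it already fetched: `if newVerified, found := newValueObj[img]; found && newVerified != oldValueObj[img] {`. The two `log.Error` messages end with a period, which Go error and log strings normally omit. HasImageVerifiedAnnotationChanged starts before this hunk.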


@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-ready.yaml


@ -0,0 +1,7 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- deployment_old.yaml
- deployment_new.yaml
assert:
- deployment-assert.yaml


@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl -n verify-images rollout undo deployment nginx-deployment
namespaced: true


@ -0,0 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: verify-images
spec:
template:
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image-rollback:signed-2@sha256:0fc1f3b764be56f7c881a69cbd553ae25a2b5523c6901fbacb8270307c29d0c4
name: nginx


@ -0,0 +1,11 @@
## Description
This test verifies images during rollback
## Expected Behavior
This test creates a ClusterPolicy and Deployments, and when we perform a rollback, it will be successfully rolled back.
## Reference Issue(s)
5363


@ -0,0 +1,11 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: verify-images
spec:
template:
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image-rollback:signed-1@sha256:e0cc6dba04bee00badd8b13495d4411060b5563a9499fbc20e46316328efad30
name: nginx


@ -0,0 +1,21 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment
namespace: verify-images
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image-rollback:signed-1
name: nginx
resources: {}


@ -0,0 +1,21 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nginx
name: nginx-deployment
namespace: verify-images
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image-rollback:signed-2
name: nginx
resources: {}


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: check-image
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,33 @@
apiVersion: v1
kind: Namespace
metadata:
name: verify-images
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-image
spec:
validationFailureAction: Enforce
background: false
webhookTimeoutSeconds: 30
failurePolicy: Fail
rules:
- name: check-image
match:
any:
- resources:
kinds:
- Deployment
verifyImages:
- imageReferences:
- "ghcr.io/kyverno*"
attestors:
- count: 1
entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfnYaFSrs2pLp4ShcWBgMLJM6Gki/
1tC5ZWN2IuJTe2RbyVrDEn1qLBXNzGKhIXbsUyO5+BuIfgMdek1pDYFZGQ==
-----END PUBLIC KEY-----