diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go
index 9f00b9309d..4ae89cff60 100644
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
@@ -207,12 +207,14 @@ func (iv *ImageVerifier) Verify(
 changed, err := iv.policyContext.JSONContext().HasChanged(pointer)
 if err == nil && !changed {
 iv.logger.V(4).Info("no change in image, skipping check", "image", image)
+ iv.ivm.Add(image, true)
 continue
 }
 verified, err := isImageVerified(iv.policyContext.NewResource(), image, iv.logger)
 if err == nil && verified {
 iv.logger.Info("image was previously verified, skipping check", "image", image)
+ iv.ivm.Add(image, true)
 continue
 }
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml
new file mode 100644
index 0000000000..b20ef0bd7d
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml
new file mode 100644
index 0000000000..1be7392b69
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource-v1.yaml
+- resource-v2.yaml
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/README.md
new file mode 100644
index 0000000000..e4f3658ded
--- /dev/null
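Review bot: The two added `iv.ivm.Add(image, true)` calls record an image as verified on paths where no signature check ran during this request, and nothing in the hunk explains why that is sound; a short comment would help the next reader, e.g. `// skipped images are still recorded as verified so every container of a multi-container update is covered` (the added fixture README ties this to issue 7651). In the first branch the only evidence is that the image reference is unchanged from the old object, so presumably this relies on the old object having passed verification at its own admission — worth stating, since for a policy with `background: false`, as in the added fixture, pre-existing objects would not have been scanned. In the second branch the decision comes from `isImageVerified` on `iv.policyContext.NewResource()`; if that reads state carried on the incoming object, the comment should name what makes that state trustworthy. Verify's body starts before and continues after this hunk.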
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test verifies we can update deployments with multiple containers when image verification is enabled
+
+## Expected Behavior
+
+Update works
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7651
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/policy-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/policy-assert.yaml
new file mode 100644
index 0000000000..5a37fb4321
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: verify-image-signature
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml
new file mode 100644
index 0000000000..5a23716568
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: verify-image-signature
+spec:
+ background: false
+ failurePolicy: Fail
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: verify-image
+ verifyImages:
+ - attestors:
+ - count: 1
+ entries:
+ - keys:
+ publicKeys: |
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMKLYTatU9CUsrA5Td6jXiZTolwsx
+ HZKwYP5XkHhU436FGDD5Zi2nVFem6AbzXWHssIQRkAI3yJgKkB4J6Qe4OQ==
+ -----END PUBLIC KEY-----
+ imageReferences:
+ - ghcr.io/seankhliao/*
+ mutateDigest: false
+ required: true
+ verifyDigest: false
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v1.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v1.yaml
new file mode 100644
index 0000000000..f79ff0d58c
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v1.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: double
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: double
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: double
+ spec:
+ containers:
+ - name: podinfo-a
+ image: ghcr.io/seankhliao/podinfo:6.3.3
+ - name: podinfo-b
+ image: ghcr.io/seankhliao/podinfo:6.3.4
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v2.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v2.yaml
new file mode 100644
index 0000000000..9be0f1f950
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v2.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: double
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: double
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: double
+ spec:
+ containers:
+ - name: podinfo-a
+ image: ghcr.io/seankhliao/podinfo:6.3.3
+ - name: podinfo-b
+ image: ghcr.io/seankhliao/podinfo:6.3.5