mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix: image verification (#7652)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-06-27 09:31:02 +02:00 committed by GitHub
parent 441641515a
commit df5f54198d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 100 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
pkg/engine/internal/imageverifier.go
View file

@ -207,12 +207,14 @@ func (iv *ImageVerifier) Verify(
changed, err := iv.policyContext.JSONContext().HasChanged(pointer) changed, err := iv.policyContext.JSONContext().HasChanged(pointer)
if err == nil && !changed { if err == nil && !changed {
iv.logger.V(4).Info("no change in image, skipping check", "image", image) iv.logger.V(4).Info("no change in image, skipping check", "image", image)
iv.ivm.Add(image, true)
continue continue
} }
verified, err := isImageVerified(iv.policyContext.NewResource(), image, iv.logger) verified, err := isImageVerified(iv.policyContext.NewResource(), image, iv.logger)
if err == nil && verified { if err == nil && verified {
iv.logger.Info("image was previously verified, skipping check", "image", image) iv.logger.Info("image was previously verified, skipping check", "image", image)
iv.ivm.Add(image, true)
continue continue
} }

6
test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource-v1.yaml
- resource-v2.yaml

11
test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This test verifies we can update deployments with multiple containers when image verification is enabled
## Expected Behavior
Update works
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/7651

9
test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/policy-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: verify-image-signature
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

31
test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml Normal file
View file

@ -0,0 +1,31 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-image-signature
spec:
background: false
failurePolicy: Fail
rules:
- match:
any:
- resources:
kinds:
- Pod
name: verify-image
verifyImages:
- attestors:
- count: 1
entries:
- keys:
publicKeys: |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMKLYTatU9CUsrA5Td6jXiZTolwsx
HZKwYP5XkHhU436FGDD5Zi2nVFem6AbzXWHssIQRkAI3yJgKkB4J6Qe4OQ==
-----END PUBLIC KEY-----
imageReferences:
- ghcr.io/seankhliao/*
mutateDigest: false
required: true
verifyDigest: false
validationFailureAction: Enforce
webhookTimeoutSeconds: 30

18
test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v1.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: double
spec:
selector:
matchLabels:
app.kubernetes.io/name: double
template:
metadata:
labels:
app.kubernetes.io/name: double
spec:
containers:
- name: podinfo-a
image: ghcr.io/seankhliao/podinfo:6.3.3
- name: podinfo-b
image: ghcr.io/seankhliao/podinfo:6.3.4

18
test/conformance/kuttl/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v2.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: double
spec:
selector:
matchLabels:
app.kubernetes.io/name: double
template:
metadata:
labels:
app.kubernetes.io/name: double
spec:
containers:
- name: podinfo-a
image: ghcr.io/seankhliao/podinfo:6.3.3
- name: podinfo-b
image: ghcr.io/seankhliao/podinfo:6.3.5