fix: registry client not propagated correctly (#5622)
* fix: registry client not propagated correctly Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
aade51e20a
commit
ed97ff66d0
5 changed files with 27 additions and 23 deletions
|
@ -130,6 +130,7 @@ func VerifyAndPatchImages(rclient registryclient.Client, policyContext *PolicyCo
|
|||
|
||||
iv := &imageVerifier{
|
||||
logger: logger,
|
||||
rclient: rclient,
|
||||
policyContext: policyContext,
|
||||
rule: ruleCopy,
|
||||
resp: resp,
|
||||
|
@ -137,7 +138,7 @@ func VerifyAndPatchImages(rclient registryclient.Client, policyContext *PolicyCo
|
|||
}
|
||||
|
||||
for _, imageVerify := range ruleCopy.VerifyImages {
|
||||
iv.verify(rclient, imageVerify, ruleImages)
|
||||
iv.verify(imageVerify, ruleImages)
|
||||
}
|
||||
|
||||
if applyRules == kyvernov1.ApplyOne && resp.PolicyResponse.RulesAppliedCount > 0 {
|
||||
|
@ -177,6 +178,7 @@ func substituteVariables(rule *kyvernov1.Rule, ctx enginecontext.EvalInterface,
|
|||
|
||||
type imageVerifier struct {
|
||||
logger logr.Logger
|
||||
rclient registryclient.Client
|
||||
policyContext *PolicyContext
|
||||
rule *kyvernov1.Rule
|
||||
resp *response.EngineResponse
|
||||
|
@ -185,7 +187,7 @@ type imageVerifier struct {
|
|||
|
||||
// verify applies policy rules to each matching image. The policy rule results and annotation patches are
|
||||
// added to tme imageVerifier `resp` and `ivm` fields.
|
||||
func (iv *imageVerifier) verify(rclient registryclient.Client, imageVerify kyvernov1.ImageVerification, matchedImageInfos []apiutils.ImageInfo) {
|
||||
func (iv *imageVerifier) verify(imageVerify kyvernov1.ImageVerification, matchedImageInfos []apiutils.ImageInfo) {
|
||||
// for backward compatibility
|
||||
imageVerify = *imageVerify.Convert()
|
||||
|
||||
|
@ -214,10 +216,10 @@ func (iv *imageVerifier) verify(rclient registryclient.Client, imageVerify kyver
|
|||
continue
|
||||
}
|
||||
|
||||
ruleResp, digest := iv.verifyImage(rclient, imageVerify, imageInfo)
|
||||
ruleResp, digest := iv.verifyImage(imageVerify, imageInfo)
|
||||
|
||||
if imageVerify.MutateDigest {
|
||||
patch, retrievedDigest, err := iv.handleMutateDigest(rclient, digest, imageInfo)
|
||||
patch, retrievedDigest, err := iv.handleMutateDigest(digest, imageInfo)
|
||||
if err != nil {
|
||||
ruleResp = ruleError(iv.rule, response.ImageVerify, "failed to update digest", err)
|
||||
} else if patch != nil {
|
||||
|
@ -243,13 +245,13 @@ func (iv *imageVerifier) verify(rclient registryclient.Client, imageVerify kyver
|
|||
}
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) handleMutateDigest(rclient registryclient.Client, digest string, imageInfo apiutils.ImageInfo) ([]byte, string, error) {
|
||||
func (iv *imageVerifier) handleMutateDigest(digest string, imageInfo apiutils.ImageInfo) ([]byte, string, error) {
|
||||
if imageInfo.Digest != "" {
|
||||
return nil, "", nil
|
||||
}
|
||||
|
||||
if digest == "" {
|
||||
desc, err := rclient.FetchImageDescriptor(context.TODO(), imageInfo.String())
|
||||
desc, err := iv.rclient.FetchImageDescriptor(context.TODO(), imageInfo.String())
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
|
@ -293,7 +295,7 @@ func imageMatches(image string, imagePatterns []string) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) verifyImage(rclient registryclient.Client, imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) (*response.RuleResponse, string) {
|
||||
func (iv *imageVerifier) verifyImage(imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) (*response.RuleResponse, string) {
|
||||
if len(imageVerify.Attestors) <= 0 && len(imageVerify.Attestations) <= 0 {
|
||||
return nil, ""
|
||||
}
|
||||
|
@ -309,16 +311,16 @@ func (iv *imageVerifier) verifyImage(rclient registryclient.Client, imageVerify
|
|||
}
|
||||
|
||||
if len(imageVerify.Attestors) > 0 {
|
||||
ruleResp, _, _ := iv.verifyAttestors(rclient, imageVerify.Attestors, imageVerify, imageInfo, "")
|
||||
ruleResp, _, _ := iv.verifyAttestors(imageVerify.Attestors, imageVerify, imageInfo, "")
|
||||
if ruleResp.Status != response.RuleStatusPass {
|
||||
return ruleResp, ""
|
||||
}
|
||||
}
|
||||
|
||||
return iv.verifyAttestations(rclient, imageVerify, imageInfo)
|
||||
return iv.verifyAttestations(imageVerify, imageInfo)
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) verifyAttestors(rclient registryclient.Client, attestors []kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification,
|
||||
func (iv *imageVerifier) verifyAttestors(attestors []kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification,
|
||||
imageInfo apiutils.ImageInfo, predicateType string,
|
||||
) (*response.RuleResponse, *cosign.Response, []kyvernov1.AttestorSet) {
|
||||
var cosignResponse *cosign.Response
|
||||
|
@ -329,7 +331,7 @@ func (iv *imageVerifier) verifyAttestors(rclient registryclient.Client, attestor
|
|||
var err error
|
||||
path := fmt.Sprintf(".attestors[%d]", i)
|
||||
iv.logger.V(4).Info("verifying attestors", "path", path)
|
||||
cosignResponse, err = iv.verifyAttestorSet(rclient, attestorSet, imageVerify, imageInfo, path, predicateType)
|
||||
cosignResponse, err = iv.verifyAttestorSet(attestorSet, imageVerify, imageInfo, path, predicateType)
|
||||
if err != nil {
|
||||
iv.logger.Error(err, "failed to verify image")
|
||||
msg := fmt.Sprintf("failed to verify image %s: %s", image, err.Error())
|
||||
|
@ -353,7 +355,7 @@ func (iv *imageVerifier) verifyAttestors(rclient registryclient.Client, attestor
|
|||
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), cosignResponse, newAttestors
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) verifyAttestations(rclient registryclient.Client, imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) (*response.RuleResponse, string) {
|
||||
func (iv *imageVerifier) verifyAttestations(imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) (*response.RuleResponse, string) {
|
||||
image := imageInfo.String()
|
||||
for i, attestation := range imageVerify.Attestations {
|
||||
var attestationError error
|
||||
|
@ -378,7 +380,7 @@ func (iv *imageVerifier) verifyAttestations(rclient registryclient.Client, image
|
|||
for _, a := range entries {
|
||||
entryPath := fmt.Sprintf("%s.entries[%d]", attestorPath, i)
|
||||
opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, attestation)
|
||||
cosignResp, err := cosign.FetchAttestations(rclient, *opts)
|
||||
cosignResp, err := cosign.FetchAttestations(iv.rclient, *opts)
|
||||
if err != nil {
|
||||
iv.logger.Error(err, "failed to fetch attestations")
|
||||
msg := fmt.Sprintf("failed to fetch attestations %s: %s", image, err.Error())
|
||||
|
@ -413,7 +415,7 @@ func (iv *imageVerifier) verifyAttestations(rclient registryclient.Client, image
|
|||
return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), ""
|
||||
}
|
||||
|
||||
func (iv *imageVerifier) verifyAttestorSet(rclient registryclient.Client, attestorSet kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification,
|
||||
func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification,
|
||||
imageInfo apiutils.ImageInfo, path, predicateType string,
|
||||
) (*cosign.Response, error) {
|
||||
var errorList []error
|
||||
|
@ -434,11 +436,11 @@ func (iv *imageVerifier) verifyAttestorSet(rclient registryclient.Client, attest
|
|||
entryError = errors.Wrapf(err, "failed to unmarshal nested attestor %s", attestorPath)
|
||||
} else {
|
||||
attestorPath += ".attestor"
|
||||
cosignResp, entryError = iv.verifyAttestorSet(rclient, *nestedAttestorSet, imageVerify, imageInfo, attestorPath, predicateType)
|
||||
cosignResp, entryError = iv.verifyAttestorSet(*nestedAttestorSet, imageVerify, imageInfo, attestorPath, predicateType)
|
||||
}
|
||||
} else {
|
||||
opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, kyvernov1.Attestation{PredicateType: predicateType})
|
||||
cosignResp, entryError = cosign.VerifySignature(rclient, *opts)
|
||||
cosignResp, entryError = cosign.VerifySignature(iv.rclient, *opts)
|
||||
if entryError != nil {
|
||||
entryError = errors.Wrapf(entryError, attestorPath+subPath)
|
||||
}
|
||||
|
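Review bot: The registry fetch in handleMutateDigest, `desc, err := iv.rclient.FetchImageDescriptor(context.TODO(), imageInfo.String())`, is rewritten to use the stored client but still runs with no deadline, so an unresponsive registry can hold the admission request for as long as the underlying transport allows; with the client now a field on imageVerifier, a bounded context can be derived at that call site, e.g. `ctx, cancel := context.WithTimeout(context.TODO(), descriptorFetchTimeout)` followed by `defer cancel()`, where `descriptorFetchTimeout` is a placeholder for a named constant to be added. The new `rclient registryclient.Client` field in the imageVerifier struct (hunk at -177) also carries no doc comment and nothing checks it for nil before VerifyAndPatchImages builds the verifier, so a missing client surfaces only when the first image needs a fetch; a comment such as `// rclient fetches descriptors, signatures and attestations; presumably shared across requests, so it must be non-nil and safe for concurrent use — confirm` would state the contract. The same stored client is used by the cosign calls in verifyAttestations and verifyAttestorSet, which are covered by this note. Each of the affected functions begins or ends outside its hunk.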
|
|
@ -36,7 +36,7 @@ func LoadContext(logger logr.Logger, rclient registryclient.Client, contextEntri
|
|||
// Context Variable should be loaded after the values loaded from values file
|
||||
for _, entry := range contextEntries {
|
||||
if entry.ImageRegistry != nil && hasRegistryAccess {
|
||||
// rclient := store.GetRegistryClient()
|
||||
rclient := store.GetRegistryClient()
|
||||
if err := loadImageData(rclient, logger, entry, ctx); err != nil {
|
||||
return err
|
||||
}
|
||||
|
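Review bot: The uncommented `rclient := store.GetRegistryClient()` shadows the `rclient` parameter that LoadContext receives (visible in the hunk header), so inside the `entry.ImageRegistry != nil && hasRegistryAccess` branch the caller-supplied client is silently replaced and never reaches `loadImageData`, which is the opposite of propagating it. If the store's client is intentionally preferred here, a comment should say so, for example `// the store's client takes precedence over the parameter here — confirm why`, and otherwise the shadowing line should go and the parameter be passed through. I am inferring from print order that the uncommented line is the new side; if the direction is reversed, the parameter is what ends up used and only the leftover commented-out line would be worth removing. LoadContext starts before this hunk.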
|
|
@ -12,6 +12,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/openapi"
|
||||
"github.com/kyverno/kyverno/pkg/policycache"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
|
||||
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
|
||||
|
@ -39,6 +40,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
|
|||
|
||||
return &handlers{
|
||||
client: dclient,
|
||||
rclient: registryclient.NewOrDie(),
|
||||
configuration: configuration,
|
||||
metricsConfig: metricsConfig,
|
||||
pCache: policyCache,
|
||||
|
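Review bot: `rclient: registryclient.NewOrDie(),` builds a real registry client inside NewFakeHandlers, so every test that goes through these fake handlers gets a client capable of contacting real registries and, going by its name, one that panics rather than returning an error if construction fails. Accepting the client as a parameter of NewFakeHandlers, or taking a `registryclient.Client` stub, would let tests inject a fake and keep the image-verification path hermetic. What NewOrDie does at construction time is not visible in this hunk, so the cost of building one per fake handler is an inference. NewFakeHandlers starts before this hunk.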
|
|
@ -180,8 +180,8 @@ func (h *handlers) Mutate(ctx context.Context, logger logr.Logger, request *admi
|
|||
logger.Error(err, "failed to build policy context")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
}
|
||||
ivh := imageverification.NewImageVerificationHandler(logger, h.kyvernoClient, h.eventGen, h.admissionReports)
|
||||
imagePatches, imageVerifyWarnings, err := ivh.Handle(h.metricsConfig, newRequest, verifyImagesPolicies, policyContext)
|
||||
ivh := imageverification.NewImageVerificationHandler(logger, h.kyvernoClient, h.rclient, h.eventGen, h.admissionReports)
|
||||
imagePatches, imageVerifyWarnings, err := ivh.Handle(newRequest, verifyImagesPolicies, policyContext)
|
||||
if err != nil {
|
||||
logger.Error(err, "image verification failed")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
|
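Review bot: `ivh := imageverification.NewImageVerificationHandler(logger, h.kyvernoClient, h.rclient, h.eventGen, h.admissionReports)` rebuilds the verification handler on every Mutate call even though every argument except `logger` is a field of `h`; constructing it once when `handlers` is assembled and passing only the logger per request would avoid the per-call allocation and make it explicit that the registry client is shared for the handler's lifetime. Whether `logger` here is request-scoped, and whether the handler type can accept a logger per call, is not visible in the hunk, so that refactor needs confirming against the rest of the file. Mutate's body begins before and continues after this hunk.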
|
|
@ -11,7 +11,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
|
@ -25,7 +24,6 @@ import (
|
|||
|
||||
type ImageVerificationHandler interface {
|
||||
Handle(
|
||||
metrics.MetricsConfigManager,
|
||||
*admissionv1.AdmissionRequest,
|
||||
[]kyvernov1.PolicyInterface,
|
||||
*engine.PolicyContext,
|
||||
|
@ -35,11 +33,13 @@ type ImageVerificationHandler interface {
|
|||
func NewImageVerificationHandler(
|
||||
log logr.Logger,
|
||||
kyvernoClient versioned.Interface,
|
||||
rclient registryclient.Client,
|
||||
eventGen event.Interface,
|
||||
admissionReports bool,
|
||||
) ImageVerificationHandler {
|
||||
return &imageVerificationHandler{
|
||||
kyvernoClient: kyvernoClient,
|
||||
rclient: rclient,
|
||||
log: log,
|
||||
eventGen: eventGen,
|
||||
admissionReports: admissionReports,
|
||||
|
@ -48,13 +48,13 @@ func NewImageVerificationHandler(
|
|||
|
||||
type imageVerificationHandler struct {
|
||||
kyvernoClient versioned.Interface
|
||||
rclient registryclient.Client
|
||||
log logr.Logger
|
||||
eventGen event.Interface
|
||||
admissionReports bool
|
||||
}
|
||||
|
||||
func (h *imageVerificationHandler) Handle(
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
|
@ -77,7 +77,7 @@ func (h *imageVerificationHandler) handleVerifyImages(logger logr.Logger, reques
|
|||
verifiedImageData := &engine.ImageVerificationMetadata{}
|
||||
for _, p := range policies {
|
||||
policyContext := policyContext.WithPolicy(p)
|
||||
resp, ivm := engine.VerifyAndPatchImages(registryclient.NewOrDie(), policyContext)
|
||||
resp, ivm := engine.VerifyAndPatchImages(h.rclient, policyContext)
|
||||
|
||||
engineResponses = append(engineResponses, resp)
|
||||
patches = append(patches, resp.GetPatches()...)
|
||||
|
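Review bot: NewImageVerificationHandler stores the new `rclient registryclient.Client` argument without checking it, and since the per-policy `registryclient.NewOrDie()` in handleVerifyImages is replaced by `h.rclient`, a nil client would now fail inside the engine during an admission request instead of at wiring time; a guard in the constructor such as `if rclient == nil { panic("NewImageVerificationHandler: registry client must not be nil") }`, or at minimum a field comment `// rclient is shared by every admission request this handler serves; must be non-nil`, pins the contract. Dropping `metrics.MetricsConfigManager` from the Handle interface and method is a signature change for every implementer and caller, and only the Mutate call site is visible as updated in this commit; other callers, if any, are outside what I can see. Handle and handleVerifyImages both continue outside their hunks.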
|