From f5aa68eb55212d35a4bcf03c12d9fa4fd423d26a Mon Sep 17 00:00:00 2001
From: Riko Kudo
Date: Tue, 15 Nov 2022 22:27:58 +0900
Subject: [PATCH] add test cases for yaml verification feature (#5326)
* add test cases for yaml verification feature
Signed-off-by: Riko Kudo
* update policies to use the new schema version
Signed-off-by: Riko Kudo
Signed-off-by: Riko Kudo
Co-authored-by: Chip Zoller
Co-authored-by: shuting
---
 .../verify-signature/kyverno-test.yaml | 21 +++++++
 .../manifests/verify-signature/policies.yaml | 63 +++++++++++++++++++
 .../manifests/verify-signature/resources.yaml | 45 +++++++++++++
 3 files changed, 129 insertions(+)
 create mode 100644 test/cli/test/manifests/verify-signature/kyverno-test.yaml
 create mode 100644 test/cli/test/manifests/verify-signature/policies.yaml
 create mode 100644 test/cli/test/manifests/verify-signature/resources.yaml
diff --git a/test/cli/test/manifests/verify-signature/kyverno-test.yaml b/test/cli/test/manifests/verify-signature/kyverno-test.yaml
new file mode 100644
index 0000000000..1edd7b54ad
--- /dev/null
+++ b/test/cli/test/manifests/verify-signature/kyverno-test.yaml
@@ -0,0 +1,21 @@
+name: yaml-verification
+policies:
+ - policies.yaml
+resources:
+ - resources.yaml
+results:
+ - policy: validate-yaml
+ rule: validate-yaml
+ resource: test-service # no signature
+ kind: Service
+ result: fail
+ - policy: validate-yaml
+ rule: validate-yaml
+ resource: test-service2 # one signature
+ kind: Service
+ result: pass
+ - policy: validate-yaml
+ rule: validate-yaml-multi-sig
+ resource: test-service3 # multi signature
+ kind: Service
+ result: pass
\ No newline at end of file
diff --git a/test/cli/test/manifests/verify-signature/policies.yaml b/test/cli/test/manifests/verify-signature/policies.yaml
new file mode 100644
index 0000000000..0ea2aff51d
--- /dev/null
+++ b/test/cli/test/manifests/verify-signature/policies.yaml
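Review bot: The results list has no failing case for the validate-yaml-multi-sig rule, so a regression that accepts a manifest carrying only one of the two required signatures would still pass this test; test-service2 (one signature) matched against that rule is the natural negative case. If the CLI checks only the result entries that are listed, the remaining combinations the `test*` match also produces (test-service3 against validate-yaml, test-service and test-service2 against validate-yaml-multi-sig) are silently unasserted, which is worth a comment such as `# only the listed policy/rule/resource combinations are asserted`. Both this file and policies.yaml are also committed without a trailing newline (`\ No newline at end of file`).
```yaml
  # … unchanged: existing results entries …
  - policy: validate-yaml
    rule: validate-yaml-multi-sig
    resource: test-service2  # one signature; the multi-sig rule should reject it
    kind: Service
    result: fail
```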
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-yaml
+spec:
+ validationFailureAction: enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: validate-yaml
+ match:
+ any:
+ - resources:
+ kinds:
+ - Service
+ name: test*
+ validate:
+ manifests:
+ attestors:
+ # at least one signature required
+ - count: 1
+ entries:
+ - keys:
+ # pub
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
+ BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
+ -----END PUBLIC KEY-----
+ - keys:
+ # pub1
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
+ FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
+ -----END PUBLIC KEY-----
+ - name: validate-yaml-multi-sig
+ match:
+ any:
+ - resources:
+ kinds:
+ - Service
+ name: test*
+ validate:
+ manifests:
+ attestors:
+ # all signatures required
+ - entries:
+ - keys:
+ # pub
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
+ BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
+ -----END PUBLIC KEY-----
+ - keys:
+ # pub1
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
+ FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
+ -----END PUBLIC KEY-----
\ No newline at end of file
diff --git a/test/cli/test/manifests/verify-signature/resources.yaml b/test/cli/test/manifests/verify-signature/resources.yaml
new file mode 100644
index 0000000000..1f794fb3df
--- /dev/null
+++ b/test/cli/test/manifests/verify-signature/resources.yaml
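Review bot: The attestor under validate-yaml-multi-sig omits `count` and relies on the default to mean "all signatures required", as the comment above it says; if an omitted count does mean every entry must verify, stating it explicitly as `- count: 2` next to `# all signatures required` pins that intent independently of the default and mirrors the `count: 1` the first rule already spells out. The `# pub` and `# pub1` comments do not say that these are test-only keypairs or which annotations in resources.yaml each one verifies, so a maintainer cannot tell from this file how to regenerate the fixtures; a one-line comment per key naming the signed resources would cover it. The two PEM blocks are also duplicated verbatim across the two rules, which is acceptable for a fixture but means any key rotation has to be applied in four places.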
@@ -0,0 +1,45 @@
+# no signature
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-service
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
+---
+# one signature
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA
+ cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y=
+ name: test-service2
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
+---
+# multi signatures
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+ cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+ cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+ name: test-service3
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
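Review bot: The signed fixtures carry no note on how the cosign.sigstore.dev/message and cosign.sigstore.dev/signature annotations were produced — which key signed test-service2, and which two keys produced signature and signature_1 on test-service3 — so they cannot be regenerated when the manifest body or the signing format changes. The `# one signature` and `# multi signatures` comments identify the case but not the provenance; a header comment at the top of the file naming the keypairs (presumably the `# pub` / `# pub1` keys in policies.yaml) and the signing tool used would be enough. Since the three Service bodies are otherwise identical, it would also help to say in that header that only the annotations differ, so that a later edit to `spec` is recognized as invalidating the signatures.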