
Fix Cli test for image verification (#3760)

* fix CLI test for image verification
Vyankatesh Kudtarkar 2022-05-04 09:41:59 +05:30 committed by GitHub
parent 43fc77c71f
commit fca068d0f6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 129 additions and 18 deletions


@ -501,12 +501,6 @@ OuterLoop:
}
}
verifyImageResponse := engine.VerifyAndPatchImages(policyContext)
if verifyImageResponse != nil && !verifyImageResponse.IsEmpty() {
engineResponses = append(engineResponses, verifyImageResponse)
updateResultCounts(policy, verifyImageResponse, resPath, rc)
}
var policyHasValidate bool
for _, rule := range autogen.ComputeRules(policy) {
if rule.HasValidate() || rule.HasImagesValidationChecks() {
@ -527,6 +521,12 @@ OuterLoop:
engineResponses = append(engineResponses, validateResponse)
}
verifyImageResponse := engine.VerifyAndPatchImages(policyContext)
if verifyImageResponse != nil && !verifyImageResponse.IsEmpty() {
engineResponses = append(engineResponses, verifyImageResponse)
info = ProcessValidateEngineResponse(policy, verifyImageResponse, resPath, rc, policyReport)
}
var policyHasGenerate bool
for _, rule := range autogen.ComputeRules(policy) {
if rule.HasGenerate() {
@ -709,7 +709,7 @@ func ProcessValidateEngineResponse(policy v1.PolicyInterface, validateResponse *
printCount := 0
for _, policyRule := range autogen.ComputeRules(policy) {
ruleFoundInEngineResponse := false
if !policyRule.HasValidate() && !policyRule.HasImagesValidationChecks() {
if !policyRule.HasValidate() && !policyRule.HasImagesValidationChecks() && !policyRule.HasVerifyImages() {
continue
}
@ -793,6 +793,7 @@ func updateResultCounts(policy v1.PolicyInterface, engineResponse *response.Engi
for i, ruleResponse := range engineResponse.PolicyResponse.Rules {
if policyRule.Name == ruleResponse.Name {
ruleFoundInEngineResponse = true
if ruleResponse.Status == response.RuleStatusPass {
rc.Pass++
} else {


@ -0,0 +1,11 @@
name: test-image-enforce-signatures
policies:
- policies.yaml
resources:
- resources.yaml
results:
- policy: secure-images
rule: enforce-signatures
resource: tomcat
kind: Pod
status: fail


@ -0,0 +1,24 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: secure-images
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: enforce
background: false
webhookTimeoutSeconds: 30
failurePolicy: Fail
rules:
- name: enforce-signatures
match:
resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "*"
required: true
verifyDigest: false
mutateDigest: false
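Review bot: The `enforce-signatures` rule sets `required: true` but declares no `attestors`, so there is no key or identity a signature could ever be checked against; the `fail` expected in the accompanying test.yaml therefore exercises the engine's handling of a rule with no attestors rather than a signature mismatch. If the intent is to test enforced signatures, adding an attestor as the check-image fixture does would make the failure reason the missing or invalid signature; if the no-attestor path is deliberate, a comment such as `# intentionally no attestors: verifies that required: true fails closed` above `verifyImages:` would record that.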


@ -0,0 +1,8 @@
apiVersion: v1
kind: Pod
metadata:
name: tomcat
spec:
containers:
- name: tomcat
image: ghcr.io/jimbugwadia/demo-java-tomcat:v0.0.15


@ -1,12 +1,16 @@
name: test-image-digest
name: test-image-signature
policies:
- policies.yaml
resources:
- resources.yaml
results:
# Requires Kyverno CLI updates
# - policy: verify-signature
# rule: check-static-key
# resource: signed
# kind: Pod
# status: pass
- policy: verify-signature
rule: check-static-key
resource: signed
kind: Pod
status: pass
- policy: verify-signature
rule: check-static-key
resource: unsigned
kind: Pod
status: fail


@ -6,6 +6,8 @@ metadata:
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
background: false
validationFailureAction: enforce
rules:
- name: check-static-key
match:
@ -20,6 +22,6 @@ spec:
- staticKey:
key: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyBg8yod24/wIcc5QqlVLtCfL+6Te
+nwdPdTvMb1AiZn24zBToHJVZvQdYLgRWAbh0Jd+6JhEwsDmnXRrlV7rfw==
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
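Review bot: The replacement public key in the hunk at 22 now duplicates the key embedded in the new check-image policy, and nothing in either fixture says which signing key it is the public half of; when the test image is re-signed, both copies must be found and updated together. A one-line comment above `key: |-`, e.g. `# public key for the signature on ghcr.io/kyverno/test-verify-image:signed (keep in sync with the check-image test policy)`, would make that dependency visible. The rule definition around this hunk begins and ends outside it.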


@ -3,7 +3,7 @@ apiVersion: v1
kind: Pod
metadata:
name: signed
sspec:
spec:
containers:
- name: signed
image: ghcr.io/kyverno/test-verify-image:signed
@ -12,7 +12,7 @@ apiVersion: v1
kind: Pod
metadata:
name: unsigned
sspec:
spec:
containers:
- name: signed
image: ghcr.io/kyverno/test-verify-image:unsigned


@ -0,0 +1,16 @@
name: test-image-verify-signature
policies:
- policies.yaml
resources:
- resources.yaml
results:
- policy: check-image
rule: verify-signature
resource: signed
kind: Pod
status: pass
- policy: check-image
rule: verify-signature
resource: unsigned
kind: Pod
status: fail


@ -0,0 +1,27 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-image
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: enforce
background: false
rules:
- name: verify-signature
match:
resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "*"
attestors:
- count: 1
entries:
- staticKey:
key: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
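Review bot: The `verifyImages` entry in check-image leaves `required`, `verifyDigest` and `mutateDigest` unset, whereas the sibling secure-images fixture spells all three out; the `fail` expected for the unsigned pod relies on whatever the engine defaults `required` to. Adding `required: true` next to `imageReferences` makes the fixture self-describing and keeps the two policy fixtures consistent.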


@ -0,0 +1,18 @@
---
apiVersion: v1
kind: Pod
metadata:
name: signed
spec:
containers:
- name: signed
image: ghcr.io/kyverno/test-verify-image:signed
---
apiVersion: v1
kind: Pod
metadata:
name: unsigned
spec:
containers:
- name: signed
image: ghcr.io/kyverno/test-verify-image:unsigned
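Review bot: The second Pod is named `unsigned` but its only container is `- name: signed`; the test matches on resource name so it still passes, yet the fixture reads as a copy-paste slip and would mislead anyone reading the CLI output per container. Renaming it to `- name: unsigned` keeps the resource self-consistent; the same mismatch survives unchanged in the `sspec` fix for the older resources.yaml.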