From fca068d0f6eccfaaf6f6c90dcc5230922ddaea17 Mon Sep 17 00:00:00 2001 From: Vyankatesh Kudtarkar Date: Wed, 4 May 2022 09:41:59 +0530 Subject: [PATCH] Fix Cli test for image verification (#3760) * fix Cli test for image verification --- .../kubectl-kyverno/utils/common/common.go | 15 ++++++----- .../images/secure-images/kyverno-test.yaml | 11 ++++++++ .../test/images/secure-images/policies.yaml | 24 +++++++++++++++++ .../test/images/secure-images/resources.yaml | 8 ++++++ .../test/images/signatures/kyverno-test.yaml | 18 ++++++++----- test/cli/test/images/signatures/policies.yaml | 6 +++-- .../cli/test/images/signatures/resources.yaml | 4 +-- .../images/verify-signature/kyverno-test.yaml | 16 +++++++++++ .../images/verify-signature/policies.yaml | 27 +++++++++++++++++++ .../images/verify-signature/resources.yaml | 18 +++++++++++++ 10 files changed, 129 insertions(+), 18 deletions(-) create mode 100644 test/cli/test/images/secure-images/kyverno-test.yaml create mode 100644 test/cli/test/images/secure-images/policies.yaml create mode 100644 test/cli/test/images/secure-images/resources.yaml create mode 100644 test/cli/test/images/verify-signature/kyverno-test.yaml create mode 100644 test/cli/test/images/verify-signature/policies.yaml create mode 100644 test/cli/test/images/verify-signature/resources.yaml diff --git a/cmd/cli/kubectl-kyverno/utils/common/common.go b/cmd/cli/kubectl-kyverno/utils/common/common.go index 7e483d4f3c..02aa6ab7de 100644 --- a/cmd/cli/kubectl-kyverno/utils/common/common.go +++ b/cmd/cli/kubectl-kyverno/utils/common/common.go 
@@ -501,12 +501,6 @@ OuterLoop: } } - verifyImageResponse := engine.VerifyAndPatchImages(policyContext) - if verifyImageResponse != nil && !verifyImageResponse.IsEmpty() { - engineResponses = append(engineResponses, verifyImageResponse) - updateResultCounts(policy, verifyImageResponse, resPath, rc) - } - var policyHasValidate bool for _, rule := range autogen.ComputeRules(policy) { if rule.HasValidate() || rule.HasImagesValidationChecks() { @@ -527,6 +521,12 @@ OuterLoop: engineResponses = append(engineResponses, validateResponse) } + verifyImageResponse := engine.VerifyAndPatchImages(policyContext) + if verifyImageResponse != nil && !verifyImageResponse.IsEmpty() { + engineResponses = append(engineResponses, verifyImageResponse) + info = ProcessValidateEngineResponse(policy, verifyImageResponse, resPath, rc, policyReport) + } + var policyHasGenerate bool for _, rule := range autogen.ComputeRules(policy) { if rule.HasGenerate() { @@ -709,7 +709,7 @@ func ProcessValidateEngineResponse(policy v1.PolicyInterface, validateResponse * printCount := 0 for _, policyRule := range autogen.ComputeRules(policy) { ruleFoundInEngineResponse := false - if !policyRule.HasValidate() && !policyRule.HasImagesValidationChecks() { + if !policyRule.HasValidate() && !policyRule.HasImagesValidationChecks() && !policyRule.HasVerifyImages() { continue } @@ -793,6 +793,7 @@ func updateResultCounts(policy v1.PolicyInterface, engineResponse *response.Engi for i, ruleResponse := range engineResponse.PolicyResponse.Rules { if policyRule.Name == ruleResponse.Name { ruleFoundInEngineResponse = true + if ruleResponse.Status == response.RuleStatusPass { rc.Pass++ } else { diff --git a/test/cli/test/images/secure-images/kyverno-test.yaml b/test/cli/test/images/secure-images/kyverno-test.yaml new file mode 100644 index 0000000000..e585738168 --- /dev/null +++ b/test/cli/test/images/secure-images/kyverno-test.yaml 
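Review bot: In the second hunk, `info = ProcessValidateEngineResponse(policy, verifyImageResponse, resPath, rc, policyReport)` writes to the same `info` that the validate branch immediately above appears to populate (that assignment sits outside the hunk), so for a policy carrying both validate and verifyImages rules the validate report entry is replaced by the image-verification one rather than combined with it; `rc` is still updated for both, but the per-rule report would lose the validate results. Consider capturing the verify-image result in its own variable and merging its rule results into `info` (or appending it to the collected report data) instead of overwriting. Moving `engine.VerifyAndPatchImages` after validation also inverts the order used in the admission path if image verification runs there as a mutating step before validation; a policy that validates against the patched digest would then behave differently in the CLI than in the webhook, so if this ordering is intended a comment such as `// image verification results are reported separately; the CLI does not feed patched images into validation` would make that explicit. The enclosing function starts and ends outside the hunk.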
@@ -0,0 +1,11 @@ +name: test-image-enforce-signatures +policies: + - policies.yaml +resources: + - resources.yaml +results: + - policy: secure-images + rule: enforce-signatures + resource: tomcat + kind: Pod + status: fail \ No newline at end of file diff --git a/test/cli/test/images/secure-images/policies.yaml b/test/cli/test/images/secure-images/policies.yaml new file mode 100644 index 0000000000..cc0ca9d06f --- /dev/null +++ b/test/cli/test/images/secure-images/policies.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: secure-images + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: enforce-signatures + match: + resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "*" + required: true + verifyDigest: false + mutateDigest: false diff --git a/test/cli/test/images/secure-images/resources.yaml b/test/cli/test/images/secure-images/resources.yaml new file mode 100644 index 0000000000..87337d1d95 --- /dev/null +++ b/test/cli/test/images/secure-images/resources.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: tomcat +spec: + containers: + - name: tomcat + image: ghcr.io/jimbugwadia/demo-java-tomcat:v0.0.15 \ No newline at end of file diff --git a/test/cli/test/images/signatures/kyverno-test.yaml b/test/cli/test/images/signatures/kyverno-test.yaml index 4892545c18..c8a1e5dca6 100644 --- a/test/cli/test/images/signatures/kyverno-test.yaml +++ b/test/cli/test/images/signatures/kyverno-test.yaml 
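Review bot: The expected `fail` for `tomcat` in kyverno-test.yaml rests on the CLI finding no acceptable signature for `ghcr.io/jimbugwadia/demo-java-tomcat:v0.0.15` when it fetches signature metadata, so the test needs network access and depends on a mutable tag in a personal namespace; if that tag is later signed, re-pushed or removed, the fixture flips or errors for a reason unrelated to the CLI. Pinning the reference by digest, or using an image under the project's own namespace as the sibling tests do (`ghcr.io/kyverno/test-verify-image:unsigned`), would make the negative case reproducible. The policy also has no `attestors` block, so nothing in the fixture says what is being asserted; a comment on the result entry such as `# no attestors are configured and required is true, so an image with no signature must be rejected` would state it.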
@@ -1,12 +1,16 @@ -name: test-image-digest +name: test-image-signature policies: - policies.yaml resources: - resources.yaml results: -# Requires Kyverno CLI updates -# - policy: verify-signature -# rule: check-static-key -# resource: signed -# kind: Pod -# status: pass \ No newline at end of file + - policy: verify-signature + rule: check-static-key + resource: signed + kind: Pod + status: pass + - policy: verify-signature + rule: check-static-key + resource: unsigned + kind: Pod + status: fail \ No newline at end of file diff --git a/test/cli/test/images/signatures/policies.yaml b/test/cli/test/images/signatures/policies.yaml index 9873939913..8694ab4318 100644 --- a/test/cli/test/images/signatures/policies.yaml +++ b/test/cli/test/images/signatures/policies.yaml @@ -6,6 +6,8 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: + background: false + validationFailureAction: enforce rules: - name: check-static-key match: @@ -20,6 +22,6 @@ spec: - staticKey: key: |- -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyBg8yod24/wIcc5QqlVLtCfL+6Te - +nwdPdTvMb1AiZn24zBToHJVZvQdYLgRWAbh0Jd+6JhEwsDmnXRrlV7rfw== + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM + 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY----- diff --git a/test/cli/test/images/signatures/resources.yaml b/test/cli/test/images/signatures/resources.yaml index d30711a035..7e8fcc10eb 100644 --- a/test/cli/test/images/signatures/resources.yaml +++ b/test/cli/test/images/signatures/resources.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Pod metadata: name: signed -sspec: +spec: containers: - name: signed image: ghcr.io/kyverno/test-verify-image:signed @@ -12,7 +12,7 @@ apiVersion: v1 kind: Pod metadata: name: unsigned -sspec: +spec: containers: - name: signed image: ghcr.io/kyverno/test-verify-image:unsigned \ No newline at end of file 
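Review bot: In resources.yaml the Pod named `unsigned` still declares its container as `- name: signed`, so a failure message that names the container reads as if the signed image were rejected; `- name: unsigned` would keep the resource, container and expected result aligned. The `sspec` → `spec` correction is what makes the two expectations meaningful: with the typo the Pods had no valid `spec`, which is presumably why the results were commented out before. The static key in policies.yaml is replaced wholesale with no indication of its provenance; a short comment above it naming the test image it was used to sign (`ghcr.io/kyverno/test-verify-image:signed`) would help whoever has to rotate it next.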
diff --git a/test/cli/test/images/verify-signature/kyverno-test.yaml b/test/cli/test/images/verify-signature/kyverno-test.yaml new file mode 100644 index 0000000000..b1fbc21560 --- /dev/null +++ b/test/cli/test/images/verify-signature/kyverno-test.yaml @@ -0,0 +1,16 @@ +name: test-image-verify-signature +policies: + - policies.yaml +resources: + - resources.yaml +results: + - policy: check-image + rule: verify-signature + resource: signed + kind: Pod + status: pass + - policy: check-image + rule: verify-signature + resource: unsigned + kind: Pod + status: fail \ No newline at end of file diff --git a/test/cli/test/images/verify-signature/policies.yaml b/test/cli/test/images/verify-signature/policies.yaml new file mode 100644 index 0000000000..6387872db2 --- /dev/null +++ b/test/cli/test/images/verify-signature/policies.yaml @@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-image + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: enforce + background: false + rules: + - name: verify-signature + match: + resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "*" + attestors: + - count: 1 + entries: + - staticKey: + key: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM + 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== + -----END PUBLIC KEY----- \ No newline at end of file diff --git a/test/cli/test/images/verify-signature/resources.yaml b/test/cli/test/images/verify-signature/resources.yaml new file mode 100644 index 0000000000..7e8fcc10eb --- /dev/null +++ b/test/cli/test/images/verify-signature/resources.yaml 
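Review bot: As far as the visible hunks show, the new `verify-signature` directory repeats the `signatures` test: the same public key, the same two `ghcr.io/kyverno/test-verify-image` Pods (the new resources.yaml carries blob id `7e8fcc10eb`, identical to signatures/resources.yaml), and a policy that appears to differ only in policy and rule names. Two fixtures asserting the same thing double the maintenance cost when the key or images change and obscure which scenario each one covers. Either consolidate them, or have this kyverno-test.yaml state what distinguishes it, e.g. `# same key and images as images/signatures; covers <the difference>`, filling in the actual distinction.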
@@ -0,0 +1,18 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: signed +spec: + containers: + - name: signed + image: ghcr.io/kyverno/test-verify-image:signed +--- +apiVersion: v1 +kind: Pod +metadata: + name: unsigned +spec: + containers: + - name: signed + image: ghcr.io/kyverno/test-verify-image:unsigned \ No newline at end of file