mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00
Code Activity
kyverno/pkg/engine/utils/image.go
Vishal Choudhary 87c7ce254a
feat: add skipImageReferences in verify images (#8633) 
* feat: add skipImageReferences in verify images

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: chainsaw tests

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: chainsaw-test.yaml

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: typo in assert

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-01-23 12:27:39 +00:00

83 lines
2.8 KiB
Go
Raw Blame History

package utils
import (
"fmt"
"strings"
"github.com/go-logr/logr"
"github.com/kyverno/kyverno/api/kyverno"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/ext/wildcard"
"github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
apiutils "github.com/kyverno/kyverno/pkg/utils/api"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
func ImageMatches(image string, imagePatterns []string) bool {
for _, imagePattern := range imagePatterns {
if wildcard.Match(imagePattern, image) {
return true
}
}
return false
}
func GetMatchingImages(images map[string]map[string]apiutils.ImageInfo, rule kyvernov1.Rule) ([]apiutils.ImageInfo, string) {
imageInfos := []apiutils.ImageInfo{}
imageRefs := []string{}
for _, infoMap := range images {
for _, imageInfo := range infoMap {
image := imageInfo.String()
for _, verifyImage := range rule.VerifyImages {
verifyImage = *verifyImage.Convert()
imageRefs = append(imageRefs, verifyImage.ImageReferences...)
if ImageMatches(image, verifyImage.ImageReferences) {
imageInfos = append(imageInfos, imageInfo)
}
}
}
}
return imageInfos, strings.Join(imageRefs, ",")
}
func ExtractMatchingImages(
resource unstructured.Unstructured,
context enginecontext.Interface,
rule kyvernov1.Rule,
cfg config.Configuration,
) ([]apiutils.ImageInfo, string, error) {
var (
images map[string]map[string]apiutils.ImageInfo
err error
)
images = context.ImageInfo()
if rule.ImageExtractors != nil {
images, err = context.GenerateCustomImageInfo(&resource, rule.ImageExtractors, cfg)
if err != nil {
// if we get an error while generating custom images from image extractors,
// don't check for matching images in imageExtractors
return nil, "", err
}
}
matchingImages, imageRefs := GetMatchingImages(images, rule)
return matchingImages, imageRefs, nil
}
func IsImageVerified(resource unstructured.Unstructured, image string, log logr.Logger) (engineapi.ImageVerificationMetadataStatus, error) {
if resource.Object == nil {
return engineapi.ImageVerificationFail, fmt.Errorf("nil resource")
}
if annotations := resource.GetAnnotations(); len(annotations) == 0 {
return engineapi.ImageVerificationFail, nil
} else if data, ok := annotations[kyverno.AnnotationImageVerify]; !ok {
log.V(2).Info("missing image metadata in annotation", "key", kyverno.AnnotationImageVerify)
return engineapi.ImageVerificationFail, fmt.Errorf("image is not verified")
} else if ivm, err := engineapi.ParseImageMetadata(data); err != nil {
log.Error(err, "failed to parse image verification metadata", "data", data)
return engineapi.ImageVerificationFail, fmt.Errorf("failed to parse image metadata: %w", err)
} else {
return ivm.ImageVerificationStatus(image), nil
}
}
View git blame Copy permalink