mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
5f5cda9fee
* enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix log message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> change default value of dryrun option Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> support gpg signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> set cosign experimental env when keyless verification Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * improve default ignoreFields Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * add unit-test for k8smanifest Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update install yaml Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add unit-test for k8smanifest multi-signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and resolve conflict Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * remove generic name Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix sonatype-lift issue and unit-test error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update manifest rule to use attestor Signed-off-by: Riko Kudo <rurikudo@ibm.com> * remove unused value Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve conflict Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix install.yaml Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix to set COSIGN_EXPERIMENTAL env variable when keyless verification Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix misspell Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable kyverno cli in validate.manifests rule (#3) * enable kyverno cli in validate.manifests rule Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and improve error handling for better result output Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update crds and deepcopy Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update unit test Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * change to use spec.rules.exclude.subjects instead of skipUsers (#4) Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore (#5) * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * add a comment for dryrun option field Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable to include ClusterPolicy/Policy in match resource Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style and env variable settings Signed-off-by: Riko Kudo <rurikudo@ibm.com> * simplify manifest verify func Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix func name Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix sonatype warning Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix default ignoreFields Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore rbac (#6) * fix dryrun rbac to have minimal permissions Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix lint error Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix unit-test error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated CRD documentation Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve go.mod conflicts Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated helm stuff Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
140 lines
3.3 KiB
Go
140 lines
3.3 KiB
Go
package validate
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
commonAnchors "github.com/kyverno/kyverno/pkg/engine/anchor"
|
|
"github.com/kyverno/kyverno/pkg/policy/common"
|
|
)
|
|
|
|
// Validate validates a 'validate' rule
|
|
type Validate struct {
|
|
// rule to hold 'validate' rule specifications
|
|
rule *kyvernov1.Validation
|
|
}
|
|
|
|
// NewValidateFactory returns a new instance of Mutate validation checker
|
|
func NewValidateFactory(rule *kyvernov1.Validation) *Validate {
|
|
m := Validate{
|
|
rule: rule,
|
|
}
|
|
|
|
return &m
|
|
}
|
|
|
|
// Validate validates the 'validate' rule
|
|
func (v *Validate) Validate() (string, error) {
|
|
if err := v.validateElements(); err != nil {
|
|
return "", err
|
|
}
|
|
|
|
if target := v.rule.GetPattern(); target != nil {
|
|
if path, err := common.ValidatePattern(target, "/", []commonAnchors.IsAnchor{commonAnchors.IsConditionAnchor, commonAnchors.IsExistenceAnchor, commonAnchors.IsEqualityAnchor, commonAnchors.IsNegationAnchor, commonAnchors.IsGlobalAnchor}); err != nil {
|
|
return fmt.Sprintf("pattern.%s", path), err
|
|
}
|
|
}
|
|
|
|
if target := v.rule.GetAnyPattern(); target != nil {
|
|
anyPattern, err := v.rule.DeserializeAnyPattern()
|
|
if err != nil {
|
|
return "anyPattern", fmt.Errorf("failed to deserialize anyPattern, expect array: %v", err)
|
|
}
|
|
for i, pattern := range anyPattern {
|
|
if path, err := common.ValidatePattern(pattern, "/", []commonAnchors.IsAnchor{commonAnchors.IsConditionAnchor, commonAnchors.IsExistenceAnchor, commonAnchors.IsEqualityAnchor, commonAnchors.IsNegationAnchor, commonAnchors.IsGlobalAnchor}); err != nil {
|
|
return fmt.Sprintf("anyPattern[%d].%s", i, path), err
|
|
}
|
|
}
|
|
}
|
|
|
|
if v.rule.ForEachValidation != nil {
|
|
for _, foreach := range v.rule.ForEachValidation {
|
|
if err := v.validateForEach(foreach); err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
}
|
|
|
|
return "", nil
|
|
}
|
|
|
|
func (v *Validate) validateElements() error {
|
|
count := validationElemCount(v.rule)
|
|
if count == 0 {
|
|
return fmt.Errorf("one of pattern, anyPattern, deny, foreach must be specified")
|
|
}
|
|
|
|
if count > 1 {
|
|
return fmt.Errorf("only one of pattern, anyPattern, deny, foreach can be specified")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func validationElemCount(v *kyvernov1.Validation) int {
|
|
if v == nil {
|
|
return 0
|
|
}
|
|
|
|
count := 0
|
|
if v.GetPattern() != nil {
|
|
count++
|
|
}
|
|
|
|
if v.GetAnyPattern() != nil {
|
|
count++
|
|
}
|
|
|
|
if v.Deny != nil {
|
|
count++
|
|
}
|
|
|
|
if v.ForEachValidation != nil {
|
|
count++
|
|
}
|
|
|
|
if v.Manifests != nil && len(v.Manifests.Attestors) != 0 {
|
|
count++
|
|
}
|
|
|
|
return count
|
|
}
|
|
|
|
func (v *Validate) validateForEach(foreach kyvernov1.ForEachValidation) error {
|
|
if foreach.List == "" {
|
|
return fmt.Errorf("foreach.list is required")
|
|
}
|
|
|
|
if !strings.HasPrefix(foreach.List, "request.object") && !strings.HasPrefix(foreach.List, "request.userInfo") {
|
|
return fmt.Errorf("foreach.list must start with either 'request.object' or 'request.userInfo', e.g. 'request.object.spec.containers', 'request.userInfo.groups'")
|
|
}
|
|
|
|
count := foreachElemCount(foreach)
|
|
if count == 0 {
|
|
return fmt.Errorf("one of pattern, anyPattern, deny must be specified")
|
|
}
|
|
|
|
if count > 1 {
|
|
return fmt.Errorf("only one of pattern, anyPattern, deny can be specified")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func foreachElemCount(foreach kyvernov1.ForEachValidation) int {
|
|
count := 0
|
|
if foreach.GetPattern() != nil {
|
|
count++
|
|
}
|
|
|
|
if foreach.GetAnyPattern() != nil {
|
|
count++
|
|
}
|
|
|
|
if foreach.Deny != nil {
|
|
count++
|
|
}
|
|
|
|
return count
|
|
}
|