feat: add skipImageReferences in verify images (kyverno#8633)
* feat: add skipImageReferences in verify images

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: chainsaw tests

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: chainsaw-test.yaml

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: typo in assert

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
vishal-chdhry and eddycharly committed Jan 23, 2024
1 parent d47684c commit 87c7ce2
Showing 37 changed files with 899 additions and 94 deletions.
7 changes: 7 additions & 0 deletions api/kyverno/v1/image_verification_types.go
@@ -56,6 +56,13 @@ type ImageVerification struct {
// +kubebuilder:validation:Optional
ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"`

// SkipImageReferences is a list of matching image reference patterns that should be skipped.
// At least one pattern in the list must match the image for the rule to be skipped. Each image reference
// consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
// +kubebuilder:validation:Optional
SkipImageReferences []string `json:"skipImageReferences,omitempty" yaml:"skipImageReferences,omitempty"`

// Deprecated. Use StaticKeyAttestor instead.
Key string `json:"key,omitempty" yaml:"key,omitempty"`

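Review bot: the doc comment on SkipImageReferences does not say how it combines with ImageReferences directly above it; please state that a skip pattern takes precedence (an image must match ImageReferences and match none of SkipImageReferences for verification to run) and what the rule reports for a skipped image, because "for the rule to be skipped" reads as if the whole rule, not just that one image, is bypassed. Since '*' and '?' wildcards are accepted, a single pattern of '*' silently disables verification for every image the rule selects; consider rejecting an all-matching pattern in policy validation, or at least call the risk out in this comment.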
5 changes: 5 additions & 0 deletions api/kyverno/v1/zz_generated.deepcopy.go

7 changes: 7 additions & 0 deletions api/kyverno/v2beta1/image_verification_types.go
@@ -21,6 +21,13 @@ type ImageVerification struct {
// +kubebuilder:validation:Optional
ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"`

// SkipImageReferences is a list of matching image reference patterns that should be skipped.
// At least one pattern in the list must match the image for the rule to be skipped. Each image reference
// consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
// +kubebuilder:validation:Optional
SkipImageReferences []string `json:"skipImageReferences,omitempty" yaml:"skipImageReferences,omitempty"`

// Attestors specified the required attestors (i.e. authorities)
// +kubebuilder:validation:Optional
Attestors []kyvernov1.AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"`
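Review bot: the v2beta1 comment repeats "Each image reference consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest)" verbatim from ImageReferences, which describes an image being verified rather than a skip pattern; a short example of an entry in this list (for instance a pattern that exempts one internal registry) would make the intent clearer. It is also worth confirming that a rule with SkipImageReferences populated but ImageReferences empty is either rejected or documented, since both fields are marked +kubebuilder:validation:Optional in this hunk.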
5 changes: 5 additions & 0 deletions api/kyverno/v2beta1/zz_generated.deepcopy.go

88 changes: 88 additions & 0 deletions charts/kyverno/charts/crds/templates/crds.yaml
@@ -14291,6 +14291,17 @@ spec:
roots:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped. At
least one pattern in the list must match the image for
the rule to be skipped. Each image reference consists
of a registry address (defaults to docker.io), repository,
image, and tag (defaults to latest). Wildcards (''*''
and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
subject:
description: Deprecated. Use KeylessAttestor instead.
type: string
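Review bot: this description is generated from the Go doc comment and appears with identical wording in every verifyImages schema in this file and in the CLI copy under cmd/cli/kubectl-kyverno/data/crds, so any wording change should be made in api/kyverno/v1/image_verification_types.go and regenerated rather than edited in the YAML. The schema only constrains items to type: string; if an all-matching pattern such as '*' is meant to be disallowed, that check has to live in policy validation, because nothing in this hunk enforces it.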
@@ -18849,6 +18860,17 @@ spec:
roots:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped.
At least one pattern in the list must match the
image for the rule to be skipped. Each image reference
consists of a registry address (defaults to docker.io),
repository, image, and tag (defaults to latest).
Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
subject:
description: Deprecated. Use KeylessAttestor instead.
type: string
@@ -23048,6 +23070,17 @@ spec:
i.e. have matched passed a signature or attestation
check.
type: boolean
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped. At
least one pattern in the list must match the image for
the rule to be skipped. Each image reference consists
of a registry address (defaults to docker.io), repository,
image, and tag (defaults to latest). Wildcards (''*''
and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
type:
description: Type specifies the method of signature validation.
The allowed options are Cosign and Notary. By default
@@ -27603,6 +27636,17 @@ spec:
roots:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped.
At least one pattern in the list must match the
image for the rule to be skipped. Each image reference
consists of a registry address (defaults to docker.io),
repository, image, and tag (defaults to latest).
Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
subject:
description: Deprecated. Use KeylessAttestor instead.
type: string
@@ -32099,6 +32143,17 @@ spec:
roots:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped. At
least one pattern in the list must match the image for
the rule to be skipped. Each image reference consists
of a registry address (defaults to docker.io), repository,
image, and tag (defaults to latest). Wildcards (''*''
and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
subject:
description: Deprecated. Use KeylessAttestor instead.
type: string
@@ -36658,6 +36713,17 @@ spec:
roots:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped.
At least one pattern in the list must match the
image for the rule to be skipped. Each image reference
consists of a registry address (defaults to docker.io),
repository, image, and tag (defaults to latest).
Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
subject:
description: Deprecated. Use KeylessAttestor instead.
type: string
@@ -40858,6 +40924,17 @@ spec:
i.e. have matched passed a signature or attestation
check.
type: boolean
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped. At
least one pattern in the list must match the image for
the rule to be skipped. Each image reference consists
of a registry address (defaults to docker.io), repository,
image, and tag (defaults to latest). Wildcards (''*''
and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
type:
description: Type specifies the method of signature validation.
The allowed options are Cosign and Notary. By default
@@ -45413,6 +45490,17 @@ spec:
roots:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped.
At least one pattern in the list must match the
image for the rule to be skipped. Each image reference
consists of a registry address (defaults to docker.io),
repository, image, and tag (defaults to latest).
Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
subject:
description: Deprecated. Use KeylessAttestor instead.
type: string
44 changes: 44 additions & 0 deletions cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
@@ -4340,6 +4340,17 @@ spec:
roots:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped. At
least one pattern in the list must match the image for
the rule to be skipped. Each image reference consists
of a registry address (defaults to docker.io), repository,
image, and tag (defaults to latest). Wildcards (''*''
and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
subject:
description: Deprecated. Use KeylessAttestor instead.
type: string
@@ -8898,6 +8909,17 @@ spec:
roots:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped.
At least one pattern in the list must match the
image for the rule to be skipped. Each image reference
consists of a registry address (defaults to docker.io),
repository, image, and tag (defaults to latest).
Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
subject:
description: Deprecated. Use KeylessAttestor instead.
type: string
@@ -13097,6 +13119,17 @@ spec:
i.e. have matched passed a signature or attestation
check.
type: boolean
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped. At
least one pattern in the list must match the image for
the rule to be skipped. Each image reference consists
of a registry address (defaults to docker.io), repository,
image, and tag (defaults to latest). Wildcards (''*''
and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
type:
description: Type specifies the method of signature validation.
The allowed options are Cosign and Notary. By default
@@ -17652,6 +17685,17 @@ spec:
roots:
description: Deprecated. Use KeylessAttestor instead.
type: string
skipImageReferences:
description: 'SkipImageReferences is a list of matching
image reference patterns that should be skipped.
At least one pattern in the list must match the
image for the rule to be skipped. Each image reference
consists of a registry address (defaults to docker.io),
repository, image, and tag (defaults to latest).
Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
items:
type: string
type: array
subject:
description: Deprecated. Use KeylessAttestor instead.
type: string
0 comments on commit 87c7ce2