
Fix #1592 move authorities as siblings of images. #1593


Merged
merged 1 commit into from
Mar 11, 2022
Merged
132 changes: 66 additions & 66 deletions config/300-clusterimagepolicy.yaml
Expand Up @@ -39,80 +39,80 @@ spec:
description: Spec holds the desired state of the ClusterImagePolicy (from the client).
type: object
properties:
images:
authorities:
type: array
items:
type: object
properties:
authorities:
type: array
items:
type: object
properties:
ctlog:
type: object
required:
- url
properties:
url:
type: string
key:
ctlog:
type: object
required:
- url
properties:
url:
type: string
key:
type: object
properties:
data:
description: Data contains the inline public key
type: string
kms:
description: KMS contains the KMS url of the public key
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
keyless:
type: object
properties:
ca-key:
type: object
properties:
data:
description: Data contains the inline public key
type: string
kms:
description: KMS contains the KMS url of the public key
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
identities:
type: array
items:
type: object
properties:
data:
description: Data contains the inline public key
issuer:
type: string
kms:
description: KMS contains the KMS url of the public key
subject:
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
keyless:
type: object
properties:
ca-key:
type: object
properties:
data:
description: Data contains the inline public key
type: string
kms:
description: KMS contains the KMS url of the public key
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
identities:
type: array
items:
type: object
properties:
issuer:
type: string
subject:
type: string
url:
type: string
source:
type: array
items:
type: object
properties:
oci:
type: string
url:
type: string
source:
type: array
items:
type: object
properties:
oci:
type: string
images:
type: array
items:
type: object
properties:
glob:
type: string
regex:
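Review bot: The spec-level `images` and `authorities` arrays in the new layout (the `type: array` entries under `properties:` at L43-L44 and L177-L178) carry no `minItems`, so as far as this hunk shows the API server itself accepts a ClusterImagePolicy whose `authorities` list is empty; only the Go validation in clusterimagepolicy_validation.go rejects it. Since an image pattern with no authorities is the failure mode this CRD exists to prevent, it is worth expressing the same invariant in the schema so it holds even when the admission webhook is not in the request path: add `minItems: 1` directly under `authorities:` / `type: array` (and likewise under the spec-level `images:`). This hunk does not show the spec's `required:` list, so whether `authorities` is also required at that level should be confirmed in the unexpanded part of the file.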
3 changes: 1 addition & 2 deletions config/config-image-policies.yaml
Expand Up @@ -25,5 +25,4 @@ data:
# EXAMPLE CONFIGURATION #
# #
################################
cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\",\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}]}"

cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"
2 changes: 1 addition & 1 deletion pkg/apis/config/image_policies.go
Expand Up @@ -95,7 +95,7 @@ func (p *ImagePolicyConfig) GetAuthorities(image string) ([]v1alpha1.Authority,
for _, v := range p.Policies {
for _, pattern := range v.Images {
if GlobMatch(image, pattern.Glob) {
ret = append(ret, pattern.Authorities...)
ret = append(ret, v.Authorities...)
}
}
}
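Review bot: `ret = append(ret, v.Authorities...)` still sits inside the inner `for _, pattern := range v.Images` loop, so a policy whose Images holds two globs that both match `image` now appends the same policy-level authority list twice. Before this change each pattern owned its own list and repetition was meaningful; now the list belongs to the policy and one match should suffice, otherwise the same key is verified twice and any failure is reported twice. Exiting the inner loop after the first match keeps `ret` to one copy per policy: `ret = append(ret, v.Authorities...)` followed by `break`. GetAuthorities begins and returns outside this hunk, so whether `ret` is de-duplicated later cannot be seen here.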
48 changes: 24 additions & 24 deletions pkg/apis/config/testdata/config-image-policies.yaml
Expand Up @@ -30,37 +30,37 @@ data:
cluster-image-policy-0: |
images:
- glob: rando
authorities:
- key:
data: inlinedata here
- key:
kms: whatevs
authorities:
- key:
data: inlinedata here
- key:
kms: whatevs
cluster-image-policy-1: |
images:
- glob: randomstuff*
authorities:
- key:
data: otherinline here
authorities:
- key:
data: otherinline here
cluster-image-policy-2: |
images:
- glob: rando3
authorities:
- keyless:
ca-key:
data: cakey chilling here
url: http://keylessurl.here
identities:
- issuer: issuer
subject: subject
authorities:
- keyless:
ca-key:
data: cakey chilling here
url: http://keylessurl.here
identities:
- issuer: issuer
subject: subject
cluster-image-policy-3: |
images:
- glob: inlinecert
authorities:
- key:
data: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J
RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
-----END PUBLIC KEY-----
cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\",\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}]}"
authorities:
- key:
data: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J
RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
-----END PUBLIC KEY-----
cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"

8 changes: 4 additions & 4 deletions pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
Expand Up @@ -52,16 +52,16 @@ func (*ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind {

// ClusterImagePolicySpec defines a list of images that should be verified
type ClusterImagePolicySpec struct {
Images []ImagePattern `json:"images"`
Images []ImagePattern `json:"images"`
Authorities []Authority `json:"authorities"`
}

// ImagePattern defines a pattern and its associated authorties
// If multiple patterns match a particular image, then ALL of
// those authorities must be satisfied for the image to be admitted.
type ImagePattern struct {
Glob string `json:"glob"`
Regex string `json:"regex"`
Authorities []Authority `json:"authorities"`
Glob string `json:"glob"`
Regex string `json:"regex"`
}

// The authorities block defines the rules for discovering and
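Review bot: The doc comment on `ImagePattern` at L282-L284 still says it "defines a pattern and its associated authorties" and explains how multiple patterns' authorities combine, but the struct no longer carries an `Authorities` field, so the comment now documents a field that lives on `ClusterImagePolicySpec`. Rewrite it to describe what remains, e.g. `// ImagePattern defines a glob or regex that selects the images this policy applies to.` (also fixing the "authorties" typo), and extend the `ClusterImagePolicySpec` comment to cover the new field, e.g. `// ClusterImagePolicySpec defines the image patterns a policy covers and the authorities every matching image must satisfy.` Whether the old "ALL of those authorities must be satisfied" rule still holds for the policy-level list is not shown here and should be confirmed before it is restated.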
18 changes: 10 additions & 8 deletions pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
Expand Up @@ -27,8 +27,17 @@ func (policy *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError
}

func (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (errors *apis.FieldError) {
if len(spec.Images) == 0 {
errors = errors.Also(apis.ErrGeneric("At least one image should be defined").ViaField("images"))
}
for i, image := range spec.Images {
errors = errors.Also(image.Validate(ctx)).ViaFieldIndex("images", i)
errors = errors.Also(image.Validate(ctx).ViaFieldIndex("images", i))
}
if len(spec.Authorities) == 0 {
errors = errors.Also(apis.ErrGeneric("At least one authority should be defined").ViaField("authorities"))
}
for i, authority := range spec.Authorities {
errors = errors.Also(authority.Validate(ctx).ViaFieldIndex("authorities", i))
}
return
}
Expand All @@ -51,13 +60,6 @@ func (image *ImagePattern) Validate(ctx context.Context) *apis.FieldError {
errs = errs.Also(apis.ErrDisallowedFields("regex"))
}

if len(image.Authorities) == 0 {
errs = errs.Also(apis.ErrGeneric("At least one authority should be defined").ViaField("authorities"))
}
for i := range image.Authorities {
errs = errs.Also(image.Authorities[i].Validate(ctx).ViaFieldIndex("authorities", i))
}

return errs
}

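Review bot: `ClusterImagePolicySpec.Validate` (L300-L315, complete in the first hunk) now carries the policy's two admission invariants — at least one image pattern and at least one authority — but has no doc comment, and a reader of `ImagePattern.Validate` will no longer find the authority check there after the second hunk removes it. A comment on the spec method would make the contract explicit: `// Validate rejects a spec that names no image patterns or no authorities, then validates each entry and reports its errors under images[i] or authorities[i].` As a style point, the new `for i, authority := range spec.Authorities` copies each Authority per iteration while the removed loop indexed `image.Authorities[i]`; either is fine, but the indexed form avoids the copy if Authority is large.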