From 95bf469fd51416eb88a6ae8c05d780afa35427a4 Mon Sep 17 00:00:00 2001 From: Khaled Emara Date: Wed, 14 Aug 2024 19:52:22 +0300 Subject: [PATCH 1/8] fix(codegen): missing crd version (#10852) Signed-off-by: Khaled Emara --- Makefile | 2 +- .../kyverno.io/kyverno.io_updaterequests.yaml | 386 ++++++++++++++++++ .../kyverno/kyverno.io_updaterequests.yaml | 386 ++++++++++++++++++ config/install-latest-testing.yaml | 386 ++++++++++++++++++ 4 files changed, 1159 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b607859d4981..e903f03fc7ec 100644 --- a/Makefile +++ b/Makefile @@ -501,7 +501,7 @@ codegen-client-all: codegen-client-wrappers codegen-crds-kyverno: ## Generate kyverno CRDs @echo Generate kyverno crds... >&2 @rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno - @go run ./hack/controller-gen -- paths=./api/kyverno/v1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno + @go run ./hack/controller-gen -- paths=./api/kyverno/v1/... paths=./api/kyverno/v1beta1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno .PHONY: codegen-crds-policyreport codegen-crds-policyreport: ## Generate policy reports CRDs diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml index 030e189ccfe2..9549de94368e 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml @@ -24,6 +24,392 @@ spec: singular: updaterequest scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.rule + name: Rule + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. + properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean + policy: + description: Specifies the name of the policy. + type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + handler: + description: Deprecated + type: string + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. + type: string + required: + - state + type: object + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.policy name: Policy diff --git a/config/crds/kyverno/kyverno.io_updaterequests.yaml b/config/crds/kyverno/kyverno.io_updaterequests.yaml index 20cbe100d1b1..dde694005f84 100644 --- a/config/crds/kyverno/kyverno.io_updaterequests.yaml +++ b/config/crds/kyverno/kyverno.io_updaterequests.yaml @@ -18,6 +18,392 @@ spec: singular: updaterequest scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.rule + name: Rule + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. + properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean + policy: + description: Specifies the name of the policy. + type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + handler: + description: Deprecated + type: string + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. + type: string + required: + - state + type: object + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.policy name: Policy diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index f5e0bd937a63..574b544507a7 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -41379,6 +41379,392 @@ spec: singular: updaterequest scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.rule + name: Rule + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. + properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean + policy: + description: Specifies the name of the policy. + type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + handler: + description: Deprecated + type: string + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. + type: string + required: + - state + type: object + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.policy name: Policy From 787ec22b4a535a5d98e2cd3cf3725d3e74ca2ad1 Mon Sep 17 00:00:00 2001 From: Chip Zoller Date: Wed, 14 Aug 2024 19:58:28 -0400 Subject: [PATCH 2/8] move Marcel to emeritus (#10857) Signed-off-by: chipzoller --- MAINTAINERS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS.md b/MAINTAINERS.md index c387932c23c3..8aad70bad826 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md @@ -7,7 +7,6 @@ Maintainers are approvers who have shown good technical judgement in guiding fea | Jim Bugwadia | [@JimBugwadia](https://github.com/JimBugwadia) | Nirmata | | Shuting Zhao | [@realshuting](https://github.com/realshuting) | Nirmata | | Chip Zoller | [@chipzoller](https://github.com/chipzoller) | Stackwatch (Kubecost) | -| Marcel Müller | [@MarcelMue](https://github.com/MarcelMue) | Giant Swarm GmbH | | Charles-Edouard Brétéché | [@eddycharly](https://github.com/eddycharly) | Nirmata | | Vishal Choudhary | [@vishal-chdhry](https://github.com/vishal-chdhry) | Nirmata | | Mariam Fahmy | [@MariamFahmy98](https://github.com/MariamFahmy98) | Nirmata | @@ -22,3 +21,4 @@ Maintainers are approvers who have shown good technical judgement in guiding fea | Prateek Pandey | [@prateekpandey14](https://github.com/prateekpandey14) | | | Sambhav Kothari | [@samj1912](https://github.com/samj1912) | Bloomberg | | Trey Dockendorf | [@treydock](https://github.com/treydock) | Ohio Supercomputer Center | +| Marcel Müller | [@MarcelMue](https://github.com/MarcelMue) | Giant Swarm GmbH | From 90be7c40faf8067df57161098b9d73d15b0ad5fe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Aug 2024 07:30:34 +0000 Subject: [PATCH 3/8] chore(deps): bump github/codeql-action from 3.26.1 to 3.26.2 (#10861) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.1 to 3.26.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/29d86d22a34ea372b1bbf3b2dced2e25ca6b3384...429e1977040da7a23b6822b13c129cd1ba93dbb2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 9a832ab42331..15ed5a6a5de2 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -40,6 +40,6 @@ jobs: path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@29d86d22a34ea372b1bbf3b2dced2e25ca6b3384 # v3.26.1 + uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 with: sarif_file: results.sarif From 2e39e27102c1e409b091060e1fc2f4ff691cebcc Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Thu, 15 Aug 2024 03:53:20 -0700 Subject: [PATCH 4/8] rename package: d4f --> breaker (#10863) * rename package: d4f --> breaker Signed-off-by: Jim Bugwadia * rename package: d4f --> breaker Signed-off-by: Jim Bugwadia --------- Signed-off-by: Jim Bugwadia --- cmd/kyverno/main.go | 4 ++-- pkg/{d4f => breaker}/breaker.go | 2 +- pkg/{d4f => breaker}/breaker_test.go | 2 +- pkg/webhooks/resource/handlers.go | 6 +++--- pkg/webhooks/resource/imageverification/handler.go | 6 +++--- pkg/webhooks/resource/validation/validation.go | 6 +++--- 6 files changed, 13 insertions(+), 13 deletions(-) rename pkg/{d4f => breaker}/breaker.go (99%) rename pkg/{d4f => breaker}/breaker_test.go (98%) diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 926e8911bc27..72d52f7df4ed 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -13,6 +13,7 @@ import ( "github.com/go-logr/logr" "github.com/kyverno/kyverno/cmd/internal" "github.com/kyverno/kyverno/pkg/auth/checker" + "github.com/kyverno/kyverno/pkg/breaker" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions" "github.com/kyverno/kyverno/pkg/clients/dclient" @@ -25,7 +26,6 @@ import ( policycachecontroller "github.com/kyverno/kyverno/pkg/controllers/policycache" vapcontroller "github.com/kyverno/kyverno/pkg/controllers/validatingadmissionpolicy-generate" webhookcontroller "github.com/kyverno/kyverno/pkg/controllers/webhook" - "github.com/kyverno/kyverno/pkg/d4f" "github.com/kyverno/kyverno/pkg/engine/apicall" "github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/globalcontext/store" @@ -522,7 +522,7 @@ func main() { setup.Logger.Error(errors.New("failed to start admission reports watcher"), "failed to start admission reports watcher") os.Exit(1) } - reportsBreaker := d4f.NewBreaker("admission reports", func(context.Context) bool { + reportsBreaker := breaker.NewBreaker("admission reports", func(context.Context) bool { count, isRunning := ephrs.Count() if !isRunning { return true diff --git a/pkg/d4f/breaker.go b/pkg/breaker/breaker.go similarity index 99% rename from pkg/d4f/breaker.go rename to pkg/breaker/breaker.go index 7866307d3f9a..580f8e02297a 100644 --- a/pkg/d4f/breaker.go +++ b/pkg/breaker/breaker.go @@ -1,4 +1,4 @@ -package d4f +package breaker import ( "context" diff --git a/pkg/d4f/breaker_test.go b/pkg/breaker/breaker_test.go similarity index 98% rename from pkg/d4f/breaker_test.go rename to pkg/breaker/breaker_test.go index b1b626d6b017..649f2c4ce98f 100644 --- a/pkg/d4f/breaker_test.go +++ b/pkg/breaker/breaker_test.go @@ -1,4 +1,4 @@ -package d4f +package breaker import ( "context" diff --git a/pkg/webhooks/resource/handlers.go b/pkg/webhooks/resource/handlers.go index 827be222fead..96deb10a86d8 100644 --- a/pkg/webhooks/resource/handlers.go +++ b/pkg/webhooks/resource/handlers.go @@ -11,13 +11,13 @@ import ( "github.com/alitto/pond" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/pkg/breaker" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1" kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2" "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/config" - "github.com/kyverno/kyverno/pkg/d4f" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/policycontext" @@ -64,7 +64,7 @@ type resourceHandlers struct { admissionReports bool backgroundServiceAccountName string auditPool *pond.WorkerPool - reportsBreaker d4f.Breaker + reportsBreaker breaker.Breaker } func NewHandlers( @@ -85,7 +85,7 @@ func NewHandlers( jp jmespath.Interface, maxAuditWorkers int, maxAuditCapacity int, - reportsBreaker d4f.Breaker, + reportsBreaker breaker.Breaker, ) webhooks.ResourceHandlers { return &resourceHandlers{ engine: engine, diff --git a/pkg/webhooks/resource/imageverification/handler.go b/pkg/webhooks/resource/imageverification/handler.go index 1e726159a6c4..115800c7b75a 100644 --- a/pkg/webhooks/resource/imageverification/handler.go +++ b/pkg/webhooks/resource/imageverification/handler.go @@ -7,9 +7,9 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/pkg/breaker" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" "github.com/kyverno/kyverno/pkg/config" - "github.com/kyverno/kyverno/pkg/d4f" "github.com/kyverno/kyverno/pkg/engine" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/mutate/patch" @@ -40,7 +40,7 @@ type imageVerificationHandler struct { admissionReports bool cfg config.Configuration nsLister corev1listers.NamespaceLister - reportsBreaker d4f.Breaker + reportsBreaker breaker.Breaker } func NewImageVerificationHandler( @@ -51,7 +51,7 @@ func NewImageVerificationHandler( admissionReports bool, cfg config.Configuration, nsLister corev1listers.NamespaceLister, - reportsBreaker d4f.Breaker, + reportsBreaker breaker.Breaker, ) ImageVerificationHandler { return &imageVerificationHandler{ kyvernoClient: kyvernoClient, diff --git a/pkg/webhooks/resource/validation/validation.go b/pkg/webhooks/resource/validation/validation.go index ffec49f53817..d344df0297b0 100644 --- a/pkg/webhooks/resource/validation/validation.go +++ b/pkg/webhooks/resource/validation/validation.go @@ -7,9 +7,9 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/pkg/breaker" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" "github.com/kyverno/kyverno/pkg/config" - "github.com/kyverno/kyverno/pkg/d4f" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/policycontext" "github.com/kyverno/kyverno/pkg/event" @@ -46,7 +46,7 @@ func NewValidationHandler( metrics metrics.MetricsConfigManager, cfg config.Configuration, nsLister corev1listers.NamespaceLister, - reportsBreaker d4f.Breaker, + reportsBreaker breaker.Breaker, ) ValidationHandler { return &validationHandler{ log: log, @@ -74,7 +74,7 @@ type validationHandler struct { metrics metrics.MetricsConfigManager cfg config.Configuration nsLister corev1listers.NamespaceLister - reportsBreaker d4f.Breaker + reportsBreaker breaker.Breaker } func (v *validationHandler) HandleValidationEnforce( From 40ba7129879e498aa77be0f5116b52f5f72bb0fe Mon Sep 17 00:00:00 2001 From: Khaled Emara Date: Thu, 15 Aug 2024 16:49:50 +0300 Subject: [PATCH 5/8] fix(log): set zerolog level to logr level (#10867) Signed-off-by: Khaled Emara Co-authored-by: Mariam Fahmy --- pkg/logging/log.go | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/pkg/logging/log.go b/pkg/logging/log.go index a5ac2120b914..d2c3d9530a99 100644 --- a/pkg/logging/log.go +++ b/pkg/logging/log.go @@ -55,27 +55,9 @@ func InitFlags(flags *flag.FlagSet) { // Setup configures the logger with the supplied log format. // It returns an error if the JSON logger could not be initialized or passed logFormat is not recognized. func Setup(logFormat string, loggingTimestampFormat string, level int) error { - var zerologLevel zerolog.Level - switch level { - case 6: - zerologLevel = zerolog.TraceLevel - case 5: - zerologLevel = zerolog.TraceLevel - case 4: - zerologLevel = zerolog.TraceLevel - case 3: - zerologLevel = zerolog.DebugLevel - case 2: - zerologLevel = zerolog.InfoLevel - case 1: - zerologLevel = zerolog.WarnLevel - default: - zerologLevel = zerolog.WarnLevel - } + zerologr.SetMaxV(level) - zerolog.SetGlobalLevel(zerologLevel) var logger zerolog.Logger - switch logFormat { case TextFormat: output := zerolog.ConsoleWriter{Out: os.Stderr} From 3c63152f1804de3843939a1f6484195c7437b52d Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Thu, 15 Aug 2024 07:42:29 -0700 Subject: [PATCH 6/8] update message (#10862) Signed-off-by: Jim Bugwadia --- pkg/controllers/webhook/controller.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go index a0411f64be4e..8bda32fc8e84 100644 --- a/pkg/controllers/webhook/controller.go +++ b/pkg/controllers/webhook/controller.go @@ -452,7 +452,7 @@ func (c *controller) updatePolicyStatuses(ctx context.Context) error { if c.autoUpdateWebhooks { for _, set := range c.policyState { if !set.Has(policyKey) { - ready, message = false, "Not ready yet" + ready, message = false, "Not Ready" break } } From 5a60836279b75b25ef8a5ddd771f6c8ff1e0ee4f Mon Sep 17 00:00:00 2001 From: Garry O'Donnell Date: Thu, 15 Aug 2024 16:40:57 +0100 Subject: [PATCH 7/8] feat: add updateRequestThreshold config option to kyverno helm chart (#10739) Signed-off-by: Garry O'Donnell Co-authored-by: shuting Co-authored-by: Mariam Fahmy --- charts/kyverno/README.md | 1 + charts/kyverno/templates/config/configmap.yaml | 3 +++ charts/kyverno/values.yaml | 3 +++ config/install-latest-testing.yaml | 1 + 4 files changed, 8 insertions(+) diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 48ed8b51d0c3..ed1b01e1a85e 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -295,6 +295,7 @@ The chart values are organised per component. | config.excludeClusterRoles | list | `[]` | Exclude roles | | config.generateSuccessEvents | bool | `false` | Generate success events. | | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | +| config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. | | config.webhooks | list | `[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | | config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. | | config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. | diff --git a/charts/kyverno/templates/config/configmap.yaml b/charts/kyverno/templates/config/configmap.yaml index 7d6a91678c77..d10a74d5dde6 100644 --- a/charts/kyverno/templates/config/configmap.yaml +++ b/charts/kyverno/templates/config/configmap.yaml @@ -35,6 +35,9 @@ data: resourceFilters: >- {{- include "kyverno.config.resourceFilters" . | trim | nindent 4 }} {{- end -}} + {{- with .Values.config.updateRequestThreshold }} + updateRequestThreshold: {{ . | quote }} + {{- end -}} {{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }} webhooks: {{ include "kyverno.config.webhooks" . | quote }} {{- else if .Values.config.webhooks }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 052b8c32d519..2f8cf434dc86 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -309,6 +309,9 @@ config: - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]' + # -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. + updateRequestThreshold: 1000 + # -- Defines the `namespaceSelector` in the webhook configurations. # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element # will be forwarded to the webhook configurations. diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 574b544507a7..8e6a37856d19 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -172,6 +172,7 @@ data: [ServiceMonitor,kyverno,kyverno-reports-controller] [Secret,kyverno,kyverno-svc.kyverno.svc.*] [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*] + updateRequestThreshold: "1000" webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}]" webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}" --- From f69ffe12ec1745a347489c77cfdcd1e01cf8a637 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Fri, 16 Aug 2024 12:33:59 +0530 Subject: [PATCH 8/8] feat: add full regexp support to cosign (#10815) Signed-off-by: Vishal Choudhary --- api/kyverno/v1/image_verification_types.go | 8 + .../kyverno.io_clusterpolicies.yaml | 136 +++++++++ .../kyverno.io/kyverno.io_policies.yaml | 136 +++++++++ .../data/crds/kyverno.io_clusterpolicies.yaml | 136 +++++++++ .../data/crds/kyverno.io_policies.yaml | 136 +++++++++ .../kyverno/kyverno.io_clusterpolicies.yaml | 136 +++++++++ config/crds/kyverno/kyverno.io_policies.yaml | 136 +++++++++ config/install-latest-testing.yaml | 272 ++++++++++++++++++ docs/user/crd/index.html | 22 ++ docs/user/crd/kyverno.v1.html | 58 ++++ .../kyverno/v1/keylessattestor.go | 18 ++ pkg/cosign/cosign.go | 68 +++-- pkg/cosign/cosign_test.go | 53 +++- pkg/engine/internal/imageverifier.go | 2 + pkg/images/verifier.go | 2 + .../keyless-attestation-regexp/README.md | 8 + .../chainsaw-test.yaml | 21 ++ .../pod-assert.yaml | 5 + .../keyless-attestation-regexp/pod.yaml | 9 + .../policy-assert.yaml | 7 + .../keyless-attestation-regexp/policy.yaml | 33 +++ 21 files changed, 1377 insertions(+), 25 deletions(-) create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index 30925a772cd0..5d2800edae1d 100644 --- a/api/kyverno/v1/image_verification_types.go +++ b/api/kyverno/v1/image_verification_types.go @@ -256,10 +256,18 @@ type KeylessAttestor struct { // +kubebuilder:validation:Optional Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"` + // IssuerRegExp is the regular expression to match certificate issuer used for keyless signing. + // +kubebuilder:validation:Optional + IssuerRegExp string `json:"issuerRegExp,omitempty" yaml:"issuerRegExp,omitempty"` + // Subject is the verified identity used for keyless signing, for example the email address. // +kubebuilder:validation:Optional Subject string `json:"subject,omitempty" yaml:"subject,omitempty"` + // SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address. + // +kubebuilder:validation:Optional + SubjectRegExp string `json:"subjectRegExp,omitempty" yaml:"subjectRegExp,omitempty"` + // Roots is an optional set of PEM encoded trusted root certificates. // If not provided, the system roots are used. // +kubebuilder:validation:Optional diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 6cc6fe94c0f1..bdf66e154a1e 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml @@ -3169,6 +3169,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3200,6 +3205,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -3669,6 +3680,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3700,6 +3716,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4046,6 +4068,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4076,6 +4103,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -7539,6 +7572,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -7570,6 +7608,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8044,6 +8088,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8077,6 +8127,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8427,6 +8484,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8458,6 +8520,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -11713,6 +11781,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11744,6 +11817,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12202,6 +12281,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12233,6 +12317,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12579,6 +12669,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12609,6 +12704,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16052,6 +16153,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16083,6 +16189,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16557,6 +16669,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16590,6 +16708,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -16940,6 +17065,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16971,6 +17101,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 244acd44e166..ac323e628b7a 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml @@ -3170,6 +3170,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3201,6 +3206,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -3670,6 +3681,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3701,6 +3717,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4047,6 +4069,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4077,6 +4104,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -7541,6 +7574,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -7572,6 +7610,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8046,6 +8090,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8079,6 +8129,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8429,6 +8486,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8460,6 +8522,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -11716,6 +11784,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11747,6 +11820,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12205,6 +12284,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12236,6 +12320,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12582,6 +12672,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12612,6 +12707,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16055,6 +16156,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16086,6 +16192,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16560,6 +16672,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16593,6 +16711,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -16943,6 +17068,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16974,6 +17104,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index f47d88288348..86c37dd3e937 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -3163,6 +3163,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3194,6 +3199,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -3663,6 +3674,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3694,6 +3710,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4040,6 +4062,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4070,6 +4097,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -7533,6 +7566,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -7564,6 +7602,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8038,6 +8082,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8071,6 +8121,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8421,6 +8478,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8452,6 +8514,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -11707,6 +11775,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11738,6 +11811,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12196,6 +12275,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12227,6 +12311,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12573,6 +12663,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12603,6 +12698,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16046,6 +16147,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16077,6 +16183,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16551,6 +16663,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16584,6 +16702,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -16934,6 +17059,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16965,6 +17095,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 1e7589b40732..3bb6f5c6108c 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -3164,6 +3164,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3195,6 +3200,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -3664,6 +3675,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3695,6 +3711,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4041,6 +4063,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4071,6 +4098,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -7535,6 +7568,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -7566,6 +7604,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8040,6 +8084,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8073,6 +8123,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8423,6 +8480,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8454,6 +8516,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -11710,6 +11778,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11741,6 +11814,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12199,6 +12278,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12230,6 +12314,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12576,6 +12666,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12606,6 +12701,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16049,6 +16150,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16080,6 +16186,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16554,6 +16666,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16587,6 +16705,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -16937,6 +17062,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16968,6 +17098,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index f47d88288348..86c37dd3e937 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml @@ -3163,6 +3163,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3194,6 +3199,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -3663,6 +3674,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3694,6 +3710,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4040,6 +4062,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4070,6 +4097,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -7533,6 +7566,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -7564,6 +7602,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8038,6 +8082,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8071,6 +8121,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8421,6 +8478,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8452,6 +8514,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -11707,6 +11775,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11738,6 +11811,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12196,6 +12275,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12227,6 +12311,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12573,6 +12663,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12603,6 +12698,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16046,6 +16147,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16077,6 +16183,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16551,6 +16663,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16584,6 +16702,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -16934,6 +17059,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16965,6 +17095,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 1e7589b40732..3bb6f5c6108c 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml @@ -3164,6 +3164,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3195,6 +3200,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -3664,6 +3675,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3695,6 +3711,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4041,6 +4063,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4071,6 +4098,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -7535,6 +7568,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -7566,6 +7604,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8040,6 +8084,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8073,6 +8123,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8423,6 +8480,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8454,6 +8516,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -11710,6 +11778,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11741,6 +11814,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12199,6 +12278,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12230,6 +12314,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12576,6 +12666,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12606,6 +12701,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16049,6 +16150,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16080,6 +16186,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16554,6 +16666,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16587,6 +16705,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -16937,6 +17062,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16968,6 +17098,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 8e6a37856d19..6cedf4eb5897 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -8361,6 +8361,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8392,6 +8397,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -8861,6 +8872,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8892,6 +8908,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -9238,6 +9260,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -9268,6 +9295,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -12731,6 +12764,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12762,6 +12800,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -13236,6 +13280,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13269,6 +13319,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -13619,6 +13676,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13650,6 +13712,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16905,6 +16973,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16936,6 +17009,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -17394,6 +17473,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17425,6 +17509,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -17771,6 +17861,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17801,6 +17896,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -21244,6 +21345,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -21275,6 +21381,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -21749,6 +21861,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -21782,6 +21900,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -22132,6 +22257,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -22163,6 +22293,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -25927,6 +26063,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -25958,6 +26099,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -26427,6 +26574,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -26458,6 +26610,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -26804,6 +26962,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -26834,6 +26997,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -30298,6 +30467,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -30329,6 +30503,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -30803,6 +30983,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -30836,6 +31022,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -31186,6 +31379,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -31217,6 +31415,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -34473,6 +34677,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -34504,6 +34713,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -34962,6 +35177,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -34993,6 +35213,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -35339,6 +35565,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -35369,6 +35600,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -38812,6 +39049,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -38843,6 +39085,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -39317,6 +39565,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -39350,6 +39604,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -39700,6 +39961,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -39731,6 +39997,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 47308c9ebf63..e5724029ca65 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -2700,6 +2700,17 @@

KeylessAttestor +issuerRegExp
+ +string + + + +

IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.

+ + + + subject
string @@ -2711,6 +2722,17 @@

KeylessAttestor +subjectRegExp
+ +string + + + +

SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.

+ + + + roots
string diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html index 433baef7a551..fc2ae141c887 100644 --- a/docs/user/crd/kyverno.v1.html +++ b/docs/user/crd/kyverno.v1.html @@ -5436,6 +5436,35 @@

KeylessAttestor + + issuerRegExp + + * + +
+ + + + + string + + + + + + +

IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.

+ + + + + + + + + + + subject @@ -5465,6 +5494,35 @@

KeylessAttestor + + subjectRegExp + + * + +
+ + + + + string + + + + + + +

SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.

+ + + + + + + + + + + roots diff --git a/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go b/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go index 9604052ca0ac..f3861678fa6e 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go +++ b/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go @@ -24,7 +24,9 @@ type KeylessAttestorApplyConfiguration struct { Rekor *RekorApplyConfiguration `json:"rekor,omitempty"` CTLog *CTLogApplyConfiguration `json:"ctlog,omitempty"` Issuer *string `json:"issuer,omitempty"` + IssuerRegExp *string `json:"issuerRegExp,omitempty"` Subject *string `json:"subject,omitempty"` + SubjectRegExp *string `json:"subjectRegExp,omitempty"` Roots *string `json:"roots,omitempty"` AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty"` } @@ -59,6 +61,14 @@ func (b *KeylessAttestorApplyConfiguration) WithIssuer(value string) *KeylessAtt return b } +// WithIssuerRegExp sets the IssuerRegExp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the IssuerRegExp field is set to the value of the last call. +func (b *KeylessAttestorApplyConfiguration) WithIssuerRegExp(value string) *KeylessAttestorApplyConfiguration { + b.IssuerRegExp = &value + return b +} + // WithSubject sets the Subject field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Subject field is set to the value of the last call. @@ -67,6 +77,14 @@ func (b *KeylessAttestorApplyConfiguration) WithSubject(value string) *KeylessAt return b } +// WithSubjectRegExp sets the SubjectRegExp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SubjectRegExp field is set to the value of the last call. +func (b *KeylessAttestorApplyConfiguration) WithSubjectRegExp(value string) *KeylessAttestorApplyConfiguration { + b.SubjectRegExp = &value + return b +} + // WithRoots sets the Roots field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Roots field is set to the value of the last call. diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go index 3cf8c8d584b5..16ae87d3c855 100644 --- a/pkg/cosign/cosign.go +++ b/pkg/cosign/cosign.go @@ -8,6 +8,7 @@ import ( "encoding/base64" "encoding/json" "fmt" + "regexp" "strings" "github.com/google/go-containerregistry/pkg/name" @@ -74,7 +75,7 @@ func (v *cosignVerifier) VerifySignature(ctx context.Context, opts images.Option return nil, err } - if err := matchSignatures(signatures, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil { + if err := matchSignatures(signatures, opts.Subject, opts.SubjectRegExp, opts.Issuer, opts.IssuerRegExp, opts.AdditionalExtensions); err != nil { return nil, err } @@ -308,7 +309,7 @@ func (v *cosignVerifier) FetchAttestations(ctx context.Context, opts images.Opti continue } - if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil { + if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.SubjectRegExp, opts.Issuer, opts.IssuerRegExp, opts.AdditionalExtensions); err != nil { return nil, err } } @@ -500,7 +501,7 @@ func extractDigest(imgRef string, payload []payload.SimpleContainerImage) (strin return "", fmt.Errorf("digest not found for %s", imgRef) } -func matchSignatures(signatures []oci.Signature, subject, issuer string, extensions map[string]string) error { +func matchSignatures(signatures []oci.Signature, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error { if subject == "" && issuer == "" && len(extensions) == 0 { return nil } @@ -516,7 +517,7 @@ func matchSignatures(signatures []oci.Signature, subject, issuer string, extensi return fmt.Errorf("certificate not found") } - if err := matchCertificateData(cert, subject, issuer, extensions); err != nil { + if err := matchCertificateData(cert, subject, subjectRegExp, issuer, issuerRegExp, extensions); err != nil { errs = append(errs, err) } else { // only one signature certificate needs to match the required subject, issuer, and extensions @@ -532,31 +533,66 @@ func matchSignatures(signatures []oci.Signature, subject, issuer string, extensi return fmt.Errorf("invalid signature") } -func matchCertificateData(cert *x509.Certificate, subject, issuer string, extensions map[string]string) error { - if subject != "" { - s := "" +func matchCertificateData(cert *x509.Certificate, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error { + if subject != "" || subjectRegExp != "" { if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 { - s = sans[0] - } - if !wildcard.Match(subject, s) { - return fmt.Errorf("subject mismatch: expected %s, received %s", subject, s) + subjectMatched := false + if subject != "" { + for _, s := range sans { + if wildcard.Match(subject, s) { + subjectMatched = true + break + } + } + } + if subjectRegExp != "" { + regex, err := regexp.Compile(subjectRegExp) + if err != nil { + return fmt.Errorf("invalid regexp for subject: %s : %w", subjectRegExp, err) + } + for _, s := range sans { + if regex.MatchString(s) { + subjectMatched = true + break + } + } + } + + if !subjectMatched { + sub := "" + if subject != "" { + sub = subject + } else if subjectRegExp != "" { + sub = subjectRegExp + } + return fmt.Errorf("subject mismatch: expected %s, received %s", sub, strings.Join(sans, ", ")) + } } } - if err := matchExtensions(cert, issuer, extensions); err != nil { + if err := matchExtensions(cert, issuer, issuerRegExp, extensions); err != nil { return err } return nil } -func matchExtensions(cert *x509.Certificate, issuer string, extensions map[string]string) error { +func matchExtensions(cert *x509.Certificate, issuer, issuerRegExp string, extensions map[string]string) error { ce := cosign.CertExtensions{Cert: cert} - if issuer != "" { + if issuer != "" || issuerRegExp != "" { val := ce.GetIssuer() - if !wildcard.Match(issuer, val) { - return fmt.Errorf("issuer mismatch: expected %s, received %s", issuer, val) + if issuer != "" { + if !wildcard.Match(issuer, val) { + return fmt.Errorf("issuer mismatch: expected %s, received %s", issuer, val) + } + } + if issuerRegExp != "" { + if regex, err := regexp.Compile(issuerRegExp); err != nil { + return fmt.Errorf("invalid regexp for issuer: %s : %w", issuerRegExp, err) + } else if !regex.MatchString(val) { + return fmt.Errorf("issuer mismatch: expected %s, received %s", issuerRegExp, val) + } } } diff --git a/pkg/cosign/cosign_test.go b/pkg/cosign/cosign_test.go index 053bbac018d6..d102ecac5095 100644 --- a/pkg/cosign/cosign_test.go +++ b/pkg/cosign/cosign_test.go @@ -227,7 +227,10 @@ func TestCosignMatchCertificateData(t *testing.T) { assert.NilError(t, err) subject1 := "https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/*" + subject1RegExp := `https://github\.com/JimBugwadia/demo-java-tomcat/.+` issuer1 := "https://token.actions.githubusercontent.com" + issuer1RegExp := `https://token\.actions\..+` + extensions := map[string]string{ "githubWorkflowTrigger": "push", "githubWorkflowSha": "c7645284fa7aebe554618eee879b4d6947f8564e", @@ -235,20 +238,41 @@ func TestCosignMatchCertificateData(t *testing.T) { "githubWorkflowRepository": "JimBugwadia/demo-java-tomcat", } - matchErr := matchCertificateData(cert1, subject1, issuer1, extensions) + matchErr := matchCertificateData(cert1, subject1, "", issuer1, "", extensions) + assert.NilError(t, matchErr) + + matchErr = matchCertificateData(cert1, "", "", issuer1, "", extensions) + assert.NilError(t, matchErr) + + matchErr = matchCertificateData(cert1, subject1, "", issuer1, "", nil) + assert.NilError(t, matchErr) + + matchErr = matchCertificateData(cert1, "", subject1RegExp, "", issuer1RegExp, nil) assert.NilError(t, matchErr) - matchErr = matchCertificateData(cert1, "", issuer1, extensions) + matchErr = matchCertificateData(cert1, "", "", "", issuer1RegExp, nil) assert.NilError(t, matchErr) - matchErr = matchCertificateData(cert1, subject1, issuer1, nil) + matchErr = matchCertificateData(cert1, subject1, subject1RegExp, issuer1, issuer1RegExp, nil) assert.NilError(t, matchErr) - matchErr = matchCertificateData(cert1, "wrong-subject", issuer1, extensions) + matchErr = matchCertificateData(cert1, "", `^wrong-regex$`, issuer1, issuer1RegExp, nil) + assert.Error(t, matchErr, "subject mismatch: expected ^wrong-regex$, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22") + + matchErr = matchCertificateData(cert1, "", "", "", `^wrong-regex$`, nil) + assert.Error(t, matchErr, "issuer mismatch: expected ^wrong-regex$, received https://token.actions.githubusercontent.com") + + matchErr = matchCertificateData(cert1, "wrong-subject", "", issuer1, "", extensions) assert.Error(t, matchErr, "subject mismatch: expected wrong-subject, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22") + matchErr = matchCertificateData(cert1, "", "*", "", issuer1RegExp, nil) + assert.Error(t, matchErr, "invalid regexp for subject: * : error parsing regexp: missing argument to repetition operator: `*`") + + matchErr = matchCertificateData(cert1, "", subject1RegExp, "", "?", nil) + assert.Error(t, matchErr, "invalid regexp for issuer: ? : error parsing regexp: missing argument to repetition operator: `?`") + extensions["githubWorkflowTrigger"] = "pull" - matchErr = matchCertificateData(cert1, subject1, issuer1, extensions) + matchErr = matchCertificateData(cert1, subject1, "", issuer1, "", extensions) assert.Error(t, matchErr, "extension mismatch: expected pull for key githubWorkflowTrigger, received push") } @@ -431,17 +455,28 @@ func TestCosignMatchSignatures(t *testing.T) { } subject2 := "*@nirmata.com" + subject2RegExp := `.+@nirmata\.com` issuer2 := "https://github.com/login/oauth" + issuer2RegExp := `https://github\.com/login/.+` + + matchErr := matchSignatures(sigs, subject1, "", issuer1, "", extensions) + assert.NilError(t, matchErr) + + matchErr = matchSignatures(sigs, subject2, "", issuer2, "", nil) + assert.NilError(t, matchErr) - matchErr := matchSignatures(sigs, subject1, issuer1, extensions) + matchErr = matchSignatures(sigs, "", subject2RegExp, issuer2, "", nil) assert.NilError(t, matchErr) - matchErr = matchSignatures(sigs, subject2, issuer2, nil) + matchErr = matchSignatures(sigs, "", "", "", issuer2RegExp, nil) assert.NilError(t, matchErr) - matchErr = matchSignatures(sigs, subject2, issuer1, nil) + matchErr = matchSignatures(sigs, subject2, "", issuer1, "", nil) assert.Error(t, matchErr, "subject mismatch: expected *@nirmata.com, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22; issuer mismatch: expected https://token.actions.githubusercontent.com, received https://github.com/login/oauth") - matchErr = matchSignatures(sigs, subject2, issuer2, extensions) + matchErr = matchSignatures(sigs, "", subject2RegExp, issuer1, "", nil) + assert.Error(t, matchErr, `subject mismatch: expected .+@nirmata\.com, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22; issuer mismatch: expected https://token.actions.githubusercontent.com, received https://github.com/login/oauth`) + + matchErr = matchSignatures(sigs, subject2, "", issuer2, "", extensions) assert.ErrorContains(t, matchErr, "extension mismatch") } diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go index c3d6c908bc0d..d248c47b0b4f 100644 --- a/pkg/engine/internal/imageverifier.go +++ b/pkg/engine/internal/imageverifier.go @@ -639,7 +639,9 @@ func (iv *ImageVerifier) buildCosignVerifier( opts.Roots = attestor.Keyless.Roots opts.Issuer = attestor.Keyless.Issuer + opts.IssuerRegExp = attestor.Keyless.IssuerRegExp opts.Subject = attestor.Keyless.Subject + opts.SubjectRegExp = attestor.Keyless.SubjectRegExp opts.AdditionalExtensions = attestor.Keyless.AdditionalExtensions } diff --git a/pkg/images/verifier.go b/pkg/images/verifier.go index 5deead8097f1..13e8f6421ff5 100644 --- a/pkg/images/verifier.go +++ b/pkg/images/verifier.go @@ -29,7 +29,9 @@ type Options struct { CertChain string Roots string Subject string + SubjectRegExp string Issuer string + IssuerRegExp string AdditionalExtensions map[string]string Annotations map[string]string Repository string diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md new file mode 100644 index 000000000000..5c342638ffad --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md @@ -0,0 +1,8 @@ +## Description + +Verify image attestations with regexp subject + +## Expected Behavior + +The pod creation should pass. + diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml new file mode 100644 index 000000000000..29271af436b1 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: keyless-attestation-invalid-attestor +spec: + timeouts: + delete: 2m + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: pod.yaml + - assert: + file: pod-assert.yaml \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml new file mode 100644 index 000000000000..e47387521843 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: zulu + namespace: default diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml new file mode 100644 index 000000000000..921f8ee74797 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: zulu + namespace: default +spec: + containers: + - image: ghcr.io/chipzoller/zulu:v0.0.14 + name: zulu diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml new file mode 100644 index 000000000000..0556cd0c33b3 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-invalid-attestors-in-attestations + annotations: + pod-policies.kyverno.io/autogen-controllers: none diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml new file mode 100644 index 000000000000..93e3c7b91235 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml @@ -0,0 +1,33 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-invalid-attestors-in-attestations + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + webhookTimeoutSeconds: 30 + background: false + rules: + - name: check-invalid-attestation-attestor + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - validationFailureAction: Enforce + imageReferences: + - "ghcr.io/chipzoller/zulu*" + attestations: + - type: https://slsa.dev/provenance/v0.2 + attestors: + - count: 1 + entries: + - keyless: + subjectRegExp: https://github\.com/slsa-framework/slsa-github-generator/\.github/workflows/generator_container_slsa3\.yml@.+ + issuerRegExp: https://token\.actions\.githubusercontent.+ + rekor: + url: https://rekor.sigstore.dev + ctlog: + ignoreSCT: true