Fix #1592 move authorities as siblings of images. (#1593)
Signed-off-by: Ville Aikas <[email protected]>
vaikas authored Mar 11, 2022
1 parent c0f8e37 commit 0d7bace
Showing 21 changed files with 280 additions and 297 deletions.
132 changes: 66 additions & 66 deletions config/300-clusterimagepolicy.yaml
Expand Up @@ -39,80 +39,80 @@ spec:
description: Spec holds the desired state of the ClusterImagePolicy (from the client).
type: object
properties:
images:
authorities:
type: array
items:
type: object
properties:
authorities:
type: array
items:
type: object
properties:
ctlog:
type: object
required:
- url
properties:
url:
type: string
key:
ctlog:
type: object
required:
- url
properties:
url:
type: string
key:
type: object
properties:
data:
description: Data contains the inline public key
type: string
kms:
description: KMS contains the KMS url of the public key
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
keyless:
type: object
properties:
ca-key:
type: object
properties:
data:
description: Data contains the inline public key
type: string
kms:
description: KMS contains the KMS url of the public key
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
identities:
type: array
items:
type: object
properties:
data:
description: Data contains the inline public key
issuer:
type: string
kms:
description: KMS contains the KMS url of the public key
subject:
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
keyless:
type: object
properties:
ca-key:
type: object
properties:
data:
description: Data contains the inline public key
type: string
kms:
description: KMS contains the KMS url of the public key
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
identities:
type: array
items:
type: object
properties:
issuer:
type: string
subject:
type: string
url:
type: string
source:
type: array
items:
type: object
properties:
oci:
type: string
url:
type: string
source:
type: array
items:
type: object
properties:
oci:
type: string
images:
type: array
items:
type: object
properties:
glob:
type: string
regex:
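Review bot: Neither the new top-level `authorities` array nor the `images` array in this hunk carries `minItems: 1`, while the Go validation added in the same commit (`ClusterImagePolicySpec.Validate`) rejects an empty list for both. Adding `minItems: 1` directly under each of those two `type: array` lines keeps the structural schema enforced by the API server in step with the webhook, so a policy that names no authority is rejected at the CRD level as well. Whether `spec` has a `required:` list naming `images` and `authorities` cannot be seen here, as that part of the schema lies outside the hunk.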
3 changes: 1 addition & 2 deletions config/config-image-policies.yaml
Expand Up @@ -25,5 +25,4 @@ data:
# EXAMPLE CONFIGURATION #
# #
################################
cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\",\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}]}"
cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"
2 changes: 1 addition & 1 deletion pkg/apis/config/image_policies.go
Expand Up @@ -95,7 +95,7 @@ func (p *ImagePolicyConfig) GetAuthorities(image string) ([]v1alpha1.Authority,
for _, v := range p.Policies {
for _, pattern := range v.Images {
if GlobMatch(image, pattern.Glob) {
ret = append(ret, pattern.Authorities...)
ret = append(ret, v.Authorities...)
}
}
}
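Review bot: With authorities now attached to the policy rather than to the pattern, the inner loop appends `v.Authorities` once per matching pattern, so a policy whose `images` list contains two globs that both match the image returns the same authorities twice. Adding `break` immediately after `ret = append(ret, v.Authorities...)` makes each policy contribute its authorities at most once, which is what the new data model implies. Duplicates at least cause redundant verification per authority; I cannot see from this hunk whether any caller also counts the returned entries, which would be skewed. Only `pattern.Glob` is consulted here, so a pattern given as `regex` does not select an image, but that behaviour predates this commit. GetAuthorities starts and ends outside the hunk.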
48 changes: 24 additions & 24 deletions pkg/apis/config/testdata/config-image-policies.yaml
Expand Up @@ -30,37 +30,37 @@ data:
cluster-image-policy-0: |
images:
- glob: rando
authorities:
- key:
data: inlinedata here
- key:
kms: whatevs
authorities:
- key:
data: inlinedata here
- key:
kms: whatevs
cluster-image-policy-1: |
images:
- glob: randomstuff*
authorities:
- key:
data: otherinline here
authorities:
- key:
data: otherinline here
cluster-image-policy-2: |
images:
- glob: rando3
authorities:
- keyless:
ca-key:
data: cakey chilling here
url: http://keylessurl.here
identities:
- issuer: issuer
subject: subject
authorities:
- keyless:
ca-key:
data: cakey chilling here
url: http://keylessurl.here
identities:
- issuer: issuer
subject: subject
cluster-image-policy-3: |
images:
- glob: inlinecert
authorities:
- key:
data: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J
RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
-----END PUBLIC KEY-----
cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\",\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}]}"
authorities:
- key:
data: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J
RCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==
-----END PUBLIC KEY-----
cluster-image-policy-json: "{\"images\":[{\"glob\":\"ghcr.io/example/*\",\"regex\":\"\"}],\"authorities\":[{\"key\":{\"data\":\"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExB6+H6054/W1SJgs5JR6AJr6J35J\\nRCTfQ5s1kD+hGMSE1rH7s46hmXEeyhnlRnaGF8eMU/SBJE/2NKPnxE7WzQ==\\n-----END PUBLIC KEY-----\"}}]}"
8 changes: 4 additions & 4 deletions pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
Expand Up @@ -52,16 +52,16 @@ func (*ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind {

// ClusterImagePolicySpec defines a list of images that should be verified
type ClusterImagePolicySpec struct {
Images []ImagePattern `json:"images"`
Images []ImagePattern `json:"images"`
Authorities []Authority `json:"authorities"`
}

// ImagePattern defines a pattern and its associated authorties
// If multiple patterns match a particular image, then ALL of
// those authorities must be satisfied for the image to be admitted.
type ImagePattern struct {
Glob string `json:"glob"`
Regex string `json:"regex"`
Authorities []Authority `json:"authorities"`
Glob string `json:"glob"`
Regex string `json:"regex"`
}

// The authorities block defines the rules for discovering and
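Review bot: The doc comment on `ImagePattern` (the lines `defines a pattern and its associated authorties` and `ALL of those authorities must be satisfied`) is now stale: this commit removes `Authorities` from the struct, so the comment describes a field that no longer exists, and it misspells "authorities". I would replace it with `// ImagePattern defines a glob or regex selecting the images this policy applies to.` and move the admission rule up to the spec, e.g. `// ClusterImagePolicySpec defines the image patterns covered by this policy and the authorities that must be satisfied for a matching image to be admitted.` Whether every listed authority must pass or any one suffices is decided by code outside this hunk, so the spec comment should state whichever the verifier actually implements.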
18 changes: 10 additions & 8 deletions pkg/apis/cosigned/v1alpha1/clusterimagepolicy_validation.go
Expand Up @@ -27,8 +27,17 @@ func (policy *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldError
}

func (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (errors *apis.FieldError) {
if len(spec.Images) == 0 {
errors = errors.Also(apis.ErrGeneric("At least one image should be defined").ViaField("images"))
}
for i, image := range spec.Images {
errors = errors.Also(image.Validate(ctx)).ViaFieldIndex("images", i)
errors = errors.Also(image.Validate(ctx).ViaFieldIndex("images", i))
}
if len(spec.Authorities) == 0 {
errors = errors.Also(apis.ErrGeneric("At least one authority should be defined").ViaField("authorities"))
}
for i, authority := range spec.Authorities {
errors = errors.Also(authority.Validate(ctx).ViaFieldIndex("authorities", i))
}
return
}
Expand All @@ -51,13 +60,6 @@ func (image *ImagePattern) Validate(ctx context.Context) *apis.FieldError {
errs = errs.Also(apis.ErrDisallowedFields("regex"))
}

if len(image.Authorities) == 0 {
errs = errs.Also(apis.ErrGeneric("At least one authority should be defined").ViaField("authorities"))
}
for i := range image.Authorities {
errs = errs.Also(image.Authorities[i].Validate(ctx).ViaFieldIndex("authorities", i))
}

return errs
}
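Review bot: The new loop `for i, authority := range spec.Authorities` copies each `Authority` value per iteration and then calls `Validate` on the copy, whereas the code this commit removes in the second hunk validated in place (`image.Authorities[i].Validate(ctx)`). Keeping that form, `for i := range spec.Authorities { errors = errors.Also(spec.Authorities[i].Validate(ctx).ViaFieldIndex("authorities", i)) }`, avoids the copy and stays consistent with the earlier style; the `images` loop just above has the same shape and could be written the same way. If `Authority` carries inline key material the copy is small in practice, so this is mainly a point of consistency rather than correctness.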
