feat: update policy definition

Signed-off-by: Vishal Choudhary <[email protected]>

pkg/policy/policy_types.go

@@ -1,16 +1,69 @@
 package policy
 
-import "fmt"
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
 
 var (
 	multipleAttestorError = fmt.Errorf("mutliple attestor cannot be added in the same entry")
 )
 
-// VerificationPolicies is a set of VerificationPolicy
-type VerificationPolicies []VerificationPolicy
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:storageversion
+
+// ImageVerificationPolicy defines rules to verify images used in matching resources
+type ImageVerificationPolicy struct {
+	metav1.TypeMeta `json:",inline" yaml:",inline"`
+
+	// Standard object's metadata.
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+
+	// ImageVerificationPolicy spec.
+	Spec ImageVerificationPolicySpec `json:"spec" yaml:"spec"`
+}
+
+type ImageVerificationPolicySpec struct {
+	Match          any                  `json:"match"`
+	ImageExtractor ImageExtractorConfig `json:"imageExtractor"`
+	Rules          VerificationRules    `json:"rules"`
+}
+
+type ImageExtractorConfig struct {
+	// Path is the path to the object containing the image field in a custom resource.
+	// It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+	// Wildcard keys are expanded in case of arrays or objects.
+	Path string `json:"path" yaml:"path"`
+	// Value is an optional name of the field within 'path' that points to the image URI.
+	// This is useful when a custom 'key' is also defined.
+	// +optional
+	Value string `json:"value,omitempty" yaml:"value,omitempty"`
+	// Name is the entry the image will be available under 'images.<name>' in the context.
+	// If this field is not defined, image entries will appear under 'images.custom'.
+	// +optional
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+	// Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
+	// Note - this field MUST be unique.
+	// +optional
+	Key string `json:"key,omitempty" yaml:"key,omitempty"`
+	// JMESPath is an optional JMESPath expression to apply to the image value.
+	// This is useful when the extracted image begins with a prefix like 'docker://'.
+	// The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+	// Note - Image digest mutation may not be used when applying a JMESPAth to an image.
+	// +optional
+	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
+}
+
+// VerificationRules is a set of VerificationPolicy
+type VerificationRules []VerificationRule
 
-// VerificationPolicy is a rule against which images are validated.
-type VerificationPolicy struct {
+// VerificationRule is a rule against which images are validated.
+type VerificationRule struct {
 	// ImageReferences is a list of matching image reference patterns. At least one pattern in the
 	// list must match the image for the rule to apply. Each image reference consists of a registry
 	// address, repository, image, and tag (defaults to latest). Wildcards ('*' and '?') are allowed.
@@ -72,7 +125,7 @@ type Attestation struct {
 	Type string `json:"type"`
 }
 
-func (v *VerificationPolicy) Validate() error {
+func (v *VerificationRule) Validate() error {
 	for _, v := range v.Cosign {
 		if v != nil {
 			attestorAlreadyExists := false