Merge branch 'main' into image-build

nirmata · Jul 24, 2023 · aed3a09 · aed3a09
2 parents 89ec821 + c394e43
commit aed3a09
Show file tree

Hide file tree

Showing 8 changed files with 196 additions and 579 deletions.
diff --git a/auth.go b/auth.go
@@ -11,9 +11,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 	"github.com/google/go-containerregistry/pkg/authn"
-	kauth "github.com/google/go-containerregistry/pkg/authn/kubernetes"
 	"github.com/pkg/errors"
-	corev1 "k8s.io/api/core/v1"
 	"oras.land/oras-go/v2/registry"
 )
 
@@ -23,22 +21,6 @@ const (
 
 var ecrPattern = regexp.MustCompile(`(^[a-zA-Z0-9][a-zA-Z0-9-_]*)\.dkr\.ecr(-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.amazonaws\.com(\.cn)?$`)
 
-func (v *verifier) getAuthConfig(ctx context.Context, ref registry.Reference) (authn.AuthConfig, error) {
-	if v.imagePullSecrets != "" {
-		return v.getAuthFromSecret(ctx, ref)
-	}
-
-	ecrRegion, err := getRegion(ref.Registry)
-	if err == nil {
-		v.logger.Infof("using region: %s", ecrRegion)
-	} else {
-		ecrRegion = os.Getenv("AWS_REGION")
-		v.logger.Infof("using default region '%s': %v", ecrRegion, err)
-	}
-
-	return v.getAuthFromIRSA(ctx, ecrRegion)
-}
-
 func getRegion(registry string) (string, error) {
 	if registry == ecrPublicName {
 		return "", nil
@@ -54,7 +36,12 @@ func getRegion(registry string) (string, error) {
 	return ecrRegion, nil
 }
 
-func (v *verifier) getAuthFromIRSA(ctx context.Context, awsEcrRegion string) (authn.AuthConfig, error) {
+func getAuthFromIRSA(ctx context.Context, ref registry.Reference) (authn.AuthConfig, error) {
+	awsEcrRegion, err := getRegion(ref.Registry)
+	if err != nil {
+		awsEcrRegion = os.Getenv("AWS_REGION")
+	}
+
 	var authConfig authn.AuthConfig
 	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(awsEcrRegion))
 	if err != nil {
@@ -92,49 +79,3 @@ func (v *verifier) getAuthFromIRSA(ctx context.Context, awsEcrRegion string) (au
 
 	return authConfig, nil
 }
-
-func (v *verifier) getAuthFromSecret(ctx context.Context, ref registry.Reference) (authn.AuthConfig, error) {
-	if v.imagePullSecrets == "" {
-		return authn.AuthConfig{}, errors.Errorf("secret not configured")
-	}
-
-	v.logger.Infof("fetching credentials from secret %s...", v.imagePullSecrets)
-	var secrets []corev1.Secret
-	for _, imagePullSecret := range strings.Split(v.imagePullSecrets, ",") {
-		secret, err := v.secretLister.Get(imagePullSecret)
-		if err != nil {
-			return authn.AuthConfig{}, err
-		}
-
-		secrets = append(secrets, *secret)
-	}
-
-	keychain, err := kauth.NewFromPullSecrets(ctx, secrets)
-	if err != nil {
-		return authn.AuthConfig{}, err
-	}
-
-	authenticator, err := keychain.Resolve(&imageResource{ref})
-	if err != nil {
-		return authn.AuthConfig{}, err
-	}
-
-	authConfig, err := authenticator.Authorization()
-	if err != nil {
-		return authn.AuthConfig{}, errors.Wrapf(err, "failed to get auth config for %s", ref.String())
-	}
-
-	return *authConfig, nil
-}
-
-type imageResource struct {
-	ref registry.Reference
-}
-
-func (ir *imageResource) String() string {
-	return ir.ref.String()
-}
-
-func (ir *imageResource) RegistryStr() string {
-	return ir.ref.Registry
-}
diff --git a/configs/samples/kyverno-policy.yaml b/configs/samples/kyverno-policy.yaml
@@ -5,6 +5,7 @@ metadata:
 spec:
   validationFailureAction: Enforce
   webhookTimeoutSeconds: 30
+  schemaValidation: false
   rules:
   - name: call-aws-signer-extension
     match:
@@ -15,12 +16,12 @@ spec:
           kinds:
           - Pod
     context:
-    - name: result
+    - name: response
       apiCall:
         method: POST
         data:
         - key: images
-          value: "{{ request.object.spec.[ephemeralContainers, initContainers, containers][].image }}"
+          value: "{{images}}"
         service:
           url: https://svc.kyverno-notation-aws/checkimages
           caBundle: |-
@@ -51,10 +52,17 @@ spec:
             Ufv4SgD7neECIHLb+BDvRFPJ77FpfIYxBO70AHB7Kp0nWKCqyv3FK4aT
             -----END CERTIFICATE-----
     validate:
-      message: "not allowed"
+      message: "{{ response.message }}"
       deny:
         conditions:
           all:
-          - key: "{{ result.verified }}"
+          - key: "{{ response.verified }}"
             operator: EQUALS
-            value: false
+            value: false
+    # mutate:
+    #   foreach:
+    #   - list: "response.results"
+    #     patchesJson6902: |-
+    #         - path: {{ element.path }}
+    #           op: replace
+    #           value: {{ element.image }}
diff --git a/go.mod b/go.mod
@@ -5,23 +5,19 @@ go 1.19
 require (
 	github.com/aws/aws-sdk-go-v2/config v1.18.21
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.18.7
-	github.com/cenkalti/backoff/v4 v4.2.0
 	github.com/google/go-containerregistry v0.14.0
-	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230403180904-b8d1c0a1df12
+	github.com/nirmata/kyverno-notation-verifier v0.3.3
 	github.com/notaryproject/notation-core-go v1.0.0-rc.4
-	github.com/notaryproject/notation-go v1.0.0-rc.6
-	github.com/opencontainers/image-spec v1.1.0-rc2
 	github.com/pkg/errors v0.9.1
-	go.uber.org/multierr v1.11.0
 	go.uber.org/zap v1.24.0
-	k8s.io/api v0.26.3
-	k8s.io/client-go v0.26.3
+	gotest.tools v2.2.0+incompatible
 	oras.land/oras-go/v2 v2.2.0
-	sigs.k8s.io/controller-runtime v0.14.6
 )
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/IGLOU-EU/go-wildcard v1.0.3 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.17.8 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.20 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.2 // indirect
@@ -33,11 +29,13 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.8 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.18.9 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
-	github.com/benbjohnson/clock v1.3.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/distribution/distribution v2.8.1+incompatible // indirect
 	github.com/docker/cli v23.0.2+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker v23.0.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
@@ -46,67 +44,85 @@ require (
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.4 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-logr/zapr v1.2.4 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/btree v1.1.2 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230403180904-b8d1c0a1df12 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kyverno/kyverno v1.10.0 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/onsi/ginkgo/v2 v2.9.2 // indirect
-	github.com/onsi/gomega v1.27.6 // indirect
+	github.com/notaryproject/notation-go v1.0.0-rc.6 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.15.0 // indirect
-	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/common v0.42.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
-	github.com/rogpeppe/go-internal v1.9.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/prometheus/client_golang v1.16.0 // indirect
+	github.com/prometheus/client_model v0.4.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.11.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/spf13/cobra v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/testify v1.8.2 // indirect
 	github.com/veraison/go-cose v1.1.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
-	go.uber.org/goleak v1.2.1 // indirect
-	golang.org/x/crypto v0.9.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/crypto v0.10.0 // indirect
+	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
 	golang.org/x/mod v0.10.0 // indirect
-	golang.org/x/net v0.10.0 // indirect
-	golang.org/x/oauth2 v0.7.0 // indirect
+	golang.org/x/net v0.11.0 // indirect
+	golang.org/x/oauth2 v0.9.0 // indirect
 	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.8.0 // indirect
-	golang.org/x/term v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/sys v0.9.0 // indirect
+	golang.org/x/term v0.9.0 // indirect
+	golang.org/x/text v0.10.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gotest.tools v2.2.0+incompatible // indirect
-	k8s.io/apiextensions-apiserver v0.26.3 // indirect
-	k8s.io/apimachinery v0.26.3 // indirect
-	k8s.io/component-base v0.26.3 // indirect
-	k8s.io/klog/v2 v2.90.1 // indirect
+	k8s.io/api v0.27.1 // indirect
+	k8s.io/apiextensions-apiserver v0.27.1 // indirect
+	k8s.io/apimachinery v0.27.1 // indirect
+	k8s.io/cli-runtime v0.27.1 // indirect
+	k8s.io/client-go v0.27.1 // indirect
+	k8s.io/component-base v0.27.1 // indirect
+	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230327201221-f5883ff37f0c // indirect
-	k8s.io/utils v0.0.0-20230313181309-38a27ef9d749 // indirect
+	k8s.io/utils v0.0.0-20230505201702-9f6742963106 // indirect
+	sigs.k8s.io/controller-runtime v0.15.0-alpha.1 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/kustomize/api v0.13.2 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.14.1 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )