
fix: add rekor opts to cosign certificate verification and make rekor url optional #101

Merged
merged 1 commit into from
Mar 29, 2024

Conversation

vishal-chdhry

@vishal-chdhry vishal-chdhry commented Mar 29, 2024

Explanation

This PR

  1. Adds rekor opts to cosign certificate verification.
  2. Makes the rekor URL optional.

Related issue

Milestone of this PR

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

What type of PR is this

Proposed Changes

Proof Manifests

Policy

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-venafi-key
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail
  rules:
    - name: check-image-venafi-key
      match:
        resources:
          kinds:
            - Pod
      verifyImages:
        - imageReferences:
          - "*"
          attestors:
            - count: 1
              entries:
                - certificates:
                    cert: |-
                      -----BEGIN CERTIFICATE-----
                      MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
                      BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
                      Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
                      MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
                      dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
                      DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
                      b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
                      hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
                      Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
                      Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
                      ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
                      A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
                      CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
                      kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
                      Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
                      ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
                      5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
                      uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
                      -----END CERTIFICATE-----
                    rekor:
                      ignoreTlog: true
                    ctlog:
                      ignoreSCT: true
                - certificates:
                    cert: |-
                      -----BEGIN CERTIFICATE-----
                      MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
                      BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
                      Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
                      MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
                      dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
                      DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
                      b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
                      hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
                      Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
                      Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
                      ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
                      A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
                      CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
                      kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
                      Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
                      ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
                      5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
                      uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
                      -----END CERTIFICATE-----
                    rekor:
                      ignoreTlog: false
                    ctlog:
                      ignoreSCT: false

ignoreTlog and ignoreSCT are set correctly according to the policy; scroll to the end of the output.

$ kubectl logs -n kyverno deploy/kyverno-admission-controller | grep "cosign verifier built"
Defaulted container "kyverno" out of: kyverno, kyverno-pre (init)
2024-03-28T15:08:41Z    LEVEL(-4)       engine.verify   internal/imageverifier.go:652   cosign verifier built{"policy.name": "check-image-venafi-key", "policy.namespace": "", "policy.apply": "All", "new.kind": "Pod", "new.namespace": "default", "new.name": "test", "rule.name": "check-image-venafi-key", "ignoreTlog": true, "ignoreSCT": true}
2024-03-28T15:08:42Z    LEVEL(-4)       engine.verify   internal/imageverifier.go:652   cosign verifier built{"policy.name": "check-image-venafi-key", "policy.namespace": "", "policy.apply": "All", "new.kind": "Pod", "new.namespace": "default", "new.name": "test", "rule.name": "check-image-venafi-key", "ignoreTlog": false, "ignoreSCT": false}

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.

Further Comments
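The PR description covers two behaviours: the rekor/ctlog options of a certificate attestor entry are passed through to the cosign verifier, and a rekor URL is no longer mandatory. The following Go program is an added example, not code from this PR or from Kyverno, that models both with constructed types: it derives verifier options from an entry (assuming an optional per-entry rekor URL and, as an assumption, the public Sigstore instance as the fallback when the transparency log is consulted and no URL is set), and it parses "cosign verifier built" log lines of the shape shown above to confirm the controller applied the flags the policy asked for. Type names, DefaultRekorURL and the sample log lines are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed types mirroring the rekor/ctlog keys used in the proof policy;
// these are illustrative, not Kyverno's own API types.
type RekorOpts struct {
	URL        string `json:"url,omitempty"` // assumption: optional per-entry rekor URL
	IgnoreTlog bool   `json:"ignoreTlog"`
}

type CTLogOpts struct {
	IgnoreSCT bool `json:"ignoreSCT"`
}

type CertEntry struct {
	Rekor RekorOpts `json:"rekor"`
	CTLog CTLogOpts `json:"ctlog"`
}

// VerifyOpts is the subset of cosign-style check options relevant here.
type VerifyOpts struct {
	IgnoreTlog bool
	IgnoreSCT  bool
	RekorURL   string
}

// Assumption: the public Sigstore Rekor instance is used when no URL is configured.
const DefaultRekorURL = "https://rekor.sigstore.dev"

// BuildVerifyOpts derives the verifier options for one attestor entry. The
// rekor URL is optional: it is only needed when the transparency log is
// consulted (ignoreTlog: false), and then an empty value falls back to the default.
func BuildVerifyOpts(e CertEntry) VerifyOpts {
	o := VerifyOpts{
		IgnoreTlog: e.Rekor.IgnoreTlog,
		IgnoreSCT:  e.CTLog.IgnoreSCT,
		RekorURL:   e.Rekor.URL,
	}
	if !o.IgnoreTlog && o.RekorURL == "" {
		o.RekorURL = DefaultRekorURL
	}
	return o
}

// ParseVerifierLog extracts the JSON payload from a "cosign verifier built"
// log line and returns the flags the controller actually applied.
func ParseVerifierLog(line string) (VerifyOpts, error) {
	i := strings.Index(line, "cosign verifier built")
	if i < 0 {
		return VerifyOpts{}, errors.New("not a 'cosign verifier built' log line")
	}
	j := strings.Index(line[i:], "{")
	if j < 0 {
		return VerifyOpts{}, errors.New("log line has no JSON payload")
	}
	var fields struct {
		IgnoreTlog bool `json:"ignoreTlog"`
		IgnoreSCT  bool `json:"ignoreSCT"`
	}
	if err := json.Unmarshal([]byte(line[i+j:]), &fields); err != nil {
		return VerifyOpts{}, err
	}
	return VerifyOpts{IgnoreTlog: fields.IgnoreTlog, IgnoreSCT: fields.IgnoreSCT}, nil
}

// FlagsMatch reports whether the verifier logged by the controller used the
// same transparency-log and SCT settings the policy entry requested.
func FlagsMatch(policy CertEntry, line string) (bool, error) {
	want := BuildVerifyOpts(policy)
	got, err := ParseVerifierLog(line)
	if err != nil {
		return false, err
	}
	return want.IgnoreTlog == got.IgnoreTlog && want.IgnoreSCT == got.IgnoreSCT, nil
}

func main() {
	// The two attestor entries from the proof policy above (certificate bodies omitted).
	entries := []CertEntry{
		{Rekor: RekorOpts{IgnoreTlog: true}, CTLog: CTLogOpts{IgnoreSCT: true}},
		{Rekor: RekorOpts{IgnoreTlog: false}, CTLog: CTLogOpts{IgnoreSCT: false}},
	}
	// Sample log lines with the same fields as the kubectl output above (constructed).
	logs := []string{
		`2024-03-28T15:08:41Z LEVEL(-4) engine.verify internal/imageverifier.go:652 cosign verifier built{"policy.name": "check-image-venafi-key", "rule.name": "check-image-venafi-key", "ignoreTlog": true, "ignoreSCT": true}`,
		`2024-03-28T15:08:42Z LEVEL(-4) engine.verify internal/imageverifier.go:652 cosign verifier built{"policy.name": "check-image-venafi-key", "rule.name": "check-image-venafi-key", "ignoreTlog": false, "ignoreSCT": false}`,
	}
	for i, e := range entries {
		ok, err := FlagsMatch(e, logs[i])
		fmt.Printf("entry %d: %+v matches log: %v (err=%v)\n", i, BuildVerifyOpts(e), ok, err)
	}
}
```

The check in FlagsMatch is the same one the proof output above performs by eye: an entry with ignoreTlog: false must produce a verifier that actually consults the log, and it now does so with a default URL instead of failing when none is configured.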

@vishal-chdhry vishal-chdhry changed the title fix: add rekor opts to cosign certificate verification and make rekor… fix: add rekor opts to cosign certificate verification and make rekor url optional Mar 29, 2024
@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 33.49%. Comparing base (e975ae9) to head (a7abc09).

@@                Coverage Diff                @@
##           release-1.11-n4k     #101   +/-   ##
=================================================
  Coverage             33.49%   33.49%           
=================================================
  Files                   313      313           
  Lines                 25455    25455           
=================================================
  Hits                   8525     8525           
  Misses                16116    16116           
  Partials                814      814           


@pns-nirmata pns-nirmata merged commit fac8cb1 into release-1.11-n4k Mar 29, 2024
117 of 123 checks passed
@anushkamittal2001 anushkamittal2001 deleted the cosign-cert-ts-fix branch August 27, 2024 09:27