Add fields in policy CRD (#1540)
* Add fields in policy CRD

Signed-off-by: Kavitha Krishnan <[email protected]>

* [1417] Update policy type

Signed-off-by: Kavitha Krishnan <[email protected]>

* Fix lint errors; incorporate PR feedback

Signed-off-by: Kavitha Krishnan <[email protected]>
kkavitha authored Mar 3, 2022
1 parent 2abb3a9 commit 9b5f432
Showing 4 changed files with 354 additions and 26 deletions.
108 changes: 92 additions & 16 deletions config/300-clusterimagepolicy.yaml
Expand Up @@ -11,7 +11,6 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
Expand All @@ -23,21 +22,98 @@ spec:
plural: clusterimagepolicies
singular: clusterimagepolicy
categories:
- all
- sigstore
- all
- sigstore
shortNames:
- cip
- cip
scope: Cluster
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
# This is the output of:
# go run ./cmd/schema/ dump ClusterImagePolicy
type: object
properties:
spec:
description: Spec holds the desired state of the ClusterImagePolicy (from the client).
type: object
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
description: Spec holds the desired state of the ClusterImagePolicy (from the client).
type: object
properties:
images:
type: array
items:
type: object
properties:
authorities:
type: array
items:
type: object
properties:
ctlog:
type: object
required:
- url
properties:
url:
type: string
key:
type: object
properties:
data:
description: Data contains the inline public key
type: string
kms:
description: KMS contains the KMS url of the public key
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
keyless:
type: object
properties:
ca-key:
type: object
properties:
data:
description: Data contains the inline public key
type: string
kms:
description: KMS contains the KMS url of the public key
type: string
secretRef:
type: object
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
identities:
type: array
items:
type: object
properties:
issuer:
type: string
subject:
type: string
url:
type: string
source:
type: array
items:
type: object
properties:
oci:
type: string
glob:
type: string
regex:
type: string
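Review bot: The generated schema carries no `required` list anywhere except under `ctlog`, so a ClusterImagePolicy whose `spec` omits `images`, whose image entry has neither `glob` nor `regex`, or whose authority has neither `key` nor `keyless` passes API-server validation and is left entirely to the webhook's Validate. The KeyRef rule stated in the Go types (only one of `data`, `kms`, `secretRef`) is likewise not expressed here, and `ctlog.url` is required while `keyless.url` is not, although both are `*apis.URL` with `omitempty` in the types — worth checking which of the two the generator got right. Because hack/update-codegen.sh now regenerates this block from `cmd/schema dump`, these constraints belong on the Go types rather than in a hand edit of this file. The removed `# This is the output of: go run ./cmd/schema/ dump ClusterImagePolicy` comment should be restored above `openAPIV3Schema` so a reader knows the block is generated.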
6 changes: 6 additions & 0 deletions hack/update-codegen.sh
Expand Up @@ -56,6 +56,12 @@ ${KNATIVE_CODEGEN_PKG}/hack/generate-knative.sh "injection" \
"cosigned:v1alpha1" \
--go-header-file ${REPO_ROOT_DIR}/hack/boilerplate/boilerplate.go.txt

group "Update CRD Schema"

go run $(dirname $0)/../cmd/schema/ dump ClusterImagePolicy \
| yq eval-all --inplace 'select(fileIndex == 0).spec.versions[0].schema.openAPIV3Schema = select(fileIndex == 1) | select(fileIndex == 0)' \
$(dirname $0)/../config/300-clusterimagepolicy.yaml -

group "Update deps post-codegen"

# Make sure our dependencies are up-to-date
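Review bot: A failing `go run ... dump` still lets yq rewrite the CRD in place: the pipeline's status is yq's, and with empty stdin `select(fileIndex == 1)` evaluates to null, so `openAPIV3Schema` is silently replaced with null (assuming the script does not set `pipefail` above this hunk, which is not visible here). Capture the generator output first so a failure aborts before the file is touched: `schema=$(go run "$(dirname "$0")/../cmd/schema/" dump ClusterImagePolicy) || exit 1` followed by `printf '%s\n' "$schema" | yq eval-all --inplace '…' "$(dirname "$0")/../config/300-clusterimagepolicy.yaml" -`. The two `$(dirname $0)` expansions are also unquoted and break on a checkout path containing whitespace.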
91 changes: 82 additions & 9 deletions pkg/apis/cosigned/v1alpha1/clusterimagepolicy_types.go
Expand Up @@ -15,30 +15,31 @@
package v1alpha1

import (
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"knative.dev/pkg/apis"
"knative.dev/pkg/kmeta"
)

// ClusterImagePolicy defines...
// ClusterImagePolicy defines the images that go through verification
// and the authorities used for verification
//
// +genclient
// +genclient:nonNamespaced
// +genclient:noStatus
// +genreconciler:krshapedlogic=false

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type ClusterImagePolicy struct {
metav1.TypeMeta `json:",inline"`
// +optional
metav1.ObjectMeta `json:"metadata,omitempty"`
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata"`

// Spec holds the desired state of the ClusterImagePolicy (from the client).
// +optional
Spec ClusterImagePolicySpec `json:"spec,omitempty"`
Spec ClusterImagePolicySpec `json:"spec"`
}

var (
// Check that ClusterImagePolicy can be validated and defaulted.
_ apis.Validatable = (*ClusterImagePolicy)(nil)
_ apis.Defaultable = (*ClusterImagePolicy)(nil)
_ kmeta.OwnerRefable = (*ClusterImagePolicy)(nil)
Expand All @@ -49,9 +50,81 @@ func (*ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersionKind {
return SchemeGroupVersion.WithKind("ClusterImagePolicy")
}

// ClusterImagePolicySpec holds the desired state of the ClusterImagePolicy (from the client).
// ClusterImagePolicySpec defines a list of images that should be verified
type ClusterImagePolicySpec struct {
// TODO(#1417): Flesh out the specification from the API spec.
Images []ImagePattern `json:"images"`
}

// ImagePattern defines a pattern and its associated authorties
// If multiple patterns match a particular image, then ALL of
// those authorities must be satisfied for the image to be admitted.
type ImagePattern struct {
Glob string `json:"glob"`
Regex string `json:"regex"`
Authorities []Authority `json:"authorities"`
}

// The authorities block defines the rules for discovering and
// validating signatures. Signatures are
// cryptographically verified using one of the "key" or "keyless"
// fields.
// When multiple authorities are specified, any of them may be used
// to source the valid signature we are looking for to admit an
// image.

type Authority struct {
// +optional
Key *KeyRef `json:"key,omitempty"`
// +optional
Keyless *KeylessRef `json:"keyless,omitempty"`
// +optional
Sources []Source `json:"source,omitempty"`
// +optional
CTLog *TLog `json:"ctlog,omitempty"`
}

// This references a public verification key stored in
// a secret in the cosign-system namespace.
// A KeyRef must specify only one of SecretRef, Data or KMS
type KeyRef struct {
// +optional
SecretRef *v1.SecretReference `json:"secretRef,omitempty"`
// Data contains the inline public key
// +optional
Data string `json:"data,omitempty"`
// KMS contains the KMS url of the public key
// +optional
KMS string `json:"kms,omitempty"`
}

// Source specifies the location of the signature
type Source struct {
OCI string `json:"oci"`
}

// TLog specifies the URL to a transparency log that holds
// the signature and public key information
type TLog struct {
URL *apis.URL `json:"url,omitempty"`
}

// KeylessRef contains location of the validating certificate and the identities
// against which to verify. KeylessRef will contain either the URL to the verifying
// certificate, or it will contain the certificate data inline or in a secret.
type KeylessRef struct {
// +optional
URL *apis.URL `json:"url,omitempty"`
// +optional
Identities []Identity `json:"identities,omitempty"`
// +optional
CAKey *KeyRef `json:"ca-key,omitempty"`
}

// Identity may contain the issue and/or the subject found in the transparency log.
// Either field supports a pattern glob.
type Identity struct {
Issuer string `json:"issuer"`
Subject string `json:"subject"`
}

// ClusterImagePolicyList is a list of ClusterImagePolicy resources
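Review bot: The constraint documented on KeyRef (only one of SecretRef, Data or KMS) and the one implied for Authority (at least one of Key or Keyless) are enforced neither by the types nor by the generated schema, so they must live in the Validate method promised by the `apis.Validatable` assertion, which is outside this hunk; if that method does not already reject an Authority with neither Key nor Keyless, such an authority carries no verification material and the webhook's handling of it decides what gets admitted. State the rule on the struct as well, e.g. `// At least one of Key or Keyless must be set; enforced in Validate.` on Authority. The Authority doc comment is separated from `type Authority struct` by a blank line, so godoc will not attach it; drop the blank line and begin it with the type name (`// Authority defines the rules for discovering and validating signatures.`), and likewise begin the KeyRef comment with `// KeyRef references a public verification key ...`. Two typos in the new comments: `authorties` on ImagePattern and `issue` (for issuer) on Identity.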
