[Feature] Add imageExtractors support for trimming image scheme

[bdun1013]

Problem Statement

I would like to verify a KubeVirt Containerized Data Importer DataVolume's source image from a registry using the Verify Images Policy.

A DataVolume's spec.source.registry.url is "the url of the registry source (starting with the scheme: docker, oci-archive)". The scheme (docker://) is the problem when verifying the DataVolume custom resource using this feature.

For example, with this ClusterPolicy in place:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-cdi-image
spec:
  validationFailureAction: enforce
  rules:
  - name: verify-cdi-image
    match:
      any:
      - resources:
          kinds:
          - DataVolume
    imageExtractors:
      DataVolume:
      - path: /spec/source/registry/url
    verifyImages:
    - imageReferences:
      - "*"
      attestors:
      - entries:
        - keys: ...

applying the example registry image DataVolume

# This example assumes you are using a default storage class
apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
  name: registry-image-datavolume
spec:
  source:
    registry:
      url: "docker://kubevirt/fedora-cloud-registry-disk-demo"
  pvc:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 5Gi

produces the following error:

Error from server: error when creating "https://raw.githubusercontent.com/kubevirt/containerized-data-importer/main/manifests/example/registry-image-datavolume.yaml": admission webhook "mutate.kyverno.svc-fail" denied the request: 

policy DataVolume/gatekeeper-system/registry-image-datavolume for resource error: 

verify-cdi-image:
  verify-cdi-image: 'failed to extract images: failed to extract images: invalid image
    docker://kubevirt/fedora-cloud-registry-disk-demo'

Solution Description

I would like to see the the image extractor code updated to trim the scheme for an image if the image has a scheme. If the image value parses to a URI, then trim the scheme and return the rest of the image value.

Alternatives

Alternatives to trimming the scheme could be:

• Trim a hardcoded docker:// from the image string if it starts with docker://
• Add rules.imageExtractors.trimPrefix to the ClusterPolicy spec and optional trim that prefix it is there for the image

Additional Context

No response

Slack discussion

No response

Research

• I have read and followed the documentation AND the troubleshooting guide.
• I have searched other issues in this repository and mine is not recorded.

[welcome]

Thanks for opening your first issue here! Be sure to follow the issue template!

[bdun1013]

Happy to work on this if approved.

[eddycharly]

Could we do that with jmespath ?

[eddycharly]

I guess we need to add the prefix back when mutating the resource though.

[JimBugwadia]

I like the idea of adding an optional rules.imageExtractors.jmesPath to allow any transformation.

@bdun1013 - would that work?

However, we would still need to address @eddycharly's question on how to handle mutate digest, when the image reference is transformed.

[bdun1013]

@JimBugwadia Adding an optional jmesPath works for me.

In regards to image digest mutation, we could add a caveat that if jmesPath is used, then mutateDigest must be set to false.

[JimBugwadia]

Sounds good. We should also be able to add a validation check for that.

I've assigned the issue to you - let us know if you need any help.

[bdun1013]

@JimBugwadia @eddycharly #6183 should be good to go.