
fix: the entry length validation for the verify image rule #5384

Merged

Conversation

realshuting (Member)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Explanation

A verifyImage policy specifying multiple entries should be allowed to be created. Prior to this PR, policy creation was blocked.

Related issue

Closes #5379.

Milestone of this PR

1.9.0

What type of PR is this

/bug

Proposed Changes

Proof Manifests

The policy with multiple entries can be created/updated successfully.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-with-multi-keys
  annotations:
    policies.kyverno.io/title: Verify Image with Multiple Keys
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kyverno-version: 1.7.2
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      There may be multiple keys used to sign images based on
      the parties involved in the creation process. This image
      verification policy requires the named image be signed by
      two separate keys. It will search for a global "production"
      key in a ConfigMap called `key` in the `default` Namespace
      and also a Namespace key in the same ConfigMap.
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: check-image-with-two-keys
      match:
        any:
        - resources:
            kinds:
              - Pod
      context:
      - name: keys
        configMap:
          name: keys
          namespace: default
      verifyImages:
      - imageReferences:
        - "ghcr.io/myorg/myimage*"
        required: true
        attestors:
        - count: 1
          entries:
          - keys:
              publicKeys: "{{ keys.data.production }}"
          - keys:
              publicKeys: "{{ keys.data.{{request.namespace}} }}"
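The manifest above has one attestor set with two `entries` and `count: 1`. The following is an added illustration of the entry-length check this PR is concerned with; it is not Kyverno's own code, and the struct shapes, field names and the assumed rule (at least one entry, and `count`, when set, between 1 and the number of entries) are assumptions made for the example, not taken from the Kyverno source.

```go
package main

import (
	"errors"
	"fmt"
)

// Attestor models one item of `entries` in the manifest above.
// Only the key-based variant is modelled here (assumption for the example).
type Attestor struct {
	PublicKeys string
}

// AttestorSet models one item of `attestors` in the manifest: an optional
// required count plus the list of entries (field names are assumptions).
type AttestorSet struct {
	Count   *int
	Entries []Attestor
}

// ValidateAttestorSet applies the assumed rule: the set needs at least one
// entry with a non-empty key, and a given count must lie between 1 and the
// number of entries. Multiple entries are allowed, which is the behaviour
// the PR restores; this is illustrative code, not Kyverno's validator.
func ValidateAttestorSet(set AttestorSet) error {
	n := len(set.Entries)
	if n == 0 {
		return errors.New("attestor set must contain at least one entry")
	}
	for i, e := range set.Entries {
		if e.PublicKeys == "" {
			return fmt.Errorf("entry %d: publicKeys must not be empty", i)
		}
	}
	if set.Count != nil {
		if *set.Count < 1 {
			return fmt.Errorf("count must be at least 1, got %d", *set.Count)
		}
		if *set.Count > n {
			return fmt.Errorf("count %d exceeds the number of entries (%d)", *set.Count, n)
		}
	}
	return nil
}

func intPtr(i int) *int { return &i }

func main() {
	// Constructed sample: the two-key attestor set from the proof manifest.
	twoKeys := AttestorSet{
		Count: intPtr(1),
		Entries: []Attestor{
			{PublicKeys: "{{ keys.data.production }}"},
			{PublicKeys: "{{ keys.data.{{request.namespace}} }}"},
		},
	}
	fmt.Println("two entries, count 1:", ValidateAttestorSet(twoKeys))
	fmt.Println("two entries, count 3:", ValidateAttestorSet(AttestorSet{Count: intPtr(3), Entries: twoKeys.Entries}))
}
```

The first call returns nil (the manifest's set is accepted); the second returns an error, since a required count can never exceed the number of entries available to satisfy it.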

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.
    • I have added or changed the documentation myself in an existing PR and the link is:
    • I have raised an issue in kyverno/website to track the documentation update and the link is:

Further Comments


codecov bot commented Nov 17, 2022

Codecov Report

Merging #5384 (146baa1) into main (6fe8a4a) will increase coverage by 0.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #5384      +/-   ##
==========================================
+ Coverage   36.10%   36.11%   +0.01%     
==========================================
  Files         169      169              
  Lines       18972    18965       -7     
==========================================
+ Hits         6849     6850       +1     
+ Misses      11332    11325       -7     
+ Partials      791      790       -1     
Impacted Files                                 Coverage Δ
api/kyverno/v1/image_verification_types.go     72.09% <ø> (+1.86%) ⬆️
pkg/policy/validate.go                         51.26% <ø> (+0.29%) ⬆️


@realshuting realshuting enabled auto-merge (squash) November 17, 2022 11:18
@realshuting realshuting merged commit b1367fd into kyverno:main Nov 17, 2022
@realshuting realshuting deleted the fix_verifyimage_validation_main branch January 9, 2023 16:51

Successfully merging this pull request may close these issues.

[Bug] Multiple entries in the verifyImage rule is not allowed