Require predicate type #5713
Conversation
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
…erno into fix_image_digest
@JimBugwadia does this need to be added to the forthcoming 1.8.5 patch release or is this an enhancement/feature?
It's an enhancement, but would be good to pick up as it tightens the usage model.
Codecov Report
@@ Coverage Diff @@
## main #5713 +/- ##
==========================================
- Coverage 34.66% 34.64% -0.02%
==========================================
Files 190 190
Lines 21059 21071 +12
==========================================
Hits 7300 7300
- Misses 12951 12961 +10
- Partials 808 810 +2
/cherry-pick release-1.8
| @@ -451,7 +463,6 @@ func (iv *imageVerifier) verifyAttestorSet( | |||
| imageVerify kyvernov1.ImageVerification, | |||
| imageInfo apiutils.ImageInfo, | |||
| path string, | |||
| predicateType string, | |||
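Review bot: the hunk header `@@ -451,7 +463,6 @@` shows one line leaving verifyAttestorSet's parameter list, and `predicateType string,` is the only candidate in the visible context; since the PR makes attestations.predicateType required, the PR description should state where the type is now enforced (the thread below names verifyAttestations and buildOptionsAndPath) so reviewers can confirm that attestors reached through the recursive nested-attestor call are still verified against the required type and not an empty one.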
How is predicateType used to verify attestations.attestors if we remove it here?
In the prior implementation, even though the predicateType was passed to verifyAttestorSet it was not used, except when a recursive call to verifyAttestorSet was made for nested attestors.
The predicateType is used in the verifyAttestations method:
- it gets passed to the buildOptionsAndPath method here https://github.com/kyverno/kyverno/pull/5713/files/5a236506126cb947968c6c394306888ac150d843#diff-d752e78274f7472fae120f3f51e21b4aa62c25162a295be400a771e190fe9bfdR421 which passes it to Cosign here https://github.com/JimBugwadia/kyverno/blob/5a236506126cb947968c6c394306888ac150d843/pkg/engine/imageVerify.go#L575.
- it gets passed to verifyAttestation here https://github.com/JimBugwadia/kyverno/blob/5a236506126cb947968c6c394306888ac150d843/pkg/engine/imageVerify.go#L575 which checks the attestations for the type https://github.com/JimBugwadia/kyverno/blob/5a236506126cb947968c6c394306888ac150d843/pkg/engine/imageVerify.go#L641.
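The flow described in the comment above, as an added standalone model (not Kyverno's own code): a policy entry names the required predicateType, each in-toto statement found on the image is decoded, and only statements whose predicateType matches count toward the policy. It also shows the behaviour this PR introduces, rejecting a policy whose predicateType is empty instead of treating it as "any type". The `Statement`, `Attestation` and `verifyAttestations` names, the `ErrMissingPredicateType` error and the two sample statements are all constructed for this example; signature verification (which cosign performs in the real path) is out of scope here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is the subset of an in-toto Statement needed here: the
// predicateType names what kind of claim the attestation makes.
// Constructed for this example; Kyverno's own types are not used.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// Attestation models one policy entry: the predicateType the policy
// requires. The PR discussed above makes this field mandatory.
type Attestation struct {
	PredicateType string
}

// ErrMissingPredicateType is returned for a policy entry with no type
// (hypothetical error value, not Kyverno's).
var ErrMissingPredicateType = errors.New("attestations[].predicateType is required")

// verifyAttestations validates the policy entry, decodes each raw
// statement and returns only those whose predicateType matches.
// Hypothetical function modelled on the thread, not Kyverno's
// verifyAttestations.
func verifyAttestations(att Attestation, raw [][]byte) ([]Statement, error) {
	if att.PredicateType == "" {
		return nil, ErrMissingPredicateType
	}
	var matched []Statement
	for i, b := range raw {
		var s Statement
		if err := json.Unmarshal(b, &s); err != nil {
			return nil, fmt.Errorf("attestation %d: invalid statement: %w", i, err)
		}
		if s.PredicateType != att.PredicateType {
			continue // a different kind of claim; it does not satisfy this entry
		}
		matched = append(matched, s)
	}
	if len(matched) == 0 {
		return nil, fmt.Errorf("no attestation with predicateType %q found", att.PredicateType)
	}
	return matched, nil
}

// sampleStatements are constructed in-toto statements: one SLSA
// provenance claim and one vulnerability-scan claim.
var sampleStatements = [][]byte{
	[]byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"builder":{"id":"https://example.invalid/builder"}}}`),
	[]byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"cosign.sigstore.dev/attestation/vuln/v1","predicate":{"scanner":{"uri":"pkg:example/scanner"}}}`),
}

func main() {
	// A matching type, an empty type (now an error) and an unknown type.
	for _, pt := range []string{"https://slsa.dev/provenance/v0.2", "", "https://example.invalid/unknown"} {
		m, err := verifyAttestations(Attestation{PredicateType: pt}, sampleStatements)
		fmt.Printf("predicateType=%q matched=%d err=%v\n", pt, len(m), err)
	}
}
```

The empty-type case is the one the PR closes: with the field optional, a policy author could omit it and the type filter would have nothing to compare against, so making it required keeps the "which claim must be present" decision explicit in the policy.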
even though the predicateType was passed to verifyAttestorSet it was not used,
It was used to build and verify attestors if not empty:
kyverno/pkg/engine/imageVerify.go
Line 439 in ef63302
opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, kyvernov1.Attestation{PredicateType: predicateType})
Cherry-pick failed with
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* cherry-pick #5713 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix args Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* fix digest and verify logic Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow attestations with no attestors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * require predicateType Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix typo Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Md Sahil <Mohdssahil1@gmail.com>
* fix digest and verify logic Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow attestations with no attestors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * require predicateType Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix typo Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>
Explanation
Make attestations.predicateType required and add error handling
Related issue
Milestone of this PR
What type of PR is this
Proposed Changes
Proof Manifests
Checklist
Further Comments