-
Notifications
You must be signed in to change notification settings - Fork 798
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#6055 Add JMESPath support to imageExtractors #6183
#6055 Add JMESPath support to imageExtractors #6183
Conversation
Thanks for opening your first Pull Request here! Please check out our Contributing guidelines and confirm that you Signed off. |
Codecov Report
@@ Coverage Diff @@
## main #6183 +/- ##
==========================================
+ Coverage 37.15% 37.28% +0.13%
==========================================
Files 201 201
Lines 20540 20604 +64
==========================================
+ Hits 7632 7683 +51
- Misses 12142 12151 +9
- Partials 766 770 +4
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
33ff1cb
to
3ce9fee
Compare
3ce9fee
to
2e1db36
Compare
3b716af
to
0b5612b
Compare
Good work ! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The implementation in image.go
looks wrong to me, see my comments.
0b5612b
to
cfc8936
Compare
Added additional unit tests |
@eddycharly Updated with your suggestions |
Signed-off-by: Brian Dunnigan <bdunnigan@clarityinnovates.com>
cfc8936
to
3b46453
Compare
Nice work @bdun1013 ! |
Congratulations! 🎉Great job merging your first Pull Request here! How awesome! If you are new to this project, feel free to join our Slack community |
Signed-off-by: Brian Dunnigan <bdunnigan@clarityinnovates.com> Co-authored-by: bdunnigan <bdunnigan@clarityinnovates.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Brian Dunnigan <bdunnigan@clarityinnovates.com> Co-authored-by: bdunnigan <bdunnigan@clarityinnovates.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Abhishek Sawan <sawanabhi157@gmail.com>
Signed-off-by: Brian Dunnigan <bdunnigan@clarityinnovates.com> Co-authored-by: bdunnigan <bdunnigan@clarityinnovates.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Abhishek Sawan <sawanabhi157@gmail.com>
Signed-off-by: Brian Dunnigan <bdunnigan@clarityinnovates.com> Co-authored-by: bdunnigan <bdunnigan@clarityinnovates.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Brian Dunnigan bdunnigan@clarityinnovates.com
Explanation
This PR adds an optional JMESPath to policy rule image extractors along with the new
trim_prefix
JMESPath function. This will allowverifyImages
to work with KubeVirt registry image DataVolumes or any other CRD that includes a scheme with an image. A policy validation check has been added to ensure that if a JMESPath is used to extract an image, image digest mutation must be disabled.Related issue
Closes #6055
@JimBugwadia
@eddycharly
Milestone of this PR
What type of PR is this
/kind feature
Proposed Changes
Added an optional
spec.rules.*.imageExtractors.*.jmesPath
toPolicy
andClusterPolicy
along with atrim_prefix
JMESPath function to allow extracting images with schemes from CRDs for compatibility with verifyImages.Proof Manifests
The following
ClusterPolicy
will fail admission validation because it uses an image extractor JMESPath and hasmutateDigest
set totrue
:The
ClusterPolicy
will be admitted whenmutateDigest
is set tofalse
:A KubeVirt DataVolume will now have its image correctly extracted:
Checklist
Further Comments