#6055 Add JMESPath support to imageExtractors

[bdun1013]

Signed-off-by: Brian Dunnigan bdunnigan@clarityinnovates.com

Explanation

This PR adds an optional JMESPath to policy rule image extractors along with the new trim_prefix JMESPath function. This will allow verifyImages to work with KubeVirt registry image DataVolumes or any other CRD that includes a scheme with an image. A policy validation check has been added to ensure that if a JMESPath is used to extract an image, image digest mutation must be disabled.

Related issue

Closes #6055

@JimBugwadia
@eddycharly

Milestone of this PR

What type of PR is this

/kind feature

Proposed Changes

Added an optional spec.rules.*.imageExtractors.*.jmesPath to Policy and ClusterPolicy along with a trim_prefix JMESPath function to allow extracting images with schemes from CRDs for compatibility with verifyImages.

Proof Manifests

The following ClusterPolicy will fail admission validation because it uses an image extractor JMESPath and has mutateDigest set to true:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-data-volume-image
spec:
  background: false
  validationFailureAction: Enforce
  rules:
    - name: verify-data-volume-image
      match:
        any:
        - resources:
            kinds:
              - DataVolume
      imageExtractors:
        DataVolume:
          - path: /spec/source/registry/url
            jmesPath: "trim_prefix(@, 'docker://')"
      verifyImages:
      - imageReferences:
        - "*"
        mutateDigest: true
        verifyDigest: true
        attestors:
        - entries:
          - keys:
              publicKeys: |
                -----BEGIN PUBLIC KEY-----
                ...
                -----END PUBLIC KEY-----

The ClusterPolicy will be admitted when mutateDigest is set to false:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-data-volume-image
spec:
  background: false
  validationFailureAction: Enforce
  rules:
    - name: verify-data-volume-image
      match:
        any:
        - resources:
            kinds:
              - DataVolume
      imageExtractors:
        DataVolume:
          - path: /spec/source/registry/url
            jmesPath: "trim_prefix(@, 'docker://')"
      verifyImages:
      - imageReferences:
        - "*"
        mutateDigest: false
        verifyDigest: true
        attestors:
        - entries:
          - keys:
              publicKeys: |
                -----BEGIN PUBLIC KEY-----
                ...
                -----END PUBLIC KEY-----

A KubeVirt DataVolume will now have its image correctly extracted:

apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
  name: registry-image-datavolume
spec:
  source:
    registry:
      url: "docker://kubevirt/fedora-cloud-registry-disk-demo"
  pvc:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 5Gi

Checklist

• I have read the contributing guidelines.
• I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
• This is a bug fix and I have added unit tests that prove my fix is effective.
• This is a feature and I have added CLI tests that are applicable.
• My PR needs to be cherry picked to a specific release branch which is .
• My PR contains new or altered behavior to Kyverno and
  • CLI support should be added and my PR doesn't contain that functionality.
  • I have added or changed the documentation myself in an existing PR and the link is:
  • I have raised an issue in kyverno/website to track the documentation update and the link is:
  [Enhancement] Add documentation for new JMESPath imageExtractors feature website#755

Further Comments

[welcome]

Thanks for opening your first Pull Request here! Please check out our Contributing guidelines and confirm that you Signed off.

[codecov]

Codecov Report

Merging #6183 (22d61ff) into main (cfd4501) will increase coverage by 0.13%.
The diff coverage is 78.08%.

@@            Coverage Diff             @@
##             main    #6183      +/-   ##
==========================================
+ Coverage   37.15%   37.28%   +0.13%     
==========================================
  Files         201      201              
  Lines       20540    20604      +64     
==========================================
+ Hits         7632     7683      +51     
- Misses      12142    12151       +9     
- Partials      766      770       +4     

Impacted Files	Coverage Δ
api/kyverno/v1/rule_types.go	54.66% <ø> (ø)
pkg/utils/api/image.go	66.10% <50.00%> (-3.81%)	⬇️
pkg/policy/validate.go	52.48% <85.18%> (+0.92%)	⬆️
pkg/engine/jmespath/functions.go	80.76% <100.00%> (+0.50%)	⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[eddycharly]

Good work !
I will review in more depth tomorrow but could you add unit tests covering error cases (like in #6202) ?

[eddycharly]

The implementation in image.go looks wrong to me, see my comments.

[bdun1013]

Good work ! I will review in more depth tomorrow but could you add unit tests covering error cases (like in #6202) ?

Added additional unit tests

[bdun1013]

The implementation in image.go looks wrong to me, see my comments.

@eddycharly Updated with your suggestions

[eddycharly]

Nice work @bdun1013 !

[welcome]

Congratulations! 🎉

Great job merging your first Pull Request here! How awesome! If you are new to this project, feel free to join our Slack community