webhook

package
v0.2.1

Warning

This package is not in the latest version of its module.

Published: Aug 4, 2022 License: Apache-2.0 Imports: 35 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ValidatePolicyAttestationsForAuthority

func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, remoteOpts ...ociremote.Option) (map[string][]PolicySignature, error)

ValidatePolicyAttestationsForAuthority takes the Authority and tries to verify attestations against it.

Types

type AuthorityMatch

type AuthorityMatch struct {
	// All of the matching signatures for this authority
	// Wonder if for consistency this should also have the matching
	// attestations name, aka, make this into a map.
	Signatures []PolicySignature `json:"signatures"`

	// Mapping from attestation name to all verified attestations
	Attestations map[string][]PolicySignature `json:"attestations"`

	// Static indicates whether this authority matched due to static
	// e.g. static: { action: pass }
	Static bool `json:"static,omitempty"`
}

AuthorityMatch holds either Signatures (if no Attestations were specified for the authority) or Attestations (if Attestations were specified).

type GithubExtensions added in v0.2.1

type GithubExtensions struct {
	// OID: 1.3.6.1.4.1.57264.1.2
	WorkflowTrigger string `json:"githubWorkflowTrigger,omitempty"`
	// OID: 1.3.6.1.4.1.57264.1.3
	WorkflowSHA string `json:"githubWorkflowSha,omitempty"`
	// OID: 1.3.6.1.4.1.57264.1.4
	WorkflowName string `json:"githubWorkflowName,omitempty"`
	// OID: 1.3.6.1.4.1.57264.1.5
	WorkflowRepo string `json:"githubWorkflowRepo,omitempty"`
	// OID: 1.3.6.1.4.1.57264.1.6
	WorkflowRef string `json:"githubWorkflowRef,omitempty"`
}

GithubExtensions holds the Github-related OID extensions. See also: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md NOTE: these fields correlate with the names given in the cosign CertExtensionMap and must be prefixed with "github" to avoid ambiguity.

type PolicyResult

type PolicyResult struct {
	// AuthorityMatches will have an entry for each successful Authority check
	// on it. Key in the map is the Attestation.Name
	AuthorityMatches map[string]AuthorityMatch `json:"authorityMatches"`
}

PolicyResult is the result of a successful ValidatePolicy call. These are meant to be consumed by a higher-level Policy engine that can reason about validated results. The 'first' level pass verifies signatures and attestations and then makes the results available to a policy that can be used to gate a ClusterImagePolicy as passing. Some examples: at least a 'vulnerability' scan has to have been done, and the scan must have been attested by a particular entity (subject/issuer) or a particular key. Other examples are that N-of-M authorities must be satisfied, and so forth. We do not expose the low-level details of signatures / attestations here, since they have already been validated as per the Authority configuration and, optionally, by the Attestations, which can contain a particular policy used to validate the attestation (say, the vulnerability scanner must not have found any High severity issues).

func ValidatePolicy

func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, cip webhookcip.ClusterImagePolicy, remoteOpts ...ociremote.Option) (*PolicyResult, []error)

ValidatePolicy goes through all the Authorities for a given image/policy and returns the validated authorities if at least one of the Authorities validated the signatures, OR the attestations if attestations were specified. Returns a PolicyResult if one or more authorities matched, otherwise nil. In any case returns all errors encountered if none of the authorities passed.
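The PolicyResult description above leaves the second-level policy (N-of-M authorities, a required 'vulnerability' attestation from a particular subject/issuer) to a higher-level engine. The following is an added example of such a gate, not code from policy-controller: the result types are local mirrors copied from the struct definitions documented on this page so the file compiles without importing the package, and GateRule, Gate, hasAttestationFrom, sampleResult and the sample issuer/subject values are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Local mirrors of the webhook package's exported result types, copied from
// the documented struct definitions so this example compiles stand-alone.
type GithubExtensions struct {
	WorkflowTrigger string `json:"githubWorkflowTrigger,omitempty"`
	WorkflowSHA     string `json:"githubWorkflowSha,omitempty"`
	WorkflowName    string `json:"githubWorkflowName,omitempty"`
	WorkflowRepo    string `json:"githubWorkflowRepo,omitempty"`
	WorkflowRef     string `json:"githubWorkflowRef,omitempty"`
}

type PolicySignature struct {
	Subject          string `json:"subject"`
	Issuer           string `json:"issuer"`
	GithubExtensions `json:",inline"`
}

type AuthorityMatch struct {
	Signatures   []PolicySignature            `json:"signatures"`
	Attestations map[string][]PolicySignature `json:"attestations"`
	Static       bool                         `json:"static,omitempty"`
}

type PolicyResult struct {
	AuthorityMatches map[string]AuthorityMatch `json:"authorityMatches"`
}

// GateRule is a hypothetical second-level rule evaluated over a PolicyResult
// (not a policy-controller type).
type GateRule struct {
	MinAuthorities      int    // N-of-M: at least this many authorities must have matched
	RequiredAttestation string // attestation name that must be present, e.g. "vulnerability"
	RequiredIssuer      string // that attestation must have been verified against a cert from this issuer
	RequiredSubject     string // ... with this subject
}

// Gate returns nil when pr satisfies rule, otherwise an error naming every
// unmet requirement. ValidatePolicy returns a nil PolicyResult when no
// authority matched, so nil always fails the gate.
func Gate(pr *PolicyResult, rule GateRule) error {
	if pr == nil {
		return fmt.Errorf("policy gate failed: no authority matched the image")
	}
	var problems []string
	if got := len(pr.AuthorityMatches); got < rule.MinAuthorities {
		problems = append(problems, fmt.Sprintf("only %d of %d required authorities matched", got, rule.MinAuthorities))
	}
	if rule.RequiredAttestation != "" && !hasAttestationFrom(pr, rule) {
		problems = append(problems, fmt.Sprintf("no %q attestation verified for issuer %q and subject %q",
			rule.RequiredAttestation, rule.RequiredIssuer, rule.RequiredSubject))
	}
	if len(problems) > 0 {
		return fmt.Errorf("policy gate failed: %s", strings.Join(problems, "; "))
	}
	return nil
}

// hasAttestationFrom reports whether any matched authority verified the
// required attestation with the required issuer/subject. A static match
// (static: { action: pass }) carries no signatures, so it never satisfies
// an attestation requirement even though it counts as a matched authority.
func hasAttestationFrom(pr *PolicyResult, rule GateRule) bool {
	for _, am := range pr.AuthorityMatches {
		if am.Static {
			continue
		}
		for _, sig := range am.Attestations[rule.RequiredAttestation] {
			if sig.Issuer == rule.RequiredIssuer && sig.Subject == rule.RequiredSubject {
				return true
			}
		}
	}
	return false
}

// Constructed sample values (made up for this example).
const (
	sampleIssuer  = "https://token.actions.githubusercontent.com"
	sampleSubject = "https://github.com/example-org/scanner/.github/workflows/scan.yaml@refs/heads/main"
)

// sampleResult is the shape ValidatePolicy would return when two authorities
// matched: a keyless one with a verified vulnerability attestation, and a
// static pass. Constructed for the example.
func sampleResult() *PolicyResult {
	return &PolicyResult{AuthorityMatches: map[string]AuthorityMatch{
		"keyless-scanner": {Attestations: map[string][]PolicySignature{
			"vulnerability": {{Subject: sampleSubject, Issuer: sampleIssuer,
				GithubExtensions: GithubExtensions{WorkflowTrigger: "push", WorkflowRepo: "example-org/scanner"}}},
		}},
		"static-pass": {Static: true},
	}}
}

func main() {
	rule := GateRule{MinAuthorities: 2, RequiredAttestation: "vulnerability",
		RequiredIssuer: sampleIssuer, RequiredSubject: sampleSubject}
	fmt.Println("2-of-2 plus vulnerability attestation:", Gate(sampleResult(), rule))
	rule.MinAuthorities = 3
	fmt.Println("3-of-2:", Gate(sampleResult(), rule))
	fmt.Println("nil result:", Gate(nil, rule))
}
```

The gate deliberately ignores Static matches when looking for the required attestation: a static pass contributes to the N-of-M count but proves nothing about who attested the scan, which is exactly the distinction the Static field exists to preserve.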

type PolicySignature

type PolicySignature struct {
	// Subject that was found to match on the Cert.
	Subject string `json:"subject"`
	// Issuer that was found to match on the Cert.
	Issuer string `json:"issuer"`

	// GithubExtensions holds the Github-related OID extensions.
	// See also: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
	GithubExtensions `json:",inline"`
}

PolicySignature contains a normalized result of a validated signature, where signature could be a signature on the Image (.sig) or on an Attestation (.att).

func ValidatePolicySignaturesForAuthority

func ValidatePolicySignaturesForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, remoteOpts ...ociremote.Option) ([]PolicySignature, error)

ValidatePolicySignaturesForAuthority takes the Authority and tries to verify a signature against it.

type Validator

type Validator struct {
	// contains filtered or unexported fields
}

func NewValidator

func NewValidator(ctx context.Context, secretName string) *Validator

func (*Validator) ResolveCronJob

func (v *Validator) ResolveCronJob(ctx context.Context, c *duckv1.CronJob)

ResolveCronJob implements duckv1.CronJobValidator

func (*Validator) ResolvePod

func (v *Validator) ResolvePod(ctx context.Context, p *duckv1.Pod)

ResolvePod implements duckv1.PodValidator

func (*Validator) ResolvePodScalable

func (v *Validator) ResolvePodScalable(ctx context.Context, ps *policyduckv1beta1.PodScalable)

ResolvePodScalable implements policyduckv1beta1.PodScalableValidator

func (*Validator) ResolvePodSpecable

func (v *Validator) ResolvePodSpecable(ctx context.Context, wp *duckv1.WithPod)

ResolvePodSpecable implements duckv1.PodSpecValidator

func (*Validator) ValidateCronJob

func (v *Validator) ValidateCronJob(ctx context.Context, c *duckv1.CronJob) *apis.FieldError

ValidateCronJob implements duckv1.CronJobValidator

func (*Validator) ValidatePod

func (v *Validator) ValidatePod(ctx context.Context, p *duckv1.Pod) *apis.FieldError

ValidatePod implements duckv1.PodValidator

func (*Validator) ValidatePodScalable

func (v *Validator) ValidatePodScalable(ctx context.Context, ps *policyduckv1beta1.PodScalable) *apis.FieldError

ValidatePodScalable implements policyduckv1beta1.PodScalableValidator. It is very similar to ValidatePodSpecable, but allows spec.replicas to be decremented. This allows scaling down pods with non-compliant images that would otherwise be forbidden.

func (*Validator) ValidatePodSpecable

func (v *Validator) ValidatePodSpecable(ctx context.Context, wp *duckv1.WithPod) *apis.FieldError

ValidatePodSpecable implements duckv1.PodSpecValidator
