Documentation ¶
Index ¶
- func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, ...) (map[string][]PolicySignature, error)
- type AuthorityMatch
- type GithubExtensions
- type PolicyResult
- func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, cip webhookcip.ClusterImagePolicy, ...) (*PolicyResult, []error)
- type PolicySignature
- func ValidatePolicySignaturesForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, ...) ([]PolicySignature, error)
- type Validator
- func (v *Validator) ResolveCronJob(ctx context.Context, c *duckv1.CronJob)
- func (v *Validator) ResolvePod(ctx context.Context, p *duckv1.Pod)
- func (v *Validator) ResolvePodScalable(ctx context.Context, ps *policyduckv1beta1.PodScalable)
- func (v *Validator) ResolvePodSpecable(ctx context.Context, wp *duckv1.WithPod)
- func (v *Validator) ValidateCronJob(ctx context.Context, c *duckv1.CronJob) *apis.FieldError
- func (v *Validator) ValidatePod(ctx context.Context, p *duckv1.Pod) *apis.FieldError
- func (v *Validator) ValidatePodScalable(ctx context.Context, ps *policyduckv1beta1.PodScalable) *apis.FieldError
- func (v *Validator) ValidatePodSpecable(ctx context.Context, wp *duckv1.WithPod) *apis.FieldError
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ValidatePolicyAttestationsForAuthority ¶
func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, remoteOpts ...ociremote.Option) (map[string][]PolicySignature, error)
ValidatePolicyAttestationsForAuthority takes the Authority and tries to verify the image's attestations against it. On success it returns a map from attestation name to the normalized PolicySignature of every attestation that verified; this is the same shape as AuthorityMatch.Attestations. Attestations that fail verification are not included, and an error is returned when nothing could be verified.
Types ¶
type AuthorityMatch ¶
type AuthorityMatch struct {
	// All of the matching signatures for this authority
	// Wonder if for consistency this should also have the matching
	// attestations name, aka, make this into a map.
	Signatures []PolicySignature `json:"signatures"`
	// Mapping from attestation name to all of verified attestations
	Attestations map[string][]PolicySignature `json:"attestations"`
	// Static indicates whether this authority matched due to static
	// e.g. static: { action: pass }
	Static bool `json:"static,omitempty"`
}
AuthorityMatch records how one authority was satisfied: Signatures is populated when the authority specifies no attestations, and Attestations is populated when it does. When Static is true the authority passed because of its static action rather than because a signature or attestation verified, so a higher-level policy should not treat such a match as evidence of who signed the image.
type GithubExtensions ¶ added in v0.2.1
type GithubExtensions struct {
	// OID: 1.3.6.1.4.1.57264.1.2
	WorkflowTrigger string `json:"githubWorkflowTrigger,omitempty"`
	// OID: 1.3.6.1.4.1.57264.1.3
	WorkflowSHA string `json:"githubWorkflowSha,omitempty"`
	// OID: 1.3.6.1.4.1.57264.1.4
	WorkflowName string `json:"githubWorkflowName,omitempty"`
	// OID: 1.3.6.1.4.1.57264.1.5
	WorkflowRepo string `json:"githubWorkflowRepo,omitempty"`
	// OID: 1.3.6.1.4.1.57264.1.6
	WorkflowRef string `json:"githubWorkflowRef,omitempty"`
}
GithubExtensions holds the Github-related OID extensions found on the signing certificate. See also: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md NOTE: these fields correlate with the names given in the cosign CertExtensionMap and must be prefixed with "github" to avoid ambiguity.
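As an added example (not code from the policy-controller project), the following shows how the OIDs listed above are read out of a signing certificate into a GithubExtensions value and then used to pin a verified signature to a repository and ref, which subject and issuer alone cannot do. The certificate is self-signed and constructed inline to stand in for a Fulcio-issued one; GithubExtensionsFromCert, BuildAllowed and NewTestCert are hypothetical names, and the repository and ref values are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// GithubExtensions copies the struct documented on this page.
type GithubExtensions struct {
	WorkflowTrigger string `json:"githubWorkflowTrigger,omitempty"`
	WorkflowSHA     string `json:"githubWorkflowSha,omitempty"`
	WorkflowName    string `json:"githubWorkflowName,omitempty"`
	WorkflowRepo    string `json:"githubWorkflowRepo,omitempty"`
	WorkflowRef     string `json:"githubWorkflowRef,omitempty"`
}

// Fulcio OIDs as listed on this page. The .1.x extensions carry their value
// as raw bytes rather than as a DER-encoded string.
var (
	oidWorkflowTrigger = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}
	oidWorkflowSHA     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}
	oidWorkflowName    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}
	oidWorkflowRepo    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
	oidWorkflowRef     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
)

// GithubExtensionsFromCert (hypothetical) collects the GitHub OIDs from a
// parsed certificate. Extensions the certificate lacks leave the field empty.
func GithubExtensionsFromCert(cert *x509.Certificate) GithubExtensions {
	var g GithubExtensions
	for _, e := range cert.Extensions {
		switch {
		case e.Id.Equal(oidWorkflowTrigger):
			g.WorkflowTrigger = string(e.Value)
		case e.Id.Equal(oidWorkflowSHA):
			g.WorkflowSHA = string(e.Value)
		case e.Id.Equal(oidWorkflowName):
			g.WorkflowName = string(e.Value)
		case e.Id.Equal(oidWorkflowRepo):
			g.WorkflowRepo = string(e.Value)
		case e.Id.Equal(oidWorkflowRef):
			g.WorkflowRef = string(e.Value)
		}
	}
	return g
}

// BuildAllowed (hypothetical) pins a signature to a repository and a ref
// prefix. A workflow on a fork or a feature branch can produce the same
// subject/issuer pair; the repo and ref OIDs tell those builds apart.
func BuildAllowed(g GithubExtensions, repo, refPrefix string) error {
	if g.WorkflowRepo != repo {
		return fmt.Errorf("signed by workflow in %q, want %q", g.WorkflowRepo, repo)
	}
	if !strings.HasPrefix(g.WorkflowRef, refPrefix) {
		return fmt.Errorf("signed from ref %q, want prefix %q", g.WorkflowRef, refPrefix)
	}
	return nil
}

// NewTestCert (hypothetical) issues a throwaway self-signed certificate that
// carries the given extensions, standing in for a Fulcio-issued certificate so
// the example runs offline. Only non-empty fields are encoded.
func NewTestCert(g GithubExtensions) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var exts []pkix.Extension
	for _, kv := range []struct {
		id  asn1.ObjectIdentifier
		val string
	}{
		{oidWorkflowTrigger, g.WorkflowTrigger}, {oidWorkflowSHA, g.WorkflowSHA},
		{oidWorkflowName, g.WorkflowName}, {oidWorkflowRepo, g.WorkflowRepo},
		{oidWorkflowRef, g.WorkflowRef},
	} {
		if kv.val != "" {
			exts = append(exts, pkix.Extension{Id: kv.id, Value: []byte(kv.val)})
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "constructed test cert"},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		ExtraExtensions: exts,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed input: a signature from a feature branch of the right repo.
	cert, err := NewTestCert(GithubExtensions{WorkflowRepo: "acme/app", WorkflowRef: "refs/heads/feature"})
	if err != nil {
		panic(err)
	}
	fmt.Println(BuildAllowed(GithubExtensionsFromCert(cert), "acme/app", "refs/tags/"))
}
```

The same extraction is what fills the GithubExtensions embedded in PolicySignature; a policy that only compares Subject and Issuer accepts any ref the workflow ran on, so checks on WorkflowRepo and WorkflowRef belong in the higher-level policy.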
type PolicyResult ¶
type PolicyResult struct {
	// AuthorityMatches will have an entry for each successful Authority check
	// on it. Key in the map is the Authority name; each AuthorityMatch is in
	// turn keyed by attestation name.
	AuthorityMatches map[string]AuthorityMatch `json:"authorityMatches"`
}
PolicyResult is the result of a successful ValidatePolicy call. These are meant to be consumed by a higher level Policy engine that can reason about validated results. The 'first' level pass verifies signatures and attestations and makes the results available for a policy that gates whether a ClusterImagePolicy passes. Some examples: at least a 'vulnerability' scan must have been done and attested by a particular entity (subject/issuer) or a particular key; or N of M authorities must be satisfied. We do not expose the low level details of signatures / attestations here since they have already been validated as per the Authority configuration and, optionally, by the Attestations, which contain a particular policy that can be used to validate the attestation payload (say, the vulnerability scanner must not have found any High sev issues).
func ValidatePolicy ¶
func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, cip webhookcip.ClusterImagePolicy, remoteOpts ...ociremote.Option) (*PolicyResult, []error)
ValidatePolicy goes through all the Authorities for a given image/policy and returns the authorities that validated, where an authority validates if it verified the signatures, or the attestations if attestations were specified. Returns a non-nil PolicyResult if one or more authorities matched, otherwise nil. The error slice is returned in any case and collects every error encountered; when no authority passed it is the only account of why.
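An added example of the "higher level Policy engine" that PolicyResult is meant to feed (this is not the project's own code): it copies the PolicyResult, AuthorityMatch, PolicySignature and GithubExtensions types from this page, builds a constructed PolicyResult with one keyless authority and one static authority, and applies a hypothetical Gate that requires N verified authorities plus a named attestation from a specific issuer and subject, optionally pinned to a repository. Gate, Evaluate and SampleResult are assumed names, and the authority names, subject and issuer values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// The four types below copy the definitions documented on this page so the
// example runs without importing the policy-controller module.
type GithubExtensions struct {
	WorkflowTrigger string `json:"githubWorkflowTrigger,omitempty"`
	WorkflowSHA     string `json:"githubWorkflowSha,omitempty"`
	WorkflowName    string `json:"githubWorkflowName,omitempty"`
	WorkflowRepo    string `json:"githubWorkflowRepo,omitempty"`
	WorkflowRef     string `json:"githubWorkflowRef,omitempty"`
}

type PolicySignature struct {
	Subject          string `json:"subject"`
	Issuer           string `json:"issuer"`
	GithubExtensions `json:",inline"`
}

type AuthorityMatch struct {
	Signatures   []PolicySignature            `json:"signatures"`
	Attestations map[string][]PolicySignature `json:"attestations"`
	Static       bool                         `json:"static,omitempty"`
}

type PolicyResult struct {
	AuthorityMatches map[string]AuthorityMatch `json:"authorityMatches"`
}

// Gate is a hypothetical second-level policy over a PolicyResult: an N-of-M
// count plus one required attestation from a named identity.
type Gate struct {
	MinVerified     int    // authorities that must have matched with a verified signature
	RequiredAtt     string // attestation name that must be present, e.g. "vulnerability"
	RequiredIssuer  string // OIDC issuer that must have signed it
	RequiredSubject string // identity that must have signed it
	RequiredRepo    string // optional: GitHub repo the signing workflow must come from
}

// Evaluate returns nil when the gate is satisfied. Static matches are not
// counted: an authority that passed because of static: {action: pass} carries
// no verified signature, so it must not satisfy a signer requirement.
func (g Gate) Evaluate(pr *PolicyResult) error {
	if pr == nil {
		return errors.New("no authority matched")
	}
	verified := 0
	found := false
	for _, am := range pr.AuthorityMatches {
		if am.Static {
			continue
		}
		verified++
		for _, sig := range am.Attestations[g.RequiredAtt] {
			if sig.Issuer != g.RequiredIssuer || sig.Subject != g.RequiredSubject {
				continue
			}
			if g.RequiredRepo != "" && sig.WorkflowRepo != g.RequiredRepo {
				continue
			}
			found = true
		}
	}
	if verified < g.MinVerified {
		return fmt.Errorf("%d authorities verified, need %d", verified, g.MinVerified)
	}
	if g.RequiredAtt != "" && !found {
		return fmt.Errorf("no %q attestation signed by %s (issuer %s)", g.RequiredAtt, g.RequiredSubject, g.RequiredIssuer)
	}
	return nil
}

// SampleResult is a constructed PolicyResult of the shape ValidatePolicy
// returns: one keyless authority that verified a signature and a
// "vulnerability" attestation, plus one authority that passed statically.
func SampleResult() *PolicyResult {
	ci := PolicySignature{
		Subject: "https://github.com/acme/app/.github/workflows/release.yaml@refs/tags/v1.2.0",
		Issuer:  "https://token.actions.githubusercontent.com",
		GithubExtensions: GithubExtensions{
			WorkflowTrigger: "push", WorkflowRepo: "acme/app", WorkflowRef: "refs/tags/v1.2.0",
		},
	}
	return &PolicyResult{AuthorityMatches: map[string]AuthorityMatch{
		"keyless-ci": {
			Signatures:   []PolicySignature{ci},
			Attestations: map[string][]PolicySignature{"vulnerability": {ci}},
		},
		"break-glass": {Static: true},
	}}
}

func main() {
	g := Gate{MinVerified: 1, RequiredAtt: "vulnerability",
		RequiredIssuer:  "https://token.actions.githubusercontent.com",
		RequiredSubject: "https://github.com/acme/app/.github/workflows/release.yaml@refs/tags/v1.2.0",
		RequiredRepo:    "acme/app"}
	fmt.Println("gate:", g.Evaluate(SampleResult()))
}
```

The gate deliberately ignores the Signatures slice and looks only at Attestations for the named attestation: the first-level pass has already established that the signature verified, so the second level only has to decide whether the right identity attested the right thing.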
type PolicySignature ¶
type PolicySignature struct {
	// Subject that was found to match on the Cert.
	Subject string `json:"subject"`
	// Issuer that was found to match on the Cert.
	Issuer string `json:"issuer"`
	// GithubExtensions holds the Github-related OID extensions.
	// See also: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
	GithubExtensions `json:",inline"`
}
PolicySignature contains the normalized result of a validated signature, where the signature could be a signature on the Image (.sig) or on an Attestation (.att). Subject and Issuer are the values matched against the authority's keyless configuration; for key-based authorities there is no certificate, so these fields are empty.
func ValidatePolicySignaturesForAuthority ¶
func ValidatePolicySignaturesForAuthority(ctx context.Context, ref name.Reference, authority webhookcip.Authority, remoteOpts ...ociremote.Option) ([]PolicySignature, error)
ValidatePolicySignaturesForAuthority takes the Authority and tries to verify the image's signatures against it. On success it returns a normalized PolicySignature for each signature that verified, which is what populates AuthorityMatch.Signatures; an error is returned when nothing could be verified.
type Validator ¶
type Validator struct {
	// contains filtered or unexported fields
}
Validator implements both halves of the admission webhook: the Validate* methods reject workloads whose images fail a matching ClusterImagePolicy, and the Resolve* methods mutate the image references in the workload from tags to the digests that were validated, so the image admitted is the image that runs.
func (*Validator) ResolveCronJob ¶
func (v *Validator) ResolveCronJob(ctx context.Context, c *duckv1.CronJob)
ResolveCronJob implements duckv1.CronJobValidator
func (*Validator) ResolvePod ¶
func (v *Validator) ResolvePod(ctx context.Context, p *duckv1.Pod)
ResolvePod implements duckv1.PodValidator
func (*Validator) ResolvePodScalable ¶
func (v *Validator) ResolvePodScalable(ctx context.Context, ps *policyduckv1beta1.PodScalable)
ResolvePodScalable implements policyduckv1beta1.PodScalableValidator
func (*Validator) ResolvePodSpecable ¶
func (v *Validator) ResolvePodSpecable(ctx context.Context, wp *duckv1.WithPod)
ResolvePodSpecable implements duckv1.PodSpecValidator
func (*Validator) ValidateCronJob ¶
func (v *Validator) ValidateCronJob(ctx context.Context, c *duckv1.CronJob) *apis.FieldError
ValidateCronJob implements duckv1.CronJobValidator
func (*Validator) ValidatePod ¶
func (v *Validator) ValidatePod(ctx context.Context, p *duckv1.Pod) *apis.FieldError
ValidatePod implements duckv1.PodValidator
func (*Validator) ValidatePodScalable ¶
func (v *Validator) ValidatePodScalable(ctx context.Context, ps *policyduckv1beta1.PodScalable) *apis.FieldError
ValidatePodScalable implements policyduckv1beta1.PodScalableValidator. It is very similar to ValidatePodSpecable, but allows spec.replicas to be decremented without re-validating the images. This lets an operator scale down a workload that is already running a non-compliant image (for example after a policy was tightened), which would otherwise be forbidden; scaling up is validated like any other change, so the exception cannot be used to start additional copies of a non-compliant image.
func (*Validator) ValidatePodSpecable ¶
func (v *Validator) ValidatePodSpecable(ctx context.Context, wp *duckv1.WithPod) *apis.FieldError
ValidatePodSpecable implements duckv1.PodSpecValidator