feat: add image registry to context
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
eddycharly committed Oct 2, 2023
1 parent b26d4cd commit 3563ba2
Showing 14 changed files with 153 additions and 32 deletions.
63 changes: 53 additions & 10 deletions config/crds/json.kyverno.io_policies.yaml
Expand Up @@ -44,6 +44,50 @@ spec:
description: ContextEntry adds variables and data sources
to a rule Context.
properties:
imageRegistry:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry.
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry.
type: boolean
providers:
description: 'Providers specifies a list of OCI
Registry names, whose authentication providers
are provided. It can be of one of these values:
AWS, ACR, GCP, GHCR.'
items:
description: ImageRegistryCredentialsProvider
provides the list of credential providers
required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials. Secrets must
live in the Kyverno namespace.
items:
type: string
type: array
type: object
reference:
description: 'Reference is image reference to a container
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
type: string
required:
- reference
type: object
name:
description: Name is the variable name.
type: string
Expand All @@ -52,8 +96,7 @@ spec:
variable that can be defined inline.
properties:
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
description: Value is any arbitrary object.
x-kubernetes-preserve-unknown-fields: true
type: object
required:
Expand All @@ -68,10 +111,10 @@ spec:
properties:
all:
description: All allows specifying resources which will
be ANDed
be ANDed.
items:
description: ResourceFilter allow users to "AND" or "OR"
between resources
between resources.
properties:
resource:
description: ResourceDescription contains information
Expand All @@ -82,10 +125,10 @@ spec:
type: array
any:
description: Any allows specifying resources which will
be ORed
be ORed.
items:
description: ResourceFilter allow users to "AND" or "OR"
between resources
between resources.
properties:
resource:
description: ResourceDescription contains information
Expand All @@ -104,10 +147,10 @@ spec:
properties:
all:
description: All allows specifying resources which will
be ANDed
be ANDed.
items:
description: ResourceFilter allow users to "AND" or "OR"
between resources
between resources.
properties:
resource:
description: ResourceDescription contains information
Expand All @@ -118,10 +161,10 @@ spec:
type: array
any:
description: Any allows specifying resources which will
be ORed
be ORed.
items:
description: ResourceFilter allow users to "AND" or "OR"
between resources
between resources.
properties:
resource:
description: ResourceDescription contains information
3 changes: 3 additions & 0 deletions pkg/apis/v1alpha1/context_entry.go
Expand Up @@ -7,4 +7,7 @@ type ContextEntry struct {

// Variable defines an arbitrary JMESPath context variable that can be defined inline.
Variable *Variable `json:"variable,omitempty"`

// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details.
ImageRegistry *ImageRegistry `json:"imageRegistry,omitempty"`
}
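Review bot: Nothing in the new field or the generated CRD stops a ContextEntry from setting both `variable` and `imageRegistry`, or neither, so whichever component evaluates the entry has to decide precedence at runtime; whether it rejects that case is not visible in this commit. The doc comment on the added field should spell the contract out, e.g. `// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. At most one of Variable and ImageRegistry should be set in a single entry.` If the intent is to enforce it, a CEL or webhook check would be the place, since `omitempty` pointers alone cannot express mutual exclusion. The ContextEntry struct opens outside this hunk.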
11 changes: 11 additions & 0 deletions pkg/apis/v1alpha1/image_registry.go
@@ -0,0 +1,11 @@
package v1alpha1

// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details.
type ImageRegistry struct {
// Reference is image reference to a container image in the registry.
// Example: ghcr.io/kyverno/kyverno:latest
Reference string `json:"reference"`

// ImageRegistryCredentials provides credentials that will be used for authentication with registry.
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty"`
}
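Review bot: `Reference` is the only required field, but it carries no validation marker, so an empty string satisfies the generated CRD's `required` list and the failure only surfaces when the registry request is built. Adding `// +kubebuilder:validation:MinLength=1` above the field rejects that at admission; a stricter image-reference pattern may be worth it if the project already validates references elsewhere. The example `ghcr.io/kyverno/kyverno:latest` also points at a mutable tag, and since the fetched details feed policy evaluation, the comment should note that a digest reference (`name@sha256:...`) is what makes the fetched data reproducible across evaluations.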
14 changes: 14 additions & 0 deletions pkg/apis/v1alpha1/image_registry_credentials.go
@@ -0,0 +1,14 @@
package v1alpha1

type ImageRegistryCredentials struct {
// AllowInsecureRegistry allows insecure access to a registry.
AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty"`

// Providers specifies a list of OCI Registry names, whose authentication providers are provided.
// It can be of one of these values: AWS, ACR, GCP, GHCR.
Providers []ImageRegistryCredentialsProvider `json:"providers,omitempty"`

// Secrets specifies a list of secrets that are provided for credentials.
// Secrets must live in the Kyverno namespace.
Secrets []string `json:"secrets,omitempty"`
}
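Review bot: The `Providers` doc comment lists `AWS, ACR, GCP, GHCR`, but the enum on ImageRegistryCredentialsProvider accepts `default, amazon, azure, google, github`, so the comment (and the CRD description controller-gen copies from it) names values a user cannot actually write. Replace it with `// It can be one of: default, amazon, azure, google, github.` `AllowInsecureRegistry` is a security-relevant switch whose comment does not say what "insecure" covers (plain HTTP, skipped TLS verification, or both — not visible here); it should, along the lines of `// AllowInsecureRegistry allows insecure access to a registry (e.g. plain HTTP / no TLS verification); only enable for trusted, non-production registries.` once confirmed against the fetch code. The exported type itself has no doc comment, e.g. `// ImageRegistryCredentials provides credentials that will be used for authentication with registry.` Finally, "Secrets must live in the Kyverno namespace" reads as a claim inherited from Kyverno proper; if this project resolves secrets differently (or runs outside a cluster), the sentence should be adjusted to how secrets are actually looked up.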
13 changes: 13 additions & 0 deletions pkg/apis/v1alpha1/image_registry_credentials_provider.go
@@ -0,0 +1,13 @@
package v1alpha1

// ImageRegistryCredentialsProvider provides the list of credential providers required.
// +kubebuilder:validation:Enum=default;amazon;azure;google;github
type ImageRegistryCredentialsProvider string

const (
DEFAULT ImageRegistryCredentialsProvider = "default"
AWS ImageRegistryCredentialsProvider = "amazon"
ACR ImageRegistryCredentialsProvider = "azure"
GCP ImageRegistryCredentialsProvider = "google"
GHCR ImageRegistryCredentialsProvider = "github"
)
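Review bot: The exported constants use ALL_CAPS names (`DEFAULT`, `AWS`, `ACR`, `GCP`, `GHCR`) that do not follow Go's MixedCaps convention, and several do not match their string values (`ACR` is `"azure"`, `GCP` is `"google"`), which will confuse anyone grepping for the enum value; none carries a doc comment either. Since this commit introduces the file, renaming now is cheap — no other users are visible in the diff, though callers elsewhere should be checked. A type-prefixed set keeps the names aligned with the values:

```go
// Credential providers accepted in ImageRegistryCredentials.Providers;
// the string values are the ones validated by the kubebuilder enum above.
const (
	ProviderDefault ImageRegistryCredentialsProvider = "default"
	ProviderAmazon  ImageRegistryCredentialsProvider = "amazon"
	ProviderAzure   ImageRegistryCredentialsProvider = "azure"
	ProviderGoogle  ImageRegistryCredentialsProvider = "google"
	ProviderGitHub  ImageRegistryCredentialsProvider = "github"
)
```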
4 changes: 2 additions & 2 deletions pkg/apis/v1alpha1/match_resources.go
@@ -1,11 +1,11 @@
package v1alpha1

type MatchResources struct {
// Any allows specifying resources which will be ORed
// Any allows specifying resources which will be ORed.
// +optional
Any ResourceFilters `json:"any,omitempty"`

// All allows specifying resources which will be ANDed
// All allows specifying resources which will be ANDed.
// +optional
All ResourceFilters `json:"all,omitempty"`
}
3 changes: 1 addition & 2 deletions pkg/apis/v1alpha1/policy_spec.go
@@ -1,7 +1,6 @@
package v1alpha1

type PolicySpec struct {
// Rules is a list of Rule instances. A Policy contains multiple rules and
// each rule can validate, mutate, or generate resources.
// Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.
Rules []Rule `json:"rules,omitempty"`
}
2 changes: 1 addition & 1 deletion pkg/apis/v1alpha1/resource_filter.go
@@ -1,6 +1,6 @@
package v1alpha1

// ResourceFilter allow users to "AND" or "OR" between resources
// ResourceFilter allow users to "AND" or "OR" between resources.
type ResourceFilter struct {
// ResourceDescription contains information about the resource being created or modified.
// +kubebuilder:validation:Type=object
2 changes: 1 addition & 1 deletion pkg/apis/v1alpha1/resource_filters.go
@@ -1,4 +1,4 @@
package v1alpha1

// ResourceFilters is a slice of ResourceFilter
// ResourceFilters is a slice of ResourceFilter.
type ResourceFilters []ResourceFilter
3 changes: 0 additions & 3 deletions pkg/apis/v1alpha1/rule.go
Expand Up @@ -6,7 +6,6 @@ type Rule struct {
Name string `json:"name"`

// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []ContextEntry `json:"context,omitempty"`

// MatchResources defines when this policy rule should be applied. The match
Expand All @@ -18,10 +17,8 @@ type Rule struct {
// ExcludeResources defines when this policy rule should not be applied. The exclude
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the name or role.
// +optional
ExcludeResources *MatchResources `json:"exclude,omitempty"`

// Validation is used to validate matching resources.
// +optional
Validation *Validation `json:"validate,omitempty"`
}
1 change: 0 additions & 1 deletion pkg/apis/v1alpha1/validation.go
Expand Up @@ -3,7 +3,6 @@ package v1alpha1
// Validation defines checks to be performed on matching resources.
type Validation struct {
// Message specifies a custom message to be displayed on failure.
// +optional
Message string `json:"message,omitempty"`

// Pattern specifies an overlay-style pattern used to check resources.
2 changes: 1 addition & 1 deletion pkg/apis/v1alpha1/variable.go
Expand Up @@ -2,7 +2,7 @@ package v1alpha1

// Variable defines an arbitrary JMESPath context variable that can be defined inline.
type Variable struct {
// Value is any arbitrary JSON object representable in YAML or JSON form.
// Value is any arbitrary object.
// +kubebuilder:pruning:PreserveUnknownFields
// +kubebuilder:validation:Schemaless
Value interface{} `json:"value,omitempty"`
63 changes: 53 additions & 10 deletions pkg/data/crds/json.kyverno.io_policies.yaml
Expand Up @@ -44,6 +44,50 @@ spec:
description: ContextEntry adds variables and data sources
to a rule Context.
properties:
imageRegistry:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry.
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry.
type: boolean
providers:
description: 'Providers specifies a list of OCI
Registry names, whose authentication providers
are provided. It can be of one of these values:
AWS, ACR, GCP, GHCR.'
items:
description: ImageRegistryCredentialsProvider
provides the list of credential providers
required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials. Secrets must
live in the Kyverno namespace.
items:
type: string
type: array
type: object
reference:
description: 'Reference is image reference to a container
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
type: string
required:
- reference
type: object
name:
description: Name is the variable name.
type: string
Expand All @@ -52,8 +96,7 @@ spec:
variable that can be defined inline.
properties:
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
description: Value is any arbitrary object.
x-kubernetes-preserve-unknown-fields: true
type: object
required:
Expand All @@ -68,10 +111,10 @@ spec:
properties:
all:
description: All allows specifying resources which will
be ANDed
be ANDed.
items:
description: ResourceFilter allow users to "AND" or "OR"
between resources
between resources.
properties:
resource:
description: ResourceDescription contains information
Expand All @@ -82,10 +125,10 @@ spec:
type: array
any:
description: Any allows specifying resources which will
be ORed
be ORed.
items:
description: ResourceFilter allow users to "AND" or "OR"
between resources
between resources.
properties:
resource:
description: ResourceDescription contains information
Expand All @@ -104,10 +147,10 @@ spec:
properties:
all:
description: All allows specifying resources which will
be ANDed
be ANDed.
items:
description: ResourceFilter allow users to "AND" or "OR"
between resources
between resources.
properties:
resource:
description: ResourceDescription contains information
Expand All @@ -118,10 +161,10 @@ spec:
type: array
any:
description: Any allows specifying resources which will
be ORed
be ORed.
items:
description: ResourceFilter allow users to "AND" or "OR"
between resources
between resources.
properties:
resource:
description: ResourceDescription contains information
1 change: 0 additions & 1 deletion pkg/engine/engine.go
Expand Up @@ -3,7 +3,6 @@ package engine
// TODO:
// - tracing
// - explain
// - assertion tree

type Engine[TREQUEST any, TRESPONSE any] interface {
Run(TREQUEST) []TRESPONSE