[Bug] Verify Image with Multiple Keys
Kyverno Version
1.7.x
Kubernetes Version
1.23.x
Kubernetes Platform
K3d
Description
The Verify Images with Multiple Keys policy, as it's written currently, doesn't work and from my testing I don't see how it's possible to make it work in the current implementation of verifyImages rules. For reference, this is the current policy which as of this PR has been replaced:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-with-multi-keys
  annotations:
    policies.kyverno.io/title: Verify Image with Multiple Keys
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.5.0
    policies.kyverno.io/description: >-
      There may be multiple keys used to sign images based on
      the parties involved in the creation process. This image
      verification policy looks like a global key in a ConfigMap
      and also an image-specific key in the same ConfigMap.
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: check-image-with-two-keys
    match:
      any:
      - resources:
          kinds:
          - Pod
    context:
    - name: keys
      configMap:
        name: keys
        namespace: default
    verifyImages:
    # check global key
    - image: "*"
      key: "{{ keys.data.org }}"
    # check image specific key - lookup via image name
    - image: "ghcr.io/kyverno/*"
      key: "{{ keys.data.{{ images.name }} }}"
```
Steps to reproduce
The problem with this policy is in the nested JMESPath lookup {{images.name}}. Firstly, this isn't the correct path using the pre-built variables from container images. The correct path would be images.containers.*.name. However, the problem in using this is the return type will be array/string. Even if that gets piped to [0] to select the first entry, it's problematic. The lookup for the second key will work, but obviously only for the first container in a Pod. I don't see how it's possible to iterate over all images in a Pod with the current functionality because foreach isn't implemented in verifyImages.
Expected behavior
Some method to iteratively loop over all images in a Pod, regardless of which type of container in which they're specified, and fetch the corresponding key from a ConfigMap.
Screenshots
No response
Kyverno logs
No response
Slack discussion
https://kubernetes.slack.com/archives/CLGR9BJU9/p1659947828853659
Troubleshooting
- [X] I have read and followed the documentation AND the troubleshooting guide.
- [X] I have searched other issues in this repository and mine is not recorded.
@JimBugwadia can you look at this and comment?
The variable path should be {{ image.name }}.
The images variable contains all images as specified in the docs: https://main.kyverno.io/docs/writing-policies/variables/#variables-from-container-images.
The image verification rule additionally adds an image variable, as each image is processed. This does not seem to be documented, so something we should add to the docs.
This fails to create, throwing an "invalid variables" error:

```yaml
verifyImages:
# check global key
- image: "*"
  key: "{{ keys.data.org }}"
# check image specific key - lookup via image name
- image: "ghcr.io/chipzoller/*"
  key: "{{ keys.data.{{image.name}}}}"
```

```text
Error from server: error when creating "multi.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: policy contains invalid variables: variable substitution failed for rule check-image-with-two-keys: variable image.name must match regex "request\.|serviceAccountName|serviceAccountNamespace|element|elementIndex|@|images\.|target\.|([a-z_0-9]+\()[^{}]" or patterns [keys.data.*]
```
Is this specified correctly? If so, bug?
Yes, image should be allowed.
Logged kyverno/kyverno#443
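The following is an added Python illustration, not Kyverno's code, of the two points raised in this thread: why `image.name` is rejected by the variable check quoted in the admission error above (the regex allows `images\.` but nothing matches a bare `image.` prefix, and the only context pattern is `keys.data.*`), and what the issue's expected behaviour (look up a global key plus an image-specific key for every container, whatever its type) amounts to when written out. It assumes the regex is applied unanchored and that context names are matched as shell-style wildcards (`fnmatch`); the `images` variable and ConfigMap data are constructed samples shaped like Kyverno's documented container-image variables.

```python
import re
from fnmatch import fnmatchcase

# Regex quoted verbatim from the admission error in the thread above.
ALLOWED_VARIABLE_REGEX = re.compile(
    r"request\.|serviceAccountName|serviceAccountNamespace|element|elementIndex"
    r"|@|images\.|target\.|([a-z_0-9]+\()[^{}]"
)

# Patterns derived from the rule's context entries (the "keys" ConfigMap),
# as listed in the error message. Wildcard matching is an assumption here.
CONTEXT_PATTERNS = ["keys.data.*"]

# Matches the innermost {{ ... }} reference (no braces inside the body).
VARIABLE_REF = re.compile(r"\{\{([^{}]*)\}\}")


def is_allowed(variable):
    """True if a variable name would pass the check quoted in the error."""
    if ALLOWED_VARIABLE_REGEX.search(variable):
        return True
    return any(fnmatchcase(variable, p) for p in CONTEXT_PATTERNS)


def innermost_variables(template):
    """Return the innermost {{ ... }} references in a template string."""
    return [m.group(1).strip() for m in VARIABLE_REF.finditer(template)]


def validate_template(template, resolved=None):
    """Check every variable reference in a template, innermost first.

    Nested references such as {{ keys.data.{{image.name}} }} are resolved
    inside-out: each inner reference is checked, then substituted with its
    value from `resolved` (a constructed mapping) so the enclosing reference
    can be checked as it would look after substitution.
    Returns a list of (variable, allowed) tuples in check order.
    """
    resolved = resolved or {}
    results = []
    text = template
    while True:
        refs = innermost_variables(text)
        if not refs:
            return results
        for ref in refs:
            results.append((ref, is_allowed(ref)))
        text = VARIABLE_REF.sub(
            lambda m: resolved.get(m.group(1).strip(), "UNRESOLVED"), text
        )


def check_rule_keys(key_templates, resolved=None):
    """Map each verifyImages key template to the variables that fail the check."""
    return {
        k: [v for v, ok in validate_template(k, resolved) if not ok]
        for k in key_templates
    }


# Constructed sample shaped like Kyverno's images variable:
# images.<containerType>.<containerName>.{registry,name,tag,...}
IMAGES_VARIABLE = {
    "initContainers": {
        "init": {"registry": "ghcr.io", "name": "init", "tag": "v1"},
    },
    "containers": {
        "app": {"registry": "ghcr.io", "name": "kyverno", "tag": "v1.7.0"},
        "sidecar": {"registry": "ghcr.io", "name": "sidecar", "tag": "v1"},
    },
}


def keys_for_pod(images, configmap_data):
    """Resolve the global key and an image-specific key for every container.

    This is the iteration the issue asks for, written in plain Python; the
    policy language cannot express it in verifyImages without foreach.
    A missing image-specific entry yields None so the caller can decide
    whether the global key alone is acceptable.
    """
    out = {}
    for container_type, containers in images.items():
        for cname, img in containers.items():
            out[f"{container_type}/{cname}"] = {
                "global": configmap_data.get("org"),
                "specific": configmap_data.get(img["name"]),
            }
    return out


if __name__ == "__main__":
    templates = ["{{ keys.data.org }}", "{{ keys.data.{{image.name}}}}"]
    print(check_rule_keys(templates, {"image.name": "kyverno"}))
    print(keys_for_pod(IMAGES_VARIABLE, {"org": "ORG-KEY", "kyverno": "KYVERNO-KEY"}))
```

Running it reports `image.name` as the only failing variable for the second template, while `images.containers.*.name` passes purely because the regex contains `images\.`; the second function shows the per-container result the policy would need to produce for all three containers, including the init container.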