
Add policy-controller annotations

Open elfotografo007 opened this issue 1 year ago • 12 comments

Summary

Add annotations to a resource with the validation results. Closes #611

Example Output

Given the following policy, and enabling the policy-controller in the namespace my-secure-namespace:

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-policy
spec:
  images:
  - glob: "gcr.io/projectsigstore/cosign*"
  authorities:
  - name: official-cosign-key
    key:
      data: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
        IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
        -----END PUBLIC KEY-----

Creating a pod with kubectl run cosign --image=gcr.io/projectsigstore/cosign:v1.2.1 --dry-run=server -n my-secure-namespace -o yaml will generate the following annotation:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    policy.sigstore.dev/policy-controller-results: '{"containerResults":[{"index":0,"name":"cosign","image":"gcr.io/projectsigstore/cosign@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498","field":"containers","result":"allow","resultMsg":"Validated 1 policies for image gcr.io/projectsigstore/cosign@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498","policyResults":{"image-policy":{"authorityMatches":{"official-cosign-key":{"signatures":[{"id":"fe11e4e3fc2d0b19518341289fabcb3d36102308bf8b5d773a2eefd1251df086"},{"id":"9da9bce3022befe4f55e9dea0680a2ae48141570c98df6c541c557fa533fe2f1"}]}}}}}]}'
  creationTimestamp: "2023-04-13T16:56:25Z"
  labels:
    run: cosign
  name: cosign
  namespace: my-secure-namespace
...

The annotations are in JSON format.

Release Note

Added annotations to validated resources.

Documentation

Docs PR

elfotografo007 avatar Apr 13 '23 18:04 elfotografo007
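The annotation in the example output is the only artifact a consumer of an admitted Pod gets back, so it is worth seeing how a defender would read it rather than trust its presence. The following Go program is an added example, not code from this PR or from policy-controller: it embeds the annotation value from the example output above as sample input, decodes it with a struct shape inferred from that JSON (the struct names and the `SampleAnnotation` constant are this example's own assumptions, not the project's types), and treats a missing annotation, a non-"allow" result, a container with no matching policy, or an image that is not digest-pinned as "not verified".

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AnnotationKey is the annotation key shown in the example output above.
const AnnotationKey = "policy.sigstore.dev/policy-controller-results"

// SampleAnnotation is the annotation value from the PR description, embedded
// here as sample input (constructed test data for this example).
const SampleAnnotation = `{"containerResults":[{"index":0,"name":"cosign","image":"gcr.io/projectsigstore/cosign@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498","field":"containers","result":"allow","resultMsg":"Validated 1 policies for image gcr.io/projectsigstore/cosign@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498","policyResults":{"image-policy":{"authorityMatches":{"official-cosign-key":{"signatures":[{"id":"fe11e4e3fc2d0b19518341289fabcb3d36102308bf8b5d773a2eefd1251df086"},{"id":"9da9bce3022befe4f55e9dea0680a2ae48141570c98df6c541c557fa533fe2f1"}]}}}}}]}`

// The structs below are an assumed Go shape inferred from that JSON; they are
// not the project's own types.
type Signature struct {
	ID string `json:"id"`
}

type AuthorityMatch struct {
	Signatures []Signature `json:"signatures"`
}

type PolicyResult struct {
	AuthorityMatches map[string]AuthorityMatch `json:"authorityMatches"`
}

type ContainerResult struct {
	Index         int                     `json:"index"`
	Name          string                  `json:"name"`
	Image         string                  `json:"image"`
	Field         string                  `json:"field"`
	Result        string                  `json:"result"`
	ResultMsg     string                  `json:"resultMsg"`
	PolicyResults map[string]PolicyResult `json:"policyResults"`
}

type Results struct {
	ContainerResults []ContainerResult `json:"containerResults"`
}

// ParseResults reads the annotation out of a Pod's metadata.annotations map.
// A missing key is an error: absence of the annotation must not read as "allowed".
func ParseResults(annotations map[string]string) (*Results, error) {
	raw, ok := annotations[AnnotationKey]
	if !ok {
		return nil, errors.New("annotation " + AnnotationKey + " not present")
	}
	var r Results
	if err := json.Unmarshal([]byte(raw), &r); err != nil {
		return nil, fmt.Errorf("decoding %s: %w", AnnotationKey, err)
	}
	return &r, nil
}

// AllAllowed is true only if every container has result "allow", was matched
// by at least one policy, and its image is pinned to a digest (what was
// verified is what will run).
func AllAllowed(r *Results) bool {
	if r == nil || len(r.ContainerResults) == 0 {
		return false
	}
	for _, c := range r.ContainerResults {
		if c.Result != "allow" || len(c.PolicyResults) == 0 || !strings.Contains(c.Image, "@sha256:") {
			return false
		}
	}
	return true
}

// SignatureIDs lists the signature ids recorded for one policy/authority pair
// on the container at position idx (nil if nothing matched).
func SignatureIDs(r *Results, idx int, policy, authority string) []string {
	if r == nil || idx < 0 || idx >= len(r.ContainerResults) {
		return nil
	}
	pr, ok := r.ContainerResults[idx].PolicyResults[policy]
	if !ok {
		return nil
	}
	var ids []string
	for _, s := range pr.AuthorityMatches[authority].Signatures {
		ids = append(ids, s.ID)
	}
	return ids
}

func main() {
	pod := map[string]string{AnnotationKey: SampleAnnotation} // stands in for pod.metadata.annotations
	r, err := ParseResults(pod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("all allowed:", AllAllowed(r))
	fmt.Println("signatures:", SignatureIDs(r, 0, "image-policy", "official-cosign-key"))
}
```

The digest check matters because of the point raised later in the thread: the annotation is written from one evaluation and the admission decision comes from another, so a consumer should at least confirm that the image recorded in the annotation is the same digest-pinned reference the Pod spec carries.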

Codecov Report

Attention: Patch coverage is 65.26316% with 99 lines in your changes missing coverage. Please review.

Project coverage is 55.94%. Comparing base (4b62311) to head (93ed0c1). Report is 1049 commits behind head on main.

Files with missing lines | Patch % | Lines
pkg/webhook/validator.go | 66.41% | 77 Missing and 11 partials
cmd/webhook/main.go | 0.00% | 11 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #732      +/-   ##
==========================================
+ Coverage   55.37%   55.94%   +0.57%     
==========================================
  Files          45       45              
  Lines        4791     5069     +278     
==========================================
+ Hits         2653     2836     +183     
- Misses       1934     2018      +84     
- Partials      204      215      +11     


codecov[bot] avatar Apr 13 '23 19:04 codecov[bot]

@elfotografo007 Let me know if you have any questions or need help.

hectorj2f avatar May 02 '23 18:05 hectorj2f

@hectorj2f Can you re-run the tests? I believe they failed due to a GH outage.

elfotografo007 avatar May 16 '23 15:05 elfotografo007

@elfotografo007 Done

hectorj2f avatar May 16 '23 18:05 hectorj2f

Thanks, @hectorj2f. Everything is passing now 😃

elfotografo007 avatar May 17 '23 13:05 elfotografo007

Just to make sure I understand, does this mean that we run through the policy evaluations twice if the annotations are enabled? Once during defaulting (and that's when the annotation gets applied), and again, once all the defaultings are done and the actual admission check happens, we run through the same evaluations? If that's the case it creates 2x the load on registries, but more importantly there is a chance that what gets written to the annotation is not what gets evaluated. Just wanted to check my understanding.

vaikas avatar May 24 '23 22:05 vaikas

You are totally right, everything you are mentioning is what is happening. Is there a way to evaluate and create annotations at the same time?

elfotografo007 avatar May 26 '23 14:05 elfotografo007

> You are totally right, everything you are mentioning is what is happening. Is there a way to evaluate and create annotations at the same time?

I don't believe so, in the sense that you want to do the admission and create the annotations at the same time. I thought there was a way to return more information along with the admission webhook response. It really depends on what behaviour we want to provide.

One option I was thinking of was using the 'AuditAnnotations' from here: https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionResponse

vaikas avatar May 30 '23 18:05 vaikas

Looking forward to this feature 🤞🏻

evenh avatar Jul 03 '23 11:07 evenh

@elfotografo007 Do you have any update about this one? Are you still working on these changes? :)

hectorj2f avatar Jul 03 '23 11:07 hectorj2f

@elfotografo007 @hectorj2f Did someone look at this part of the admission controller documentation, where you could do a JSON Patch to an admitted object? I really need this feature, so I tried looking in the code where a response is returned but didn't manage to understand it.

Basically, Base64-encoding this [{"op": "add", "path": "/spec/replicas", "value": 3}], for example:

{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "response": {
    "uid": "<value from request.uid>",
    "allowed": true,
    "patchType": "JSONPatch",
    "patch": "W3sib3AiOiAiYWRkIiwgInBhdGgiOiAiL3NwZWMvcmVwbGljYXMiLCAidmFsdWUiOiAzfV0="
  }
}

ElementTech avatar Aug 31 '23 15:08 ElementTech
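The two mechanisms discussed in this thread (the AuditAnnotations field vaikas mentions, and the JSONPatch response ElementTech quotes) can sit in the same AdmissionResponse, and each has a trap worth seeing in code: an annotation key such as policy.sigstore.dev/policy-controller-results contains a "/" and must be escaped per RFC 6901 before it is used in a JSON Pointer, and an "add" op on /metadata/annotations/<key> fails when the object has no annotations map yet. The program below is an added example, not code from policy-controller or from anyone in this thread: it decodes the base64 patch quoted above, builds a response carrying both a patch and audit annotations, and round-trips the patch so it can be inspected. The AdmissionReview and AdmissionResponse structs are trimmed-down mirrors of the wire shape written for this example (only the fields used here; the real k8s.io/api types are not imported), and "uid-placeholder" stands in for the request's uid.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// PatchFromComment is the base64 patch quoted in the comment above.
const PatchFromComment = "W3sib3AiOiAiYWRkIiwgInBhdGgiOiAiL3NwZWMvcmVwbGljYXMiLCAidmFsdWUiOiAzfV0="

// PatchOp is one RFC 6902 JSON Patch operation.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// AdmissionResponse and AdmissionReview are assumed, trimmed-down mirrors of
// the admission.k8s.io/v1 wire shape (only the fields this example uses), not
// the k8s.io/api types. Patch is kept in its base64 string form, which is how
// the field appears on the wire.
type AdmissionResponse struct {
	UID              string            `json:"uid"`
	Allowed          bool              `json:"allowed"`
	PatchType        string            `json:"patchType,omitempty"`
	Patch            string            `json:"patch,omitempty"`
	AuditAnnotations map[string]string `json:"auditAnnotations,omitempty"`
}

type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Response   *AdmissionResponse `json:"response"`
}

// EscapePointer applies RFC 6901 escaping so an annotation key containing "/"
// addresses one map entry instead of a nested path.
func EscapePointer(key string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(key)
}

// AnnotationPatch returns the ops that add one annotation. "add" on
// /metadata/annotations/<key> requires the annotations map to exist already,
// so when the object has none the op creates the map with the entry inside it.
func AnnotationPatch(hasAnnotations bool, key, value string) []PatchOp {
	if !hasAnnotations {
		return []PatchOp{{Op: "add", Path: "/metadata/annotations", Value: map[string]string{key: value}}}
	}
	return []PatchOp{{Op: "add", Path: "/metadata/annotations/" + EscapePointer(key), Value: value}}
}

// BuildReview assembles an allowing response carrying both a JSONPatch (which
// mutates the object) and auditAnnotations (recorded in the audit log, not on
// the object).
func BuildReview(uid string, ops []PatchOp, audit map[string]string) (*AdmissionReview, error) {
	raw, err := json.Marshal(ops)
	if err != nil {
		return nil, err
	}
	return &AdmissionReview{
		APIVersion: "admission.k8s.io/v1",
		Kind:       "AdmissionReview",
		Response: &AdmissionResponse{
			UID:              uid,
			Allowed:          true,
			PatchType:        "JSONPatch",
			Patch:            base64.StdEncoding.EncodeToString(raw),
			AuditAnnotations: audit,
		},
	}, nil
}

// DecodePatch reverses the wire encoding and returns both the raw JSON text and
// the parsed ops, so a reviewer can check exactly what a webhook would mutate.
func DecodePatch(b64 string) (string, []PatchOp, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", nil, err
	}
	var ops []PatchOp
	if err := json.Unmarshal(raw, &ops); err != nil {
		return "", nil, err
	}
	return string(raw), ops, nil
}

func main() {
	text, ops, err := DecodePatch(PatchFromComment)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(text, "->", ops[0].Op, ops[0].Path, ops[0].Value)

	key := "policy.sigstore.dev/policy-controller-results"
	ops = AnnotationPatch(false, key, `{"containerResults":[]}`) // object without an annotations map
	review, _ := BuildReview("uid-placeholder", ops, map[string]string{"policy-controller-results": "evaluated"})
	out, _ := json.MarshalIndent(review, "", "  ")
	fmt.Println(string(out))
}
```

The design point the round-trip makes visible: a patch in the response is applied to the object being admitted, while auditAnnotations only reach the API server audit log, so the patch route answers "what does the Pod say about itself" and the audit route answers "what did the webhook decide", and only the latter avoids the second-evaluation mismatch vaikas raises.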

@ElementTech no, we didn't. How do you want to use it?

hectorj2f avatar Sep 03 '23 05:09 hectorj2f