# Kyverno ClusterPolicy: on Pod CREATE/UPDATE in the test-venafi namespace, POST the
# pod's image references to the kyverno-notation-venafi service over TLS and apply
# the JSON 6902 patches it returns (see the `mutate` rule at the bottom). Signature
# and attestation verification happens inside that service, not in this policy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-venafi
spec:
  # validationFailureAction governs validate rules; this policy has only a mutate
  # rule, so the fail-closed behaviour comes from failurePolicy below, not from here.
  validationFailureAction: Enforce
  # Fail closed: if the webhook errors or times out (including the service call in
  # the context below), the admission request is rejected instead of admitting an
  # unverified pod.
  failurePolicy: Fail
  # The Secret lookup plus the service call must finish within this budget (30s is
  # the Kubernetes upper bound for admission webhooks); slow signature/SBOM fetches
  # in the service surface as rejected pod creations.
  webhookTimeoutSeconds: 30
  # Disables Kyverno's schema validation of the mutated resource. NOTE(review): this
  # weakens the check on patches supplied by the external service; confirm it is
  # still required by the Kyverno version in use.
  schemaValidation: false
  rules:
    - name: call-venafi-signer-extension
      # Scope: only Pods in test-venafi. Pods in every other namespace are not
      # verified by this policy.
      match:
        any:
          - resources:
              namespaces:
                - test-venafi
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      context:
        # Fetch the service's serving certificate (tls.crt) from its Secret through
        # the Kubernetes API; Kyverno's service account needs `get` on that Secret.
        # The decoded PEM becomes the caBundle below, pinning trust to this cert.
        - name: tlscerts
          apiCall:
            urlPath: "/api/v1/namespaces/kyverno-notation-venafi/secrets/svc.kyverno-notation-venafi.svc.tls-pair"
            jmesPath: "base64_decode( data.\"tls.crt\" )"
        # POST the verification request to the extension service and keep its reply
        # as `response` for the mutate step.
        - name: response
          apiCall:
            method: POST
            data:
              # Kyverno's `images` variable: the image references found in the pod.
              - key: images
                value: "{{images}}"
              # Name of the notation trust policy the service verifies against.
              - key: trustPolicy
                value: "tp-venafi-test-notation"
              # Pod annotation forwarded as-is. Whoever creates the pod controls this
              # value, so the service must treat it as untrusted input. Falls back to
              # '' when the annotation is absent.
              - key: metadata
                value: "{{ request.object.metadata.annotations.\"kyverno-notation-venafi.io/verify-images\" || '' }}"
              # Attestation checks the service evaluates for every image ("*").
              - key: attestations
                value:
                  - imageReference: "*"
                    type:
                      - name: sbom/example
                        conditions:
                          all:
                            # The leading backslash stops Kyverno from substituting
                            # this expression; it is sent literally for the service
                            # to evaluate against the SBOM (presumably as JMESPath).
                            - key: \{{components[?name=='busybox'].version}}
                              operator: AllIn
                              # Quoted so "3.17" stays a string, not the float 3.17.
                              value: [ "3.17", "1.36.1-r2"]
                              message: unsupported busybox version
            service:
              # NOTE(review): bare service name with no namespace/cluster suffix.
              # Resolution depends on the DNS search path of the Kyverno pod, and the
              # name must match a SAN in the tls.crt fetched above or the TLS
              # handshake fails (which, with failurePolicy: Fail, rejects the pod).
              url: https://svc.kyverno-notation-venafi/checkimages
              # Pinned to the service's own certificate rather than the cluster CA.
              caBundle: '{{ tlscerts }}'
      # Trust boundary: every entry in response.results is applied to the pod as a
      # JSON 6902 patch exactly as returned. The service can therefore change any
      # pod field; its integrity rests on the TLS pinning above and on the RBAC
      # protecting the Secret that holds the pinned certificate.
      mutate:
        foreach:
          - list: "response.results"
            patchesJson6902: |-
              - path: '{{ element.path }}'
                op: '{{ element.op }}'
                value: '{{ element.value }}'
# Demo image references used with this policy:
# SIGNED IMAGE: ghcr.io/nirmata/kyverno-notation-venafi-demo:signed
# UNSIGNED IMAGE: ghcr.io/nirmata/kyverno-notation-venafi-demo:unsigned
# SBOM LAYER: ghcr.io/nirmata/kyverno-notation-venafi-demo:signed@sha256:4beaa3137602bf1a256355a1b7f0bd49b9079ea5041d249ce6362142c0fd031a