-
Notifications
You must be signed in to change notification settings - Fork 521
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add API for ImagePolicy CRD Signed-off-by: Qi Wang <[email protected]>
- Loading branch information
Showing
6 changed files
with
887 additions
and
0 deletions.
There are no files selected for viewing
136 changes: 136 additions & 0 deletions
136
config/v1alpha1/0000_10_config-operator_01_imagepolicy.crd.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,136 @@ | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
api-approved.openshift.io: https://github.com/openshift/api/pull/1457 | ||
include.release.openshift.io/ibm-cloud-managed: "true" | ||
include.release.openshift.io/self-managed-high-availability: "true" | ||
include.release.openshift.io/single-node-developer: "true" | ||
release.openshift.io/feature-set: TechPreviewNoUpgrade | ||
name: imagepolicy.config.openshift.io | ||
spec: | ||
group: config.openshift.io | ||
names: | ||
kind: ImagePolicy | ||
listKind: ImagePolicyList | ||
plural: imagepolicies | ||
singular: imagepolicy | ||
scope: Namespaced | ||
versions: | ||
- name: v1alpha1 | ||
schema: | ||
openAPIV3Schema: | ||
description: "ImagePolicy holds namespace-wide configuration configuration for image signature verification \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support." | ||
type: object | ||
required: | ||
- spec | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: spec holds user settable values for configuration | ||
type: object | ||
required: | ||
- images | ||
properties: | ||
images: | ||
description: 'images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the "Docker Registry HTTP API V2". "images" uses one of the following scopes: - complete image name, either using a tag or digest - prefixes of individual-image scopes - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. For more information about the format, see the document about the docker transport field: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker' | ||
type: array | ||
items: | ||
description: ImageScope is the item of the images list. | ||
type: string | ||
pattern: ^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\w][\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$ | ||
x-kubernetes-list-type: set | ||
policy: | ||
description: policy defines the verification policy for the images in the images list | ||
type: object | ||
properties: | ||
keyData: | ||
description: keyData contains inline base64 data of the public key. Can be empty if the image got signed keyless. Requires OIDCIssuer and SubjectEmail to be empty. the sigstore community Fulcio instance(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem) will be used to verify the sigstore signature. the sigstore community Rekor public key(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub) will be used to verify the sigstore signature. | ||
type: string | ||
oidcIssuer: | ||
description: 'oidcIssuer contains the expected OIDC issuer. Example: "https://expected.OIDC.issuer/" subjectEmail must be set and keyData must be empty if oidcIssuer is set' | ||
type: string | ||
signedIdentity: | ||
description: signedIdentity specifies what image identity the signature. claims about the image. | ||
type: object | ||
properties: | ||
dockerRepository: | ||
description: dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to "exactReference". | ||
type: string | ||
identityMatchPolicy: | ||
description: identityMatchPolicy set the type of matching to be used. Valid values are "MatchRepository", "ExactRepository". When omitted, the default value is "MatchRepository". If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified. "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "dockerRepository". | ||
type: string | ||
enum: | ||
- MatchRepository | ||
- ExactRepository | ||
x-kubernetes-validations: | ||
- rule: 'has(self.identityMatchPolicy) && self.identityMatchPolicy == ''ExactRepository'' ? self.dockerRepository != '''' : true' | ||
message: must set dockerRepository if identityMatchPolicy is ExactRepository | ||
subjectEmail: | ||
description: 'subjectEmail holds the email address of the subject. Example: "[email protected]" oidcIssuer must be set and keyData must be empty if subjectEmail is set.' | ||
type: string | ||
x-kubernetes-validations: | ||
- rule: 'self.oidcIssuer != '''' ? (self.subjectEmail != '''' && self.keyData == '''') : true' | ||
message: subjectEmail must be set and keyData must be empty if oidcIssuer is set | ||
- rule: 'self.subjectEmail != '''' ? (self.oidcIssuer != '''' && self.keyData == '''') : true' | ||
message: oidcIssuer must be set and keyData must be empty if subjectEmail is set | ||
- rule: 'self.keyData != '''' ? (self.oidcIssuer == '''' && self.subjectEmail == '''') : true' | ||
message: cannot set both oidcIssuer and subjectEmail if keyData is set | ||
status: | ||
description: status contains the observed state of the resource. | ||
type: object | ||
properties: | ||
conditions: | ||
description: conditions provide details on the status of the gatherer job. | ||
type: array | ||
items: | ||
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" | ||
type: object | ||
required: | ||
- lastTransitionTime | ||
- message | ||
- reason | ||
- status | ||
- type | ||
properties: | ||
lastTransitionTime: | ||
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. | ||
type: string | ||
format: date-time | ||
message: | ||
description: message is a human readable message indicating details about the transition. This may be an empty string. | ||
type: string | ||
maxLength: 32768 | ||
observedGeneration: | ||
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. | ||
type: integer | ||
format: int64 | ||
minimum: 0 | ||
reason: | ||
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | ||
type: string | ||
maxLength: 1024 | ||
minLength: 1 | ||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ | ||
status: | ||
description: status of the condition, one of True, False, Unknown. | ||
type: string | ||
enum: | ||
- "True" | ||
- "False" | ||
- Unknown | ||
type: | ||
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) | ||
type: string | ||
maxLength: 316 | ||
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ | ||
policyJSON: | ||
description: policyJSON contains the whole policy applied to the namespace which got written to disk. This includes cluster-wide policies from the `openshift-config` namespace as well. | ||
type: string |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,147 @@ | ||
package v1alpha1 | ||
|
||
import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
|
||
// +genclient | ||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
|
||
// ImagePolicy holds namespace-wide configuration configuration for image signature verification | ||
// | ||
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. | ||
// +openshift:compatibility-gen:level=4 | ||
// +openshift:enable:FeatureSets=TechPreviewNoUpgrade | ||
type ImagePolicy struct { | ||
metav1.TypeMeta `json:",inline"` | ||
|
||
// metadata is the standard object's metadata. | ||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata | ||
metav1.ObjectMeta `json:"metadata,omitempty"` | ||
|
||
// spec holds user settable values for configuration | ||
// +kubebuilder:validation:Required | ||
// +required | ||
Spec ImagePolicySpec `json:"spec"` | ||
// status contains the observed state of the resource. | ||
// +optional | ||
Status ImagePolicyStatus `json:"status,omitempty"` | ||
} | ||
|
||
// ImagePolicySpec is the specification of the ImagePolicy CRD. | ||
type ImagePolicySpec struct { | ||
// images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the "Docker Registry HTTP API V2". | ||
// "images" uses one of the following scopes: | ||
// - complete image name, either using a tag or digest | ||
// - prefixes of individual-image scopes | ||
// - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. | ||
// For more information about the format, see the document | ||
// about the docker transport field: | ||
// https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker | ||
// +kubebuilder:validation:Required | ||
// +required | ||
// +listType=set | ||
Images []ImageScope `json:"images"` | ||
// policy defines the verification policy for the images in the images list | ||
// +optional | ||
Policy Policy `json:"policy"` | ||
} | ||
|
||
// ImageScope is the item of the images list. | ||
// +kubebuilder:validation:Pattern=`^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\w][\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$` | ||
type ImageScope string | ||
|
||
// Policy defines the verification policy for the images in the images list. | ||
// +kubebuilder:validation:XValidation:rule="self.oidcIssuer != '' ? (self.subjectEmail != '' && self.keyData == '') : true",message="subjectEmail must be set and keyData must be empty if oidcIssuer is set" | ||
// +kubebuilder:validation:XValidation:rule="self.subjectEmail != '' ? (self.oidcIssuer != '' && self.keyData == '') : true",message="oidcIssuer must be set and keyData must be empty if subjectEmail is set" | ||
// +kubebuilder:validation:XValidation:rule="self.keyData != '' ? (self.oidcIssuer == '' && self.subjectEmail == '') : true",message="cannot set both oidcIssuer and subjectEmail if keyData is set" | ||
type Policy struct { | ||
// oidcIssuer contains the expected OIDC issuer. | ||
// Example: "https://expected.OIDC.issuer/" | ||
// subjectEmail must be set and keyData must be empty if oidcIssuer is set | ||
// +optional | ||
OIDCIssuer string `json:"oidcIssuer,omitempty"` | ||
|
||
// subjectEmail holds the email address of the subject. | ||
// Example: "[email protected]" | ||
// oidcIssuer must be set and keyData must be empty if subjectEmail is set. | ||
// +optional | ||
SubjectEmail string `json:"subjectEmail,omitempty"` | ||
|
||
// keyData contains inline base64 data of the public key. | ||
// Can be empty if the image got signed keyless. | ||
// Requires OIDCIssuer and SubjectEmail to be empty. | ||
// the sigstore community Fulcio instance(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem) | ||
// will be used to verify the sigstore signature. | ||
// the sigstore community Rekor public key(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub) | ||
// will be used to verify the sigstore signature. | ||
// +optional | ||
KeyData string `json:"keyData,omitempty"` | ||
|
||
// signedIdentity specifies what image identity the signature. | ||
// claims about the image. | ||
// +optional | ||
SignedIdentity Identity `json:"signedIdentity,omitempty"` | ||
} | ||
|
||
// +kubebuilder:validation:XValidation:rule="has(self.identityMatchPolicy) && self.identityMatchPolicy == 'ExactRepository' ? self.dockerRepository != '' : true",message="must set dockerRepository if identityMatchPolicy is ExactRepository" | ||
type Identity struct { | ||
// identityMatchPolicy set the type of matching to be used. | ||
// Valid values are "MatchRepository", "ExactRepository". When omitted, the default value is "MatchRepository". | ||
// If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified. | ||
// "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. | ||
// "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "dockerRepository". | ||
// +kubebuilder:validation:Enum=MatchRepository;ExactRepository | ||
// +optional | ||
IdentityMatchPolicy IdentityMatchPolicy `json:"identityMatchPolicy,omitempty"` | ||
// dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to "exactReference". | ||
// +optional | ||
DockerRepository string `json:"dockerRepository,omitempty"` | ||
} | ||
|
||
// IdentityMatchPolicy defines the type of matching to be used. | ||
type IdentityMatchPolicy string | ||
|
||
const ( | ||
IdentityMatchPolicyMatchRepository = "MatchRepository" | ||
IdentityMatchPolicyExactRepository = "ExactRepository" | ||
) | ||
|
||
// +k8s:deepcopy-gen=true | ||
type ImagePolicyStatus struct { | ||
|
||
// policyJSON contains the whole policy applied to the namespace | ||
// which got written to disk. This includes cluster-wide policies | ||
// from the `openshift-config` namespace as well. | ||
PolicyJSON string `json:"policyJSON,omitempty"` | ||
|
||
// conditions provide details on the status of the gatherer job. | ||
// +patchMergeKey=type | ||
// +patchStrategy=merge | ||
Conditions []metav1.Condition `json:"conditions" patchStrategy:"merge" patchMergeKey:"type"` | ||
} | ||
|
||
// ImagePolicyStatusConditionType is the state of the operator's reconciliation functionality. | ||
type ImagePolicyStatusConditionType string | ||
|
||
const ( | ||
// ImagePolicySuccess designates a successful application of a ContainerRuntimeConfig CR. | ||
ImagePolicySuccess ImagePolicyStatusConditionType = "Success" | ||
|
||
// ImagePolicyFailure designates a failure applying a ContainerRuntimeConfig CR. | ||
ImagePolicyFailure ImagePolicyStatusConditionType = "Failure" | ||
) | ||
|
||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object | ||
|
||
// ImagePolicyList is a list of ImagePolicy resources | ||
// | ||
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. | ||
// +openshift:compatibility-gen:level=4 | ||
type ImagePolicyList struct { | ||
metav1.TypeMeta `json:",inline"` | ||
|
||
// metadata is the standard list's metadata. | ||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata | ||
metav1.ListMeta `json:"metadata"` | ||
|
||
Items []ImagePolicy `json:"items"` | ||
} |
Oops, something went wrong.