Skip to content

Commit

Permalink
Add ImagePolicy CRD
Browse files Browse the repository at this point in the history
Add API for ImagePolicy CRD

Signed-off-by: Qi Wang <[email protected]>
  • Loading branch information
QiWang19 committed May 23, 2023
1 parent f6e7dff commit c804735
Show file tree
Hide file tree
Showing 6 changed files with 887 additions and 0 deletions.
136 changes: 136 additions & 0 deletions config/v1alpha1/0000_10_config-operator_01_imagepolicy.crd.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,136 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.openshift.io: https://github.com/openshift/api/pull/1457
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
release.openshift.io/feature-set: TechPreviewNoUpgrade
name: imagepolicy.config.openshift.io
spec:
group: config.openshift.io
names:
kind: ImagePolicy
listKind: ImagePolicyList
plural: imagepolicies
singular: imagepolicy
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: "ImagePolicy holds namespace-wide configuration configuration for image signature verification \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support."
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: spec holds user settable values for configuration
type: object
required:
- images
properties:
images:
description: 'images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the "Docker Registry HTTP API V2". "images" uses one of the following scopes: - complete image name, either using a tag or digest - prefixes of individual-image scopes - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. For more information about the format, see the document about the docker transport field: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker'
type: array
items:
description: ImageScope is the item of the images list.
type: string
pattern: ^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\w][\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$
x-kubernetes-list-type: set
policy:
description: policy defines the verification policy for the images in the images list
type: object
properties:
keyData:
description: keyData contains inline base64 data of the public key. Can be empty if the image got signed keyless. Requires OIDCIssuer and SubjectEmail to be empty. the sigstore community Fulcio instance(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem) will be used to verify the sigstore signature. the sigstore community Rekor public key(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub) will be used to verify the sigstore signature.
type: string
oidcIssuer:
description: 'oidcIssuer contains the expected OIDC issuer. Example: "https://expected.OIDC.issuer/" subjectEmail must be set and keyData must be empty if oidcIssuer is set'
type: string
signedIdentity:
description: signedIdentity specifies what image identity the signature. claims about the image.
type: object
properties:
dockerRepository:
description: dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to "exactReference".
type: string
identityMatchPolicy:
description: identityMatchPolicy set the type of matching to be used. Valid values are "MatchRepository", "ExactRepository". When omitted, the default value is "MatchRepository". If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified. "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "dockerRepository".
type: string
enum:
- MatchRepository
- ExactRepository
x-kubernetes-validations:
- rule: 'has(self.identityMatchPolicy) && self.identityMatchPolicy == ''ExactRepository'' ? self.dockerRepository != '''' : true'
message: must set dockerRepository if identityMatchPolicy is ExactRepository
subjectEmail:
description: 'subjectEmail holds the email address of the subject. Example: "[email protected]" oidcIssuer must be set and keyData must be empty if subjectEmail is set.'
type: string
x-kubernetes-validations:
- rule: 'self.oidcIssuer != '''' ? (self.subjectEmail != '''' && self.keyData == '''') : true'
message: subjectEmail must be set and keyData must be empty if oidcIssuer is set
- rule: 'self.subjectEmail != '''' ? (self.oidcIssuer != '''' && self.keyData == '''') : true'
message: oidcIssuer must be set and keyData must be empty if subjectEmail is set
- rule: 'self.keyData != '''' ? (self.oidcIssuer == '''' && self.subjectEmail == '''') : true'
message: cannot set both oidcIssuer and subjectEmail if keyData is set
status:
description: status contains the observed state of the resource.
type: object
properties:
conditions:
description: conditions provide details on the status of the gatherer job.
type: array
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
type: object
required:
- lastTransitionTime
- message
- reason
- status
- type
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
type: string
format: date-time
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
type: string
maxLength: 32768
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
type: integer
format: int64
minimum: 0
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
type: string
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
status:
description: status of the condition, one of True, False, Unknown.
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
type: string
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
policyJSON:
description: policyJSON contains the whole policy applied to the namespace which got written to disk. This includes cluster-wide policies from the `openshift-config` namespace as well.
type: string
147 changes: 147 additions & 0 deletions config/v1alpha1/types_image_policy.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
package v1alpha1

import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ImagePolicy holds namespace-wide configuration configuration for image signature verification
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
// +openshift:enable:FeatureSets=TechPreviewNoUpgrade
type ImagePolicy struct {
metav1.TypeMeta `json:",inline"`

// metadata is the standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ObjectMeta `json:"metadata,omitempty"`

// spec holds user settable values for configuration
// +kubebuilder:validation:Required
// +required
Spec ImagePolicySpec `json:"spec"`
// status contains the observed state of the resource.
// +optional
Status ImagePolicyStatus `json:"status,omitempty"`
}

// ImagePolicySpec is the specification of the ImagePolicy CRD.
type ImagePolicySpec struct {
// images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the "Docker Registry HTTP API V2".
// "images" uses one of the following scopes:
// - complete image name, either using a tag or digest
// - prefixes of individual-image scopes
// - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not.
// For more information about the format, see the document
// about the docker transport field:
// https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker
// +kubebuilder:validation:Required
// +required
// +listType=set
Images []ImageScope `json:"images"`
// policy defines the verification policy for the images in the images list
// +optional
Policy Policy `json:"policy"`
}

// ImageScope is the item of the images list.
// +kubebuilder:validation:Pattern=`^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\w][\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$`
type ImageScope string

// Policy defines the verification policy for the images in the images list.
// +kubebuilder:validation:XValidation:rule="self.oidcIssuer != '' ? (self.subjectEmail != '' && self.keyData == '') : true",message="subjectEmail must be set and keyData must be empty if oidcIssuer is set"
// +kubebuilder:validation:XValidation:rule="self.subjectEmail != '' ? (self.oidcIssuer != '' && self.keyData == '') : true",message="oidcIssuer must be set and keyData must be empty if subjectEmail is set"
// +kubebuilder:validation:XValidation:rule="self.keyData != '' ? (self.oidcIssuer == '' && self.subjectEmail == '') : true",message="cannot set both oidcIssuer and subjectEmail if keyData is set"
type Policy struct {
// oidcIssuer contains the expected OIDC issuer.
// Example: "https://expected.OIDC.issuer/"
// subjectEmail must be set and keyData must be empty if oidcIssuer is set
// +optional
OIDCIssuer string `json:"oidcIssuer,omitempty"`

// subjectEmail holds the email address of the subject.
// Example: "[email protected]"
// oidcIssuer must be set and keyData must be empty if subjectEmail is set.
// +optional
SubjectEmail string `json:"subjectEmail,omitempty"`

// keyData contains inline base64 data of the public key.
// Can be empty if the image got signed keyless.
// Requires OIDCIssuer and SubjectEmail to be empty.
// the sigstore community Fulcio instance(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/fulcio_v1.crt.pem)
// will be used to verify the sigstore signature.
// the sigstore community Rekor public key(https://raw.githubusercontent.com/sigstore/root-signing/main/targets/rekor.pub)
// will be used to verify the sigstore signature.
// +optional
KeyData string `json:"keyData,omitempty"`

// signedIdentity specifies what image identity the signature.
// claims about the image.
// +optional
SignedIdentity Identity `json:"signedIdentity,omitempty"`
}

// +kubebuilder:validation:XValidation:rule="has(self.identityMatchPolicy) && self.identityMatchPolicy == 'ExactRepository' ? self.dockerRepository != '' : true",message="must set dockerRepository if identityMatchPolicy is ExactRepository"
type Identity struct {
// identityMatchPolicy set the type of matching to be used.
// Valid values are "MatchRepository", "ExactRepository". When omitted, the default value is "MatchRepository".
// If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified.
// "MatchRepository" means that the identity in the signature must be in the same repository as the image identity.
// "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "dockerRepository".
// +kubebuilder:validation:Enum=MatchRepository;ExactRepository
// +optional
IdentityMatchPolicy IdentityMatchPolicy `json:"identityMatchPolicy,omitempty"`
// dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to "exactReference".
// +optional
DockerRepository string `json:"dockerRepository,omitempty"`
}

// IdentityMatchPolicy defines the type of matching to be used.
type IdentityMatchPolicy string

const (
IdentityMatchPolicyMatchRepository = "MatchRepository"
IdentityMatchPolicyExactRepository = "ExactRepository"
)

// +k8s:deepcopy-gen=true
type ImagePolicyStatus struct {

// policyJSON contains the whole policy applied to the namespace
// which got written to disk. This includes cluster-wide policies
// from the `openshift-config` namespace as well.
PolicyJSON string `json:"policyJSON,omitempty"`

// conditions provide details on the status of the gatherer job.
// +patchMergeKey=type
// +patchStrategy=merge
Conditions []metav1.Condition `json:"conditions" patchStrategy:"merge" patchMergeKey:"type"`
}

// ImagePolicyStatusConditionType is the state of the operator's reconciliation functionality.
type ImagePolicyStatusConditionType string

const (
// ImagePolicySuccess designates a successful application of a ContainerRuntimeConfig CR.
ImagePolicySuccess ImagePolicyStatusConditionType = "Success"

// ImagePolicyFailure designates a failure applying a ContainerRuntimeConfig CR.
ImagePolicyFailure ImagePolicyStatusConditionType = "Failure"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ImagePolicyList is a list of ImagePolicy resources
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
type ImagePolicyList struct {
metav1.TypeMeta `json:",inline"`

// metadata is the standard list's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
metav1.ListMeta `json:"metadata"`

Items []ImagePolicy `json:"items"`
}
Loading

0 comments on commit c804735

Please sign in to comment.