Skip to content

Commit

Permalink
Add ImagePolicy CRD
Browse files Browse the repository at this point in the history 
Add API for ImagePolicy CRD

Signed-off-by: Qi Wang <[email protected]>
  • Loading branch information
@QiWang19
QiWang19 committed Jun 2, 2023
1 parent 2346bf9 commit eb77406
Show file tree
Hide file tree
Showing 7 changed files with 1,000 additions and 0 deletions.
147 changes: 147 additions & 0 deletions config/v1alpha1/0000_10_config-operator_01_imagepolicy.crd.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.openshift.io: https://github.com/openshift/api/pull/1457
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
release.openshift.io/feature-set: TechPreviewNoUpgrade
name: imagepolicies.config.openshift.io
spec:
group: config.openshift.io
names:
kind: ImagePolicy
listKind: ImagePolicyList
plural: imagepolicies
singular: imagepolicy
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: "ImagePolicy holds namespace-wide configuration configuration for image signature verification \n Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support."
type: object
required:
- spec
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: spec holds user settable values for configuration
type: object
required:
- images
- policy
properties:
images:
description: 'images defines the list of images assigned to a policy. Each item refers to an image or repository in a registry implementing the "Docker Registry HTTP API V2". "images" uses one of the following scopes: - complete image name, either using a tag or digest - prefixes of individual-image scopes - a wildcarded expression for matching all subdomains, the wildcard only presents at the beginning, *.example.com is a valid case, but example*.*.com is not. For more information about the format, see the document about the docker transport field: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#docker'
type: array
items:
description: ImageScope is the item of the images list.
type: string
pattern: ^\*(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$|^((?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?)(?::([\w][\w.-]{0,127}))?(?:@([A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*[:][[:xdigit:]]{32,}))?$
x-kubernetes-list-type: set
policy:
description: policy defines the verification policy for the images in the images list
type: object
properties:
fulcioCAData:
description: fulcioCAData contains inline base64 data for the fulcio CA certificate.
type: string
keyData:
description: keyData contains inline base64 data of the public key. keyData can be empty if the image got signed keyless. Requires oidcIssuer, subjectEmail, and fulcioCAData to be empty if keyData is set.
type: string
oidcIssuer:
description: 'oidcIssuer contains the expected OIDC issuer. Example: "https://expected.OIDC.issuer/" Required if fulcioCAData is set. subjectEmail must be set and keyData must be empty if oidcIssuer is set'
type: string
rekorKeyData:
description: rekorKeyData contains inline base64 data of the rekor public key. Required if fulcioCAData is set.
type: string
signedIdentity:
description: signedIdentity specifies what image identity the signature. claims about the image.
type: object
properties:
dockerRepository:
description: dockerReference is the reference of the image identity to be matched. This field is required if identityMatchPolicy is set to "exactReference".
type: string
identityMatchPolicy:
description: identityMatchPolicy set the type of matching to be used. Valid values are "MatchRepository", "ExactRepository". When omitted, the default value is "MatchRepoDigestOrExact". If set identityMatchPolicy to ExactRepository, then the dockerRepository must be specified. If set identityMatchPolicy to remapIdentity, then the prefix, and signedPrefix must be specified. "MatchRepository" means that the identity in the signature must be in the same repository as the image identity. "ExactRepository" means that the identity in the signature must be in the same repository as a specific identity specified by "dockerRepository". "remapIdentity" means that the signature must be in the same as the remapped image identity. Remapped image identity is obtained by replacing the "prefix" with the specified “signed prefix” if the the image identity matches the specified prefix.
type: string
enum:
- MatchRepository
- ExactRepository
- RemapIdentity
prefix:
description: prefix is the prefix of the image identity to be matched. This field is required if identityMatchPolicy is set to "remapIdentity".
type: string
signedPrefix:
description: signedPrefix is the prefix of the image identity to be matched in the signature. This field is required if identityMatchPolicy is set to "remapIdentity".
type: string
x-kubernetes-validations:
- rule: 'has(self.identityMatchPolicy) && self.identityMatchPolicy == ''ExactRepository'' ? self.dockerRepository != '''' : true'
message: must set dockerRepository if identityMatchPolicy is ExactRepository
- rule: 'has(self.identityMatchPolicy) && self.identityMatchPolicy == ''RemapIdentity'' ? self.prefix != '''' && self.signedPrefix != '''' : true'
message: must set prefix and signedPrefix if identityMatchPolicy is RemapIdentity
subjectEmail:
description: 'subjectEmail holds the email address of the subject. Example: "[email protected]" Required if fulcioCAData is set. oidcIssuer must be set and keyData must be empty if subjectEmail is set.'
type: string
x-kubernetes-validations:
- rule: (self.keyData != '' && self.oidcIssuer == '' && self.subjectEmail == '' && self.fulcioCAData == '' && self.rekorKeyData == '') || (self.keyData == '' && self.oidcIssuer != '' && self.subjectEmail != '' && self.fulcioCAData != '' && self.rekorKeyData != '')
status:
description: status contains the observed state of the resource.
type: object
properties:
conditions:
description: conditions provide details on the status of the gatherer job.
type: array
items:
description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
type: object
required:
- lastTransitionTime
- message
- reason
- status
- type
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
type: string
format: date-time
message:
description: message is a human readable message indicating details about the transition. This may be an empty string.
type: string
maxLength: 32768
observedGeneration:
description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
type: integer
format: int64
minimum: 0
reason:
description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
type: string
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
status:
description: status of the condition, one of True, False, Unknown.
type: string
enum:
- "True"
- "False"
- Unknown
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
type: string
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
policyJSON:
description: policyJSON contains the whole policy applied to the namespace which got written to disk. This includes cluster-wide policies from the `openshift-config` namespace as well.
type: string
22 changes: 22 additions & 0 deletions config/v1alpha1/techpreview.imagepolicy.testsuite.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
name: "[TechPreviewNoUpgrade] ImagePolicy"
crd: 0000_10_config-operator_01_imagepolicy.crd.yaml
tests:
onCreate:
- name: Should be able to create a minimal ImagePolicy
initial: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
images:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
keyData: Zm9vIGJhcg==
expected: |
apiVersion: config.openshift.io/v1alpha1
kind: ImagePolicy
spec:
images:
- hostname:5000/myns/sigstore-signed-with-full-references
policy:
keyData: Zm9vIGJhcg==
Loading

0 comments on commit eb77406

Please sign in to comment.