[OCPNODE-1639] Add ClusterImagePolicy, ImagePolicy to support signature verification #1402
Conversation
QiWang19
changed the title
openshift-ci
bot
added
the
do-not-merge/work-in-progress
QiWang19
force-pushed
the
imagepolicy
branch
6 times, most recently
from
6b828c3 to
4e757d5
Compare
|
@saschagrunert could you take a look? I'm not sure how to best define the Graduation Criteria. |
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
QiWang19
changed the title
|
@saschagrunert PTAL |
There was a problem hiding this comment.
LGTM, just the open point with the Hostname requires change from my point of view.
QiWang19
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@mrunalp @yuqi-zhang PTAL |
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
QiWang19
force-pushed
the
imagepolicy
branch
2 times, most recently
from
45ba130 to
3453044
Compare
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
enhancements/api-review/add-ImagePolicy-to-config.openshift.io-v1alpha1.md
Outdated
Show resolved
Hide resolved
QiWang19
force-pushed
the
imagepolicy
branch
2 times, most recently
from
922554d to
edacd13
Compare
enhancements/api-review/add-ClusterImagePolicy-and-ImagePolicy-for-Signature-Verification.md
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| // Policy defines the verification policy for the items in the scopes list. | ||
| // +kubebuilder:validation:XValidation:rule="(has(self.rootOfTrust) && has(self.rootOfTrust.policyType) && self.rootOfTrust.policyType == 'FulcioCAWithRekor') == has(self.fulcioSubject)",message="fulcioSubject must be set exactly when policyType is FulcioCAWithRekor" |
There was a problem hiding this comment.
This validation suggests to me that the discriminated union should be one level higher than it is. If there are types structs that need to be duplicated across the different union values that's something we can do
There was a problem hiding this comment.
This isn't resolved, can be resolved in API review
enhancements/api-review/add-ClusterImagePolicy-and-ImagePolicy-for-Signature-Verification.md
Show resolved
Hide resolved
enhancements/api-review/add-ClusterImagePolicy-and-ImagePolicy-for-Signature-Verification.md
Show resolved
Hide resolved
| Enhance the MCO container runtime config controller to manage ClusterImagePolicy and ImagePolicy CRs, and update the signature verification configurations: | ||
| - Retrieves all the ClusterImagePolicy and ImagePolicy instances on the cluster. | ||
| - Pre-validation: | ||
| - Ensure that there are no scopes under the OCP image payload. If any are found, add an info-level log message to the machine config controller about the error encountered while adding an OCP image payload. Update the `status` of the CR to indicate that the policy will not be applied. |
There was a problem hiding this comment.
Can this be prevented by an admission webhook and/or CEL validation preventing certain strings?
There was a problem hiding this comment.
Added the semantic validation using CEL expression.
There was a problem hiding this comment.
I don't see this, can you expand this comment to explain that it will be validated at the API level
enhancements/api-review/add-ClusterImagePolicy-and-ImagePolicy-for-Signature-Verification.md
Outdated
Show resolved
Hide resolved
| - Retrieves all the ClusterImagePolicy and ImagePolicy instances on the cluster. | ||
| - Pre-validation: | ||
| - Ensure that there are no scopes under the OCP image payload. If any are found, add an info-level log message to the machine config controller about the error encountered while adding an OCP image payload. Update the `status` of the CR to indicate that the policy will not be applied. | ||
| - Check for conflicts between cluster scope and namespace scope policies. If the namespaced ImagePolicy scope is equal to or nests inside an existing cluster-scoped ClusterImagePolicy CR, do not deploy the namespaced policy. |
There was a problem hiding this comment.
Can you provide an example of the feedback. Could this not be done via an admission webhook and prevent the object from even being stored in etcd?
There was a problem hiding this comment.
I added the feedback to the example. https://github.com/openshift/enhancements/pull/1402/files#diff-fb631ca70e56b7e72dcd1e5e0880976a7a916abf88d8c3c220b7fc2599415f57R378
We have discussed avoiding the admission validation in the first version.
There was a problem hiding this comment.
Can you add a note that this will be validated by an admission webhook before the feature is marked GA
QiWang19
force-pushed
the
imagepolicy
branch
4 times, most recently
from
850bc41 to
c6c69bc
Compare
|
@JoelSpeed PTAL |
|
@JoelSpeed could you give another round of review? |
There was a problem hiding this comment.
I think in general I'm happy with the enhancement, but I would like it noted that the validations I've marked outside of the API section should be included and noted that this will be done.
The API itself I think will still need a few round of reviews. Each field should have a good level of godoc and validations applied, plus the comments I made about the level of the discriminated union are not yet resolved.
The API content while included here we can continue in the API repo PR now, we can retrospectively update this enhancement should it merge before the API is ready
| // +kubebuilder:validation:XValidation:rule="self.matches('^[a-zA-Z0-9-_+.*@:/]+$')",message="invalid | ||
| // image scope format, scope contained invalid characters, valid characters are [a-zA-Z0-9-*.@_]" | ||
| // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, | ||
| // scope must contain a fully qualified domain name or 'localhost'" | ||
| // +kubebuilder:validation:XValidation:rule=`self.contains('*') ? self.matches('^\\*(?:\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+$') : true`,message="invalid image scope with wildcard, a wildcard | ||
| // can only be at the start of the domain and does not contain subdomains" | ||
| // +kubebuilder:validation:MaxLength=512 | ||
| type ImageScope string |
There was a problem hiding this comment.
Do you still have the original regex handy? I don't think these cover all of the cases, I just gave a couple of examples of the sort of validations i expected, this can be resolved in API review but we should make sure as many of the regex rules are covered as possible
| } | ||
|
|
||
| // Policy defines the verification policy for the items in the scopes list. | ||
| // +kubebuilder:validation:XValidation:rule="(has(self.rootOfTrust) && has(self.rootOfTrust.policyType) && self.rootOfTrust.policyType == 'FulcioCAWithRekor') == has(self.fulcioSubject)",message="fulcioSubject must be set exactly when policyType is FulcioCAWithRekor" |
There was a problem hiding this comment.
This isn't resolved, can be resolved in API review
| type PolicyRootOfTrust struct { | ||
| // policyType serves as the union's discriminator. Users are required to assign a value to this field, choosing one of the policy types that define the root of trust. | ||
| // "PublicKey" indicates that the policy relies on a PGP publicKey and may optionally use a Rekor verification. | ||
| // "FulcioCAWithRekor" indicates that the policy is based on the Fulcio certification and incorporates a Rekor verification. |
There was a problem hiding this comment.
You don't need to state Rekor here if there's no option to have Fulcio without, what about FulcioCA instead?
| type PublicKey struct { | ||
| // keyData contains inline base64 encoded data of the public key. | ||
| // +kubebuilder:validation:Required | ||
| KeyData string `json:"keyData"` |
There was a problem hiding this comment.
Will need a maximum length, what's a reasonable maximum length for this? 8192?
| KeyData string `json:"keyData"` | ||
| // rekorKeyData contains inline base64 data of the Rekor public key. | ||
| // +optional | ||
| RekorKeyData string `json:"rekorKeyData,omitempty"` |
There was a problem hiding this comment.
Will need a maximum length
| // fulcioCAData contains inline base64 data for the fulcio CA certificate. | ||
| // +kubebuilder:validation:Required | ||
| FulcioCAData string `json:"fulcioCAData"` | ||
| // rekorKeyData contains inline base64 data of the Rekor public key. | ||
| // +kubebuilder:validation:Required | ||
| RekorKeyData string `json:"rekorKeyData"` |
There was a problem hiding this comment.
Maximum lengths on these too
| // +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'ExactRepository') ? has(self.exactRepository) : true",message="must set exactRepository if matchPolicy is ExactRepository" | ||
| // +kubebuilder:validation:XValidation:rule="(has(self.matchPolicy) && self.matchPolicy == 'RemapIdentity') ? has(self.remapIdentity) : true",message="must set remapIdentity if matchPolicy is RemapIdentity" |
There was a problem hiding this comment.
The other unionmembers should be forbidden otherwise, see the examples in the API repo examples API group
| Enhance the MCO container runtime config controller to manage ClusterImagePolicy and ImagePolicy CRs, and update the signature verification configurations: | ||
| - Retrieves all the ClusterImagePolicy and ImagePolicy instances on the cluster. | ||
| - Pre-validation: | ||
| - Ensure that there are no scopes under the OCP image payload. If any are found, add an info-level log message to the machine config controller about the error encountered while adding an OCP image payload. Update the `status` of the CR to indicate that the policy will not be applied. |
There was a problem hiding this comment.
I don't see this, can you expand this comment to explain that it will be validated at the API level
| - Retrieves all the ClusterImagePolicy and ImagePolicy instances on the cluster. | ||
| - Pre-validation: | ||
| - Ensure that there are no scopes under the OCP image payload. If any are found, add an info-level log message to the machine config controller about the error encountered while adding an OCP image payload. Update the `status` of the CR to indicate that the policy will not be applied. | ||
| - Check for conflicts between cluster scope and namespace scope policies. If the namespaced ImagePolicy scope is equal to or nests inside an existing cluster-scoped ClusterImagePolicy CR, do not deploy the namespaced policy. |
There was a problem hiding this comment.
Can you add a note that this will be validated by an admission webhook before the feature is marked GA
|
@JoelSpeed PTAL, Fixed the reviews for the enhancement and will address the API changes in the API PR. |
|
|
||
| ### Graduation Criteria | ||
|
|
||
| Before GA, we should explore relocating CRD validations to the admission webhook to ensure the scopes are not under OCP image payload repository are configured. |
There was a problem hiding this comment.
This isn't quite what I thought we had agreed, I would have said we agreed on
| Before GA, we should explore relocating CRD validations to the admission webhook to ensure the scopes are not under OCP image payload repository are configured. | |
| Before GA, validation will be implemented to make sure that scopes cannot be committed to an ImagePolicy that are under the scope of a ClusterImagePolicy, this will prevent conflicts between cluster scoped and namespace scoped policy and prevent namespaces attempting to override the global policy. | |
| Additionally, it will be validated that neither an ImagePolicy nor ClusterImagePolicy sets a scope that could conflict with pulling from an OpenShift image payload repository. |
The important part is that this validation isn't in the CRD, it's additional validation that we cannot currently do within the CRD IIUC
This enhancement propose ClusterImagePolicy and ImagePolicy CRDs to provide a way to set image signature verification configuration on Openshift. Signed-off-by: Qi Wang <[email protected]>
QiWang19
changed the title
|
I'm happy to LGTM this at this point, with the caveats that the API still needs review, and that will be continued in the API PR itself, and that I would like to see this introduced as tech preview and the validations we've discussed in the graduation criteria are honoured as we move to GA, but I think we are all on the same page there. Is there any more feedback required from SMEs before this merges? |
|
No, there is no more feedback required from SMEs before this merges. |
|
@JoelSpeed are we happy to /lgtm and /approve? |
|
No objections from me, but @mrunalp is down as the approve so he should be the one to merge this |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mrunalp, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@QiWang19: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This enhancement proposes ClusterImagePolicy and ImagePolicy CRDs to provide a way to set image signature verification configuration on Openshift.
Epic: OCPNODE-1628: Sigstore Support - OpenShift Container Image Validation (Dev Preview)