change resource-verification-mode to verification-no-match-policy

This commits changes trusted resources feature flag from resource-verification-mode to verification-no-match-policy. This is a backward imcompatiable change as discussed in TEP--0091. Before this commit the feature flag is used to skip/enforce the verification. This commit changes this to check the existence of matched VerificationPolicy. So to enable the verification, users just need to apply VerificationPolicy to match the resources. To disable the verification, users need to remove the policies and set the verification-no-match-policy to allow (by default). Signed-off-by: Yongxuan Zhang [email protected]
tektoncd · Mar 8, 2023 · 7d80953 · 7d80953
1 parent 82d59c8
commit 7d80953
Show file tree

Hide file tree

Showing 22 changed files with 334 additions and 306 deletions.
diff --git a/config/config-feature-flags.yaml b/config/config-feature-flags.yaml
@@ -76,10 +76,10 @@ data:
   # Setting this flag to "true" enables CloudEvents for CustomRuns and Runs, as long as a
   # CloudEvents sink is configured in the config-defaults config map
   send-cloudevents-for-runs: "false"
-  # Setting this flag to "enforce" will enforce verification of tasks/pipeline. Failing to verify
-  # will fail the taskrun/pipelinerun. "warn" will only log the err message and "skip"
-  # will skip the whole verification
-  resource-verification-mode: "skip"
+  # Setting this flag to "deny" will enforce verification of tasks/pipeline. Failing to verify
+  # will fail the taskrun/pipelinerun. "warn" will only log the err message and "allow"
+  # will skip the whole verification if no matching policies are found.
+  verification-no-match-policy: "allow"
   # Setting this flag to "true" enables populating the "provenance" field in TaskRun
   # and PipelineRun status. This field contains metadata about resources used
   # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline

diff --git a/docs/additional-configs.md b/docs/additional-configs.md
@@ -2,12 +2,12 @@
 ---
 title: "Additional Configuration Options"
 linkTitle: "Additional Configuration Options"
-weight: 109 
+weight: 109
 description: >
   Additional configurations when installing Tekton Pipelines
 ---
 -->
-  
+
 This document describes additional options to configure your Tekton Pipelines
 installation.
 
@@ -98,7 +98,7 @@ Environment variables can be configured in the following ways, mentioned in orde
 3. Environment variables specified via a `default` `PodTemplate`.
 4. Environment variables specified via a `PodTemplate`.
 
-The environment variables specified by a `PodTemplate` supercedes all other ways of specifying environment variables. However, there exists a configuration i.e. `default-forbidden-env`, the environment variable specified in this list cannot be updated via a `PodTemplate`. 
+The environment variables specified by a `PodTemplate` supercedes all other ways of specifying environment variables. However, there exists a configuration i.e. `default-forbidden-env`, the environment variable specified in this list cannot be updated via a `PodTemplate`.
 
 For example:
 
@@ -238,7 +238,7 @@ The default is `false`. For more information, see the [associated issue](https:/
 most stable features to be used. Set it to "alpha" to allow [alpha
 features](#alpha-features) to be used.
 
-- `resource-verification-mode`: Setting this flag to "enforce" will enforce verification of tasks/pipeline. Failing to verify will fail the taskrun/pipelinerun. "warn" will only log the err message and "skip" will skip the whole verification.
+- `verification-no-match-policy`: Setting this flag to "enforce" will enforce verification of tasks/pipeline. Failing to verify will fail the taskrun/pipelinerun. "warn" will only log the err message and "skip" will skip the whole verification.
 - `results-from`: set this flag to "termination-message" to use the container's termination message to fetch results from. This is the default method of extracting results. Set it to "sidecar-logs" to enable use of a results sidecar logs to extract results instead of termination message.
 
 - `enable-provenance-in-status`: set this flag to "true" to enable recording
@@ -285,7 +285,7 @@ Features currently in "alpha" are:
 | [Matrix](./matrix.md)                                                                               | [TEP-0090](https://github.com/tektoncd/community/blob/main/teps/0090-matrix.md)                                            | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) |                               |
 | [Task-level Resource Requirements](compute-resources.md#task-level-compute-resources-configuration) | [TEP-0104](https://github.com/tektoncd/community/blob/main/teps/0104-tasklevel-resource-requirements.md)                   | [v0.39.0](https://github.com/tektoncd/pipeline/releases/tag/v0.39.0) |                               |
 | [Object Params and Results](pipelineruns.md#specifying-parameters)                                  | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md)                     | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) |                               |                             |
-| [Trusted Resources](./trusted-resources.md)                                                         | [TEP-0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md)                                 | N/A                                                                  | `resource-verification-mode`  |
+| [Trusted Resources](./trusted-resources.md)                                                         | [TEP-0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md)                                 | N/A                                                                  | `verification-no-match-policy`  |
 | [`Provenance` field in Status](pipeline-api.md#provenance)                                          | [issue#5550](https://github.com/tektoncd/pipeline/issues/5550)                                                             | N/A                                                                  | `enable-provenance-in-status` |
 | [Larger Results via Sidecar Logs](#enabling-larger-results-using-sidecar-logs)                      | [TEP-0127](https://github.com/tektoncd/community/blob/main/teps/0127-larger-results-via-sidecar-logs.md)                   | [v0.43.0](https://github.com/tektoncd/pipeline/releases/tag/v0.43.0) | `results-from`                |
 
@@ -313,7 +313,7 @@ To exceed this limit of 4096 bytes, you can enable larger results using sidecar
 
 **Note**: to enable this feature, you need to grant `get` access to all `pods/log` to the `Tekton pipeline controller`. This means that the tekton pipeline controller has the ability to access the pod logs.
 
-1. Create a cluster role and rolebinding by applying the following spec to provide log access to `tekton-pipelines-controller`. 
+1. Create a cluster role and rolebinding by applying the following spec to provide log access to `tekton-pipelines-controller`.
 
 ```
 kubectl apply -f optional_config/enable-log-access-to-controller/
@@ -326,7 +326,7 @@ kubectl patch cm feature-flags -n tekton-pipelines -p '{"data":{"results-from":"
 ```
 
 3. If you want the size per result to be something other than 4096 bytes, you can set the `max-result-size` feature flag in bytes by setting `max-result-size: 8192(whatever you need here)`. **Note:** The value you can set here cannot exceed the size of the CRD limit of 1.5 MB.
- 
+
 ```
 kubectl patch cm feature-flags -n tekton-pipelines -p '{"data":{"max-result-size":"<VALUE-IN-BYTES>"}}'
 ```

diff --git a/docs/trusted-resources.md b/docs/trusted-resources.md
@@ -54,19 +54,21 @@ metadata:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-pipelines
 data:
-  resource-verification-mode: "enforce"
+  verification-no-match-policy: "deny"
 ```
 
-**Note:** `resource-verification-mode` needs to be set as `enforce` or `warn` to enable resource verification.
+`verification-no-match-policy` configurations:
+ * `allow`: Don't fail the taskrun/pipelinerun if no matching policies are found. Don't log.
+ * `warn`: Don't fail the taskrun/pipelinerun and log a warning if no matching policies are found.
+ * `deny`: Fail the taskrun/pipelinerun if no matching policies are found.
 
-`resource-verification-mode` configurations:
- * `enforce`: Failing verification will mark the taskruns/pipelineruns as failed.
- * `warn`: Log warning but don't fail the taskruns/pipelineruns.
- * `skip`: Directly skip the verification.
+ **Notes:**
+ * To skip the verification: make sure if no policies exist and `verification-no-match-policy` is set to `allow`.
+ * To enable the verification: install VerificationPolicy to match the resources.
 
 Or patch the new values:
 ```bash
-kubectl patch configmap feature-flags -n tekton-pipelines -p='{"data":{"resource-verification-mode":"enforce"}}
+kubectl patch configmap feature-flags -n tekton-pipelines -p='{"data":{"verification-no-match-policy":"deny"}}
 ```
 
 #### Config key at VerificationPolicy

diff --git a/pkg/apis/config/feature_flags.go b/pkg/apis/config/feature_flags.go
@@ -33,14 +33,14 @@ const (
 	AlphaAPIFields = "alpha"
 	// BetaAPIFields is the value used for "enable-api-fields" when beta APIs should be usable as well.
 	BetaAPIFields = "beta"
-	// EnforceResourceVerificationMode is the value used for "resource-verification-mode" when verification is applied and fail the
+	// DenyNoMatchPolicy is the value used for "verification-no-match-policy" when verification is applied and fail the
 	// TaskRun or PipelineRun when verification fails
-	EnforceResourceVerificationMode = "enforce"
-	// WarnResourceVerificationMode is the value used for "resource-verification-mode" when verification is applied but only log
+	DenyNoMatchPolicy = "deny"
+	// WarnNoMatchPolicy is the value used for "verification-no-match-policy" when verification is applied but only log
 	// the warning when verification fails
-	WarnResourceVerificationMode = "warn"
-	// SkipResourceVerificationMode is the value used for "resource-verification-mode" when verification is skipped
-	SkipResourceVerificationMode = "skip"
+	WarnNoMatchPolicy = "warn"
+	// AllowNoMatchPolicy is the value used for "verification-no-match-policy" when verification is skipped
+	AllowNoMatchPolicy = "allow"
 	// ResultExtractionMethodTerminationMessage is the value used for "results-from" as a way to extract results from tasks using kubernetes termination message.
 	ResultExtractionMethodTerminationMessage = "termination-message"
 	// ResultExtractionMethodSidecarLogs is the value used for "results-from" as a way to extract results from tasks using sidecar logs.
@@ -73,8 +73,8 @@ const (
 	EnforceNonfalsifiabilityNone = ""
 	// DefaultEnforceNonfalsifiability is the default value for "enforce-nonfalsifiability".
 	DefaultEnforceNonfalsifiability = EnforceNonfalsifiabilityNone
-	// DefaultResourceVerificationMode is the default value for "resource-verification-mode".
-	DefaultResourceVerificationMode = SkipResourceVerificationMode
+	// DefaultNoMatchPolicyConfig is the default value for "verification-no-match-policy".
+	DefaultNoMatchPolicyConfig = AllowNoMatchPolicy
 	// DefaultEnableProvenanceInStatus is the default value for "enable-provenance-status".
 	DefaultEnableProvenanceInStatus = false
 	// DefaultResultExtractionMethod is the default value for ResultExtractionMethod
@@ -93,7 +93,7 @@ const (
 	enableAPIFields                     = "enable-api-fields"
 	sendCloudEventsForRuns              = "send-cloudevents-for-runs"
 	enforceNonfalsifiability            = "enforce-nonfalsifiability"
-	verificationMode                    = "resource-verification-mode"
+	verificationMode                    = "verification-no-match-policy"
 	enableProvenanceInStatus            = "enable-provenance-in-status"
 	resultExtractionMethod              = "results-from"
 	maxResultSize                       = "max-result-size"
@@ -113,7 +113,7 @@ type FeatureFlags struct {
 	SendCloudEventsForRuns           bool
 	AwaitSidecarReadiness            bool
 	EnforceNonfalsifiability         string
-	ResourceVerificationMode         string
+	VerificationNoMatchPolicy        string
 	EnableProvenanceInStatus         bool
 	ResultExtractionMethod           string
 	MaxResultSize                    int
@@ -182,7 +182,7 @@ func NewFeatureFlagsFromMap(cfgMap map[string]string) (*FeatureFlags, error) {
 	if err := setFeature(sendCloudEventsForRuns, DefaultSendCloudEventsForRuns, &tc.SendCloudEventsForRuns); err != nil {
 		return nil, err
 	}
-	if err := setResourceVerificationMode(cfgMap, DefaultResourceVerificationMode, &tc.ResourceVerificationMode); err != nil {
+	if err := setVerificationNoMatchPolicy(cfgMap, DefaultNoMatchPolicyConfig, &tc.VerificationNoMatchPolicy); err != nil {
 		return nil, err
 	}
 	if err := setFeature(enableProvenanceInStatus, DefaultEnableProvenanceInStatus, &tc.EnableProvenanceInStatus); err != nil {
@@ -292,15 +292,15 @@ func setMaxResultSize(cfgMap map[string]string, defaultValue int, feature *int)
 	return nil
 }
 
-// setResourceVerificationMode sets the "resource-verification-mode" flag based on the content of a given map.
+// setVerificationNoMatchPolicy sets the "verification-no-match-policy" flag based on the content of a given map.
 // If the value is invalid or missing then an error is returned.
-func setResourceVerificationMode(cfgMap map[string]string, defaultValue string, feature *string) error {
+func setVerificationNoMatchPolicy(cfgMap map[string]string, defaultValue string, feature *string) error {
 	value := defaultValue
 	if cfg, ok := cfgMap[verificationMode]; ok {
 		value = strings.ToLower(cfg)
 	}
 	switch value {
-	case EnforceResourceVerificationMode, WarnResourceVerificationMode, SkipResourceVerificationMode:
+	case DenyNoMatchPolicy, WarnNoMatchPolicy, AllowNoMatchPolicy:
 		*feature = value
 	default:
 		return fmt.Errorf("invalid value for feature flag %q: %q", verificationMode, value)
@@ -328,18 +328,25 @@ func EnableStableAPIFields(ctx context.Context) context.Context {
 	return setEnableAPIFields(ctx, StableAPIFields)
 }
 
-// CheckEnforceResourceVerificationMode returns true if the ResourceVerificationMode is EnforceResourceVerificationMode
+// CheckAllowVerificationNoMatchPolicy returns true if the VerificationNoMatchPolicy is AllowNoMatchPolicy
 // else returns false
-func CheckEnforceResourceVerificationMode(ctx context.Context) bool {
+func CheckAllowVerificationNoMatchPolicy(ctx context.Context) bool {
 	cfg := FromContextOrDefaults(ctx)
-	return cfg.FeatureFlags.ResourceVerificationMode == EnforceResourceVerificationMode
+	return cfg.FeatureFlags.VerificationNoMatchPolicy == AllowNoMatchPolicy
 }
 
-// CheckWarnResourceVerificationMode returns true if the ResourceVerificationMode is WarnResourceVerificationMode
+// CheckDenyVerificationNoMatchPolicy returns true if the VerificationNoMatchPolicy is DenyNoMatchPolicy
 // else returns false
-func CheckWarnResourceVerificationMode(ctx context.Context) bool {
+func CheckDenyVerificationNoMatchPolicy(ctx context.Context) bool {
 	cfg := FromContextOrDefaults(ctx)
-	return cfg.FeatureFlags.ResourceVerificationMode == WarnResourceVerificationMode
+	return cfg.FeatureFlags.VerificationNoMatchPolicy == DenyNoMatchPolicy
+}
+
+// CheckWarnVerificationNoMatchPolicy returns true if the VerificationNoMatchPolicy is WarnNoMatchPolicy
+// else returns false
+func CheckWarnVerificationNoMatchPolicy(ctx context.Context) bool {
+	cfg := FromContextOrDefaults(ctx)
+	return cfg.FeatureFlags.VerificationNoMatchPolicy == WarnNoMatchPolicy
 }
 
 // CheckAlphaOrBetaAPIFields return true if the enable-api-fields is either set to alpha or set to beta