-
Notifications
You must be signed in to change notification settings - Fork 501
/
image_policies.go
111 lines (99 loc) · 3.53 KB
/
image_policies.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
//
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package config
import (
"encoding/json"
"errors"
"fmt"
"regexp"
webhookcip "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook/clusterimagepolicy"
corev1 "k8s.io/api/core/v1"
"sigs.k8s.io/yaml"
)
const (
// ImagePoliciesConfigName is the name of ConfigMap created by the
// reconciler and consumed by the admission webhook.
ImagePoliciesConfigName = "config-image-policies"
)
type ImagePolicyConfig struct {
// This is the list of ImagePolicies that a admission controller uses
// to make policy decisions.
Policies map[string]webhookcip.ClusterImagePolicy
}
// NewImagePoliciesConfigFromMap creates an ImagePolicyConfig from the supplied
// Map
func NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicyConfig, error) {
ret := &ImagePolicyConfig{Policies: make(map[string]webhookcip.ClusterImagePolicy, len(data))}
// Spin through the ConfigMap. Each key will point to resolved
// ImagePatterns.
for k, v := range data {
// This is the example that we use to document / test the ConfigMap.
if k == "_example" {
continue
}
if v == "" {
return nil, fmt.Errorf("configmap has an entry %q but no value", k)
}
clusterImagePolicy := &webhookcip.ClusterImagePolicy{}
if err := parseEntry(v, clusterImagePolicy); err != nil {
return nil, fmt.Errorf("failed to parse the entry %q : %q : %w", k, v, err)
}
ret.Policies[k] = *clusterImagePolicy
}
return ret, nil
}
// NewImagePoliciesConfigFromConfigMap creates a Features from the supplied ConfigMap
func NewImagePoliciesConfigFromConfigMap(config *corev1.ConfigMap) (*ImagePolicyConfig, error) {
return NewImagePoliciesConfigFromMap(config.Data)
}
func parseEntry(entry string, out interface{}) error {
j, err := yaml.YAMLToJSON([]byte(entry))
if err != nil {
return fmt.Errorf("config's value could not be converted to JSON: %w : %s", err, entry)
}
return json.Unmarshal(j, &out)
}
// GetMatchingPolicies returns all matching Policies and their Authorities that
// need to be matched for the given Image.
// Returned map contains the name of the CIP as the key, and a normalized
// ClusterImagePolicy for it.
func (p *ImagePolicyConfig) GetMatchingPolicies(image string) (map[string]webhookcip.ClusterImagePolicy, error) {
if p == nil {
return nil, errors.New("config is nil")
}
var lastError error
ret := make(map[string]webhookcip.ClusterImagePolicy)
// TODO(vaikas): this is very inefficient, we should have a better
// way to go from image to Authorities, but just seeing if this is even
// workable so fine for now.
for k, v := range p.Policies {
for _, pattern := range v.Images {
if pattern.Glob != "" {
if matched, err := GlobMatch(pattern.Glob, image); err != nil {
lastError = err
} else if matched {
ret[k] = v
}
} else if pattern.Regex != "" {
if regex, err := regexp.Compile(pattern.Regex); err != nil {
lastError = err
} else if regex.MatchString(image) {
ret[k] = v
}
}
}
}
return ret, lastError
}