From f69ffe12ec1745a347489c77cfdcd1e01cf8a637 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Fri, 16 Aug 2024 12:33:59 +0530 Subject: [PATCH] feat: add full regexp support to cosign (#10815) Signed-off-by: Vishal Choudhary --- api/kyverno/v1/image_verification_types.go | 8 + .../kyverno.io_clusterpolicies.yaml | 136 +++++++++ .../kyverno.io/kyverno.io_policies.yaml | 136 +++++++++ .../data/crds/kyverno.io_clusterpolicies.yaml | 136 +++++++++ .../data/crds/kyverno.io_policies.yaml | 136 +++++++++ .../kyverno/kyverno.io_clusterpolicies.yaml | 136 +++++++++ config/crds/kyverno/kyverno.io_policies.yaml | 136 +++++++++ config/install-latest-testing.yaml | 272 ++++++++++++++++++ docs/user/crd/index.html | 22 ++ docs/user/crd/kyverno.v1.html | 58 ++++ .../kyverno/v1/keylessattestor.go | 18 ++ pkg/cosign/cosign.go | 68 +++-- pkg/cosign/cosign_test.go | 53 +++- pkg/engine/internal/imageverifier.go | 2 + pkg/images/verifier.go | 2 + .../keyless-attestation-regexp/README.md | 8 + .../chainsaw-test.yaml | 21 ++ .../pod-assert.yaml | 5 + .../keyless-attestation-regexp/pod.yaml | 9 + .../policy-assert.yaml | 7 + .../keyless-attestation-regexp/policy.yaml | 33 +++ 21 files changed, 1377 insertions(+), 25 deletions(-) create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml 
diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go
index 30925a772cd0..5d2800edae1d 100644
--- a/api/kyverno/v1/image_verification_types.go
+++ b/api/kyverno/v1/image_verification_types.go
@@ -256,10 +256,18 @@ type KeylessAttestor struct {
 // +kubebuilder:validation:Optional
 Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
 
+ // IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.
+ // +kubebuilder:validation:Optional
+ IssuerRegExp string `json:"issuerRegExp,omitempty" yaml:"issuerRegExp,omitempty"`
+
 // Subject is the verified identity used for keyless signing, for example the email address.
 // +kubebuilder:validation:Optional
 Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
 
+ // SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.
+ // +kubebuilder:validation:Optional
+ SubjectRegExp string `json:"subjectRegExp,omitempty" yaml:"subjectRegExp,omitempty"`
+
 // Roots is an optional set of PEM encoded trusted root certificates.
 // If not provided, the system roots are used.
 // +kubebuilder:validation:Optional
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
index 6cc6fe94c0f1..bdf66e154a1e 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
@@ -3169,6 +3169,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object
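Review bot: The added IssuerRegExp and SubjectRegExp fields document neither anchoring nor their relationship to the exact-match Issuer and Subject fields, and the only marker on them is `+kubebuilder:validation:Optional`; the enclosing KeylessAttestor struct begins and ends outside this hunk. If the code that consumes them (pkg/cosign/cosign.go, not in this hunk) performs an unanchored Go regexp match, as cosign's own identity check does, then an unanchored pattern also accepts any issuer or identity that merely contains the expected value as a substring, which silently widens the set of trusted signers. I would extend each field comment with `// Anchor the expression (^...$); an unanchored pattern also matches identities that merely contain it.` and state whether a regexp field may be set together with its exact-match counterpart, since that is not visible from the type. If the intended contract is that the two forms are mutually exclusive, a `+kubebuilder:validation:XValidation` rule on the struct would enforce it at admission time rather than leaving it to the verifier. Nothing here checks that the string compiles as a regular expression, so a malformed pattern is only discovered when a verification fails.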
@@ -3200,6 +3205,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -3669,6 +3680,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3700,6 +3716,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4046,6 +4068,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4076,6 +4103,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public 
@@ -7539,6 +7572,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -7570,6 +7608,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8044,6 +8088,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8077,6 +8127,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8427,6 +8484,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -8458,6 +8520,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -11713,6 +11781,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11744,6 +11817,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12202,6 +12281,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12233,6 +12317,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -12579,6 +12669,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12609,6 +12704,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16052,6 +16153,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16083,6 +16189,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16557,6 +16669,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -16590,6 +16708,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -16940,6 +17065,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16971,6 +17101,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 244acd44e166..ac323e628b7a 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml @@ -3170,6 +3170,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -3201,6 +3206,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -3670,6 +3681,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3701,6 +3717,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4047,6 +4069,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4077,6 +4104,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public 
@@ -7541,6 +7574,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -7572,6 +7610,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8046,6 +8090,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8079,6 +8129,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8429,6 +8486,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -8460,6 +8522,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -11716,6 +11784,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11747,6 +11820,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12205,6 +12284,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12236,6 +12320,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -12582,6 +12672,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12612,6 +12707,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16055,6 +16156,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16086,6 +16192,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16560,6 +16672,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -16593,6 +16711,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -16943,6 +17068,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16974,6 +17104,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index f47d88288348..86c37dd3e937 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -3163,6 +3163,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -3194,6 +3199,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -3663,6 +3674,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3694,6 +3710,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4040,6 +4062,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4070,6 +4097,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public 
@@ -7533,6 +7566,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -7564,6 +7602,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8038,6 +8082,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8071,6 +8121,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8421,6 +8478,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -8452,6 +8514,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -11707,6 +11775,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11738,6 +11811,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12196,6 +12275,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12227,6 +12311,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -12573,6 +12663,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12603,6 +12698,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16046,6 +16147,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16077,6 +16183,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16551,6 +16663,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -16584,6 +16702,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -16934,6 +17059,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16965,6 +17095,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 1e7589b40732..3bb6f5c6108c 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -3164,6 +3164,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -3195,6 +3200,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -3664,6 +3675,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3695,6 +3711,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4041,6 +4063,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4071,6 +4098,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public 
@@ -7535,6 +7568,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -7566,6 +7604,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8040,6 +8084,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8073,6 +8123,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8423,6 +8480,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -8454,6 +8516,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -11710,6 +11778,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11741,6 +11814,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12199,6 +12278,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12230,6 +12314,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -12576,6 +12666,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12606,6 +12701,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16049,6 +16150,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16080,6 +16186,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16554,6 +16666,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -16587,6 +16705,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -16937,6 +17062,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16968,6 +17098,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index f47d88288348..86c37dd3e937 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml @@ -3163,6 +3163,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3194,6 +3199,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -3663,6 +3674,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3694,6 +3710,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4040,6 +4062,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4070,6 +4097,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -7533,6 +7566,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -7564,6 +7602,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8038,6 +8082,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8071,6 +8121,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8421,6 +8478,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8452,6 +8514,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -11707,6 +11775,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11738,6 +11811,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12196,6 +12275,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12227,6 +12311,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12573,6 +12663,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -12603,6 +12698,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16046,6 +16147,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16077,6 +16183,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16551,6 +16663,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16584,6 +16702,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one 
@@ -16934,6 +17059,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16965,6 +17095,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 1e7589b40732..3bb6f5c6108c 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml @@ -3164,6 +3164,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3195,6 +3200,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -3664,6 +3675,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3695,6 +3711,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4041,6 +4063,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4071,6 +4098,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -7535,6 +7568,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -7566,6 +7604,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8040,6 +8084,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8073,6 +8123,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -8423,6 +8480,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8454,6 +8516,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -11710,6 +11778,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -11741,6 +11814,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -12199,6 +12278,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12230,6 +12314,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12576,6 +12666,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -12606,6 +12701,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -16049,6 +16150,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16080,6 +16186,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16554,6 +16666,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16587,6 +16705,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one 
@@ -16937,6 +17062,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16968,6 +17098,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 8e6a37856d19..6cedf4eb5897 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -8361,6 +8361,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8392,6 +8397,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -8861,6 +8872,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -8892,6 +8908,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -9238,6 +9260,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -9268,6 +9295,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -12731,6 +12764,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12762,6 +12800,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -13236,6 +13280,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13269,6 +13319,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -13619,6 +13676,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13650,6 +13712,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -16905,6 +16973,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -16936,6 +17009,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -17394,6 +17473,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17425,6 +17509,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -17771,6 +17861,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17801,6 +17896,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public 
@@ -21244,6 +21345,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -21275,6 +21381,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -21749,6 +21861,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -21782,6 +21900,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -22132,6 +22257,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -22163,6 +22293,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -25927,6 +26063,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -25958,6 +26099,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -26427,6 +26574,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -26458,6 +26610,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -26804,6 +26962,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -26834,6 +26997,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -30298,6 +30467,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -30329,6 +30503,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -30803,6 +30983,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -30836,6 +31022,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -31186,6 +31379,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -31217,6 +31415,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -34473,6 +34677,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -34504,6 +34713,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -34962,6 +35177,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -34993,6 +35213,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -35339,6 +35565,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -35369,6 +35600,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -38812,6 +39049,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -38843,6 +39085,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -39317,6 +39565,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -39350,6 +39604,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -39700,6 +39961,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -39731,6 +39997,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 47308c9ebf63..e5724029ca65 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -2700,6 +2700,17 @@

KeylessAttestor +issuerRegExp
+ +string + + + +

IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.

+ + + + subject
string @@ -2711,6 +2722,17 @@

KeylessAttestor +subjectRegExp
+ +string + + + +

SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.

+ + + + roots
string diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html index 433baef7a551..fc2ae141c887 100644 --- a/docs/user/crd/kyverno.v1.html +++ b/docs/user/crd/kyverno.v1.html @@ -5436,6 +5436,35 @@

KeylessAttestor + + issuerRegExp + + * + +
+ + + + + string + + + + + + +

IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.

+ + + + + + + + + + + subject @@ -5465,6 +5494,35 @@

KeylessAttestor + + subjectRegExp + + * + +
+ + + + + string + + + + + + +

SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.

+ + + + + + + + + + + roots diff --git a/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go b/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go index 9604052ca0ac..f3861678fa6e 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go +++ b/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go @@ -24,7 +24,9 @@ type KeylessAttestorApplyConfiguration struct { Rekor *RekorApplyConfiguration `json:"rekor,omitempty"` CTLog *CTLogApplyConfiguration `json:"ctlog,omitempty"` Issuer *string `json:"issuer,omitempty"` + IssuerRegExp *string `json:"issuerRegExp,omitempty"` Subject *string `json:"subject,omitempty"` + SubjectRegExp *string `json:"subjectRegExp,omitempty"` Roots *string `json:"roots,omitempty"` AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty"` } @@ -59,6 +61,14 @@ func (b *KeylessAttestorApplyConfiguration) WithIssuer(value string) *KeylessAtt return b } +// WithIssuerRegExp sets the IssuerRegExp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the IssuerRegExp field is set to the value of the last call. +func (b *KeylessAttestorApplyConfiguration) WithIssuerRegExp(value string) *KeylessAttestorApplyConfiguration { + b.IssuerRegExp = &value + return b +} + // WithSubject sets the Subject field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Subject field is set to the value of the last call. 
@@ -67,6 +77,14 @@ func (b *KeylessAttestorApplyConfiguration) WithSubject(value string) *KeylessAt return b } +// WithSubjectRegExp sets the SubjectRegExp field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the SubjectRegExp field is set to the value of the last call. +func (b *KeylessAttestorApplyConfiguration) WithSubjectRegExp(value string) *KeylessAttestorApplyConfiguration { + b.SubjectRegExp = &value + return b +} + // WithRoots sets the Roots field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Roots field is set to the value of the last call. diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go index 3cf8c8d584b5..16ae87d3c855 100644 --- a/pkg/cosign/cosign.go +++ b/pkg/cosign/cosign.go @@ -8,6 +8,7 @@ import ( "encoding/base64" "encoding/json" "fmt" + "regexp" "strings" "github.com/google/go-containerregistry/pkg/name" @@ -74,7 +75,7 @@ func (v *cosignVerifier) VerifySignature(ctx context.Context, opts images.Option return nil, err } - if err := matchSignatures(signatures, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil { + if err := matchSignatures(signatures, opts.Subject, opts.SubjectRegExp, opts.Issuer, opts.IssuerRegExp, opts.AdditionalExtensions); err != nil { return nil, err } @@ -308,7 +309,7 @@ func (v *cosignVerifier) FetchAttestations(ctx context.Context, opts images.Opti continue } - if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil { + if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.SubjectRegExp, opts.Issuer, opts.IssuerRegExp, opts.AdditionalExtensions); err != nil { return nil, err } } 
@@ -500,7 +501,7 @@ func extractDigest(imgRef string, payload []payload.SimpleContainerImage) (strin return "", fmt.Errorf("digest not found for %s", imgRef) } -func matchSignatures(signatures []oci.Signature, subject, issuer string, extensions map[string]string) error { +func matchSignatures(signatures []oci.Signature, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error { if subject == "" && issuer == "" && len(extensions) == 0 { return nil } @@ -516,7 +517,7 @@ func matchSignatures(signatures []oci.Signature, subject, issuer string, extensi return fmt.Errorf("certificate not found") } - if err := matchCertificateData(cert, subject, issuer, extensions); err != nil { + if err := matchCertificateData(cert, subject, subjectRegExp, issuer, issuerRegExp, extensions); err != nil { errs = append(errs, err) } else { // only one signature certificate needs to match the required subject, issuer, and extensions 
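Review bot: The early-return guard in matchSignatures still reads `if subject == "" && issuer == "" && len(extensions) == 0 { return nil }`, so a policy that sets only subjectRegExp and/or issuerRegExp — exactly what the new keyless-attestation-regexp policy.yaml in this commit does — returns before any certificate is inspected and no identity constraint is enforced on the signer. The guard should become `if subject == "" && subjectRegExp == "" && issuer == "" && issuerRegExp == "" && len(extensions) == 0 {`. The new assertion `matchSignatures(sigs, "", "", "", issuer2RegExp, nil)` in cosign_test.go passes vacuously through this path; a regexp-only negative case (a pattern that cannot match the fixture's issuer, expecting "issuer mismatch") would have caught it. The body of matchSignatures lies between and after the two hunks on this line.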
@@ -532,31 +533,66 @@ func matchSignatures(signatures []oci.Signature, subject, issuer string, extensi return fmt.Errorf("invalid signature") } -func matchCertificateData(cert *x509.Certificate, subject, issuer string, extensions map[string]string) error { - if subject != "" { - s := "" +func matchCertificateData(cert *x509.Certificate, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error { + if subject != "" || subjectRegExp != "" { if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 { - s = sans[0] - } - if !wildcard.Match(subject, s) { - return fmt.Errorf("subject mismatch: expected %s, received %s", subject, s) + subjectMatched := false + if subject != "" { + for _, s := range sans { + if wildcard.Match(subject, s) { + subjectMatched = true + break + } + } + } + if subjectRegExp != "" { + regex, err := regexp.Compile(subjectRegExp) + if err != nil { + return fmt.Errorf("invalid regexp for subject: %s : %w", subjectRegExp, err) + } + for _, s := range sans { + if regex.MatchString(s) { + subjectMatched = true + break + } + } + } + + if !subjectMatched { + sub := "" + if subject != "" { + sub = subject + } else if subjectRegExp != "" { + sub = subjectRegExp + } + return fmt.Errorf("subject mismatch: expected %s, received %s", sub, strings.Join(sans, ", ")) + } } } - if err := matchExtensions(cert, issuer, extensions); err != nil { + if err := matchExtensions(cert, issuer, issuerRegExp, extensions); err != nil { return err } return nil } -func matchExtensions(cert *x509.Certificate, issuer string, extensions map[string]string) error { +func matchExtensions(cert *x509.Certificate, issuer, issuerRegExp string, extensions map[string]string) error { ce := cosign.CertExtensions{Cert: cert} - if issuer != "" { + if issuer != "" || issuerRegExp != "" { val := ce.GetIssuer() - if !wildcard.Match(issuer, val) { - return fmt.Errorf("issuer mismatch: expected %s, received %s", issuer, val) + if issuer != "" { + if 
!wildcard.Match(issuer, val) { + return fmt.Errorf("issuer mismatch: expected %s, received %s", issuer, val) + } + } + if issuerRegExp != "" { + if regex, err := regexp.Compile(issuerRegExp); err != nil { + return fmt.Errorf("invalid regexp for issuer: %s : %w", issuerRegExp, err) + } else if !regex.MatchString(val) { + return fmt.Errorf("issuer mismatch: expected %s, received %s", issuerRegExp, val) + } } } diff --git a/pkg/cosign/cosign_test.go b/pkg/cosign/cosign_test.go index 053bbac018d6..d102ecac5095 100644 --- a/pkg/cosign/cosign_test.go +++ b/pkg/cosign/cosign_test.go @@ -227,7 +227,10 @@ func TestCosignMatchCertificateData(t *testing.T) { assert.NilError(t, err) subject1 := "https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/*" + subject1RegExp := `https://github\.com/JimBugwadia/demo-java-tomcat/.+` issuer1 := "https://token.actions.githubusercontent.com" + issuer1RegExp := `https://token\.actions\..+` + extensions := map[string]string{ "githubWorkflowTrigger": "push", "githubWorkflowSha": "c7645284fa7aebe554618eee879b4d6947f8564e", 
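Review bot: A certificate with no subject alternative names now passes the subject check: the whole comparison sits inside `if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0` with no else branch, whereas the removed code compared `subject` against `""` and failed. Add an else branch such as `} else { return fmt.Errorf("subject mismatch: expected %s, received no subject alternative names", subject) }` (reporting subjectRegExp when only it is set). The two fields also combine differently: subjectMatched becomes true when either subject or subjectRegExp hits a SAN, while issuer and issuerRegExp must both match, and the subject mismatch message reports only `subject` when both are set — pick one rule and state it on the API fields. A doc note on SubjectRegExp/IssuerRegExp that `MatchString` is unanchored, so patterns should carry `^`/`$` to avoid matching a longer identity that merely contains the expected one, would also help policy authors. matchExtensions continues past the end of the hunk.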
@@ -235,20 +238,41 @@ func TestCosignMatchCertificateData(t *testing.T) { "githubWorkflowRepository": "JimBugwadia/demo-java-tomcat", } - matchErr := matchCertificateData(cert1, subject1, issuer1, extensions) + matchErr := matchCertificateData(cert1, subject1, "", issuer1, "", extensions) + assert.NilError(t, matchErr) + + matchErr = matchCertificateData(cert1, "", "", issuer1, "", extensions) + assert.NilError(t, matchErr) + + matchErr = matchCertificateData(cert1, subject1, "", issuer1, "", nil) + assert.NilError(t, matchErr) + + matchErr = matchCertificateData(cert1, "", subject1RegExp, "", issuer1RegExp, nil) assert.NilError(t, matchErr) - matchErr = matchCertificateData(cert1, "", issuer1, extensions) + matchErr = matchCertificateData(cert1, "", "", "", issuer1RegExp, nil) assert.NilError(t, matchErr) - matchErr = matchCertificateData(cert1, subject1, issuer1, nil) + matchErr = matchCertificateData(cert1, subject1, subject1RegExp, issuer1, issuer1RegExp, nil) assert.NilError(t, matchErr) - matchErr = matchCertificateData(cert1, "wrong-subject", issuer1, extensions) + matchErr = matchCertificateData(cert1, "", `^wrong-regex$`, issuer1, issuer1RegExp, nil) + assert.Error(t, matchErr, "subject mismatch: expected ^wrong-regex$, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22") + + matchErr = matchCertificateData(cert1, "", "", "", `^wrong-regex$`, nil) + assert.Error(t, matchErr, "issuer mismatch: expected ^wrong-regex$, received https://token.actions.githubusercontent.com") + + matchErr = matchCertificateData(cert1, "wrong-subject", "", issuer1, "", extensions) assert.Error(t, matchErr, "subject mismatch: expected wrong-subject, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22") + matchErr = matchCertificateData(cert1, "", "*", "", issuer1RegExp, nil) + assert.Error(t, matchErr, "invalid regexp for subject: * : error parsing regexp: missing argument 
to repetition operator: `*`") + + matchErr = matchCertificateData(cert1, "", subject1RegExp, "", "?", nil) + assert.Error(t, matchErr, "invalid regexp for issuer: ? : error parsing regexp: missing argument to repetition operator: `?`") + extensions["githubWorkflowTrigger"] = "pull" - matchErr = matchCertificateData(cert1, subject1, issuer1, extensions) + matchErr = matchCertificateData(cert1, subject1, "", issuer1, "", extensions) assert.Error(t, matchErr, "extension mismatch: expected pull for key githubWorkflowTrigger, received push") } 
@@ -431,17 +455,28 @@ func TestCosignMatchSignatures(t *testing.T) { } subject2 := "*@nirmata.com" + subject2RegExp := `.+@nirmata\.com` issuer2 := "https://github.com/login/oauth" + issuer2RegExp := `https://github\.com/login/.+` + + matchErr := matchSignatures(sigs, subject1, "", issuer1, "", extensions) + assert.NilError(t, matchErr) + + matchErr = matchSignatures(sigs, subject2, "", issuer2, "", nil) + assert.NilError(t, matchErr) - matchErr := matchSignatures(sigs, subject1, issuer1, extensions) + matchErr = matchSignatures(sigs, "", subject2RegExp, issuer2, "", nil) assert.NilError(t, matchErr) - matchErr = matchSignatures(sigs, subject2, issuer2, nil) + matchErr = matchSignatures(sigs, "", "", "", issuer2RegExp, nil) assert.NilError(t, matchErr) - matchErr = matchSignatures(sigs, subject2, issuer1, nil) + matchErr = matchSignatures(sigs, subject2, "", issuer1, "", nil) assert.Error(t, matchErr, "subject mismatch: expected *@nirmata.com, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22; issuer mismatch: expected https://token.actions.githubusercontent.com, received https://github.com/login/oauth") - matchErr = matchSignatures(sigs, subject2, issuer2, extensions) + matchErr = matchSignatures(sigs, "", subject2RegExp, issuer1, "", nil) + assert.Error(t, matchErr, `subject mismatch: expected .+@nirmata\.com, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22; issuer mismatch: expected https://token.actions.githubusercontent.com, received https://github.com/login/oauth`) + + matchErr = matchSignatures(sigs, subject2, "", issuer2, "", extensions) assert.ErrorContains(t, matchErr, "extension mismatch") } diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go index c3d6c908bc0d..d248c47b0b4f 100644 --- a/pkg/engine/internal/imageverifier.go +++ b/pkg/engine/internal/imageverifier.go 
@@ -639,7 +639,9 @@ func (iv *ImageVerifier) buildCosignVerifier( opts.Roots = attestor.Keyless.Roots opts.Issuer = attestor.Keyless.Issuer + opts.IssuerRegExp = attestor.Keyless.IssuerRegExp opts.Subject = attestor.Keyless.Subject + opts.SubjectRegExp = attestor.Keyless.SubjectRegExp opts.AdditionalExtensions = attestor.Keyless.AdditionalExtensions } diff --git a/pkg/images/verifier.go b/pkg/images/verifier.go index 5deead8097f1..13e8f6421ff5 100644 --- a/pkg/images/verifier.go +++ b/pkg/images/verifier.go @@ -29,7 +29,9 @@ type Options struct { CertChain string Roots string Subject string + SubjectRegExp string Issuer string + IssuerRegExp string AdditionalExtensions map[string]string Annotations map[string]string Repository string diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md new file mode 100644 index 000000000000..5c342638ffad --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md @@ -0,0 +1,8 @@ +## Description + +Verify image attestations with regexp subject + +## Expected Behavior + +The pod creation should pass. + diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml new file mode 100644 index 000000000000..29271af436b1 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml 
@@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: keyless-attestation-invalid-attestor +spec: + timeouts: + delete: 2m + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: pod.yaml + - assert: + file: pod-assert.yaml \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml new file mode 100644 index 000000000000..e47387521843 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: zulu + namespace: default diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml new file mode 100644 index 000000000000..921f8ee74797 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: zulu + namespace: default +spec: + containers: + - image: ghcr.io/chipzoller/zulu:v0.0.14 + name: zulu diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml new file mode 100644 index 000000000000..0556cd0c33b3 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml 
@@ -0,0 +1,7 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-invalid-attestors-in-attestations + annotations: + pod-policies.kyverno.io/autogen-controllers: none diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml new file mode 100644 index 000000000000..93e3c7b91235 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml @@ -0,0 +1,33 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-invalid-attestors-in-attestations + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + webhookTimeoutSeconds: 30 + background: false + rules: + - name: check-invalid-attestation-attestor + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - validationFailureAction: Enforce + imageReferences: + - "ghcr.io/chipzoller/zulu*" + attestations: + - type: https://slsa.dev/provenance/v0.2 + attestors: + - count: 1 + entries: + - keyless: + subjectRegExp: https://github\.com/slsa-framework/slsa-github-generator/\.github/workflows/generator_container_slsa3\.yml@.+ + issuerRegExp: https://token\.actions\.githubusercontent.+ + rekor: + url: https://rekor.sigstore.dev + ctlog: + ignoreSCT: true
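Review bot: Both `issuerRegExp: https://token\.actions\.githubusercontent.+` and the subjectRegExp in the keyless entry are unanchored, and the issuer pattern leaves the final dot unescaped, so they also accept any issuer or identity that merely contains these prefixes; a conformance example should model the strict form, e.g. `issuerRegExp: ^https://token\.actions\.githubusercontent\.com$`. The ClusterPolicy name `check-invalid-attestors-in-attestations`, the rule name `check-invalid-attestation-attestor` and the chainsaw Test name `keyless-attestation-invalid-attestor` look copied from the invalid-attestor test and do not describe a regexp case; names such as `check-keyless-attestation-regexp` make a failing run easier to attribute. The README's "Verify image attestations with regexp subject" could mention that the issuer is matched by regexp too.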