
wip #29915


Draft
wants to merge 1 commit into
base: main
from
Draft

wip #29915

81 changes: 23 additions & 58 deletions test/extended/imagepolicy/imagepolicy.go
Expand Up @@ -16,13 +16,11 @@ import (
"k8s.io/client-go/util/retry"
e2e "k8s.io/kubernetes/test/e2e/framework"
e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
e2eskipper "k8s.io/kubernetes/test/e2e/framework/skipper"
admissionapi "k8s.io/pod-security-admission/api"
)

const (
testReleaseImageScope = "quay.io/openshift-release-dev/ocp-release@sha256:fbad931c725b2e5b937b295b58345334322bdabb0b67da1c800a53686d7397da"
testReferenceImageScope = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:4db234f37ae6712e2f7ed8d13f7fb49971c173d0e4f74613d0121672fa2e01f5"
testSignedPolicyScope = "quay.io/openshifttest/busybox-testsigstoresigned@sha256:c5439d7db88ab5423999530349d327b04279ad3161d7596d2126dfb5b02bfd1f"
registriesWorkerPoolMachineConfig = "99-worker-generated-registries"
registriesMasterPoolMachineConfig = "99-master-generated-registries"
testPodName = "signature-validation-test-pod"
Expand Down Expand Up @@ -52,12 +50,6 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
if !exutil.IsTechPreviewNoUpgrade(tctx, oc.AdminConfigClient()) {
g.Skip("skipping, this feature is only supported on TechPreviewNoUpgrade clusters")
}

outStr, err := oc.Run("adm", "release", "info", testReleaseImageScope).Args("-o=go-template", "--template={{.digest}}").Output()
if err != nil || outStr == "" {
o.Expect(err).ToNot(o.HaveOccurred())
e2eskipper.Skipf("can't validate %s release image for testing, consider updating the test", testReleaseImageScope)
}
})

g.It("Should fail clusterimagepolicy signature validation root of trust does not match the identity in the signature", func() {
Expand All @@ -66,7 +58,7 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][

waitForPoolComplete(oc)

pod, err := launchTestPod(tctx, clif, testPodName, testReleaseImageScope)
pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
o.Expect(err).NotTo(o.HaveOccurred())
g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)

Expand All @@ -75,8 +67,8 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
})

g.It("Should fail clusterimagepolicy signature validation when scope in allowedRegistries list does not skip signature verification", func() {
// Ensure allowedRegistries do not skip signature verification by adding testReleaseImageScope to the list
allowedRegistries := []string{"quay.io", "registry.redhat.io", "image-registry.openshift-image-registry.svc:5000", testReleaseImageScope}
// Ensure allowedRegistries do not skip signature verification by adding testSignedPolicyScope to the list.
allowedRegistries := []string{"quay.io", "registry.redhat.io", "image-registry.openshift-image-registry.svc:5000", testSignedPolicyScope}
updateImageConfig(oc, allowedRegistries)
g.DeferCleanup(cleanupImageConfig, oc)

Expand All @@ -85,7 +77,7 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][

waitForPoolComplete(oc)

pod, err := launchTestPod(tctx, clif, testPodName, testReleaseImageScope)
pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
o.Expect(err).NotTo(o.HaveOccurred())
g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)

Expand All @@ -99,7 +91,7 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][

waitForPoolComplete(oc)

pod, err := launchTestPod(tctx, clif, testPodName, testReleaseImageScope)
pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
o.Expect(err).NotTo(o.HaveOccurred())
g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)

Expand All @@ -110,20 +102,21 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
g.It("Should fail imagepolicy signature validation in different namespaces root of trust does not match the identity in the signature", func() {
createImagePolicy(oc, testImagePolicies[invalidPublicKeyImagePolicyName], imgpolicyClif.Namespace.Name)
g.DeferCleanup(deleteImagePolicy, oc, invalidPublicKeyImagePolicyName, imgpolicyClif.Namespace.Name)
waitForPoolComplete(oc)

createImagePolicy(oc, testImagePolicies[invalidPublicKeyImagePolicyName], clif.Namespace.Name)
g.DeferCleanup(deleteImagePolicy, oc, invalidPublicKeyImagePolicyName, clif.Namespace.Name)

waitForPoolComplete(oc)

pod, err := launchTestPod(tctx, imgpolicyClif, testPodName, testReferenceImageScope)
pod, err := launchTestPod(tctx, imgpolicyClif, testPodName, testSignedPolicyScope)
o.Expect(err).NotTo(o.HaveOccurred())
g.DeferCleanup(deleteTestPod, tctx, imgpolicyClif, testPodName)

err = waitForTestPodContainerToFailSignatureValidation(tctx, imgpolicyClif, pod)
o.Expect(err).NotTo(o.HaveOccurred())

pod, err = launchTestPod(tctx, clif, testPodName, testReferenceImageScope)
pod, err = launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
o.Expect(err).NotTo(o.HaveOccurred())
g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)

Expand All @@ -134,20 +127,21 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
g.It("Should pass imagepolicy signature validation with signed image in namespaces", func() {
createImagePolicy(oc, testImagePolicies[publiKeyRekorImagePolicyName], clif.Namespace.Name)
g.DeferCleanup(deleteImagePolicy, oc, publiKeyRekorImagePolicyName, clif.Namespace.Name)
waitForPoolComplete(oc)

createImagePolicy(oc, testImagePolicies[publiKeyRekorImagePolicyName], imgpolicyClif.Namespace.Name)
g.DeferCleanup(deleteImagePolicy, oc, publiKeyRekorImagePolicyName, imgpolicyClif.Namespace.Name)

waitForPoolComplete(oc)

pod, err := launchTestPod(tctx, clif, testPodName, testReferenceImageScope)
pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
o.Expect(err).NotTo(o.HaveOccurred())
g.DeferCleanup(deleteTestPod, tctx, clif, testPodName)

err = e2epod.WaitForPodSuccessInNamespace(tctx, clif.ClientSet, pod.Name, pod.Namespace)
o.Expect(err).NotTo(o.HaveOccurred())

pod, err = launchTestPod(tctx, imgpolicyClif, testPodName, testReferenceImageScope)
pod, err = launchTestPod(tctx, imgpolicyClif, testPodName, testSignedPolicyScope)
o.Expect(err).NotTo(o.HaveOccurred())
g.DeferCleanup(deleteTestPod, tctx, imgpolicyClif, testPodName)

Expand Down Expand Up @@ -215,6 +209,7 @@ func launchTestPod(ctx context.Context, f *e2e.Framework, podName, image string)
Name: contName,
Image: image,
ImagePullPolicy: kapiv1.PullAlways,
Command: []string{"/bin/sh", "-c", "exit 0"},
},
},
RestartPolicy: kapiv1.RestartPolicyNever,
Expand Down Expand Up @@ -263,7 +258,7 @@ func generateClusterImagePolicies() map[string]configv1alpha1.ClusterImagePolicy
invalidPublicKeyClusterImagePolicyName: {
ObjectMeta: metav1.ObjectMeta{Name: invalidPublicKeyClusterImagePolicyName},
Spec: configv1alpha1.ClusterImagePolicySpec{
Scopes: []configv1alpha1.ImageScope{testReleaseImageScope},
Scopes: []configv1alpha1.ImageScope{testSignedPolicyScope},
Policy: configv1alpha1.Policy{
RootOfTrust: configv1alpha1.PolicyRootOfTrust{
PolicyType: configv1alpha1.PublicKeyRootOfTrust,
Expand All @@ -280,34 +275,19 @@ func generateClusterImagePolicies() map[string]configv1alpha1.ClusterImagePolicy
publiKeyRekorClusterImagePolicyName: {
ObjectMeta: metav1.ObjectMeta{Name: publiKeyRekorClusterImagePolicyName},
Spec: configv1alpha1.ClusterImagePolicySpec{
Scopes: []configv1alpha1.ImageScope{testReleaseImageScope},
Scopes: []configv1alpha1.ImageScope{testSignedPolicyScope},
Policy: configv1alpha1.Policy{
RootOfTrust: configv1alpha1.PolicyRootOfTrust{
PolicyType: configv1alpha1.PublicKeyRootOfTrust,
PublicKey: &configv1alpha1.PublicKey{
KeyData: []byte(`-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----`),
RekorKeyData: []byte(`-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEDk0ElgGvMrsJULkg/ji1XX7EngDl2WY7
c75kKKy/SwWQ8n3Zymomy4DtkXzjsju204Mgjtdc7dVSPGSBn7VLLdDIzqSd1mLE
2ybPRzY8g742Mn/5hgH4eBzNKBjZ3wv1
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
60l1/qUU0fRATNSCVORCog5PDFo5z0ZLeblWgwbn4c8xpvuo9jQFwpeOsg==
-----END PUBLIC KEY-----`),
},
},
SignedIdentity: configv1alpha1.PolicyIdentity{
MatchPolicy: configv1alpha1.IdentityMatchPolicyMatchRepoDigestOrExact,
MatchPolicy: configv1alpha1.IdentityMatchPolicyMatchRepository,
},
},
},
Expand All @@ -321,7 +301,7 @@ func generateImagePolicies() map[string]configv1alpha1.ImagePolicy {
invalidPublicKeyImagePolicyName: {
ObjectMeta: metav1.ObjectMeta{Name: invalidPublicKeyImagePolicyName},
Spec: configv1alpha1.ImagePolicySpec{
Scopes: []configv1alpha1.ImageScope{testReferenceImageScope},
Scopes: []configv1alpha1.ImageScope{testSignedPolicyScope},
Policy: configv1alpha1.Policy{
RootOfTrust: configv1alpha1.PolicyRootOfTrust{
PolicyType: configv1alpha1.PublicKeyRootOfTrust,
Expand All @@ -338,34 +318,19 @@ func generateImagePolicies() map[string]configv1alpha1.ImagePolicy {
publiKeyRekorImagePolicyName: {
ObjectMeta: metav1.ObjectMeta{Name: publiKeyRekorImagePolicyName},
Spec: configv1alpha1.ImagePolicySpec{
Scopes: []configv1alpha1.ImageScope{testReferenceImageScope},
Scopes: []configv1alpha1.ImageScope{testSignedPolicyScope},
Policy: configv1alpha1.Policy{
RootOfTrust: configv1alpha1.PolicyRootOfTrust{
PolicyType: configv1alpha1.PublicKeyRootOfTrust,
PublicKey: &configv1alpha1.PublicKey{
KeyData: []byte(`-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----`),
RekorKeyData: []byte(`-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEDk0ElgGvMrsJULkg/ji1XX7EngDl2WY7
c75kKKy/SwWQ8n3Zymomy4DtkXzjsju204Mgjtdc7dVSPGSBn7VLLdDIzqSd1mLE
2ybPRzY8g742Mn/5hgH4eBzNKBjZ3wv1
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKvZH0CXTk8XQkETuxkzkl3Bi4ms5
60l1/qUU0fRATNSCVORCog5PDFo5z0ZLeblWgwbn4c8xpvuo9jQFwpeOsg==
-----END PUBLIC KEY-----`),
},
},
SignedIdentity: configv1alpha1.PolicyIdentity{
MatchPolicy: configv1alpha1.IdentityMatchPolicyMatchRepoDigestOrExact,
MatchPolicy: configv1alpha1.IdentityMatchPolicyMatchRepository,
},
},
},
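Review bot: The `SignedIdentity` of `publiKeyRekorClusterImagePolicyName` (in the `generateClusterImagePolicies` hunk) and of `publiKeyRekorImagePolicyName` (in the `generateImagePolicies` hunk) is relaxed from `IdentityMatchPolicyMatchRepoDigestOrExact` to `IdentityMatchPolicyMatchRepository` without a stated reason, and since `testSignedPolicyScope` is a digest-pinned reference the stricter policy should already accept any signature identity from the same repository, so the relaxation does not look necessary for the "Should pass" cases and only widens what the generated policy accepts if the scope is ever changed to a tag (hedged: this is my reading of the match-policy semantics, not something the hunk shows). If the change is a deliberate workaround for the test image's signature, record it next to the field, e.g. `MatchPolicy: configv1alpha1.IdentityMatchPolicyMatchRepository, // TODO(review): why not MatchRepoDigestOrExact for a digest-pinned scope?`; otherwise keep `IdentityMatchPolicyMatchRepoDigestOrExact`. The `KeyData` and `RekorKeyData` PEM blobs are now byte-identical in both generators and could be hoisted into one package-level constant next to `testSignedPolicyScope` so the two policies cannot drift. Both generator functions start and end outside their hunks.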