Kyverno Version
1.8.5
Description
🔍 Scenario
- Generate warnings for every unsigned image in a specific namespace
☑️ Expected Behaviors
- All containers in the POD are verified
- A warning violation is generated for each container in the POD
- The order of the containers defined in the POD should not affect the validation
🚫 Unexpected Behaviors
- Only one container image is being verified
- Only one violation warning is being generated
- The order of the containers defined in the POD affects the validation
Given a policy:
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-signature
  annotations:
    policies.kyverno.io/title: Check Image Signature
    policies.kyverno.io/category: ImageSignature
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.7.0
    policies.kyverno.io/description: >-
      Using the Cosign project, OCI images may be signed to ensure supply chain
      security is maintained. Those signatures can be verified before pulling into
      a cluster. This policy checks the signature of an image repo called
      ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying
      its signature against the provided public key. This policy serves as an illustration for
      how to configure a similar rule and will require replacing with your image(s) and keys.
spec:
  webhookTimeoutSeconds: 15
  validationFailureAction: audit
  background: false
  rules:
    - name: verify-image-signature
      match:
        resources: {}
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - "cool-namespace"
      verifyImages:
        - imageReferences:
            - "*"
          mutateDigest: true
          required: true
          verifyDigest: true
          attestors:
            - entries:
                - keys:
                    publicKeys: |
                      -----BEGIN PUBLIC KEY-----
                      ...
                      -----END PUBLIC KEY-----
      # BC: https://github.com/kyverno/kyverno/issues/5738
      mutate: {}
      validate: {}
      exclude:
        resources: {}
      generate:
        clone: {}
        cloneList: {}
```
The following test Pod would pass the test:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-check-image-no-signature
  namespace: cool-namespace
spec:
  containers:
    - name: bar-good
      image: registry.something/foo/bar:good-signature
      imagePullPolicy: Always
    - name: bar-bad
      image: registry.something/foo/bar:bad-signature
      imagePullPolicy: Always
  restartPolicy: Always
```
```text
│───│───────────────────────│────────────────────────│───────────────────────────────────│────────│
│ # │ POLICY                │ RULE                   │ RESOURCE                          │ RESULT │
│───│───────────────────────│────────────────────────│───────────────────────────────────│────────│
│ 1 │ check-image-signature │ verify-image-signature │ /Pod/bad-check-image-no-signature │ Pass   │
│───│───────────────────────│────────────────────────│───────────────────────────────────│────────│
```
The following test Pod would fail the test:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: bad-check-image-no-signature
  namespace: cool-namespace
spec:
  containers:
    - name: bar-bad
      image: registry.something/foo/bar:bad-signature
      imagePullPolicy: Always
    - name: bar-good
      image: registry.something/foo/bar:good-signature
      imagePullPolicy: Always
  restartPolicy: Always
```
```text
│───│───────────────────────│────────────────────────│───────────────────────────────────│────────│
│ # │ POLICY                │ RULE                   │ RESOURCE                          │ RESULT │
│───│───────────────────────│────────────────────────│───────────────────────────────────│────────│
│ 1 │ check-image-signature │ verify-image-signature │ /Pod/bad-check-image-no-signature │ Fail   │
│───│───────────────────────│────────────────────────│───────────────────────────────────│────────│
```
Slack discussion
No response
Troubleshooting
- I have read and followed the documentation AND the troubleshooting guide.
- I have searched other issues in this repository and mine is not recorded.
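A `kyverno test` manifest that pins down the expected behaviour from the report (a Pod with one unsigned container must fail no matter where that container sits in the list), added here as an illustration and not taken from the issue or from the Kyverno project. It assumes the policy above is saved as `policy.yaml`, and that the two Pods are saved together in `resources.yaml` under the distinct names `bad-pod-good-first` (good-signature container listed first) and `bad-pod-bad-first` (bad-signature container listed first), since two resources of the same kind, name and namespace cannot share one test file. Field names follow the Kyverno 1.8 CLI test file format as I understand it; the real public key and a reachable registry are still required for the signature checks to run.

```yaml
# kyverno-test.yaml (added example; file names and Pod names are assumptions)
name: verify-all-containers-regardless-of-order
policies:
  - policy.yaml
resources:
  - resources.yaml
results:
  # Pod where the good-signature container is listed before the unsigned one.
  # This is the ordering the report shows passing; a correct implementation
  # must still report a failure because bar-bad is unsigned.
  - policy: check-image-signature
    rule: verify-image-signature
    resource: bad-pod-good-first
    kind: Pod
    namespace: cool-namespace
    result: fail
  # Same two images, unsigned container listed first; expected to fail either way.
  - policy: check-image-signature
    rule: verify-image-signature
    resource: bad-pod-bad-first
    kind: Pod
    namespace: cool-namespace
    result: fail
```

Run `kyverno test .` in the directory holding the three files. With the behaviour described in this issue the first entry is reported as Pass instead of the expected fail, so the test run fails and the ordering dependence shows up as a single mismatched row rather than as something that only surfaces in a cluster.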