Kubernetes Examples Release ff326952 (#1224)

Co-authored-by: Azure Policy Bot <[email protected]>

Author: pilor

samples/KubernetesService/image-integrity-notation-verification/examples/scenario-inline-cert/good/pass-example.yaml

@@ -7,24 +7,24 @@ spec:
   parameters:
     value: |
       -----BEGIN CERTIFICATE-----
-      MIIDWDCCAkCgAwIBAgIBUTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzEL
-      MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEb
-      MBkGA1UEAxMSd2FiYml0LW5ldHdvcmtzLmlvMCAXDTIyMTIwMjA4MDg0NFoYDzIx
-      MjIxMjAzMDgwODQ0WjBaMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNV
-      BAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEbMBkGA1UEAxMSd2FiYml0LW5l
-      dHdvcmtzLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnoskJWB0
-      ZsYcfbTvCYQMLqWaB/yN3Jf7Ryxvndrij83fWEQPBQJi8Mk8SpNqm2x9uP3gsQDc
-      L/73a0p6/D+hza2jQQVhebe/oB0LJtUoD5LXlJ83UQdZETLMYAzeBNcBR4kMecrY
-      CnE6yjHeiEWdAH+U7Mt39zJh+9lGIcbk0aUE5UOp8o3t5RWFDcl9hQ7QOXROwmpO
-      thLUIiY/bcPpsg/2nH1nzFjqiBef3sgopFCTgtJ7qF8B83Xy/+hJ5vD29xsbSwuB
-      3iLE7qLxu2NxdIa4oL0Y2QKMh/getjI0xnvwAmPkFiFbzC7LFdDfd6+gA5GpUXxL
-      u6UmwucAgiljGQIDAQABoycwJTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI
-      KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAFvRW/mGjnnMNFKJc/e3o/+yiJor
-      dcrq/1UzyD7eNmOaASXz8rrrFT/6/TBXExPuB2OIf9OgRJFfPGLxmzCwVgaWQbK0
-      VfTN4MQzRrSwPmNYsBAAwLxXbarYlMbm4DEmdJGyVikq08T2dZI51GC/YXEwzlnv
-      ldN0dBflb/FKkY5rAp0JgpHLGKeStxFvB62noBjWfrm7ShCf9gkn1CjmgvP/sYK0
-      pJgA1FHPd6EeB6yRBpLV4EJgQYUJoOpbHz+us62jKj5fAXsX052LPmk9ArmP0uJ1
-      CJLNdj+aShCs4paSWOObDmIyXHwCx3MxCvYsFk/Wsnwura6jGC+cNsjzSx4=
+      MIIDQzCCAiugAwIBAgIUDxHQ9JxxmnrLWTA5rAtIZCzY8mMwDQYJKoZIhvcNAQEL
+      BQAwKTEPMA0GA1UECgwGUmF0aWZ5MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMB4X
+      DTIzMDYyOTA1MjgzMloXDTMzMDYyNjA1MjgzMlowKTEPMA0GA1UECgwGUmF0aWZ5
+      MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+      MIIBCgKCAQEAshmsL2VM9ojhgTVUUuEsZro9jfI27VKZJ4naWSHJihmOki7IoZS8
+      3/3ATpkE1lGbduJ77M9UxQbEW1PnESB0bWtMQtjIbser3mFCn15yz4nBXiTIu/K4
+      FYv6HVdc6/cds3jgfEFNw/8RVMBUGNUiSEWa1lV1zDM2v/8GekUr6SNvMyqtY8oo
+      ItwxfUvlhgMNlLgd96mVnnPVLmPkCmXFN9iBMhSce6sn6P9oDIB+pr1ZpE4F5bwa
+      gRBg2tWN3Tz9H/z2a51Xbn7hCT5OLBRlkorHJl2HKKRoXz1hBgR8xOL+zRySH9Qo
+      3yx6WvluYDNfVbCREzKJf9fFiQeVe0EJOwIDAQABo2MwYTAdBgNVHQ4EFgQUKzci
+      EKCDwPBn4I1YZ+sDdnxEir4wHwYDVR0jBBgwFoAUKzciEKCDwPBn4I1YZ+sDdnxE
+      ir4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEL
+      BQADggEBAGh6duwc1MvV+PUYvIkDfgj158KtYX+bv4PmcV/aemQUoArqM1ECYFjt
+      BlBVmTRJA0lijU5I0oZje80zW7P8M8pra0BM6x3cPnh/oZGrsuMizd4h5b5TnwuJ
+      hRvKFFUVeHn9kORbyQwRQ5SpL8cRGyYp+T6ncEmo0jdIOM5dgfdhwHgb+i3TejcF
+      90sUs65zovUjv1wa11SqOdu12cCj/MYp+H8j2lpaLL2t0cbFJlBY6DNJgxr5qync
+      cz8gbXrZmNbzC7W5QK5J7fcx6tlffOpt5cm427f9NiK2tira50HU7gC3HJkbiSTp
+      Xw10iXXMZzSbQ0/Hj2BF4B40WfAkgRg=
       -----END CERTIFICATE-----
 ---
 apiVersion: config.ratify.deislabs.io/v1beta1
@@ -39,7 +39,7 @@ kind: Verifier
 metadata:
   name: verifier-notary-inline
 spec:
-  name: notaryv2
+  name: notation
   artifactTypes: application/vnd.cncf.notary.signature
   parameters:
     verificationCertStores:  # certificates for validating signatures
@@ -69,4 +69,4 @@ spec:
     kubernetes.io/os: linux
   containers:
   - name: image-singed
-    image: wabbitnetworks.azurecr.io/test/notary-image:signed
+    image: ghcr.io/deislabs/ratify/notary-image:signed

samples/KubernetesService/image-integrity-notation-verification/examples/scenario-inline-cert/violations/violation-examples.yaml

@@ -9,4 +9,4 @@ spec:
     kubernetes.io/os: linux
   containers:
   - name: image-unsinged
-    image: wabbitnetworks.azurecr.io/test/notary-image:unsigned
+    image: ghcr.io/deislabs/ratify/notary-image:unsigned

samples/KubernetesService/image-integrity-notation-verification/examples/scenario-inline-cert/violations/violation-incorrect-cert.yaml

@@ -0,0 +1,55 @@
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: CertificateStore
+metadata:
+  name: certstore-incorrect-cert
+spec:
+  provider: inline
+  parameters: # incorrect cert
+    value: |
+      -----BEGIN CERTIFICATE-----
+      aW5jb3JyZWN0Cg== 
+      -----END CERTIFICATE-----
+---
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: Store
+metadata:
+  name: store-oras-incorrect-cert
+spec:
+  name: oras
+---
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: Verifier
+metadata:
+  name: verifier-notary-inline-incorrect-cert
+spec:
+  name: notation
+  artifactTypes: application/vnd.cncf.notary.signature
+  parameters:
+    verificationCertStores:  # certificates for validating signatures
+      certs: # name of the trustStore
+        - certstore-incorrect-cert # name of the certificate store CRD to include in this trustStore
+    trustPolicyDoc: # policy language that indicates which identities are trusted to produce artifacts
+      version: "1.0"
+      trustPolicies:
+        - name: default
+          registryScopes:
+            - "*"
+          signatureVerification:
+            level: strict
+          trustStores:
+            - ca:certs
+          trustedIdentities:
+            - "*"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pass-incorrect-cert
+  labels:
+    app: scenario-inline-cert
+spec:
+  nodeSelector:
+    kubernetes.io/os: linux
+  containers:
+  - name: image-singed
+    image: ghcr.io/deislabs/ratify/notary-image:signed

samples/KubernetesService/image-integrity-notation-verification/template.yaml

@@ -53,9 +53,19 @@ spec:
             remote_data.system_error == ""
             subject_validation := remote_data.responses[_]
             verifierReport := subject_validation[1].verifierReports[_]
+            # for ratify < v1.0.0-rc.7
             verifierReport.name == "notaryv2"
             not verifierReport.isSuccess
-            result := sprintf("Subject %s failed notation verification, please check ratify verifier configuration. Error: %s", [verifierReport.subject, verifierReport.message])
+            result := sprintf("Subject %s failed notation verification, please check ratify verifier configuration. Error: %s", [subject_validation[0], verifierReport.message])
+        }
+        general_violation[{"result": result}] {
+            remote_data.system_error == ""
+            subject_validation := remote_data.responses[_]
+            verifierReport := subject_validation[1].verifierReports[_]
+            # for ratify >= v1.0.0-rc.7
+            verifierReport.name == "notation"
+            not verifierReport.isSuccess
+            result := sprintf("Subject %s failed notation verification, please check ratify verifier configuration. Error: %s", [subject_validation[0], verifierReport.message])
         }
 
         # Check if the success criteria is true
@@ -66,7 +76,7 @@ spec:
             not verifierReport.name # oras error
             not verifierReport.isSuccess
             reword_msg := reword_oras_error_msg(verifierReport.message)
-            result := sprintf("%s; Subject: %s; Error: %s", [reword_msg, verifierReport.subject, verifierReport.message])
+            result := sprintf("%s; Subject: %s; Error: %s", [reword_msg, subject_validation[0], verifierReport.message])
         }
 
         reword_oras_error_msg(message) = res {
@@ -107,7 +117,18 @@ spec:
             hasContainerStatus(c.name)
             containerStatus := input.review.object.status.containerStatuses[_]
             containerStatus.name == c.name
-            digest := containerStatus.imageID
+            digest_temp := containerStatus.imageID
+            digest_temp != "" # imageID will be empty string if the container is imagePullBackOff
+            digest := digest_temp
+        }
+        get_image_digest(c) = digest {
+            not regex.match(DIGEST_REGEX, c.image)
+            hasContainerStatus(c.name)
+            containerStatus := input.review.object.status.containerStatuses[_]
+            containerStatus.name == c.name
+            digest_temp := containerStatus.imageID
+            digest_temp == ""
+            digest := c.image
         }
         get_image_digest(c) = digest {
             # fail to fetch digest