added issue-6115 tests

Author: hackeramitkumar

clusterPolicy.yml

@@ -52,4 +52,4 @@ spec:
       mutateDigest: false
       required: true
       verifyDigest: false
-  validationFailureAction: enforce
+  validationFailureAction: enforce

kyverno-test.yaml

@@ -0,0 +1,18 @@
+name: verify_multiple_resources
+policies:
+  - policy3.yml
+resources:
+  # - pod3.yml
+  - pod4.yml
+variables: values.yml
+results:
+  # - policy: check-image
+  #   rule: check-image
+  #   resource: pod-3
+  #   kind: Pod
+  #   result: pass
+  - policy: check-image
+    rule: check-image
+    resource: pod-4
+    kind: Pod
+    result: pass

minikube-linux-amd64

@@ -1,9 +1,10 @@
+# verified
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: nginx-deployment
   labels:
     app: nginx
+  name: nginx-deployment
 spec:
   replicas: 1
   selector:
@@ -14,10 +15,7 @@ spec:
       labels:
         app: nginx
     spec:
-      imagePullSecrets:
-      - name: regcred
       containers:
-      - name: nginx
-        image: ghcr.io/hackeramitkumar/test5:app
-        ports:
-        - containerPort: 80
+      - image: ghcr.io/hackeramitkumar/test5:app
+        name: nginx
+        resources: {}

pod.yml

@@ -1,9 +1,10 @@
+# verfied image
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: nginx-deployment
   labels:
     app: nginx
+  name: nginx-deployment
 spec:
   replicas: 1
   selector:
@@ -14,10 +15,7 @@ spec:
       labels:
         app: nginx
     spec:
-      imagePullSecrets:
-      - name: regcred
       containers:
-      - name: nginx
-        image: ghcr.io/hackeramitkumar/test5:app2 # NEW VERSION of image
-        ports:
-        - containerPort: 80
+      - image: ghcr.io/hackeramitkumar/test5:app2
+        name: nginx
+        resources: {}

pod2.yml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-3
+  namespace: default
+spec:
+  containers:
+    - image: ghcr.io/hackeramitkumar/test6:app
+      name: bad-container
+      imagePullPolicy: Always
+    - image: ghcr.io/hackeramitkumar/test5:app
+      name: good-container
+      imagePullPolicy: Always

pod3.yml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-4
+  namespace: default
+spec:
+  containers:
+    - image: ghcr.io/hackeramitkumar/test5:app
+      name: good-container
+      imagePullPolicy: Always
+    - image: ghcr.io/hackeramitkumar/test6:app
+      name: bad-container
+      imagePullPolicy: Always

pod4.yml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx
+  name: nginx-deployment-5
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - image: ghcr.io/hackeramitkumar/test5:app
+        name: good-container
+        resources: {}
+      - image: ghcr.io/hackeramitkumar/test6:app
+        name: bad-container
+        resources: {}

pod5.yml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx
+  name: nginx-deployment-6
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - image: ghcr.io/hackeramitkumar/test6:app
+        name: bad-container
+        resources: {}
+      - image: ghcr.io/hackeramitkumar/test5:app
+        name: good-container
+        resources: {}

pod6.yml

@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-image
+spec:
+  validationFailureAction: Enforce
+  background: false
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail
+  rules:
+    - name: check-image
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - imageReferences:
+        - "ghcr.io/hackeramitkumar*"
+        attestors:
+        - count: 1
+          entries:
+          - keys:
+              publicKeys: |-
+                -----BEGIN PUBLIC KEY-----
+                MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFN8gGjQua2g8N+aLx3Eff+/j5HxL
+                bV+H2z50/0A4d8XyMUvizPQBtcgei43pqLj1850m3wSwI08z2+6zT1QaEg==
+                -----END PUBLIC KEY-----                

policy3.yml

@@ -0,0 +1,52 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-image-signature
+  annotations: 
+    policies.kyverno.io/title: Check Image Signature
+    policies.kyverno.io/category: ImageSignature
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/minversion: 1.7.0
+    policies.kyverno.io/description: >-
+      Using the Cosign project, OCI images may be signed to ensure supply chain
+      security is maintained. Those signatures can be verified before pulling into
+      a cluster. This policy checks the signature of an image repo called
+      ghcr.io/kyverno/test-verify-image to ensure it has been signed by verifying
+      its signature against the provided public key. This policy serves as an illustration for
+      how to configure a similar rule and will require replacing with your image(s) and keys.
+spec:
+  webhookTimeoutSeconds: 15
+  validationFailureAction: audit
+  background: false
+  rules:
+    - name: verify-image-signature
+      match:
+        resources: {}
+        any:
+          - resources:
+              kinds:
+                - Pod
+              namespaces:
+                - "cool-namespace"
+      verifyImages:
+        - imageReferences:
+          - "*"
+          mutateDigest: true
+          required: true
+          verifyDigest: true
+          attestors:
+            - entries:
+                - keys:
+                    publicKeys: |
+                      -----BEGIN PUBLIC KEY-----
+                      ...
+                      -----END PUBLIC KEY-----
+      # BC: https://github.com/kyverno/kyverno/issues/5738
+      mutate: {}
+      validate: {}
+      exclude:
+        resources: {}
+      generate:
+        clone: {}
+        cloneList: {}

policy4.yml

@@ -0,0 +1,5 @@
+policies:
+- name: check-image
+  resources:
+  # - name: pod-3
+    - name: pod-4