
feat: Add Manifest Index to ImageRegistry context #9883

Open. Wants to merge 2 commits into main.

Conversation

@NetanelK NetanelK commented Mar 11, 2024

Explanation

This PR adds the missing OCI Image Index to the imageRegistry context; it adds the imageIndex field, which contains the index.
The Image Index can be used to evaluate an image's supported platforms.

Related issue

Closes #8273 @chipzoller

Milestone of this PR

/milestone 1.13.0

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

What type of PR is this

/kind feature

Proposed Changes

Fetches the imageIndex from the image registry and outputs its raw JSON, the same way manifest and config are handled.

Proof Manifests

To test this PR, create cpol.yaml:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-tolerations
spec:
  rules:
    - context:
        - imageRegistry:
            jmesPath: manifestIndex.manifests[?platform.architecture == 'arm64'] | length(@)
            reference: '{{ request.object.spec.containers[0].image }}'
          name: imageARMPlatform
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchesJson6902: |-
          - op: add
            path: "/spec/tolerations/-"
            value:
              key: kubernetes.io/arch
              operator: Equal
              value: arm64
              effect: NoSchedule
      name: pod-tolerations
      preconditions:
        all:
          - key: "{{ imageARMPlatform || `0` }}"
            operator: Equals
            value: 1
  validationFailureAction: audit

create pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: web
      image: nginx

create patchedPod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: web
      image: nginx
  tolerations:
    - key: kubernetes.io/arch
      operator: Equal
      value: arm64
      effect: NoSchedule

Test with kyverno-cli, kyverno-test.yaml:

name: add-tolerations
policies:
  - cpol.yaml
resources:
  - pod.yaml
results:
  - policy: add-tolerations
    rule: pod-tolerations
    resource: mypod
    patchedResource: patchedPod.yaml
    kind: Pod
    result: pass

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
  • CLI support should be added and my PR doesn't contain that functionality.

Further Comments
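The proof policy above counts arm64 entries of the image index with a JMESPath expression and falls back to `0` when no index variable exists. The following is an added Go example, not code from this PR or from Kyverno, that performs the same platform check against two constructed documents: a multi-arch OCI image index and a single-arch image manifest (the two cases the reviewers asked to see tested). Field names follow the OCI image index schema; the digests and sizes are placeholders, and the function and type names are this example's own. Kyverno resolves the documents through its registry client, which is not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Media types that identify a multi-platform index rather than a single image
// manifest (OCI image spec index and Docker schema 2 manifest list).
const (
	OCIIndexMediaType      = "application/vnd.oci.image.index.v1+json"
	DockerManifestListType = "application/vnd.docker.distribution.manifest.list.v2+json"
)

// Platform mirrors the "platform" object of an index descriptor.
type Platform struct {
	Architecture string `json:"architecture"`
	OS           string `json:"os"`
	Variant      string `json:"variant,omitempty"`
}

// Descriptor is one entry of index.manifests.
type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Platform    *Platform         `json:"platform,omitempty"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// ImageIndex is the subset of an OCI image index needed for platform checks.
// A single-image manifest carries "config" and "layers" instead of
// "manifests", so decoding one into this struct leaves Manifests empty.
type ImageIndex struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Manifests     []Descriptor `json:"manifests"`
}

// IsIndex reports whether a decoded document is a platform index. The
// mediaType field is optional in the OCI spec, so a non-empty manifests
// list is accepted as evidence as well.
func IsIndex(idx ImageIndex) bool {
	return idx.MediaType == OCIIndexMediaType ||
		idx.MediaType == DockerManifestListType ||
		len(idx.Manifests) > 0
}

// CountArch returns how many runnable manifests in raw target arch. It is the
// Go counterpart of the policy's JMESPath
//   manifestIndex.manifests[?platform.architecture == 'arm64'] | length(@)
// with two additions: a single-image manifest yields 0 instead of an error
// (the role of the policy's `|| 0` fallback), and BuildKit attestation
// entries, whose platform is os/architecture "unknown", are not counted.
func CountArch(raw []byte, arch string) (int, error) {
	var idx ImageIndex
	if err := json.Unmarshal(raw, &idx); err != nil {
		return 0, fmt.Errorf("decode manifest: %w", err)
	}
	if !IsIndex(idx) {
		return 0, nil
	}
	n := 0
	for _, d := range idx.Manifests {
		p := d.Platform
		if p == nil || p.OS == "unknown" || p.Architecture == "unknown" {
			continue
		}
		if p.Architecture == arch {
			n++
		}
	}
	return n, nil
}

// Constructed sample documents; digests and sizes are placeholders.
const multiArchIndex = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111",
     "size": 1234, "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222",
     "size": 1234, "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:3333333333333333333333333333333333333333333333333333333333333333",
     "size": 567, "platform": {"architecture": "unknown", "os": "unknown"},
     "annotations": {"vnd.docker.reference.type": "attestation-manifest"}}
  ]
}`

const singleArchManifest = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
             "digest": "sha256:4444444444444444444444444444444444444444444444444444444444444444",
             "size": 100},
  "layers": []
}`

func main() {
	docs := map[string]string{"multi-arch index": multiArchIndex, "single-arch manifest": singleArchManifest}
	for name, doc := range docs {
		n, err := CountArch([]byte(doc), "arm64")
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d arm64 manifest(s)\n", name, n)
	}
}
```

Indexes pushed by `docker buildx` with provenance or SBOM attestations enabled contain extra descriptors whose platform is `unknown/unknown`; a query that counts every entry includes them, which is why the example skips them. The same caveat applies to any policy that compares the raw index length against an expected number of platforms.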


welcome bot commented Mar 11, 2024

Thanks for opening your first Pull Request here! Please check out our Contributing guidelines and confirm that you Signed off.

@realshuting realshuting (Member) left a comment

I would like to see some test coverage for this change.

@vishal-chdhry vishal-chdhry (Member) left a comment

Some tests for both multi-arch and single-arch images would be nice.

Two inline review comments on pkg/engine/adapters/rclient.go (outdated, resolved).


codecov bot commented Mar 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 33.59%. Comparing base (1647b80) to head (208ab3f).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #9883      +/-   ##
==========================================
- Coverage   33.60%   33.59%   -0.01%     
==========================================
  Files         347      347              
  Lines       23843    23843              
==========================================
- Hits         8013     8011       -2     
- Misses      14941    14942       +1     
- Partials      889      890       +1     


Signed-off-by: Netanel Kadosh <kadoshnetanel@gmail.com>
@NetanelK NetanelK force-pushed the feature/image-registry/manifest-index branch from 9dfdb0c to cd813dd Compare March 27, 2024 22:54
@alexandermarston

@NetanelK are you planning to continue to work on this? Would be great to see this added.

Successfully merging this pull request may close these issues.

[Feature] Make Image Manifest Index available to Policies
4 participants