Attestation validation #179

askkhan84 · 2024-04-11T05:42:49Z

If I have a Kyverno cluster policy for the admission controller that has for example the following attestation requirements:

- key: attestations
  value:
    - imageReference: "*"
      type: 
        - name: sbom/cyclone-dx
          conditions:
            all:
        - name: application/sarif+json
          conditions:
            all:
            - key: \{{ element.components[].licenses[].expression }}
              operator: AllNotIn
              value: ["GPL-2.0", "GPL-3.0"]

If the attestation exists in the OCI registry, it validates it and either allows or denies the admission. But if the attestation does not exist at all, it allows the pod admission. I would have thought it should reject the pod admission given it does not have the attestation. what is the explanation behind this design and any way to override it so if an attestation does not exist, pod admission should be rejected?

The text was updated successfully, but these errors were encountered:

JimBugwadia · 2024-05-01T01:32:10Z

This is a bug, which needs to be fixed. Thanks for reporting it!

vishal-chdhry · 2024-05-01T01:39:42Z

looks like a missing if check when none of the attestations match, looking into it

JimBugwadia added the bug Something isn't working label May 1, 2024

JimBugwadia assigned vishal-chdhry May 1, 2024

vishal-chdhry mentioned this issue May 3, 2024

chore: bump kyverno-notation-verifier version #191

Merged

realshuting closed this as completed in #191 May 3, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Attestation validation #179

Attestation validation #179

askkhan84 commented Apr 11, 2024

JimBugwadia commented May 1, 2024

vishal-chdhry commented May 1, 2024

Attestation validation #179

Attestation validation #179

Comments

askkhan84 commented Apr 11, 2024

JimBugwadia commented May 1, 2024

vishal-chdhry commented May 1, 2024