
Commit 5b311db

updated request handler (#354)
* enable inScopeUsers Signed-off-by: ruriko <[email protected]> * fix err message Signed-off-by: ruriko <[email protected]> * resolve cosign warning message Signed-off-by: ruriko <[email protected]>
1 parent ebdd90f commit 5b311db

7 files changed

+29
-11
lines changed

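--- a/observer/go.mod
+++ b/observer/go.mod
@@ -5,6 +5,7 @@ go 1.16
 require (
 github.com/IBM/integrity-shield/shield v0.0.0-00010101000000-000000000000
 github.com/pkg/errors v0.9.1
+github.com/sigstore/cosign v1.1.0
 github.com/sigstore/k8s-manifest-sigstore v0.0.0-20210909071548-2120192e4ff7
 github.com/sirupsen/logrus v1.8.1
 k8s.io/api v0.21.3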

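--- a/observer/pkg/observer/observer.go
+++ b/observer/pkg/observer/observer.go
@@ -31,6 +31,7 @@ import (
 vrcclient "github.com/IBM/integrity-shield/observer/pkg/client/manifestintegritystate/clientset/versioned/typed/manifestintegritystate/v1"
 k8smnfconfig "github.com/IBM/integrity-shield/shield/pkg/config"
 "github.com/pkg/errors"
+cosign "github.com/sigstore/cosign/cmd/cosign/cli"
 "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
 "github.com/sigstore/k8s-manifest-sigstore/pkg/util/kubeutil"
 log "github.com/sirupsen/logrus"
@@ -124,7 +125,7 @@ func NewObserver() *Observer {
 }
 
 func (self *Observer) Init() error {
-log.Info("init Observer....")
+log.Info("initialize observer.")
 kubeconf, _ := kubeutil.GetKubeConfig()
 
 var err error
@@ -154,6 +155,11 @@ func (self *Observer) Init() error {
 }
 os.Setenv(k8sLogLevelEnvKey, logLevelStr)
 log.SetLevel(logLevel)
+
+log.Info("initialize cosign.")
+cmd := cosign.Init()
+cmd.Exec(context.Background(), []string{})
+
 return nil
 }
 
@@ -167,7 +173,12 @@ func (self *Observer) Run() {
 // load constraints
 constraints, err := self.loadConstraints()
 if err != nil {
-log.Error("Failed to load constraints; err: ", err.Error())
+if err.Error() == "the server could not find the requested resource" {
+log.Info("no observation results")
+return
+} else {
+log.Error("Failed to load constraints; err: ", err.Error())
+}
 }
 
 // setup env value for sigstore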
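Review bot: `cmd.Exec(context.Background(), []string{})` in Init() discards whatever Exec returns; the ffcli command that cosign's cli.Init() builds returns an error from Exec, so a failed initialization (which, as far as I can tell, fetches the Sigstore trust root over the network) is silent and the observer goes on verifying with whatever root state it already has. The same pattern is added to init() in shield/main.go and in webhook/admission-controller/pkg/controller/webhook.go. At minimum capture and log it, `if err := cmd.Exec(context.Background(), []string{}); err != nil { log.Error("cosign init; err: ", err.Error()) }`, and for the admission webhook failing closed on that error is the safer choice. Separately, the `err.Error() == "the server could not find the requested resource"` comparison in Run() matches an apiserver message string that can change; `apierrors.IsNotFound(err)` from k8s.io/apimachinery/pkg/api/errors is the stable check, if that package is available to the observer module. The enclosing Init() and Run() bodies continue outside the hunks.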

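--- a/shield/main.go
+++ b/shield/main.go
@@ -18,6 +18,7 @@ package main
 
 import (
 "bytes"
+"context"
 "crypto/tls"
 "encoding/json"
 "fmt"
@@ -26,6 +27,7 @@ import (
 
 k8smnfconfig "github.com/IBM/integrity-shield/shield/pkg/config"
 "github.com/IBM/integrity-shield/shield/pkg/shield"
+cosign "github.com/sigstore/cosign/cmd/cosign/cli"
 log "github.com/sirupsen/logrus"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
@@ -38,6 +40,9 @@ const (
 
 func init() {
 log.SetFormatter(&log.JSONFormatter{})
+log.Info("initialize cosign.")
+cmd := cosign.Init()
+cmd.Exec(context.Background(), []string{})
 log.Info("Integrity Shield has been started.")
 }
 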
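Review bot: The cosign initialization in init() runs with `context.Background()`, so there is no deadline on what is presumably a remote fetch: if the remote is unreachable and the underlying client has no timeout of its own, the process can block before main() ever runs, and if it fails fast the error is dropped and `log.Info("Integrity Shield has been started.")` still prints as if all is well. Consider moving the call into main() behind a bounded context, e.g. `ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)`, and checking Exec's returned error before the server starts serving admission requests. Doing network I/O from a package init() also leaves no way to retry or surface the failure to the operator. The same shape is added to init() in webhook/admission-controller/pkg/controller/webhook.go.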

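--- a/shield/pkg/config/parameter.go
+++ b/shield/pkg/config/parameter.go
@@ -29,7 +29,7 @@ type ParameterObject struct {
 KeyConfigs []KeyConfig `json:"keyConfigs,omitempty"`
 InScopeObjects k8smanifest.ObjectReferenceList `json:"objectSelector,omitempty"`
 SkipUsers ObjectUserBindingList `json:"skipUsers,omitempty"`
-TargetServiceAccount []string `json:"targetServiceAccount,omitempty"`
+InScopeUsers ObjectUserBindingList `json:"inScopeUsers,omitempty"`
 ImageProfile ImageProfile `json:"imageProfile,omitempty"`
 k8smanifest.VerifyResourceOption `json:""`
 Action *Action `json:"action,omitempty"`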
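Review bot: Replacing `TargetServiceAccount []string` (JSON key `targetServiceAccount`) with `InScopeUsers` changes the configuration schema, not just a Go name: any existing ParameterObject that still sets `targetServiceAccount` will, with encoding/json defaults, be silently ignored because unknown keys are dropped, and the scoping the operator thinks is in force quietly disappears. Unless decoding is done with DisallowUnknownFields, a deprecation comment on the field is the minimum, e.g. `// InScopeUsers replaces targetServiceAccount; requests from matching users are verified even when a SkipUsers rule matches.` The struct definition continues outside the hunk.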

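--- a/shield/pkg/shield/request_handler.go
+++ b/shield/pkg/shield/request_handler.go
@@ -120,12 +120,6 @@ func RequestHandler(req admission.Request, paramObj *k8smnfconfig.ParameterObjec
 
 //filter by user listed in common profile
 commonSkipUserMatched = rhconfig.RequestFilterProfile.SkipUsers.Match(resource, req.AdmissionRequest.UserInfo.Username)
-// TODO: inserted ad hoc logic: need to fix
-if commonSkipUserMatched && req.AdmissionRequest.UserInfo.Username == "system:admin" {
-if req.Namespace == "akmebank-dev-ns" || req.Namespace == "akmebank-stage-ns" {
-commonSkipUserMatched = false
-}
-}
 
 // skip object
 skipObjectMatched = skipObjectsMatch(rhconfig.RequestFilterProfile.SkipObjects, resource)
@@ -134,6 +128,9 @@ func RequestHandler(req admission.Request, paramObj *k8smnfconfig.ParameterObjec
 //filter by user
 skipUserMatched := paramObj.SkipUsers.Match(resource, req.AdmissionRequest.UserInfo.Username)
 
+//force check user
+inScopeUserMatched := paramObj.InScopeUsers.Match(resource, req.AdmissionRequest.UserInfo.Username)
+
 //check scope
 inScopeObjMatched := paramObj.InScopeObjects.Match(resource)
 
@@ -153,7 +150,7 @@ func RequestHandler(req admission.Request, paramObj *k8smnfconfig.ParameterObjec
 
 allow := false
 message := ""
-if skipUserMatched || commonSkipUserMatched {
+if (skipUserMatched || commonSkipUserMatched) && !inScopeUserMatched {
 allow = true
 message = "SkipUsers rule matched."
 } else if !inScopeObjMatched {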
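Review bot: The comment `//force check user` above `inScopeUserMatched := ...` does not say what the new list overrides; the precedence is only visible in a later hunk, in `if (skipUserMatched || commonSkipUserMatched) && !inScopeUserMatched {`. Suggest `// InScopeUsers overrides SkipUsers: a request from a matching user is verified even when a profile or common SkipUsers rule matches.` so the next reader does not have to reconstruct the policy order. Removing the hard-coded `system:admin` / `akmebank-*-ns` carve-out in favour of configuration is the right direction; worth confirming the deployed profiles gain an inScopeUsers entry in the same release, since an empty InScopeUsers presumably matches nothing and those namespaces would then be skipped for system:admin again. The RequestHandler body begins and ends outside these hunks.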

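--- a/webhook/admission-controller/go.mod
+++ b/webhook/admission-controller/go.mod
@@ -7,6 +7,7 @@ require (
 github.com/ghodss/yaml v1.0.0
 github.com/jinzhu/copier v0.3.2
 github.com/pkg/errors v0.9.1
+github.com/sigstore/cosign v1.1.0
 github.com/sigstore/k8s-manifest-sigstore v0.0.0-20210909071548-2120192e4ff7
 github.com/sirupsen/logrus v1.8.1
 k8s.io/api v0.21.3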

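--- a/webhook/admission-controller/pkg/controller/webhook.go
+++ b/webhook/admission-controller/pkg/controller/webhook.go
@@ -27,6 +27,7 @@ import (
 acconfig "github.com/IBM/integrity-shield/webhook/admission-controller/pkg/config"
 "github.com/ghodss/yaml"
 "github.com/pkg/errors"
+cosign "github.com/sigstore/cosign/cmd/cosign/cli"
 "github.com/sigstore/k8s-manifest-sigstore/pkg/util/kubeutil"
 log "github.com/sirupsen/logrus"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -66,8 +67,10 @@ func init() {
 if !ok {
 logLevel = log.InfoLevel
 }
-
 log.SetLevel(logLevel)
+cmd := cosign.Init()
+cmd.Exec(context.Background(), []string{})
+log.Info("initialized cosign.")
 }
 
 func ProcessRequest(req admission.Request) admission.Response {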
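Review bot: The new init() lines call `context.Background()` but the import hunk adds only the cosign package; unlike shield/main.go, no `"context"` import is added here, so presumably it is already imported above line 27 — worth a compile check before merge. Also `log.Info("initialized cosign.")` is emitted after `cmd.Exec(context.Background(), []string{})` regardless of what Exec returned, so the log claims success even when initialization failed; move it under `if err := cmd.Exec(context.Background(), []string{}); err == nil {` (and log the error in the other branch) so operators can tell the two cases apart. The enclosing init() starts outside the hunk, and ProcessRequest's body follows outside it.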
