updated request handler (#354)

* enable inScopeUsers

Signed-off-by: ruriko <[email protected]>

* fix err message

Signed-off-by: ruriko <[email protected]>

* resolve cosign warning message

Signed-off-by: ruriko <[email protected]>

Author: rurikudo

observer/go.mod

@@ -5,6 +5,7 @@ go 1.16
 require (
 	github.com/IBM/integrity-shield/shield v0.0.0-00010101000000-000000000000
 	github.com/pkg/errors v0.9.1
+	github.com/sigstore/cosign v1.1.0
 	github.com/sigstore/k8s-manifest-sigstore v0.0.0-20210909071548-2120192e4ff7
 	github.com/sirupsen/logrus v1.8.1
 	k8s.io/api v0.21.3

observer/pkg/observer/observer.go

@@ -31,6 +31,7 @@ import (
 	vrcclient "github.com/IBM/integrity-shield/observer/pkg/client/manifestintegritystate/clientset/versioned/typed/manifestintegritystate/v1"
 	k8smnfconfig "github.com/IBM/integrity-shield/shield/pkg/config"
 	"github.com/pkg/errors"
+	cosign "github.com/sigstore/cosign/cmd/cosign/cli"
 	"github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
 	"github.com/sigstore/k8s-manifest-sigstore/pkg/util/kubeutil"
 	log "github.com/sirupsen/logrus"
@@ -124,7 +125,7 @@ func NewObserver() *Observer {
 }
 
 func (self *Observer) Init() error {
-	log.Info("init Observer....")
+	log.Info("initialize observer.")
 	kubeconf, _ := kubeutil.GetKubeConfig()
 
 	var err error
@@ -154,6 +155,11 @@ func (self *Observer) Init() error {
 	}
 	os.Setenv(k8sLogLevelEnvKey, logLevelStr)
 	log.SetLevel(logLevel)
+
+	log.Info("initialize cosign.")
+	cmd := cosign.Init()
+	cmd.Exec(context.Background(), []string{})
+
 	return nil
 }
 
@@ -167,7 +173,12 @@ func (self *Observer) Run() {
 	// load constraints
 	constraints, err := self.loadConstraints()
 	if err != nil {
-		log.Error("Failed to load constraints; err: ", err.Error())
+		if err.Error() == "the server could not find the requested resource" {
+			log.Info("no observation results")
+			return
+		} else {
+			log.Error("Failed to load constraints; err: ", err.Error())
+		}
 	}
 
 	// setup env value for sigstore

shield/main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	"bytes"
+	"context"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
@@ -26,6 +27,7 @@ import (
 
 	k8smnfconfig "github.com/IBM/integrity-shield/shield/pkg/config"
 	"github.com/IBM/integrity-shield/shield/pkg/shield"
+	cosign "github.com/sigstore/cosign/cmd/cosign/cli"
 	log "github.com/sirupsen/logrus"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
@@ -38,6 +40,9 @@ const (
 
 func init() {
 	log.SetFormatter(&log.JSONFormatter{})
+	log.Info("initialize cosign.")
+	cmd := cosign.Init()
+	cmd.Exec(context.Background(), []string{})
 	log.Info("Integrity Shield has been started.")
 }
 

shield/pkg/config/parameter.go

@@ -29,7 +29,7 @@ type ParameterObject struct {
 	KeyConfigs                       []KeyConfig                     `json:"keyConfigs,omitempty"`
 	InScopeObjects                   k8smanifest.ObjectReferenceList `json:"objectSelector,omitempty"`
 	SkipUsers                        ObjectUserBindingList           `json:"skipUsers,omitempty"`
-	TargetServiceAccount             []string                        `json:"targetServiceAccount,omitempty"`
+	InScopeUsers                     ObjectUserBindingList           `json:"inScopeUsers,omitempty"`
 	ImageProfile                     ImageProfile                    `json:"imageProfile,omitempty"`
 	k8smanifest.VerifyResourceOption `json:""`
 	Action                           *Action `json:"action,omitempty"`

shield/pkg/shield/request_handler.go

@@ -120,12 +120,6 @@ func RequestHandler(req admission.Request, paramObj *k8smnfconfig.ParameterObjec
 
 	//filter by user listed in common profile
 	commonSkipUserMatched = rhconfig.RequestFilterProfile.SkipUsers.Match(resource, req.AdmissionRequest.UserInfo.Username)
-	// TODO: inserted ad hoc logic: need to fix
-	if commonSkipUserMatched && req.AdmissionRequest.UserInfo.Username == "system:admin" {
-		if req.Namespace == "akmebank-dev-ns" || req.Namespace == "akmebank-stage-ns" {
-			commonSkipUserMatched = false
-		}
-	}
 
 	// skip object
 	skipObjectMatched = skipObjectsMatch(rhconfig.RequestFilterProfile.SkipObjects, resource)
@@ -134,6 +128,9 @@ func RequestHandler(req admission.Request, paramObj *k8smnfconfig.ParameterObjec
 	//filter by user
 	skipUserMatched := paramObj.SkipUsers.Match(resource, req.AdmissionRequest.UserInfo.Username)
 
+	//force check user
+	inScopeUserMatched := paramObj.InScopeUsers.Match(resource, req.AdmissionRequest.UserInfo.Username)
+
 	//check scope
 	inScopeObjMatched := paramObj.InScopeObjects.Match(resource)
 
@@ -153,7 +150,7 @@ func RequestHandler(req admission.Request, paramObj *k8smnfconfig.ParameterObjec
 
 	allow := false
 	message := ""
-	if skipUserMatched || commonSkipUserMatched {
+	if (skipUserMatched || commonSkipUserMatched) && !inScopeUserMatched {
 		allow = true
 		message = "SkipUsers rule matched."
 	} else if !inScopeObjMatched {

webhook/admission-controller/go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/ghodss/yaml v1.0.0
 	github.com/jinzhu/copier v0.3.2
 	github.com/pkg/errors v0.9.1
+	github.com/sigstore/cosign v1.1.0
 	github.com/sigstore/k8s-manifest-sigstore v0.0.0-20210909071548-2120192e4ff7
 	github.com/sirupsen/logrus v1.8.1
 	k8s.io/api v0.21.3

webhook/admission-controller/pkg/controller/webhook.go

@@ -27,6 +27,7 @@ import (
 	acconfig "github.com/IBM/integrity-shield/webhook/admission-controller/pkg/config"
 	"github.com/ghodss/yaml"
 	"github.com/pkg/errors"
+	cosign "github.com/sigstore/cosign/cmd/cosign/cli"
 	"github.com/sigstore/k8s-manifest-sigstore/pkg/util/kubeutil"
 	log "github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -66,8 +67,10 @@ func init() {
 	if !ok {
 		logLevel = log.InfoLevel
 	}
-
 	log.SetLevel(logLevel)
+	cmd := cosign.Init()
+	cmd.Exec(context.Background(), []string{})
+	log.Info("initialized cosign.")
 }
 
 func ProcessRequest(req admission.Request) admission.Response {