stolostron · hirokuni-kitahara · Nov 26, 2021 · Nov 24, 2021 · Nov 24, 2021 · Nov 24, 2021
diff --git a/integrity-shield-operator/config/samples/apis_v1_integrityshield.yaml b/integrity-shield-operator/config/samples/apis_v1_integrityshield.yaml
@@ -46,7 +46,7 @@ spec:
   requestHandlerConfigName: request-handler-config
   requestHandlerConfig: |
     defaultConstraintAction:
-      mode: detect
+      mode: inform
     sideEffect: 
       createDenyEvent: true
     log:

diff --git a/integrity-shield-operator/config/samples/apis_v1_integrityshield_ac.yaml b/integrity-shield-operator/config/samples/apis_v1_integrityshield_ac.yaml
@@ -20,7 +20,7 @@ spec:
   requestHandlerConfigName: request-handler-config
   requestHandlerConfig: |
     defaultConstraintAction:
-      mode: detect
+      mode: inform
     sideEffect: 
       createDenyEvent: true
     log:

diff --git a/integrity-shield-operator/config/samples/apis_v1_integrityshield_local.yaml b/integrity-shield-operator/config/samples/apis_v1_integrityshield_local.yaml
@@ -45,7 +45,7 @@ spec:
   requestHandlerConfigName: request-handler-config
   requestHandlerConfig: |
     defaultConstraintAction:
-      mode: detect
+      mode: inform
     sideEffect:
       createDenyEvent: true
     log:

diff --git a/integrity-shield-operator/resources/deploy.go b/integrity-shield-operator/resources/deploy.go
@@ -114,6 +114,10 @@ func BuildDeploymentForIShieldAPI(cr *apiv1.IntegrityShield) *appsv1.Deployment
 			Name:  "REKOR_SERVER",
 			Value: cr.Spec.RekorServerConfig.URL,
 		},
+		{
+			Name:  "COSIGN_EXPERIMENTAL",
+			Value: "1",
+		},
 	}
 	if cr.Spec.OCIRegistryConfig.ManifestPullSecret != "" {
 		env = append(env, v1.EnvVar{

diff --git a/...manifest-integrity-constraint-detect.yaml → ...manifest-integrity-constraint-inform.yaml b/...manifest-integrity-constraint-detect.yaml → ...manifest-integrity-constraint-inform.yaml
@@ -16,4 +16,4 @@ spec:
     - keySecretName: keyring-secret
       keySecretNamespace: integrity-shield-operator-system
     action:
-      mode: detect
+      mode: inform
diff --git a/integrity-shield-operator/test/e2e/framework.go b/integrity-shield-operator/test/e2e/framework.go
@@ -52,7 +52,7 @@ var (
 	observer_name                  = "integrity-shield-observer"
 	ac_server_name                 = "integrity-shield-validator"
 	constraint                     = deploy_dir + "test-manifest-integrity-constraint.yaml"
-	constraint_detect              = deploy_dir + "test-manifest-integrity-constraint-detect.yaml"
+	constraint_detect              = deploy_dir + "test-manifest-integrity-constraint-inform.yaml"
 	constraint_ac                  = deploy_dir + "test-manifest-integrity-profile.yaml"
 	constraint_name                = "configmap-constraint"
 	gatekeeper_ns                  = "gatekeeper-system"

diff --git a/observer/pkg/observer/observer.go b/observer/pkg/observer/observer.go
@@ -59,6 +59,7 @@ const logLevelEnvKey = "LOG_LEVEL"
 const k8sLogLevelEnvKey = "K8S_MANIFEST_SIGSTORE_LOG_LEVEL"
 
 const VerifyResourceViolationLabel = "integrityshield.io/verifyResourceViolation"
+const SignatureResourceLabel = "integrityshield.io/signatureResource"
 
 var IgnoredKinds = []string{"Event", "Lease", "Endpoints", "TokenReview", "SubjectAccessReview", "SelfSubjectAccessReview", "LocalSubjectAccessReview"}
 
@@ -219,7 +220,22 @@ func (self *Observer) Run() {
 		results := []VerifyResultDetail{}
 		for _, resource := range resources {
 			log.Debugf("Observe new resource; ns:%s, kind:%s, name:%s", resource.GetNamespace(), resource.GetKind(), resource.GetName())
-			// skip object
+			// check if signature resource
+			signatureResource := isSignatureResource(resource)
+			if signatureResource {
+				result := VerifyResultDetail{
+					Time:       time.Now().Format(timeFormat),
+					Kind:       resource.GroupVersionKind().Kind,
+					ApiGroup:   resource.GetObjectKind().GroupVersionKind().Group,
+					ApiVersion: resource.GetObjectKind().GroupVersionKind().Version,
+					Name:       resource.GetName(),
+					Namespace:  resource.GetNamespace(),
+					Message:    "this resource is signatureResource",
+					Violation:  false,
+				}
+				results = append(results, result)
+				continue
+			}
 			result := ObserveResource(resource, constraint.Parameters, ignoreFields, skipObjects, secrets)
 			imgAllow, imgMsg := ObserveImage(resource, constraint.Parameters.ImageProfile)
 			if !imgAllow {
@@ -522,3 +538,16 @@ func (self *Observer) loadConstraints() ([]ConstraintSpec, error) {
 	}
 	return micList, nil
 }
+
+func isSignatureResource(resource unstructured.Unstructured) bool {
+	var label bool
+	if !(resource.GetKind() == "ConfigMap") {
+		return label
+	}
+	labelsMap := resource.GetLabels()
+	_, found := labelsMap[SignatureResourceLabel]
+	if found {
+		label = true
+	}
+	return label
+}
diff --git a/shield/pkg/shield/request_handler.go b/shield/pkg/shield/request_handler.go
@@ -46,6 +46,7 @@ const defaultPodNamespace = "integrity-shield-operator-system"
 const ImageRefAnnotationKeyShield = "integrityshield.io/signature"
 const AnnotationKeyDomain = "integrityshield.io"
 const SignatureAnnotationTypeShield = "IntegrityShield"
+const SignatureResourceLabel = "integrityshield.io/signatureResource"
 const (
 	EventTypeAnnotationKey       = "integrityshield.io/eventType"
 	EventResultAnnotationKey     = "integrityshield.io/eventResult"
@@ -113,14 +114,14 @@ func RequestHandler(req admission.Request, paramObj *k8smnfconfig.ParameterObjec
 			}
 		}
 	} else {
-		if paramObj.Action.Mode != "enforce" && paramObj.Action.Mode != "detect" {
+		if paramObj.Action.Mode != "enforce" && paramObj.Action.Mode != "inform" {
 			log.WithFields(log.Fields{
 				"namespace": req.Namespace,
 				"name":      req.Name,
 				"kind":      req.Kind.Kind,
 				"operation": req.Operation,
 				"userName":  req.UserInfo.Username,
-			}).Warningf("run mode should be set to 'enforce' or 'detect' in rule,%s", paramObj.ConstraintName)
+			}).Warningf("run mode should be set to 'enforce' or 'inform' in rule,%s", paramObj.ConstraintName)
 		}
 		if paramObj.Action.Mode == "enforce" {
 			enforce = true
@@ -134,6 +135,10 @@ func RequestHandler(req admission.Request, paramObj *k8smnfconfig.ParameterObjec
 
 	commonSkipUserMatched := false
 	skipObjectMatched := false
+	signatureResource := false
+
+	// check if signature resource
+	signatureResource = isAllowedSignatureResource(resource, req.AdmissionRequest.OldObject.Raw, req.Operation)
 
 	//filter by user listed in common profile
 	commonSkipUserMatched = rhconfig.RequestFilterProfile.SkipUsers.Match(resource, req.AdmissionRequest.UserInfo.Username)
@@ -151,23 +156,12 @@ func RequestHandler(req admission.Request, paramObj *k8smnfconfig.ParameterObjec
 	//check scope
 	inScopeObjMatched := paramObj.InScopeObjects.Match(resource)
 
-	// mutation check
-	if isUpdateRequest(req.AdmissionRequest.Operation) {
-		ignoreFields := getMatchedIgnoreFields(paramObj.IgnoreFields, rhconfig.RequestFilterProfile.IgnoreFields, resource)
-		mutated, err := mutationCheck(req.AdmissionRequest.OldObject.Raw, req.AdmissionRequest.Object.Raw, ignoreFields)
-		if err != nil {
-			log.Errorf("failed to check mutation: %s", err.Error())
-			errMsg := "IntegrityShield failed to decide the response. Failed to check mutation: " + err.Error()
-			return makeResultFromRequestHandler(false, errMsg, enforce, req)
-		}
-		if !mutated {
-			return makeResultFromRequestHandler(true, "no mutation found", enforce, req)
-		}
-	}
-
 	allow := false
 	message := ""
-	if (skipUserMatched || commonSkipUserMatched) && !inScopeUserMatched {
+	if signatureResource {
+		allow = true
+		message = "allowed because this resource is signatureResource."
+	} else if (skipUserMatched || commonSkipUserMatched) && !inScopeUserMatched {
 		allow = true
 		message = "SkipUsers rule matched."
 		logRecord["reason"] = message
@@ -179,7 +173,20 @@ func RequestHandler(req admission.Request, paramObj *k8smnfconfig.ParameterObjec
 	} else if skipObjectMatched {
 		allow = true
 		message = "SkipObjects rule matched."
-	} else {
+	} else if isUpdateRequest(req.AdmissionRequest.Operation) {
+		// mutation check
+		ignoreFields := getMatchedIgnoreFields(paramObj.IgnoreFields, rhconfig.RequestFilterProfile.IgnoreFields, resource)
+		mutated, err := mutationCheck(req.AdmissionRequest.OldObject.Raw, req.AdmissionRequest.Object.Raw, ignoreFields)
+		if err != nil {
+			log.Errorf("failed to check mutation: %s", err.Error())
+			message = "IntegrityShield failed to decide the response. Failed to check mutation: " + err.Error()
+		}
+		if !mutated {
+			allow = true
+			message = "no mutation found"
+		}
+	}
+	if !allow { // signature check
 		var signatureAnnotationType string
 		annotations := resource.GetAnnotations()
 		_, found := annotations[ImageRefAnnotationKeyShield]
@@ -304,6 +311,37 @@ func isUpdateRequest(operation v1.Operation) bool {
 	return (operation == v1.Update)
 }
 
+func isAllowedSignatureResource(resource unstructured.Unstructured, oldObj []byte, operation v1.Operation) bool {
+	var currentResourceLabel bool
+	var label bool
+	if !(resource.GetKind() == "ConfigMap") {
+		return label
+	}
+	label = isSignatureResource(resource)
+	if operation == v1.Create {
+		currentResourceLabel = true
+	} else if operation == v1.Update {
+		// unmarshal admission request object
+		var oldRes unstructured.Unstructured
+		err := json.Unmarshal(oldObj, &oldRes)
+		if err != nil {
+			log.Errorf("failed to Unmarshal a requested object into %T; %s", resource, err.Error())
+		}
+		currentResourceLabel = isSignatureResource(oldRes)
+	}
+	return (label && currentResourceLabel)
+}
+
+func isSignatureResource(resource unstructured.Unstructured) bool {
+	var label bool
+	labelsMap := resource.GetLabels()
+	_, found := labelsMap[SignatureResourceLabel]
+	if found {
+		label = true
+	}
+	return label
+}
+
 func getMatchedIgnoreFields(pi, ci k8smanifest.ObjectFieldBindingList, resource unstructured.Unstructured) []string {
 	var allIgnoreFields []string
 	_, fields := pi.Match(resource)