kyverno cli: bundleVerified, but the policy fails?

Question   Votes: 0   Answers: 1

I am trying to set up a policy that blocks unattested images.

Here is my code: https://github.com/whoissqr/cg-test-keyless-sign

My cluster policy is as follows

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-keyless
spec:
  validationFailureAction: Enforce
  failurePolicy: Fail
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: check-image-keyless
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - verifyDigest: false
        imageReferences:
        - "ghcr.io/whoissqr/cg-test-keyless-sign:latest"
        attestors:
        - entries:
          - keyless:
              subject: "https://github.com/whoissqr/cg-test-keyless-sign/.github/workflows/main.yml@refs/heads/main"
              issuer: "https://token.actions.githubusercontent.com"
              rekor:
                url: https://rekor.sigstore.dev

When I run

 kubectl get clusterpolicies -o yaml | kyverno apply - --resource ./k3s/pod.yaml -v 5
, I get

policy check-image-keyless -> resource app/Pod/cg failed: 
1. check-image-keyless: unverified image ghcr.io/whoissqr/cg-test-keyless-sign:latest 
I0226 13:11:26.376474    6153 cosign.go:86] cosign "msg"="verified image" "bundleVerified"=true "count"=1
I0226 13:11:26.376625    6153 imageVerify.go:511] EngineVerifyImages "msg"="image attestors verification succeeded" "kind"="Pod" "name"="cg" "namespace"="app" "policy"="check-image-keyless" "requiredCount"=1 "verifiedCount"=1
I0226 13:11:26.376663    6153 imageVerify.go:287] EngineVerifyImages "msg"="adding digest patch" "image"="ghcr.io/whoissqr/cg-test-keyless-sign:latest" "kind"="Pod" "name"="cg" "namespace"="app" "patch"="{\"op\":\"replace\",\"path\":\"/spec/containers/0/image\",\"value\":\"ghcr.io/whoissqr/cg-test-keyless-sign:latest@sha256:0c1f3bc065a0f1e7ea189fe50cf6f0e74e20b046bcfb6674eb716bd0af80f457\"}" "policy"="check-image-keyless"
I0226 13:11:26.376891    6153 validation.go:591] EngineVerifyImages "msg"="resource does not match rule" "kind"="Pod" "name"="cg" "namespace"="app" "policy"="check-image-keyless" "reason"="rule autogen-check-image-keyless not matched:\n 1. no resource matched"
I0226 13:11:26.376996    6153 validation.go:591] EngineVerifyImages "msg"="resource does not match rule" "kind"="Pod" "name"="cg" "namespace"="app" "policy"="check-image-keyless" "reason"="rule autogen-cronjob-check-image-keyless not matched:\n 1. no resource matched"
I0226 13:11:26.377050    6153 imageVerify.go:83] EngineVerifyImages "msg"="processed image verification rules" "applied"=1 "kind"="Pod" "name"="cg" "namespace"="app" "policy"="check-image-keyless" "successful"=true "time"="1.301291106s"
I0226 13:11:26.377099    6153 rule.go:233] autogen "msg"="processing rule" "rulename"="check-image-keyless"
I0226 13:11:26.377219    6153 rule.go:286] autogen "msg"="generating rule for cronJob" 
I0226 13:11:26.377235    6153 rule.go:233] autogen "msg"="processing rule" "rulename"="check-image-keyless"
I0226 13:11:26.377335    6153 rule.go:233] autogen "msg"="processing rule" "rulename"="check-image-keyless"
I0226 13:11:26.377416    6153 rule.go:286] autogen "msg"="generating rule for cronJob" 
I0226 13:11:26.377432    6153 rule.go:233] autogen "msg"="processing rule" "rulename"="check-image-keyless"
pass: 1, fail: 1, warn: 0, error: 0, skip: 4 
Error: Process completed with exit code 1.

What exactly is the "fail: 1"?

Also, the cosign verification done with cosign itself has also passed.

kubernetes docker-image kyverno
1 answer

0 votes

The following works, thanks to the experts on the kyverno slack channel:

      - name: (optional) Install Kyverno CLI
        if: always() 
        uses: kyverno/[email protected]
          
      - name: (optional) Dry run policy using Kyverno CLI
        if: always() 
        run: |
          kyverno version
          kyverno apply ./k3s/policy-check-image-keyless.yaml --resource ./k3s/pod.yaml
          # kubectl get clusterpolicies -o yaml | kyverno apply - --resource ./k3s/pod.yaml -v 10
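As an added example (not code from the question, the answer, or the Kyverno project): when `kyverno apply` is used as a CI gate, the exit code alone hides which rule rejected which resource, and the `-v 5` klog lines bury the `policy ... failed:` block. The parser below turns the CLI's text output into a report, so a pipeline can fail on `fail: N` or `error: N` and print the per-rule reasons (here the `unverified image` line) next to the cosign verdict (`"bundleVerified"=true`) that the question contrasts it with. The sample input is constructed from the lines the question shows; the summary-line, failure-block and klog formats are assumed to be those of the Kyverno CLI version the question was run with.

```python
"""Parse the text that `kyverno apply` prints into a structured report.

Added example, not code from the question, the answer or the Kyverno project.
The line formats (summary, failure block, klog lines) are an assumption taken
from the output shown in the question.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the question's `kyverno apply -v 5` run.
SAMPLE_OUTPUT = """\
policy check-image-keyless -> resource app/Pod/cg failed: 
1. check-image-keyless: unverified image ghcr.io/whoissqr/cg-test-keyless-sign:latest 
I0226 13:11:26.376474    6153 cosign.go:86] cosign "msg"="verified image" "bundleVerified"=true "count"=1
I0226 13:11:26.376625    6153 imageVerify.go:511] EngineVerifyImages "msg"="image attestors verification succeeded" "kind"="Pod" "name"="cg" "namespace"="app" "policy"="check-image-keyless" "requiredCount"=1 "verifiedCount"=1
pass: 1, fail: 1, warn: 0, error: 0, skip: 4 
"""


@dataclass
class Failure:
    policy: str
    resource: str
    reasons: list[str] = field(default_factory=list)


@dataclass
class ApplyReport:
    counts: dict[str, int]
    failures: list[Failure]

    @property
    def ok(self) -> bool:
        # A CI gate should fail on both policy failures and CLI errors.
        return self.counts.get("fail", 0) == 0 and self.counts.get("error", 0) == 0


FAIL_HEADER = re.compile(r"^policy (\S+) -> resource (\S+) failed:\s*$")
REASON = re.compile(r"^(\d+)\. (.*?)\s*$")
SUMMARY = re.compile(r"^pass: (\d+), fail: (\d+), warn: (\d+), error: (\d+), skip: (\d+)\s*$")
# klog prefix: severity+date, time, pid, file:line]
KLOG = re.compile(r"^[IWEF]\d{4} \d\d:\d\d:\d\d\.\d+\s+\d+ \S+:\d+\]")
# klog structured fields: "key"="quoted value" or "key"=bareword
KV = re.compile(r'"(\w+)"=("([^"]*)"|(\S+))')


def parse_apply_output(text: str) -> ApplyReport:
    counts: dict[str, int] = {}
    failures: list[Failure] = []
    current = None
    for line in text.splitlines():
        if KLOG.match(line):
            # Verbose log lines are interleaved with the report; they end a failure block.
            current = None
            continue
        m = FAIL_HEADER.match(line)
        if m:
            current = Failure(policy=m.group(1), resource=m.group(2))
            failures.append(current)
            continue
        m = REASON.match(line)
        if m and current is not None:
            current.reasons.append(m.group(2))
            continue
        m = SUMMARY.match(line)
        if m:
            counts = dict(zip(("pass", "fail", "warn", "error", "skip"), map(int, m.groups())))
            current = None
    if not counts:
        raise ValueError("no summary line found; is this kyverno apply text output?")
    return ApplyReport(counts=counts, failures=failures)


def unverified_images(report: ApplyReport) -> list[str]:
    """Image references that a verifyImages rule rejected."""
    refs = []
    for f in report.failures:
        for r in f.reasons:
            m = re.search(r"unverified image (\S+)", r)
            if m:
                refs.append(m.group(1))
    return refs


def cosign_verdicts(text: str) -> list[dict[str, str]]:
    """Structured fields of the cosign klog lines, e.g. bundleVerified/count."""
    out = []
    for line in text.splitlines():
        if KLOG.match(line) and " cosign " in line:
            out.append({m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
                        for m in KV.finditer(line)})
    return out


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    report = parse_apply_output(data)
    for f in report.failures:
        print(f"{f.policy} / {f.resource}:")
        for r in f.reasons:
            print("  -", r)
    print("cosign:", cosign_verdicts(data))
    print(report.counts)
    sys.exit(0 if report.ok else 1)
```

Usage in the answer's CI step would be `kyverno apply ./k3s/policy-check-image-keyless.yaml --resource ./k3s/pod.yaml -v 5 2>&1 | python3 kyverno_report.py` (file name assumed); the `2>&1` matters because klog lines go to stderr while the report goes to stdout. The parser only reads what the CLI prints; it does not explain why the `bundleVerified=true` line and the `unverified image` line disagree, which is exactly what the summary line alone hides.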
© www.soinside.com 2019 - 2024. All rights reserved.