content-trust-validation-rules.rego
package policy.validating
# Admission operations this policy evaluates; requests with any other
# operation (e.g. DELETE) never produce a deny from this package.
operations := {"CREATE", "UPDATE"}
# Resource kinds this policy evaluates. Only these two have an image-extraction
# rule (get_images) below; a kind listed here without such a rule would yield
# no images and therefore no deny, so extend both together.
kind := {"Pod", "Deployment"}
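# Deny pods and deployments whose container images are not pinned to a full
# sha256 digest. A bare tag is mutable and therefore cannot be matched against
# trust data; a truncated or malformed digest is rejected for the same reason.
deny[msg] {
	operations[input.request.operation]
	kind[input.request.kind.kind]
	image := get_images[_]
	# Anchored match: the reference must END with "@sha256:" followed by
	# exactly 64 lowercase hex characters. A plain substring check would
	# accept references such as "repo@sha256:abc" that carry no real digest.
	not regex.match(`@sha256:[a-f0-9]{64}$`, image.name)
	msg := sprintf("%v contains tag; only images with checksum are allowed", [image.name])
}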
# Deny digest-pinned images for which the notary wrapper does not report
# trust data (any answer other than HTTP 200).
deny[msg] {
	kind[input.request.kind.kind]
	operations[input.request.operation]
	img := get_images[_]
	# Only references carrying the digest marker are checked here; references
	# without it are rejected by the rule above.
	contains(img.name, "@sha256:")
	# Example of mocking the digest comparison instead of calling the wrapper.
	# Note that split_image returns the hex part only, without the "@sha256:"
	# prefix, so the comparison must be against the bare hex string:
	# parts := split_image(img.name)
	# not parts.digest == "50"
	get_checksum_status(img.name) != 200
	msg := sprintf("No trust data found for the following image: %v ", [img.name])
}
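# helper rules
# Images of a Pod: every entry of spec.containers and spec.initContainers.
# Init container images are pulled and run too, so they are returned as well
# and become subject to the same digest and trust checks as app containers.
# Each element is {"index": position within its list, "name": image reference}.
get_images[x] {
	input.request.kind.kind == "Pod"
	name := input.request.object.spec.containers[i].image
	x := {
		"index": i,
		"name": name,
	}
}

get_images[x] {
	input.request.kind.kind == "Pod"
	name := input.request.object.spec.initContainers[i].image
	x := {
		"index": i,
		"name": name,
	}
}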
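## Images of a Deployment: every entry of spec.template.spec.containers and
## spec.template.spec.initContainers of the pod template. Init container
## images are included so they face the same digest and trust checks.
## Each element is {"index": position within its list, "name": image reference}.
get_images[x] {
	input.request.kind.kind == "Deployment"
	name := input.request.object.spec.template.spec.containers[i].image
	x := {
		"index": i,
		"name": name,
	}
}

get_images[x] {
	input.request.kind.kind == "Deployment"
	name := input.request.object.spec.template.spec.initContainers[i].image
	x := {
		"index": i,
		"name": name,
	}
}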
# Split an image reference at the "@sha256:" marker into the repository part
# ("gun") and the hex digest that follows the marker.
# Everything before the marker is returned unchanged as gun, so a tag written
# before the "@" stays part of it — NOTE(review): confirm the wrapper accepts
# that form.
split_image(image) = x {
	segments := split(image, "@sha256:")
	x := {"gun": segments[0], "digest": segments[1]}
}
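# Ask the notary wrapper whether trust data exists for the image's digest and
# return the HTTP status code of its answer. Callers treat any value other
# than 200 as "no trust data". Only the status code is inspected; the response
# body is ignored.
get_checksum_status(image) = status {
	wrapperRootCa := "/etc/certs/notary/root-ca.crt"
	notaryWrapperURL := "https://notary-wrapper-svc.opa.svc:4445/verify"
	parts := split_image(image)
	body := {
		"GUN": parts.gun,
		"SHA": parts.digest,
		"notaryServer": "notary-server-svc.notary.svc:4443",
	}
	headers_json := {"Content-Type": "application/json"}
	# tls_ca_cert_file pins the wrapper's CA so the verification answer can only
	# come from an endpoint presenting a certificate chained to it.
	# raise_error=false keeps a transport or TLS failure from aborting policy
	# evaluation: http.send then returns a result with a non-200 status_code
	# (0) and an "error" field, which the caller turns into a deny. This fails
	# closed instead of depending on the admission webhook's failurePolicy.
	output := http.send({
		"method": "post",
		"url": notaryWrapperURL,
		"headers": headers_json,
		"body": body,
		"tls_ca_cert_file": wrapperRootCa,
		"raise_error": false,
	})
	status := output.status_code
}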