add Dockerfile policy sample
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
JimBugwadia committed Oct 9, 2023
1 parent 68efbf6 commit 8bf9a11
Showing 4 changed files with 242 additions and 0 deletions.
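--- a/testdata/dockerfile/Dockerfile
+++ b/testdata/dockerfile/Dockerfile
@@ -0,0 +1,29 @@
+ARG BUILD_PLATFORM="linux/amd64"
+ARG BUILDER_IMAGE="golang:1.20.6-alpine3.18"
+
+FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder
+
+WORKDIR /
+COPY . ./
+
+# Get Signer plugin binary
+ARG SIGNER_BINARY_LINK="https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip"
+ARG SIGNER_BINARY_FILE="notation-aws-signer-plugin.zip"
+RUN wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}
+RUN apk update && \
+apk add unzip && \
+unzip -o ${SIGNER_BINARY_FILE}
+
+# Build Go binary
+RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-w -s" -o kyverno-notation-aws .
+
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+
+# Notation home
+ENV PLUGINS_DIR=/plugins
+
+COPY --from=builder notation-com.amazonaws.signer.notation.plugin plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin
+
+COPY --from=builder kyverno-notation-aws kyverno-notation-aws
+ENTRYPOINT ["/kyverno-notation-aws"]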
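Review bot: The signer plugin is fetched from a `latest` URL in the `RUN wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}` line and unpacked with no integrity check, so whatever the CDN serves at build time is what gets copied into the runtime image's plugin directory. If this file is only a fixture meant to trip the `no-curl-wget` rule that is acceptable, but as a reference build it should pin a versioned artifact and verify it, e.g. `ARG SIGNER_BINARY_SHA256="<expected-sha256-placeholder>"` followed by `RUN wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK} && echo "${SIGNER_BINARY_SHA256}  ${SIGNER_BINARY_FILE}" | sha256sum -c -` (BuildKit's `ADD --checksum=sha256:...` is the alternative). The same layer should use `apk add --no-cache unzip` rather than `apk update && apk add unzip`, which leaves the package index behind in the builder stage. The builder image is pinned by tag only; a digest on `BUILDER_IMAGE` would make the build reproducible.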
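--- a/testdata/dockerfile/README.md
+++ b/testdata/dockerfile/README.md
@@ -0,0 +1,18 @@
+# Apply policies on a Dockerfile
+
+1. Download a Dockerfile
+
+```
+curl https://raw.githubusercontent.com/nirmata/kyverno-notation-aws/main/Dockerfile /tmp/Dockefile
+```
+
+2. Convert to JSON
+
+Install `dockerfile-json`: https://github.com/keilerkonzept/dockerfile-json#get-it
+
+```
+dockerfile-json ~/go/src/github.com/jimbugwadia/kyverno-notation-aws/Dockerfile | jq > input.json
+```
+
+3. Apply policy
+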
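--- a/testdata/dockerfile/input.json
+++ b/testdata/dockerfile/input.json
@@ -0,0 +1,175 @@
+{
+"MetaArgs": [
+{
+"Key": "BUILD_PLATFORM",
+"DefaultValue": "\"linux/amd64\"",
+"ProvidedValue": null,
+"Value": "\"linux/amd64\""
+},
+{
+"Key": "BUILDER_IMAGE",
+"DefaultValue": "\"golang:1.20.6-alpine3.18\"",
+"ProvidedValue": null,
+"Value": "\"golang:1.20.6-alpine3.18\""
+}
+],
+"Stages": [
+{
+"Name": "builder",
+"BaseName": "\"golang:1.20.6-alpine3.18\"",
+"Platform": "$BUILD_PLATFORM",
+"Comment": "",
+"SourceCode": "FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder",
+"Location": [
+{
+"Start": {
+"Line": 4,
+"Character": 0
+},
+"End": {
+"Line": 4,
+"Character": 0
+}
+}
+],
+"As": "builder",
+"From": {
+"Image": "\"golang:1.20.6-alpine3.18\""
+},
+"Commands": [
+{
+"Name": "WORKDIR",
+"Path": "/"
+},
+{
+"Chmod": "",
+"Chown": "",
+"DestPath": "./",
+"From": "",
+"Link": false,
+"Name": "COPY",
+"SourceContents": null,
+"SourcePaths": [
+"."
+]
+},
+{
+"Args": [
+{
+"Comment": "",
+"Key": "SIGNER_BINARY_LINK",
+"Value": "\"https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip\""
+}
+],
+"Name": "ARG"
+},
+{
+"Args": [
+{
+"Comment": "",
+"Key": "SIGNER_BINARY_FILE",
+"Value": "\"notation-aws-signer-plugin.zip\""
+}
+],
+"Name": "ARG"
+},
+{
+"CmdLine": [
+"wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}"
+],
+"Files": null,
+"FlagsUsed": [],
+"Name": "RUN",
+"PrependShell": true
+},
+{
+"CmdLine": [
+"apk update && apk add unzip && unzip -o ${SIGNER_BINARY_FILE}"
+],
+"Files": null,
+"FlagsUsed": [],
+"Name": "RUN",
+"PrependShell": true
+},
+{
+"CmdLine": [
+"GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"-w -s\" -o kyverno-notation-aws ."
+],
+"Files": null,
+"FlagsUsed": [],
+"Name": "RUN",
+"PrependShell": true
+}
+]
+},
+{
+"Name": "",
+"BaseName": "gcr.io/distroless/static:nonroot",
+"Platform": "",
+"Comment": "",
+"SourceCode": "FROM gcr.io/distroless/static:nonroot",
+"Location": [
+{
+"Start": {
+"Line": 20,
+"Character": 0
+},
+"End": {
+"Line": 20,
+"Character": 0
+}
+}
+],
+"From": {
+"Image": "gcr.io/distroless/static:nonroot"
+},
+"Commands": [
+{
+"Name": "WORKDIR",
+"Path": "/"
+},
+{
+"Env": [
+{
+"Key": "PLUGINS_DIR",
+"Value": "/plugins"
+}
+],
+"Name": "ENV"
+},
+{
+"Chmod": "",
+"Chown": "",
+"DestPath": "plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin",
+"From": "builder",
+"Link": false,
+"Name": "COPY",
+"SourceContents": null,
+"SourcePaths": [
+"notation-com.amazonaws.signer.notation.plugin"
+]
+},
+{
+"Chmod": "",
+"Chown": "",
+"DestPath": "kyverno-notation-aws",
+"From": "builder",
+"Link": false,
+"Name": "COPY",
+"SourceContents": null,
+"SourcePaths": [
+"kyverno-notation-aws"
+]
+},
+{
+"CmdLine": [
+"/kyverno-notation-aws"
+],
+"Files": null,
+"Name": "ENTRYPOINT",
+"PrependShell": false
+}
+]
+}
+]
+}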
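--- a/testdata/dockerfile/policy-check-external.yaml
+++ b/testdata/dockerfile/policy-check-external.yaml
@@ -0,0 +1,20 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: Policy
+metadata:
+name: check-dockerfile
+spec:
+rules:
+- name: no-http
+validate:
+message: "HTTP calls are not allowed"
+assert:
+all:
+- ~.(Stages[].Commands[].Args[].Value):
+(contains(@, 'https://') || contains(@, 'http://')): false
+- name: no-curl-wget
+validate:
+message: "curl / wget are not allowed"
+assert:
+all:
+- ~.(Stages[].Commands[].CmdLine[]):
+(contains(@, 'wget') || contains(@, 'curl')): false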
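Review bot: The `no-http` rule only walks `Stages[].Commands[].Args[].Value`, so it catches a URL declared through `ARG` (as the sample's `SIGNER_BINARY_LINK` is) but not one written directly into a `RUN` command line or an `ENV` value, both of which the converted input exposes as `CmdLine[]` and `Env[].Value`; adding `- ~.(Stages[].Commands[].CmdLine[]):` with the same `(contains(@, 'https://') || contains(@, 'http://')): false` assertion underneath would close the most obvious gap. The message `"HTTP calls are not allowed"` is narrower than the check, which rejects `https://` as well; `"Fetching from external URLs is not allowed"` describes what the rule actually enforces. The `no-curl-wget` substring match will also trip on any command line that merely mentions those words (a package named `wget`, for instance), so expect false positives rather than misses from that rule.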
