diff --git a/testdata/dockerfile/Dockerfile b/testdata/dockerfile/Dockerfile
new file mode 100644
index 00000000..a905fe8d
--- /dev/null
+++ b/testdata/dockerfile/Dockerfile
@@ -0,0 +1,29 @@
+ARG BUILD_PLATFORM="linux/amd64"
+ARG BUILDER_IMAGE="golang:1.20.6-alpine3.18"
+
+FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder
+
+WORKDIR /
+COPY . ./
+
+# Get Signer plugin binary
+ARG SIGNER_BINARY_LINK="https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip"
+ARG SIGNER_BINARY_FILE="notation-aws-signer-plugin.zip"
+RUN wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}
+RUN apk update && \
+ apk add unzip && \
+ unzip -o ${SIGNER_BINARY_FILE}
+
+# Build Go binary
+RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-w -s" -o kyverno-notation-aws .
+
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+
+# Notation home
+ENV PLUGINS_DIR=/plugins
+
+COPY --from=builder notation-com.amazonaws.signer.notation.plugin plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin
+
+COPY --from=builder kyverno-notation-aws kyverno-notation-aws
+ENTRYPOINT ["/kyverno-notation-aws"]
diff --git a/testdata/dockerfile/README.md b/testdata/dockerfile/README.md
new file mode 100644
index 00000000..64354e44
--- /dev/null
+++ b/testdata/dockerfile/README.md
@@ -0,0 +1,18 @@
+# Apply policies on a Dockerfile
+
+1. Download a Dockerfile
+
+```
+curl https://raw.githubusercontent.com/nirmata/kyverno-notation-aws/main/Dockerfile /tmp/Dockefile
+```
+
+2. Convert to JSON
+
+Install `dockerfile-json`: https://github.com/keilerkonzept/dockerfile-json#get-it
+
+```
+dockerfile-json ~/go/src/github.com/jimbugwadia/kyverno-notation-aws/Dockerfile | jq > input.json
+```
+
+3. Apply policy
+
diff --git a/testdata/dockerfile/input.json b/testdata/dockerfile/input.json
new file mode 100644
index 00000000..c15b00ea
--- /dev/null
+++ b/testdata/dockerfile/input.json
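Review bot: The plugin archive is fetched from a `latest` URL on the line `RUN wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}` and unpacked with no integrity check, so the `notation-com.amazonaws.signer.notation.plugin` binary that the final distroless stage copies out of the builder is whatever the CDN served at build time, and two builds of the same commit can ship different plugin code. If this fixture is meant to mirror the project's real Dockerfile rather than only to trip the `no-curl-wget` rule, pin the plugin version in `SIGNER_BINARY_LINK` and verify a digest right after the download, e.g. `RUN echo "<EXPECTED_SHA256>  ${SIGNER_BINARY_FILE}" | sha256sum -c -`. In the same builder stage `apk add unzip` is unpinned and `apk update` runs without `--no-cache`; `apk add --no-cache unzip=<version>` keeps that layer reproducible as well. `COPY . ./` into `WORKDIR /` also sweeps the entire build context (including any local `.git` or credential files) into the builder image root, so a `.dockerignore` or a dedicated `/src` workdir is worth adding alongside this fixture.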
@@ -0,0 +1,175 @@ +{ + "MetaArgs": [ + { + "Key": "BUILD_PLATFORM", + "DefaultValue": "\"linux/amd64\"", + "ProvidedValue": null, + "Value": "\"linux/amd64\"" + }, + { + "Key": "BUILDER_IMAGE", + "DefaultValue": "\"golang:1.20.6-alpine3.18\"", + "ProvidedValue": null, + "Value": "\"golang:1.20.6-alpine3.18\"" + } + ], + "Stages": [ + { + "Name": "builder", + "BaseName": "\"golang:1.20.6-alpine3.18\"", + "Platform": "$BUILD_PLATFORM", + "Comment": "", + "SourceCode": "FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder", + "Location": [ + { + "Start": { + "Line": 4, + "Character": 0 + }, + "End": { + "Line": 4, + "Character": 0 + } + } + ], + "As": "builder", + "From": { + "Image": "\"golang:1.20.6-alpine3.18\"" + }, + "Commands": [ + { + "Name": "WORKDIR", + "Path": "/" + }, + { + "Chmod": "", + "Chown": "", + "DestPath": "./", + "From": "", + "Link": false, + "Name": "COPY", + "SourceContents": null, + "SourcePaths": [ + "." + ] + }, + { + "Args": [ + { + "Comment": "", + "Key": "SIGNER_BINARY_LINK", + "Value": "\"https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip\"" + } + ], + "Name": "ARG" + }, + { + "Args": [ + { + "Comment": "", + "Key": "SIGNER_BINARY_FILE", + "Value": "\"notation-aws-signer-plugin.zip\"" + } + ], + "Name": "ARG" + }, + { + "CmdLine": [ + "wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}" + ], + "Files": null, + "FlagsUsed": [], + "Name": "RUN", + "PrependShell": true + }, + { + "CmdLine": [ + "apk update && apk add unzip && unzip -o ${SIGNER_BINARY_FILE}" + ], + "Files": null, + "FlagsUsed": [], + "Name": "RUN", + "PrependShell": true + }, + { + "CmdLine": [ + "GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"-w -s\" -o kyverno-notation-aws ." 
+ ], + "Files": null, + "FlagsUsed": [], + "Name": "RUN", + "PrependShell": true + } + ] + }, + { + "Name": "", + "BaseName": "gcr.io/distroless/static:nonroot", + "Platform": "", + "Comment": "", + "SourceCode": "FROM gcr.io/distroless/static:nonroot", + "Location": [ + { + "Start": { + "Line": 20, + "Character": 0 + }, + "End": { + "Line": 20, + "Character": 0 + } + } + ], + "From": { + "Image": "gcr.io/distroless/static:nonroot" + }, + "Commands": [ + { + "Name": "WORKDIR", + "Path": "/" + }, + { + "Env": [ + { + "Key": "PLUGINS_DIR", + "Value": "/plugins" + } + ], + "Name": "ENV" + }, + { + "Chmod": "", + "Chown": "", + "DestPath": "plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin", + "From": "builder", + "Link": false, + "Name": "COPY", + "SourceContents": null, + "SourcePaths": [ + "notation-com.amazonaws.signer.notation.plugin" + ] + }, + { + "Chmod": "", + "Chown": "", + "DestPath": "kyverno-notation-aws", + "From": "builder", + "Link": false, + "Name": "COPY", + "SourceContents": null, + "SourcePaths": [ + "kyverno-notation-aws" + ] + }, + { + "CmdLine": [ + "/kyverno-notation-aws" + ], + "Files": null, + "Name": "ENTRYPOINT", + "PrependShell": false + } + ] + } + ] +}
diff --git a/testdata/dockerfile/policy-check-external.yaml b/testdata/dockerfile/policy-check-external.yaml
new file mode 100644
index 00000000..541ed73b
--- /dev/null
+++ b/testdata/dockerfile/policy-check-external.yaml
@@ -0,0 +1,20 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-dockerfile
+spec:
+ rules:
+ - name: no-http
+ validate:
+ message: "HTTP calls are not allowed"
+ assert:
+ all:
+ - ~.(Stages[].Commands[].Args[].Value):
+ (contains(@, 'https://') || contains(@, 'http://')): false
+ - name: no-curl-wget
+ validate:
+ message: "curl / wget are not allowed"
+ assert:
+ all:
+ - ~.(Stages[].Commands[].CmdLine[]):
+ (contains(@, 'wget') || contains(@, 'curl')): false
\ No newline at end of file
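Review bot: The `no-http` rule only walks `Stages[].Commands[].Args[].Value`, so a URL written directly on a `RUN` line, in an `ENV` value, or in a top-level `MetaArgs[].Value` is never evaluated; the fixture passes through this rule only because its URL happens to sit in a stage-level `ARG`. Add sibling entries under the same `all:` such as `- ~.(Stages[].Commands[].CmdLine[]):` and `- ~.(MetaArgs[].Value):` with the same `contains` assertion so the outcome does not depend on where the author placed the string. The `no-curl-wget` assertion `(contains(@, 'wget') || contains(@, 'curl')): false` is a plain substring test, so it also fires on unrelated tokens such as a `libcurl` package name while saying nothing about other fetch tools; if the intent is "no network fetches during build", the `message` should state that scope and the rule name should reflect it. The message `"HTTP calls are not allowed"` is also narrower than the check, which rejects `https://` too, so consider `"External HTTP(S) URLs are not allowed in build arguments"`.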