diff --git a/Makefile b/Makefile index a7754f21..86a6f96c 100644 --- a/Makefile +++ b/Makefile @@ -267,8 +267,13 @@ codegen-schemas-json: codegen-schemas-openapi ## Generate json schemas .PHONY: codegen-schemas codegen-schemas: codegen-schemas-openapi codegen-schemas-json ## Generate openapi and json schemas +.PHONY: codegen-playground-examples +codegen-playground-examples: ## Generate playground examples + @echo Generate playground examples... >&2 + @go run ./website/playground-examples/main.go + .PHONY: codegen-playground -codegen-playground: build-wasm ## Generate playground +codegen-playground: build-wasm codegen-playground-examples ## Generate playground @echo Generate playground... >&2 @rm -rf ./pkg/server/ui/dist && mkdir -p ./pkg/server/ui/dist && cp -r ./website/playground/* ./pkg/server/ui/dist @rm -rf ./website/docs/_playground && mkdir -p ./website/docs/_playground && cp -r ./website/playground/* ./website/docs/_playground diff --git a/pkg/server/ui/dist/assets/data.json b/pkg/server/ui/dist/assets/data.json index 6aa3ce4e..a7fbc437 100644 --- a/pkg/server/ui/dist/assets/data.json +++ b/pkg/server/ui/dist/assets/data.json @@ -1,10 +1,10 @@ { "examples": [ { + "category": "dockerfile", "name": "check-dockerfile", - "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: check-dockerfile\nspec:\n rules:\n - name: deny-external-calls\n assert:\n all:\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].Args[].Value):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"curl is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'curl')): false\n - message: \"wget is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'wget')): false\n", - "payload": "MetaArgs:\n- Key: BUILD_PLATFORM\n DefaultValue: '\"linux/amd64\"'\n ProvidedValue:\n Value: '\"linux/amd64\"'\n- Key: BUILDER_IMAGE\n DefaultValue: '\"golang:1.20.6-alpine3.18\"'\n ProvidedValue:\n Value: '\"golang:1.20.6-alpine3.18\"'\nStages:\n- Name: builder\n BaseName: '\"golang:1.20.6-alpine3.18\"'\n Platform: \"$BUILD_PLATFORM\"\n Comment: ''\n SourceCode: FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder\n Location:\n - Start:\n Line: 4\n Character: 0\n End:\n Line: 4\n Character: 0\n As: builder\n From:\n Image: '\"golang:1.20.6-alpine3.18\"'\n Commands:\n - Name: WORKDIR\n Path: \"/\"\n - Chmod: ''\n Chown: ''\n DestPath: \"./\"\n From: ''\n Link: false\n Name: COPY\n SourceContents:\n SourcePaths:\n - \".\"\n - Args:\n - Comment: ''\n Key: SIGNER_BINARY_LINK\n Value: '\"https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip\"'\n Name: ARG\n - Args:\n - Comment: ''\n Key: SIGNER_BINARY_FILE\n Value: '\"notation-aws-signer-plugin.zip\"'\n Name: ARG\n - CmdLine:\n - wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}\n Files:\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - apk update && apk add unzip && unzip -o ${SIGNER_BINARY_FILE}\n Files:\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"-w -s\" -o kyverno-notation-aws\n .\n Files:\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n- Name: ''\n BaseName: gcr.io/distroless/static:nonroot\n Platform: ''\n Comment: ''\n SourceCode: FROM gcr.io/distroless/static:nonroot\n Location:\n - Start:\n Line: 20\n Character: 0\n End:\n Line: 20\n Character: 0\n From:\n Image: gcr.io/distroless/static:nonroot\n Commands:\n - Name: WORKDIR\n Path: \"/\"\n - Env:\n - Key: PLUGINS_DIR\n Value: \"/plugins\"\n Name: ENV\n - Chmod: ''\n Chown: ''\n DestPath: plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin\n From: builder\n Link: false\n Name: COPY\n SourceContents:\n SourcePaths:\n - notation-com.amazonaws.signer.notation.plugin\n - Chmod: ''\n Chown: ''\n DestPath: kyverno-notation-aws\n From: builder\n Link: false\n Name: COPY\n SourceContents:\n SourcePaths:\n - kyverno-notation-aws\n - CmdLine:\n - \"/kyverno-notation-aws\"\n Files:\n Name: ENTRYPOINT\n PrependShell: false\n", - "category": "dockerfile" + "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: check-dockerfile\nspec:\n rules:\n - name: deny-external-calls\n assert:\n all:\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].Args[].Value):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"curl is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'curl')): false\n - message: \"wget is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'wget')): false", + "payload": "MetaArgs:\n- DefaultValue: '\"linux/amd64\"'\n Key: BUILD_PLATFORM\n ProvidedValue: null\n Value: '\"linux/amd64\"'\n- DefaultValue: '\"golang:1.20.6-alpine3.18\"'\n Key: BUILDER_IMAGE\n ProvidedValue: null\n Value: '\"golang:1.20.6-alpine3.18\"'\nStages:\n- As: builder\n BaseName: '\"golang:1.20.6-alpine3.18\"'\n Commands:\n - Name: WORKDIR\n Path: /\n - Chmod: \"\"\n Chown: \"\"\n DestPath: ./\n From: \"\"\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - .\n - Args:\n - Comment: \"\"\n Key: SIGNER_BINARY_LINK\n Value: '\"https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip\"'\n Name: ARG\n - Args:\n - Comment: \"\"\n Key: SIGNER_BINARY_FILE\n Value: '\"notation-aws-signer-plugin.zip\"'\n Name: ARG\n - CmdLine:\n - wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - apk update \u0026\u0026 apk add unzip \u0026\u0026 unzip -o ${SIGNER_BINARY_FILE}\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"-w -s\" -o kyverno-notation-aws\n .\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n Comment: \"\"\n From:\n Image: '\"golang:1.20.6-alpine3.18\"'\n Location:\n - End:\n Character: 0\n Line: 4\n Start:\n Character: 0\n Line: 4\n Name: builder\n Platform: $BUILD_PLATFORM\n SourceCode: FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder\n- BaseName: gcr.io/distroless/static:nonroot\n Commands:\n - Name: WORKDIR\n Path: /\n - Env:\n - Key: PLUGINS_DIR\n Value: /plugins\n Name: ENV\n - Chmod: \"\"\n Chown: \"\"\n DestPath: plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin\n From: builder\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - notation-com.amazonaws.signer.notation.plugin\n - Chmod: \"\"\n Chown: \"\"\n DestPath: kyverno-notation-aws\n From: builder\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - kyverno-notation-aws\n - CmdLine:\n - /kyverno-notation-aws\n Files: null\n Name: ENTRYPOINT\n PrependShell: false\n Comment: \"\"\n From:\n Image: gcr.io/distroless/static:nonroot\n Location:\n - End:\n Character: 0\n Line: 20\n Start:\n Character: 0\n Line: 20\n Name: \"\"\n Platform: \"\"\n SourceCode: FROM gcr.io/distroless/static:nonroot\n" } ] } \ No newline at end of file diff --git a/playground-examples.yaml b/playground-examples.yaml new file mode 100644 index 00000000..288e1e6b --- /dev/null +++ b/playground-examples.yaml @@ -0,0 +1,6 @@ +# categories +dockerfile: + # names + check-dockerfile: + policy: test/commands/scan/dockerfile/policy.yaml + payload: test/commands/scan/dockerfile/payload.json diff --git a/website/playground-examples/main.go b/website/playground-examples/main.go new file mode 100644 index 00000000..b16206d6 --- /dev/null +++ b/website/playground-examples/main.go @@ -0,0 +1,81 @@ +package main + +import ( + "encoding/json" + "fmt" + "io/fs" + "os" + "path/filepath" + + "gopkg.in/yaml.v2" +) + +type Content struct { + Policy string `yaml:"policy"` + Payload string `yaml:"payload"` +} + +type Example struct { + Category string `json:"category"` + Name string `json:"name"` + Policy string `json:"policy"` + Payload string `json:"payload"` +} + +type Examples struct { + Examples []Example `json:"examples"` +} + +func load(file string) string { + if filepath.Ext(file) == ".json" { + content, err := os.ReadFile(file) + if err != nil { + panic(err) + } + var obj interface{} + if err := json.Unmarshal(content, &obj); err != nil { + panic(err) + } + data, err := yaml.Marshal(obj) + if err != nil { + panic(err) + } + return string(data) + } else if filepath.Ext(file) == ".yaml" || filepath.Ext(file) == ".yml" { + content, err := os.ReadFile(file) + if err != nil { + panic(err) + } + return string(content) + } + panic(fmt.Sprintf("unsupported file type %s", file)) +} + +func main() { + bytes, err := os.ReadFile("playground-examples.yaml") + if err != nil { + panic(err) + } + var content map[string]map[string]Content + if err := yaml.Unmarshal(bytes, &content); err != nil { + panic(err) + } + var examples Examples + for category, names := range content { + for name, value := range names { + examples.Examples = append(examples.Examples, Example{ + Category: category, + Name: name, + Policy: load(value.Policy), + Payload: load(value.Payload), + }) + } + } + data, err := json.MarshalIndent(&examples, "", " ") + if err != nil { + panic(err) + } + if err := os.WriteFile("website/playground/assets/data.json", data, fs.ModePerm); err != nil { + panic(err) + } +} diff --git a/website/playground/assets/data.json b/website/playground/assets/data.json index 6aa3ce4e..a7fbc437 100644 --- a/website/playground/assets/data.json +++ b/website/playground/assets/data.json @@ -1,10 +1,10 @@ { "examples": [ { + "category": "dockerfile", "name": "check-dockerfile", - "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: check-dockerfile\nspec:\n rules:\n - name: deny-external-calls\n assert:\n all:\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].Args[].Value):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"curl is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'curl')): false\n - message: \"wget is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'wget')): false\n", - "payload": "MetaArgs:\n- Key: BUILD_PLATFORM\n DefaultValue: '\"linux/amd64\"'\n ProvidedValue:\n Value: '\"linux/amd64\"'\n- Key: BUILDER_IMAGE\n DefaultValue: '\"golang:1.20.6-alpine3.18\"'\n ProvidedValue:\n Value: '\"golang:1.20.6-alpine3.18\"'\nStages:\n- Name: builder\n BaseName: '\"golang:1.20.6-alpine3.18\"'\n Platform: \"$BUILD_PLATFORM\"\n Comment: ''\n SourceCode: FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder\n Location:\n - Start:\n Line: 4\n Character: 0\n End:\n Line: 4\n Character: 0\n As: builder\n From:\n Image: '\"golang:1.20.6-alpine3.18\"'\n Commands:\n - Name: WORKDIR\n Path: \"/\"\n - Chmod: ''\n Chown: ''\n DestPath: \"./\"\n From: ''\n Link: false\n Name: COPY\n SourceContents:\n SourcePaths:\n - \".\"\n - Args:\n - Comment: ''\n Key: SIGNER_BINARY_LINK\n Value: '\"https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip\"'\n Name: ARG\n - Args:\n - Comment: ''\n Key: SIGNER_BINARY_FILE\n Value: '\"notation-aws-signer-plugin.zip\"'\n Name: ARG\n - CmdLine:\n - wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}\n Files:\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - apk update && apk add unzip && unzip -o ${SIGNER_BINARY_FILE}\n Files:\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"-w -s\" -o kyverno-notation-aws\n .\n Files:\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n- Name: ''\n BaseName: gcr.io/distroless/static:nonroot\n Platform: ''\n Comment: ''\n SourceCode: FROM gcr.io/distroless/static:nonroot\n Location:\n - Start:\n Line: 20\n Character: 0\n End:\n Line: 20\n Character: 0\n From:\n Image: gcr.io/distroless/static:nonroot\n Commands:\n - Name: WORKDIR\n Path: \"/\"\n - Env:\n - Key: PLUGINS_DIR\n Value: \"/plugins\"\n Name: ENV\n - Chmod: ''\n Chown: ''\n DestPath: plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin\n From: builder\n Link: false\n Name: COPY\n SourceContents:\n SourcePaths:\n - notation-com.amazonaws.signer.notation.plugin\n - Chmod: ''\n Chown: ''\n DestPath: kyverno-notation-aws\n From: builder\n Link: false\n Name: COPY\n SourceContents:\n SourcePaths:\n - kyverno-notation-aws\n - CmdLine:\n - \"/kyverno-notation-aws\"\n Files:\n Name: ENTRYPOINT\n PrependShell: false\n", - "category": "dockerfile" + "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n name: check-dockerfile\nspec:\n rules:\n - name: deny-external-calls\n assert:\n all:\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].Args[].Value):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"HTTP calls are not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'https://') || contains(@, 'http://')): false\n - message: \"curl is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'curl')): false\n - message: \"wget is not allowed\"\n check:\n ~.(Stages[].Commands[].CmdLine[]):\n (contains(@, 'wget')): false", + "payload": "MetaArgs:\n- DefaultValue: '\"linux/amd64\"'\n Key: BUILD_PLATFORM\n ProvidedValue: null\n Value: '\"linux/amd64\"'\n- DefaultValue: '\"golang:1.20.6-alpine3.18\"'\n Key: BUILDER_IMAGE\n ProvidedValue: null\n Value: '\"golang:1.20.6-alpine3.18\"'\nStages:\n- As: builder\n BaseName: '\"golang:1.20.6-alpine3.18\"'\n Commands:\n - Name: WORKDIR\n Path: /\n - Chmod: \"\"\n Chown: \"\"\n DestPath: ./\n From: \"\"\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - .\n - Args:\n - Comment: \"\"\n Key: SIGNER_BINARY_LINK\n Value: '\"https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip\"'\n Name: ARG\n - Args:\n - Comment: \"\"\n Key: SIGNER_BINARY_FILE\n Value: '\"notation-aws-signer-plugin.zip\"'\n Name: ARG\n - CmdLine:\n - wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - apk update \u0026\u0026 apk add unzip \u0026\u0026 unzip -o ${SIGNER_BINARY_FILE}\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n - CmdLine:\n - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"-w -s\" -o kyverno-notation-aws\n .\n Files: null\n FlagsUsed: []\n Name: RUN\n PrependShell: true\n Comment: \"\"\n From:\n Image: '\"golang:1.20.6-alpine3.18\"'\n Location:\n - End:\n Character: 0\n Line: 4\n Start:\n Character: 0\n Line: 4\n Name: builder\n Platform: $BUILD_PLATFORM\n SourceCode: FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder\n- BaseName: gcr.io/distroless/static:nonroot\n Commands:\n - Name: WORKDIR\n Path: /\n - Env:\n - Key: PLUGINS_DIR\n Value: /plugins\n Name: ENV\n - Chmod: \"\"\n Chown: \"\"\n DestPath: plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin\n From: builder\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - notation-com.amazonaws.signer.notation.plugin\n - Chmod: \"\"\n Chown: \"\"\n DestPath: kyverno-notation-aws\n From: builder\n Link: false\n Name: COPY\n SourceContents: null\n SourcePaths:\n - kyverno-notation-aws\n - CmdLine:\n - /kyverno-notation-aws\n Files: null\n Name: ENTRYPOINT\n PrependShell: false\n Comment: \"\"\n From:\n Image: gcr.io/distroless/static:nonroot\n Location:\n - End:\n Character: 0\n Line: 20\n Start:\n Character: 0\n Line: 20\n Name: \"\"\n Platform: \"\"\n SourceCode: FROM gcr.io/distroless/static:nonroot\n" } ] } \ No newline at end of file