From 3d1db6df02a8306b92baeb1f7766976c1377cbfa Mon Sep 17 00:00:00 2001 From: kushal9897 Date: Sat, 8 Feb 2025 07:50:54 +0530 Subject: [PATCH 1/3] docs: clarify that variables are not allowed in imageReferences field Signed-off-by: kushal9897 --- .../en/docs/writing-policies/verify-images/_index.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/content/en/docs/writing-policies/verify-images/_index.md b/content/en/docs/writing-policies/verify-images/_index.md index 920b5ec8e..be1ff3d53 100644 --- a/content/en/docs/writing-policies/verify-images/_index.md +++ b/content/en/docs/writing-policies/verify-images/_index.md @@ -48,6 +48,17 @@ The `imageRegistryCredentials.secrets` specifies a list of secrets that are prov For additional details please reference a section below for the solution used to sign the images and attestations: +## Limitations + +### Variables in `imageReferences` +The `imageReferences` field does **not** support variable interpolation (e.g., `{{ }}` syntax). Only **static strings** or predefined lists should be used. + +#### **Incorrect Usage** +```yaml +verifyImages: + - imageReferences: ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"] + + ### Cache Image verification requires multiple network calls and can be time consuming. Kyverno has a TTL based cache for image verification which caches successful outcomes of image verification. When cache is enabled, an image once verified by a policy will be considered to be verified until TTL duration expires or there is a change in policy. From ad2320cb4ea27d93c723b3bf1806b253fec3ff27 Mon Sep 17 00:00:00 2001 From: kushal9897 Date: Tue, 11 Feb 2025 08:28:21 +0530 Subject: [PATCH 2/3] docs(index.md): clarify variable restrictions in imageReferences Signed-off-by: kushal9897 --- .../writing-policies/verify-images/_index.md | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) 
diff --git a/content/en/docs/writing-policies/verify-images/_index.md b/content/en/docs/writing-policies/verify-images/_index.md index be1ff3d53..7da687522 100644 --- a/content/en/docs/writing-policies/verify-images/_index.md +++ b/content/en/docs/writing-policies/verify-images/_index.md 
@@ -53,12 +53,71 @@ For additional details please reference a section below for the solution used to ### Variables in `imageReferences` The `imageReferences` field does **not** support variable interpolation (e.g., `{{ }}` syntax). Only **static strings** or predefined lists should be used. + #### ** Incorrect Usage (Using Variables – Not Allowed)** + ```yaml + verifyImages: + - imageReferences: ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"] + ``` + This will result in a validation error because variables are **not allowed** in `imageReferences`. + + #### ** Correct Usage (Using Static Values – Allowed)** + ```yaml + verifyImages: + - imageReferences: + - "myregistry.com/app-image:v1" + - "myregistry.com/app-image:v2" + ``` + Here, only **explicit, static image references** are used, which is allowed. + + +### **Other Fields Where Variables Are Not Allowed** + In addition to `imageReferences`, the following fields **do not support variable interpolation** and must be defined with static values: + + - `match.resources.kinds` + - `exclude.resources.kinds` + - `preconditions.all` + - `preconditions.any` + + #### ** Incorrect Usage (Using Variables – Not Allowed)** + ```yaml + rules: + - name: restrict-deployment-kinds + match: + resources: + kinds: + - "{{ request.object.kind }}" + ``` + **Why is this incorrect?** + - `match.resources.kinds` must contain **static** resource kinds (e.g., `Pod`, `Deployment`). + - Dynamic interpolation using `{{ request.object.kind }}` is **not supported**. + + #### ** Correct Usage (Using Static Values – Allowed)** + ```yaml + rules: + - name: restrict-deployment-kinds + match: + resources: + kinds: + - Deployment + - StatefulSet + ``` + **Why is this correct?** + - Only predefined, static resource kinds (`Deployment`, `StatefulSet`) are used. 
+ +--- + +### **Why Are Variables Not Allowed in These Fields?** + Kyverno requires these fields to be **static** to ensure policy validation and enforcement remain deterministic and efficient. Allowing variables in these fields could introduce unexpected behavior, making policy evaluation unreliable. + +--- + #### **Incorrect Usage** ```yaml verifyImages: - imageReferences: ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"] + ### Cache Image verification requires multiple network calls and can be time consuming. Kyverno has a TTL based cache for image verification which caches successful outcomes of image verification. When cache is enabled, an image once verified by a policy will be considered to be verified until TTL duration expires or there is a change in policy. From fefddd87a34fa51212704c94eff078d3cb813a4f Mon Sep 17 00:00:00 2001 From: kushal9897 Date: Sat, 15 Feb 2025 03:36:57 +0530 Subject: [PATCH 3/3] docs: clarify that preconditions are not allowed in imageReferences field Signed-off-by: kushal9897 --- .../writing-policies/verify-images/_index.md | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/content/en/docs/writing-policies/verify-images/_index.md b/content/en/docs/writing-policies/verify-images/_index.md index 7da687522..e8a79e8a8 100644 --- a/content/en/docs/writing-policies/verify-images/_index.md +++ b/content/en/docs/writing-policies/verify-images/_index.md 
@@ -53,14 +53,14 @@ For additional details please reference a section below for the solution used to ### Variables in `imageReferences` The `imageReferences` field does **not** support variable interpolation (e.g., `{{ }}` syntax). Only **static strings** or predefined lists should be used. - #### ** Incorrect Usage (Using Variables – Not Allowed)** + #### Incorrect Usage (Using Variables – Not Allowed) ```yaml verifyImages: - imageReferences: ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"] ``` This will result in a validation error because variables are **not allowed** in `imageReferences`. - #### ** Correct Usage (Using Static Values – Allowed)** + #### Correct Usage (Using Static Values – Allowed) ```yaml verifyImages: - imageReferences: @@ -78,7 +78,7 @@ The `imageReferences` field does **not** support variable interpolation (e.g., ` - `preconditions.all` - `preconditions.any` - #### ** Incorrect Usage (Using Variables – Not Allowed)** + #### Incorrect Usage (Using Variables – Not Allowed) ```yaml rules: - name: restrict-deployment-kinds @@ -91,7 +91,7 @@ The `imageReferences` field does **not** support variable interpolation (e.g., ` - `match.resources.kinds` must contain **static** resource kinds (e.g., `Pod`, `Deployment`). - Dynamic interpolation using `{{ request.object.kind }}` is **not supported**. - #### ** Correct Usage (Using Static Values – Allowed)** + #### Correct Usage (Using Static Values – Allowed) ```yaml rules: - name: restrict-deployment-kinds 
@@ -104,18 +104,11 @@ The `imageReferences` field does **not** support variable interpolation (e.g., ` **Why is this correct?** - Only predefined, static resource kinds (`Deployment`, `StatefulSet`) are used. ---- + ### **Why Are Variables Not Allowed in These Fields?** Kyverno requires these fields to be **static** to ensure policy validation and enforcement remain deterministic and efficient. Allowing variables in these fields could introduce unexpected behavior, making policy evaluation unreliable. ---- - -#### **Incorrect Usage** -```yaml -verifyImages: - - imageReferences: ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"] - ### Cache
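Review bot: in the PATCH 1/3 hunk, the yaml fence opened above `verifyImages:` under `#### **Incorrect Usage**` is never closed; the block runs through two blank lines straight into `### Cache`, so the rest of the page renders inside the code block. Add a closing fence after the `imageReferences` line. The placement also needs a second look: `## Limitations` is inserted as a level-2 heading between "For additional details please reference a section below for the solution used to sign the images and attestations:" and `### Cache`, which both cuts that sentence off from the sections it introduces and makes the existing Cache section a child of Limitations. Either move the new section below Cache or use `###` to match its neighbours. Finally, "Only **static strings** or predefined lists should be used" is ambiguous: say explicitly that a plain YAML list of literal image patterns is what is meant, since readers may read "predefined lists" as a ConfigMap-backed list, which is exactly the pattern the incorrect example rejects.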
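Review bot: the PATCH 2/3 hunk lists `preconditions.all` and `preconditions.any` under "Other Fields Where Variables Are Not Allowed" with no example and no explanation. Kyverno preconditions are JMESPath conditions whose keys and values routinely reference variables such as `{{ request.operation }}`, so this claim contradicts the rest of the docs and needs to be verified against the policy validator before it is merged; if it cannot be substantiated, drop those two bullets. Two smaller points in the same hunk: the hunk leaves the earlier `#### **Incorrect Usage**` block in place below the new `---` (visible in the trailing context, still with its unclosed fence), so the page now carries the example twice; and every added line, fenced blocks included, is indented by one leading space, which is inconsistent with the unindented markdown around it and should be removed. Where the text says "This will result in a validation error", quote the actual error message the CLI or webhook returns so readers can recognise it.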
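Review bot: the PATCH 3/3 commit subject, "docs: clarify that preconditions are not allowed in imageReferences field", does not describe the diff: the `@@ -53,14`, `@@ -78,7` and `@@ -91,7` hunks only strip the `** ... **` markers from four `####` headings, and nothing in the patch touches preconditions or `imageReferences`. Rewrite the message to say what it does (heading cleanup and removal of a duplicated example). Since this series only corrects the two commits before it, squash the three into one commit so the unclosed fence and duplicate block from PATCH 1/3 and 2/3 never land in history.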
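Review bot: the `@@ -104,18` hunk correctly deletes the duplicated, unclosed `#### **Incorrect Usage**` block and the stray `---` rules, but it leaves `### **Why Are Variables Not Allowed in These Fields?**` with the same bold-inside-heading markup that the other hunks in this commit remove; apply the same fix for consistency. The paragraph under that heading is also the weakest part of the addition: "could introduce unexpected behavior, making policy evaluation unreliable" explains nothing. Either give the concrete reason the validator rejects them (for `match`/`exclude`, that resource selection happens before the rule's context and request variables are resolved) or cut the sentence and keep only the statement that the validator rejects variables in these fields.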