kyverno · chipzoller · Aug 9, 2024 · Jul 9, 2024 · Jul 9, 2024 · Jul 9, 2024
diff --git a/other/require-image-checksum/.chainsaw-test/chainsaw-test.yaml b/other/require-image-checksum/.chainsaw-test/chainsaw-test.yaml
@@ -36,3 +36,20 @@ spec:
         - check:
             ($error != null): true
         file: podcontroller-bad.yaml
+  - name: step-03
+    try:
+    - script:
+        content: |
+          kubectl apply -f pod-good-for-ephemeral.yaml
+          sleep 2
+          kubectl debug goodpod-for-debug -it --image=ubuntu@sha256:0eb0f877e1c869a300c442c41120e778db7161419244ee5cbc6fa5f134e74736 --share-processes --copy-to=myapp-debug
+    - script:
+        content: |
+          kubectl apply -f pod-bad-for-ephemeral.yaml
+          sleep 2
+          kubectl debug badpod-for-debug -it --image=ubuntu --share-processes --copy-to=myapp-debug
+        check:
+          ($error != null): true
+    - script:
+        content: |
+          kubectl delete pods --all --force
diff --git a/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml b/other/require-image-checksum/.chainsaw-test/pod-bad-for-ephemeral.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod-for-debug
+spec:
+  containers:
+  - name: busybox
+    image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+    command: ["sleep", "1d"]
+
diff --git a/other/require-image-checksum/.chainsaw-test/pod-bad.yaml b/other/require-image-checksum/.chainsaw-test/pod-bad.yaml
@@ -18,4 +18,23 @@ spec:
     - name: busybox
       image: busybox
     - name: bb
-      image: busybox:latest
+      image: busybox:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod03
+spec:
+  initContainers:
+  - name: init-busybox
+    image: busybox:1.35
+    command: ['sh', '-c', 'echo Init container 1 completed']
+  - name: init-alpine
+    image: alpine:3.16
+    command: ['sh', '-c', 'echo Init container 2 completed']
+  containers:
+  - name: busybox
+    image: busybox:1.35
+  - name: busybox02
+    image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+---
diff --git a/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml b/other/require-image-checksum/.chainsaw-test/pod-good-for-ephemeral.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod-for-debug
+spec:
+  containers:
+  - name: busybox
+    image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+    command: ["sleep", "1d"]
diff --git a/other/require-image-checksum/.chainsaw-test/pod-good.yaml b/other/require-image-checksum/.chainsaw-test/pod-good.yaml
@@ -18,4 +18,23 @@ spec:
   - name: busybox
     image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
   - name: nginx
-    image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+    image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod03
+spec:
+  initContainers:
+  - name: init-busybox
+    image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+    command: ['sh', '-c', 'echo Init container 1 completed']
+  - name: init-nginx
+    image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+    command: ['sh', '-c', 'echo Init container 2 completed']
+  containers:
+  - name: busybox
+    image: busybox@sha256:67a8ef886e2ca4055f00e7cd13aedb9b24148c1451a6832d16fcc997a157eedc
+  - name: nginx
+    image: nginx@sha256:1bb5c4b86cb7c1e9f0209611dc2135d8a2c1c3a6436163970c99193787d067ea
+---
diff --git a/other/require-image-checksum/.kyverno-test/kyverno-test.yaml b/other/require-image-checksum/.kyverno-test/kyverno-test.yaml
@@ -17,17 +17,17 @@ results:
   policy: require-image-checksum
   resources:
   - myapp-pod-2
-  result: fail
+  result: pass
   rule: require-image-checksum
 - kind: Deployment
   policy: require-image-checksum
   resources:
   - mydeploy
-  result: pass
+  result: fail
   rule: require-image-checksum
 - kind: Pod
   policy: require-image-checksum
   resources:
   - myapp-pod-1
-  result: pass
+  result: fail
   rule: require-image-checksum
diff --git a/other/require-image-checksum/.kyverno-test/resource.yaml b/other/require-image-checksum/.kyverno-test/resource.yaml
@@ -5,6 +5,10 @@ metadata:
   labels:
     app: myapp-1
 spec:
+  initContainers:
+  - name: init-myservice
+    image: busybox
+    command: ['sh', '-c', 'echo Initializing...']
   containers:
   - name: nginx
     image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9
@@ -17,9 +21,13 @@ metadata:
   labels:
     app: myapp-2
 spec:
+  initContainers:
+  - name: init-myservice
+    image: busybox@sha256:9ae97d36d26566ff84e8893c64a6dc4fe8ca6d1144bf5b87b2b85a32def253c7
+    command: ['sh', '-c', 'echo Initializing...']
   containers:
   - name: nginx
-    image: nginx
+    image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9
 
 ---
 apiVersion: apps/v1
@@ -36,6 +44,10 @@ spec:
       labels:
         app: myapp
     spec:
+      initContainers:
+      - name: init-myservice
+        image: busybox
+        command: ['sh', '-c', 'echo Initializing...']
       containers:
       - name: nginx
         image: nginx@sha256:353c20f74d9b6aee359f30e8e4f69c3d7eaea2f610681c4a95849a2fd7c497f9
@@ -53,6 +65,10 @@ spec:
     spec:
       template:
         spec:
+          initContainers:
+          - name: init-myservice
+            image: busybox
+            command: ['sh', '-c', 'echo Initializing...']
           containers:
           - name: hello
             image: busybox
@@ -61,4 +77,4 @@ spec:
             - /bin/sh
             - -c
             - date; echo Hello from the Kubernetes cluster
-          restartPolicy: OnFailure
+
diff --git a/other/require-image-checksum/artifacthub-pkg.yml b/other/require-image-checksum/artifacthub-pkg.yml
@@ -18,4 +18,4 @@ readme: |
 annotations:
   kyverno/category: "Sample"
   kyverno/subject: "Pod"
-digest: 3337bb7de436169ae83391daf6da76251ce00422f3fc5691d80cfc6f75606d80
+digest: c04622929b71c3e6437ad7f1f6ee84e8601e46ff35344c1cabb512d43b314cc1
diff --git a/other/require-image-checksum/require-image-checksum.yaml b/other/require-image-checksum/require-image-checksum.yaml
@@ -9,11 +9,9 @@ metadata:
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/description: >-
-      Use of a SHA checksum when pulling an image is often preferable because tags
-      are mutable and can be overwritten. This policy checks to ensure that all images
-      use SHA checksums rather than tags.
+      Use of a SHA checksum when pulling an image is often preferable because tags are mutable and can be overwritten. This policy checks to ensure that all images use SHA checksums rather than tags.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: require-image-checksum
@@ -27,4 +25,8 @@ spec:
       pattern:
         spec:
           containers:
-          - image: "*@*"
+          - image: "*@*"
+          =(ephemeralContainers):
+          - image: "*@*"
+          =(initContainers):
+          - image: "*@*"