Documentation
Overview
Package library implements CEL extension functions that expose Kubewarden context-aware capabilities as CEL functions for the policy to use.
Constants
This section is empty.
Variables
This section is empty.
Functions
func Crypto
Crypto provides a CEL function library extension for verifying certificates.
certificate
Returns a certificate verifier that can be used to verify the trust of the certificate.
kw.crypto.certificate(<string>) <CryptoVerifier>
Examples:
kw.crypto.certificate('PEM CERTIFICATE') // returns a certificate verifier for the given PEM encoded certificate
certificateChain
Adds a certificate to the certificate chain.
<CryptoVerifier>.certificateChain(<string>) <CryptoVerifier>
Examples:
kw.crypto.certificate('PEM CERTIFICATE').certificateChain('PEM CERTIFICATE') // returns a certificate verifier with the given PEM encoded certificate added to the chain
notAfter
Sets the not after date for the certificate verification. If `notAfter` is not set, the certificate is assumed to never expire. The date must be a `google.protobuf.Timestamp`. A `google.protobuf.Timestamp` can be created using the `timestamp` standard definition, by passing a string in RFC 3339 format. See: https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions
<CryptoVerifier>.notAfter(<google.protobuf.Timestamp>) <CryptoVerifier>
Examples:
kw.crypto.certificate('cert.pem').notAfter(timestamp('2000-01-01T00:00:00Z')) // returns a certificate verifier with the not after date set to '2000-01-01T00:00:00Z'
verify
Verifies the trust of the certificate. Returns a Response type that contains the trust result. `isTrusted()` returns a boolean that indicates if the certificate is trusted. `reason()` returns a string that contains the reason why the certificate is not trusted (empty if the certificate is trusted).
<CryptoVerifier>.verify() <Response>
Examples:
kw.crypto.certificate('PEM CERTIFICATE').certificateChain('PEM CERTIFICATE').notAfter(timestamp('2000-01-01T00:00:00Z')).verify().isTrusted() // returns true if the certificate is trusted
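The `certificate` / `certificateChain` / `notAfter` / `verify` chain used inside a Kubewarden cel-policy, as an added example that is not part of this library's documentation or of Kubewarden's own code: a ConfigMap is admitted only when the PEM certificate stored under its `tls.crt` key chains to the CA stored under `ca.crt` and passes the `notAfter` check for the configured date; `reason()` is surfaced in the rejection message. The cel-policy settings schema (`variables`, `validations`, `messageExpression`), the ConfigMap key names, the policy name and the cut-off date are assumptions made for this example.

```yaml
# Added example, not code from the library or from Kubewarden.
# Assumed: cel-policy settings schema (variables/validations/messageExpression),
# ConfigMap keys 'tls.crt' and 'ca.crt', and the cut-off date given to notAfter().
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: configmap-cert-chains-to-bundled-ca
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["configmaps"]
      operations: ["CREATE", "UPDATE"]
  mutating: false
  settings:
    variables:
      # ConfigMaps that do not carry both keys are out of scope and admitted;
      # the '||' below short-circuits so the verifier is never built for them.
      - name: carriesCert
        expression: "has(object.data) && 'tls.crt' in object.data && 'ca.crt' in object.data"
    validations:
      # Leaf certificate from 'tls.crt', issuing CA from 'ca.crt', both PEM encoded.
      - expression: |
          !variables.carriesCert ||
          kw.crypto.certificate(object.data['tls.crt'])
            .certificateChain(object.data['ca.crt'])
            .notAfter(timestamp('2026-01-01T00:00:00Z'))
            .verify().isTrusted()
        # Only evaluated on failure: reason() explains why the chain was rejected.
        messageExpression: |
          'certificate in tls.crt is not trusted: ' +
          kw.crypto.certificate(object.data['tls.crt'])
            .certificateChain(object.data['ca.crt'])
            .notAfter(timestamp('2026-01-01T00:00:00Z'))
            .verify().reason()
```

Without `certificateChain` the leaf has nothing to chain to, and without `notAfter` the docs above state the certificate is assumed to never expire, so a policy that wants an expiry check has to pass the date explicitly.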
func Kubernetes
Kubernetes provides a CEL function library extension for performing context-aware calls.
apiVersion
Returns a scoped client builder that can be used to build a client object for a specific API version ('v1' for the core group, 'groupName/groupVersion' for other groups).
kw.k8s.apiVersion(<string>) <ClientBuilder>
Examples:
kw.k8s.apiVersion('v1') // returns a ClientBuilder for the core group
kw.k8s.apiVersion('apps/v1') // returns a ClientBuilder for the 'apps' group
kind
Returns a client configured to list or get resources of the provided kind.
<ClientBuilder>.kind(<string>) <Client>
Examples:
kw.k8s.apiVersion('v1').kind('Pod') // returns a Client for the 'Pod' resources in the core group
kw.k8s.apiVersion('apps/v1').kind('Deployment') // returns a Client for the 'Deployment' resources in the 'apps' group
namespace
Returns a client configured to list or get resources in the provided namespace.
<Client>.namespace(<string>) <Client>
Examples:
kw.k8s.apiVersion('v1').kind('Pod').namespace('default') // returns a Client for the 'Pod' resources in the core group in the 'default' namespace
labelSelector
Returns a client configured to list resources with the provided label selector. NOTE: this is ignored for get operations. The label selector should be a valid Kubernetes label selector.
<Client>.labelSelector(<string>) <Client>
Examples:
kw.k8s.apiVersion('v1').kind('Pod').labelSelector('app=nginx') // returns a Client for the 'Pod' resources in the core group with the label selector 'app=nginx'
fieldSelector
Returns a client configured to list resources with the provided field selector. NOTE: this is ignored for get operations. The field selector should be a valid Kubernetes field selector.
<Client>.fieldSelector(<string>) <Client>
Examples:
kw.k8s.apiVersion('v1').kind('Pod').fieldSelector('status.phase=Running') // returns a Client for the 'Pod' resources in the core group with the field selector 'status.phase=Running'
list
Returns a list of Kubernetes resources matching the client configuration. The list of resources is returned as the corresponding object list type, for instance listing of `Pods` will return a [`PodList`](https://pkg.go.dev/k8s.io/api/core/v1#PodList). The resources can be accessed using the 'items' field.
<Client>.list() <objectList>
Examples:
kw.k8s.apiVersion('v1').kind('Pod').namespace('default').list().items // returns a list of 'Pod' resources in the 'default' namespace
kw.k8s.apiVersion('v1').kind('Pod').list().items // returns a list of 'Pod' resources in all namespaces
kw.k8s.apiVersion('v1').kind('Pod').labelSelector('app=nginx').list().items // returns a list of 'Pod' resources in all namespaces with the label selector 'app=nginx'
kw.k8s.apiVersion('v1').kind('Pod').fieldSelector('status.phase=Running').namespace('default').list().items // returns a list of running 'Pod' resources in the 'default' namespace with the field selector 'status.phase=Running'
get
Returns a Kubernetes resource matching the provided name. If a resource is namespaced, the namespace should be set using the namespace method.
<Client>.get(<string>) <object>
Examples:
kw.k8s.apiVersion('v1').kind('Pod').namespace('default').get('nginx') // returns the 'Pod' resource with the name 'nginx' in the 'default' namespace
kw.k8s.apiVersion('v1').kind('Pod').get('nginx') // error, 'Pod' resources are namespaced and the namespace must be set
kw.k8s.apiVersion('v1').kind('Namespace').get('default') // returns the 'Namespace' resource with the name 'default'
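The `apiVersion` / `kind` / `get` / `list` calls above combined into one context-aware Kubewarden cel-policy, as an added example that is not part of this library's documentation or of Kubewarden's own code. It admits an Ingress only if every host it claims falls under the domain recorded in a label on its Namespace (read with `get`) and no other Ingress in the cluster already serves that host (read with `list`, excluding the object being admitted so that updates do not conflict with themselves). The `contextAwareResources` declaration, the cel-policy settings schema, the label key `example.com/ingress-domain` and the policy name are assumptions made for this example.

```yaml
# Added example, not code from the library or from Kubewarden.
# Assumed: cel-policy settings schema, the contextAwareResources declaration,
# and the Namespace label 'example.com/ingress-domain'.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: ingress-hosts-scoped-and-unique
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  rules:
    - apiGroups: ["networking.k8s.io"]
      apiVersions: ["v1"]
      resources: ["ingresses"]
      operations: ["CREATE", "UPDATE"]
  mutating: false
  # Every resource the kw.k8s functions read must be declared here, otherwise the
  # policy-server denies the lookup.
  contextAwareResources:
    - apiVersion: v1
      kind: Namespace
    - apiVersion: networking.k8s.io/v1
      kind: Ingress
  settings:
    variables:
      # Hosts requested by the Ingress under admission (rules without a host are ignored).
      - name: requestedHosts
        expression: "has(object.spec.rules) ? object.spec.rules.filter(r, has(r.host)).map(r, r.host) : []"
      # Namespace is cluster-scoped, so get() needs no namespace() call.
      - name: namespace
        expression: "kw.k8s.apiVersion('v1').kind('Namespace').get(object.metadata.namespace)"
      - name: allowedDomain
        expression: |
          has(variables.namespace.metadata.labels) &&
          'example.com/ingress-domain' in variables.namespace.metadata.labels
            ? variables.namespace.metadata.labels['example.com/ingress-domain']
            : ''
      # All Ingresses in all namespaces except the one being admitted.
      - name: otherIngresses
        expression: |
          kw.k8s.apiVersion('networking.k8s.io/v1').kind('Ingress').list().items.filter(i,
            i.metadata.namespace != object.metadata.namespace || i.metadata.name != object.metadata.name)
      - name: conflictingHosts
        expression: |
          variables.requestedHosts.filter(h,
            variables.otherIngresses.exists(i,
              has(i.spec.rules) && i.spec.rules.exists(r, has(r.host) && r.host == h)))
    validations:
      - expression: "variables.allowedDomain != ''"
        messageExpression: "'namespace ' + object.metadata.namespace + ' has no example.com/ingress-domain label'"
      - expression: |
          variables.requestedHosts.all(h,
            h == variables.allowedDomain || h.endsWith('.' + variables.allowedDomain))
        messageExpression: "'all Ingress hosts must be under ' + variables.allowedDomain"
      - expression: "size(variables.conflictingHosts) == 0"
        messageExpression: "'host ' + variables.conflictingHosts[0] + ' is already claimed by another Ingress'"
```

Host uniqueness has to go through `list()` rather than `fieldSelector`, because `spec.rules[].host` is not a field the API server indexes; the filtering is done in CEL over the returned `items`.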
func Net
Net provides a CEL function library extension to interact with Kubewarden's network capabilities.
lookupHost
Returns a list of IP addresses resolved from the provided hostname.
kw.net.lookupHost(<string>) <list<string>>
Examples:
kw.net.lookupHost('example.com') // returns a list of IP addresses associated with 'example.com'
func OCI
OCI provides a CEL function library extension for retrieving the manifest of a given image.
image
Returns an OCI client object that can be used to retrieve the manifest of the provided image.
kw.oci.image(<string>) <OCIClient>
Examples:
kw.oci.image('image:latest') // returns an OCIClient for the 'image:latest' image
manifest
Returns the manifest of the image. The returned value depends on the given image: it can be either an OCI image manifest or an OCI image index manifest. See: https://github.com/opencontainers/image-spec/blob/main/manifest.md and https://github.com/opencontainers/image-spec/blob/main/image-index.md. If the response is an OCI image index manifest, the image field will be nil. If the response is an OCI image manifest, the index field will be nil.
<OCIClient>.manifest() <DynamicMap>
Examples:
kw.oci.image('image:latest').manifest().index // returns the index manifest, the image field is nil
or
kw.oci.image('image:latest').manifest().image // returns the image manifest, the index field is nil
manifestDigest
Returns the digest of the image manifest.
<OCIClient>.manifestDigest() <string>
Examples:
kw.oci.image('image:latest').manifestDigest() // returns the digest of the image manifest
manifestConfig
Returns the manifest, digest and image configuration of the OCI image. See the fields available in the manifest and image configuration at: https://github.com/opencontainers/image-spec/blob/main/manifest.md and https://github.com/opencontainers/image-spec/blob/main/config.md
<OCIClient>.manifestConfig() <DynamicMap>
Examples:
kw.oci.image('image:latest').manifestConfig().manifest // returns the image manifest
kw.oci.image('image:latest').manifestConfig().config // returns the image configuration
kw.oci.image('image:latest').manifestConfig().digest // returns the image digest
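`manifestConfig()` used for a runtime-hardening check inside a Kubewarden cel-policy, as an added example that is not part of this library's documentation or of Kubewarden's own code: a Pod is rejected when any of its container images has an image configuration whose `config.User` is unset, empty, `0` or `root`, i.e. an image that runs as root unless the Pod overrides it. The path `config.User` inside the returned `config` map follows the OCI image configuration specification linked above; that the returned map preserves those keys verbatim, the cel-policy settings schema and the policy name are assumptions made for this example.

```yaml
# Added example, not code from the library or from Kubewarden.
# Assumed: cel-policy settings schema, and that manifestConfig().config exposes
# the OCI image configuration JSON with its 'config'/'User' keys unchanged.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: images-must-declare-non-root-user
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE", "UPDATE"]
  mutating: false
  settings:
    variables:
      # Init containers and regular containers are checked alike.
      - name: images
        expression: |
          (has(object.spec.initContainers) ? object.spec.initContainers : []).map(c, c.image) +
          object.spec.containers.map(c, c.image)
      # Fetch each image configuration once and keep it next to the reference.
      - name: imageConfigs
        expression: |
          variables.images.map(img, {
            'image': img,
            'config': kw.oci.image(img).manifestConfig().config
          })
      # Images whose configuration does not pin a non-root user.
      - name: rootImages
        expression: |
          variables.imageConfigs.filter(e,
            !has(e.config.config) ||
            !has(e.config.config.User) ||
            e.config.config.User in ['', '0', 'root']).map(e, e.image)
    validations:
      - expression: "size(variables.rootImages) == 0"
        messageExpression: "'image ' + variables.rootImages[0] + ' does not set a non-root USER in its image configuration'"
```

A Pod-level `securityContext.runAsNonRoot` would also catch this at runtime, but checking the image configuration at admission reports the offending image by name and works before any container is scheduled.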
func Sigstore
Sigstore provides a CEL function library extension for verifying sigstore signatures of an image.
image
Returns a verifier builder object that can be used to build a specific verifier.
kw.sigstore.image(<string>) <VerifierBuilder>
Examples:
kw.sigstore.image('image:latest') // returns a verifier builder for the 'image:latest' image
annotation
Adds an annotation to the verifier builder.
<VerifierBuilder>.annotation(<string>, <string>) <VerifierBuilder>
Examples:
kw.sigstore.image('image:latest').annotation('foo', 'bar').annotation('baz', 'qux') // returns a verifier builder with the annotations 'foo'='bar' and 'baz'='qux'
pubKey
Builds a verifier that verifies the signature of an image using a set of public keys.
<VerifierBuilder>.pubKey(<string>) <PubKeysVerifier>
<PubKeysVerifier>.pubKey(<string>) <PubKeysVerifier>
Examples:
kw.sigstore.image('image:latest').pubKey('pubkey1').pubKey('pubkey2') // returns a verifier that verifies the signature of the 'image:latest' image using the public keys 'pubkey1' and 'pubkey2'
keyless
Builds a verifier that verifies the signature of an image using keyless signing. The first argument is the issuer and the second argument is the subject.
<VerifierBuilder>.keyless(<string>, <string>) <KeylessVerifier>
<KeylessVerifier>.keyless(<string>, <string>) <KeylessVerifier>
Examples:
kw.sigstore.image('image:latest').keyless('issuer1', 'subject1').keyless('issuer2', 'subject2') // returns a verifier that verifies the signature of the 'image:latest' image using keyless signing with the keyless info 'issuer1'='subject1' and 'issuer2'='subject2'
keylessPrefix
Builds a verifier that verifies the signature of an image using keyless signing. The first argument is the issuer and the second argument is a subject given as a URL prefix. The provided subject is sanitized to ensure it is a valid URL prefix and to prevent typosquatting. The signature is satisfied only if the subject is a prefix of the signature subject.
<VerifierBuilder>.keylessPrefix(<string>, <string>) <KeylessPrefixVerifier>
<KeylessPrefixVerifier>.keylessPrefix(<string>, <string>) <KeylessPrefixVerifier>
Examples:
kw.sigstore.image('image:latest').keylessPrefix('issuer1', 'https://example.com/').keylessPrefix('issuer2', 'https://example.org/') // returns a verifier that verifies the signature of the 'image:latest' image using keyless signing with the keyless prefix info 'issuer1'='https://example.com/' and 'issuer2'='https://example.org/'
githubAction
Builds a verifier that verifies sigstore signatures of an image using keyless signatures made via GitHub Actions. The first argument is the owner and the second argument is the repo (optional).
<VerifierBuilder>.githubAction(<string>, <string>) <GitHubActionVerifier>
<VerifierBuilder>.githubAction(<string>) <GitHubActionVerifier>
Examples:
kw.sigstore.image('image:latest').githubAction('owner1', 'repo1') // returns a verifier that verifies sigstore signatures of the 'image:latest' image using keyless signatures made via GitHub Actions with the owner 'owner1' and the repo 'repo1'
certificate
Builds a verifier that verifies sigstore signatures of an image using a user provided certificate. The certificate must be in PEM format.
<VerifierBuilder>.certificate(<string>) <CertificateVerifier>
Examples:
kw.sigstore.image('image:latest').certificate('certificate') // returns a verifier that verifies sigstore signatures of the 'image:latest' image using the provided certificate
certificateChain
Adds a certificate to the certificate verifier's chain. The certificate must be in PEM format.
<CertificateVerifier>.certificateChain(<string>) <CertificateVerifier>
Examples:
kw.sigstore.image('image:latest').certificate('certificate').certificateChain('certificate1').certificateChain('certificate2') // returns a verifier that verifies sigstore signatures of the 'image:latest' image using the provided certificate and the certificate chain 'certificate1' and 'certificate2'
requireRekorBundle
Sets whether the certificate verifier requires a Rekor bundle to be present in the signature. Having a Rekor bundle allows further checks to be performed, e.g. ensuring the signature has been produced during the validity time frame of the cert. It is recommended to set this to `true`.
<CertificateVerifier>.requireRekorBundle(<bool>) <CertificateVerifier>
Examples:
kw.sigstore.image('image:latest').certificate('certificate').requireRekorBundle(true) // returns a verifier that verifies sigstore signatures of the 'image:latest' image using the provided certificate and requires a Rekor bundle to be present in the signature
verify
Verifies the signature of an image using the verifier. Returns a Response object with the methods `isTrusted()` and `digest()` to check the trust of the signature and get the digest of the image respectively.
<PubKeysVerifier>.verify() <Response>
<KeylessVerifier>.verify() <Response>
<KeylessPrefixVerifier>.verify() <Response>
<GitHubActionVerifier>.verify() <Response>
<CertificateVerifier>.verify() <Response>
Examples:
kw.sigstore.image('image:latest').pubKey('pubkey').verify().isTrusted() // returns whether the signature of the 'image:latest' image using the public key 'pubkey' is trusted
kw.sigstore.image('image:latest').keyless('issuer', 'subject').verify().digest() // returns the digest of the 'image:latest' image using keyless signing with the keyless info 'issuer'='subject'
kw.sigstore.image('image:latest').keylessPrefix('issuer', 'https://example.com/').verify().isTrusted() // returns whether the signature of the 'image:latest' image using keyless signing with the keyless prefix info 'issuer'='https://example.com/' is trusted
kw.sigstore.image('image:latest').githubAction('owner', 'repo').verify().digest() // returns the digest of the 'image:latest' image using keyless signatures made via GitHub Actions with the owner 'owner' and the repo 'repo'
kw.sigstore.image('image:latest').certificate('certificate').certificateChain('certificate1').verify().isTrusted() // returns whether the signature of the 'image:latest' image using the provided certificate is trusted
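The `image` / `annotation` / `keylessPrefix` / `verify` chain, with both `isTrusted()` and `digest()` put to use in a Kubewarden cel-policy, as an added example that is not part of this library's documentation or of Kubewarden's own code. Every container image of a Pod must carry a keyless signature issued through the GitHub Actions OIDC issuer (`https://token.actions.githubusercontent.com`) for a workflow under the `https://github.com/example-org/` subject prefix and annotated with `env=prod`; a second validation requires the image reference to be pinned to the digest the verification resolved, so the Pod cannot later pull a different (unsigned) image under the same tag. The organization, the annotation, the cel-policy settings schema and the policy name are assumptions made for this example.

```yaml
# Added example, not code from the library or from Kubewarden.
# Assumed: cel-policy settings schema, the GitHub org 'example-org', and the
# annotation 'env'='prod' that signatures are expected to carry.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: images-signed-by-org-workflows
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE", "UPDATE"]
  mutating: false
  settings:
    variables:
      - name: images
        expression: |
          (has(object.spec.initContainers) ? object.spec.initContainers : []).map(c, c.image) +
          object.spec.containers.map(c, c.image)
      # Images whose signature is not from an example-org workflow with the
      # expected annotation. The subject prefix is sanitized by keylessPrefix,
      # so 'https://github.com/example-org-evil/' does not match.
      - name: untrustedImages
        expression: |
          variables.images.filter(img,
            !kw.sigstore.image(img)
              .annotation('env', 'prod')
              .keylessPrefix('https://token.actions.githubusercontent.com', 'https://github.com/example-org/')
              .verify().isTrusted())
      # Images not referenced by the digest that the signature verification resolved.
      - name: unpinnedImages
        expression: |
          variables.images.filter(img,
            !img.endsWith('@' + kw.sigstore.image(img)
              .annotation('env', 'prod')
              .keylessPrefix('https://token.actions.githubusercontent.com', 'https://github.com/example-org/')
              .verify().digest()))
    validations:
      - expression: "size(variables.untrustedImages) == 0"
        messageExpression: "'image ' + variables.untrustedImages[0] + ' is not signed by an example-org GitHub Actions workflow'"
      - expression: "size(variables.unpinnedImages) == 0"
        messageExpression: "'image ' + variables.unpinnedImages[0] + ' must be referenced by its verified digest'"
```

The ordering matters: `annotation` is a `VerifierBuilder` method, so it has to precede `keylessPrefix`, which turns the builder into a `KeylessPrefixVerifier` that only exposes `keylessPrefix` and `verify`.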
Types
This section is empty.