library

package

v1.2.2

Published: Dec 4, 2024 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Package library implements CEL extension functions that expose Kubewarden context-aware capabilities as CEL functions for the policy to use.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Crypto

func Crypto() cel.EnvOption

Crypto provides a CEL function library extension for verifying certificates.

certificate

Returns a certificate verifier that can be used to verify the trust of the certificate.

kw.crypto.certificate(<string>) <CryptoVerifier>

Examples:

kw.crypto.certificate('PEM CERTIFICATE') // returns a certificate verifier for the given PEM encoded certificate

certificateChain

Adds a certificate to the certificate chain.

<CryptoVerifier>.certificateChain(<string>) <CryptoVerifier>

Examples:

kw.crypto.certificate('PEM CERTIFICATE').certificateChain('PEM CERTIFICATE') // returns a certificate verifier with the given PEM encoded certificate added to the chain

notAfter

Sets the not after date for the certificate verification. If `notAfter` is not set, the certificate is assumed to never expire. The date must be a `google.protobuf.Timestamp`. A `google.protobuf.Timestamp` can be created using the `timestamp` standard definition, by passing a string in RFC 3339 format. See: https://github.com/google/cel-spec/blob/master/doc/langdef.md#list-of-standard-definitions

<CryptoVerifier>.notAfter(<google.protobuf.Timestamp>) <CryptoVerifier>

Examples:

kw.crypto.certificate('PEM CERTIFICATE').notAfter(timestamp('2000-01-01T00:00:00Z')) // returns a certificate verifier with the not after date set to '2000-01-01T00:00:00Z'

verify

Verifies the trust of the certificate. Returns a Response type that contains the trust result. `isTrusted()` returns a boolean that indicates if the certificate is trusted. `reason()` returns a string that contains the reason why the certificate is not trusted (empty if the certificate is trusted).

<CryptoVerifier>.verify() <Response>

Examples:

kw.crypto.certificate('PEM CERTIFICATE').certificateChain('PEM CERTIFICATE').notAfter(timestamp('2000-01-01T00:00:00Z')).verify().isTrusted() // returns true if the certificate is trusted
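As an added example (not code from the package or the Kubewarden project), a ClusterAdmissionPolicy for the cel-policy module that accepts a ConfigMap carrying a client certificate only if the certificate chains to an organisation CA and is valid at the configured date; the manifest layout follows Kubewarden's cel-policy conventions, and the `kube-system/org-root-ca` ConfigMap, the `example.com/client-cert` label and the check date are assumed values.

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: client-cert-must-chain-to-org-ca
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  mutating: false
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["configmaps"]
      operations: ["CREATE", "UPDATE"]
  # kw.k8s can only read the kinds listed here; the policy needs nothing beyond ConfigMaps.
  contextAwareResources:
    - apiVersion: v1
      kind: ConfigMap
  settings:
    variables:
      # Trust anchor read from the cluster (assumed location) rather than embedded in the
      # policy, so rotating the CA does not require redeploying the policy.
      - name: orgCA
        expression: >-
          kw.k8s.apiVersion('v1').kind('ConfigMap').namespace('kube-system')
          .get('org-root-ca').data['ca.crt']
      # Only ConfigMaps that opt in through a label are expected to carry a certificate.
      - name: optedIn
        expression: >-
          has(object.metadata.labels)
          && 'example.com/client-cert' in object.metadata.labels
    validations:
      - expression: "!variables.optedIn || (has(object.data) && 'client.crt' in object.data)"
        message: "ConfigMaps labelled example.com/client-cert must carry data['client.crt']"
      # certificateChain() supplies the CA; notAfter() is the date the certificate is
      # checked against. Without notAfter() the library treats the certificate as never
      # expiring, so always set it (placeholder date below).
      - expression: >-
          !variables.optedIn
          || kw.crypto.certificate(object.data['client.crt'])
             .certificateChain(variables.orgCA)
             .notAfter(timestamp('2025-12-31T23:59:59Z'))
             .verify().isTrusted()
        message: "client.crt does not chain to the organisation CA or is not valid through 2025-12-31"
```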

func Kubernetes

func Kubernetes() cel.EnvOption

Kubernetes provides a CEL function library extension for performing context-aware calls.

apiVersion

Returns a scoped client builder that can be used to build a client object for a specific API version (`v1` for the core group, `groupName/groupVersion` for the others).

kw.k8s.apiVersion(<string>) <ClientBuilder>

Examples:

kw.k8s.apiVersion('v1') // returns a ClientBuilder for the core group
kw.k8s.apiVersion('apps/v1') // returns a ClientBuilder for the 'apps' group

kind

Returns a client configured to list or get resources of the provided kind.

<ClientBuilder>.kind(<string>) <Client>

Examples:

kw.k8s.apiVersion('v1').kind('Pod') // returns a Client for the 'Pod' resources in the core group
kw.k8s.apiVersion('apps/v1').kind('Deployment') // returns a Client for the 'Deployment' resources in the 'apps' group

namespace

Returns a client configured to list or get resources in the provided namespace.

<Client>.namespace(<string>) <Client>

Examples:

kw.k8s.apiVersion('v1').kind('Pod').namespace('default') // returns a Client for the 'Pod' resources in the core group in the 'default' namespace

labelSelector

Returns a client configured to list resources with the provided label selector. NOTE: this is ignored for get operations. The label selector should be a valid Kubernetes label selector.

<Client>.labelSelector(<string>) <Client>

Examples:

kw.k8s.apiVersion('v1').kind('Pod').labelSelector('app=nginx') // returns a Client for the 'Pod' resources in the core group with the label selector 'app=nginx'

fieldSelector

Returns a client configured to list resources with the provided field selector. NOTE: this is ignored for get operations. The field selector should be a valid Kubernetes field selector.

<Client>.fieldSelector(<string>) <Client>

Examples:

kw.k8s.apiVersion('v1').kind('Pod').fieldSelector('status.phase=Running') // returns a Client for the 'Pod' resources in the core group with the field selector 'status.phase=Running'

list

Returns a list of Kubernetes resources matching the client configuration. The list is returned as the corresponding object list type; for instance, listing `Pods` returns a [`PodList`](https://pkg.go.dev/k8s.io/api/core/v1#PodList). The resources can be accessed using the 'items' field.

<Client>.list() <objectList>

Examples:

kw.k8s.apiVersion('v1').kind('Pod').namespace('default').list().items // returns a list of 'Pod' resources in the 'default' namespace
kw.k8s.apiVersion('v1').kind('Pod').list().items // returns a list of 'Pod' resources in all namespaces
kw.k8s.apiVersion('v1').kind('Pod').labelSelector('app=nginx').list().items // returns a list of 'Pod' resources in all namespaces with the label selector 'app=nginx'
kw.k8s.apiVersion('v1').kind('Pod').fieldSelector('status.phase=Running').namespace('default').list().items // returns a list of running 'Pod' resources in the default namespace with the field selector 'status.phase=Running'

get

Returns a Kubernetes resource matching the provided name. If a resource is namespaced, the namespace should be set using the namespace method.

<Client>.get(<string>) <object>

Examples:

kw.k8s.apiVersion('v1').kind('Pod').namespace('default').get('nginx') // returns the 'Pod' resource with the name 'nginx' in the 'default' namespace
kw.k8s.apiVersion('v1').kind('Pod').get('nginx') // error, 'Pod' resources are namespaced and the namespace must be set
kw.k8s.apiVersion('v1').kind('Namespace').get('default') // returns the 'Namespace' resource with the name 'default'
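As an added example (not code from the package or the Kubewarden project), a ClusterAdmissionPolicy for the cel-policy module that makes the admission of a LoadBalancer Service depend on cluster state through `get()` on a cluster-scoped kind and `list()` on a namespaced one; the manifest layout follows Kubewarden's cel-policy conventions, and the namespace label name and the limit of 2 are assumed values.

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: loadbalancer-services-need-namespace-opt-in
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  mutating: false
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["services"]
      operations: ["CREATE", "UPDATE"]
  # kw.k8s can only read the kinds listed here, so grant exactly what the expressions need.
  contextAwareResources:
    - apiVersion: v1
      kind: Namespace
    - apiVersion: v1
      kind: Service
  settings:
    variables:
      - name: isLB
        expression: "has(object.spec.type) && object.spec.type == 'LoadBalancer'"
      # Namespace is cluster-scoped, so get() is called without namespace().
      - name: ns
        expression: "kw.k8s.apiVersion('v1').kind('Namespace').get(object.metadata.namespace)"
      # A Namespace without labels has no 'labels' field at all; fall back to an empty map.
      - name: nsLabels
        expression: "has(variables.ns.metadata.labels) ? variables.ns.metadata.labels : {}"
      # Services are namespaced, so namespace() is required before list(). On UPDATE the
      # object being modified is already in the cluster, hence the exclusion by name.
      - name: otherLBs
        expression: >-
          kw.k8s.apiVersion('v1').kind('Service').namespace(object.metadata.namespace)
          .fieldSelector('spec.type=LoadBalancer').list().items
          .filter(s, s.metadata.name != object.metadata.name)
    validations:
      # Check key presence before indexing: a missing label must deny, not raise an error.
      - expression: >-
          !variables.isLB
          || ('network.example.com/allow-loadbalancer' in variables.nsLabels
              && variables.nsLabels['network.example.com/allow-loadbalancer'] == 'true')
        message: "LoadBalancer Services need the namespace label network.example.com/allow-loadbalancer=true"
      - expression: "!variables.isLB || variables.otherLBs.size() < 2"
        message: "at most 2 LoadBalancer Services are allowed per namespace"
```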

func Net

func Net() cel.EnvOption

Net provides a CEL function library extension to interact with Kubewarden's network capabilities.

lookupHost

Returns a list of IP addresses resolved from the provided hostname.

kw.net.lookupHost(<string>) <list<string>>

Examples:

kw.net.lookupHost('example.com') // returns a list of IP addresses associated with 'example.com'

func OCI

func OCI() cel.EnvOption

OCI provides a CEL function library extension for retrieving the manifest of a given image.

image

Returns an OCI client object that can be used to retrieve the manifest of the provided image.

kw.oci.image(<string>) <OCIClient>

Examples:

kw.oci.image('image:latest') // returns an OCIClient for the 'image:latest' image

manifest

Returns the manifest of the image. The returned value depends on the given image: it is either an OCI image manifest or an OCI index image manifest. See more at: https://github.com/opencontainers/image-spec/blob/main/manifest.md and https://github.com/opencontainers/image-spec/blob/main/image-index.md. If the response is an OCI index image manifest, the `image` field will be nil. If the response is an OCI image manifest, the `index` field will be nil.

<OCIClient>.manifest() <DynamicMap>

Examples:

kw.oci.image('image:latest').manifest().index // returns the index manifest, the image field is nil

or

kw.oci.image('image:latest').manifest().image // returns the image manifest, the index field is nil

manifestDigest

Returns the digest of the image manifest.

<OCIClient>.manifestDigest() <string>

Examples:

kw.oci.image('image:latest').manifestDigest() // returns the digest of the image manifest

manifestConfig

Returns the manifest, digest and image configuration of the OCI image. See more information about the fields available in the manifest and the image configuration at: https://github.com/opencontainers/image-spec/blob/main/manifest.md and https://github.com/opencontainers/image-spec/blob/main/config.md

<OCIClient>.manifestConfig() <DynamicMap>

Examples:

kw.oci.image('image:latest').manifestConfig().manifest // returns the image manifest
kw.oci.image('image:latest').manifestConfig().config // returns the image configuration
kw.oci.image('image:latest').manifestConfig().digest // returns the image digest

func Sigstore

func Sigstore() cel.EnvOption

Sigstore provides a CEL function library extension for verifying sigstore signatures of an image.

image

Returns a verifier builder object that can be used to build a specific verifier.

kw.sigstore.image(<string>) <VerifierBuilder>

Examples:

kw.sigstore.image('image:latest') // returns a verifier builder for the 'image:latest' image

annotation

Adds an annotation to the verifier builder.

<VerifierBuilder>.annotation(<string>, <string>) <VerifierBuilder>

Examples:

kw.sigstore.image('image:latest').annotation('foo', 'bar').annotation('baz', 'qux') // returns a verifier builder with the annotations 'foo'='bar' and 'baz'='qux'

pubKey

Builds a verifier that verifies the signature of an image using a set of public keys.

<VerifierBuilder>.pubKey(<string>) <PubKeysVerifier>
<PubKeysVerifier>.pubKey(<string>) <PubKeysVerifier>

Examples:

kw.sigstore.image('image:latest').pubKey('pubkey1').pubKey('pubkey2') // returns a verifier that verifies the signature of the 'image:latest' image using the public keys 'pubkey1' and 'pubkey2'

keyless

Builds a verifier that verifies the signature of an image using keyless signing. The first argument is the issuer and the second argument is the subject.

<VerifierBuilder>.keyless(<string>, <string>) <KeylessVerifier>
<KeylessVerifier>.keyless(<string>, <string>) <KeylessVerifier>

Examples:

kw.sigstore.image('image:latest').keyless('issuer1', 'subject1').keyless('issuer2', 'subject2') // returns a verifier that verifies the signature of the 'image:latest' image using keyless signing with the keyless info 'issuer1'='subject1' and 'issuer2'='subject2'

keylessPrefix

Builds a verifier that verifies the signature of an image using keyless signing. The first argument is the issuer and the second argument is a subject given as a URL prefix. The provided subject is sanitized to ensure it is a valid URL prefix and to prevent typosquatting. The signature is satisfied only if the subject is a prefix of the signature subject.

<VerifierBuilder>.keylessPrefix(<string>, <string>) <KeylessPrefixVerifier>
<KeylessPrefixVerifier>.keylessPrefix(<string>, <string>) <KeylessPrefixVerifier>

Examples:

kw.sigstore.image('image:latest').keylessPrefix('issuer1', 'https://example.com/').keylessPrefix('issuer2', 'https://example.org/') // returns a verifier that verifies the signature of the 'image:latest' image using keyless signing with the keyless prefix info 'issuer1'='https://example.com/' and 'issuer2'='https://example.org/'

githubAction

Builds a verifier that verifies sigstore signatures of an image using keyless signatures made via GitHub Actions. The first argument is the owner and the second argument is the repo (optional).

<VerifierBuilder>.githubAction(<string>, <string>) <GitHubActionVerifier>
<VerifierBuilder>.githubAction(<string>) <GitHubActionVerifier>

Examples:

kw.sigstore.image('image:latest').githubAction('owner1', 'repo1') // returns a verifier that verifies sigstore signatures of the 'image:latest' image using keyless signatures made via GitHub Actions with the owner 'owner1' and the repo 'repo1'

certificate

Builds a verifier that verifies sigstore signatures of an image using a user provided certificate. The certificate must be in PEM format.

<VerifierBuilder>.certificate(<string>) <CertificateVerifier>

Examples:

kw.sigstore.image('image:latest').certificate('certificate') // returns a verifier that verifies sigstore signatures of the 'image:latest' image using the provided certificate

certificateChain

Adds a certificate to the certificate verifier's chain. The certificate must be in PEM format.

<CertificateVerifier>.certificateChain(<string>) <CertificateVerifier>

Examples:

kw.sigstore.image('image:latest').certificate('certificate').certificateChain('certificate1').certificateChain('certificate2') // returns a verifier that verifies sigstore signatures of the 'image:latest' image using the provided certificate and the certificate chain 'certificate1' and 'certificate2'

requireRekorBundle

Sets whether the certificate verifier requires a Rekor bundle to be present in the signature. Having a Rekor bundle allows further checks to be performed, e.g. ensuring the signature has been produced during the validity time frame of the cert. It is recommended to set this to `true`.

<CertificateVerifier>.requireRekorBundle(<bool>) <CertificateVerifier>

Examples:

kw.sigstore.image('image:latest').certificate('certificate').requireRekorBundle(true) // returns a verifier that verifies sigstore signatures of the 'image:latest' image using the provided certificate and requires a Rekor bundle to be present in the signature

verify

Verifies the signature of an image using the verifier. Returns a Response object with the methods `isTrusted()` and `digest()` to check the trust of the signature and get the digest of the image respectively.

<PubKeysVerifier>.verify() <Response>
<KeylessVerifier>.verify() <Response>
<KeylessPrefixVerifier>.verify() <Response>
<GitHubActionVerifier>.verify() <Response>
<CertificateVerifier>.verify() <Response>

Examples:

kw.sigstore.image('image:latest').pubKey('pubkey').verify().isTrusted() // returns whether the signature of the 'image:latest' image using the public key 'pubkey' is trusted
kw.sigstore.image('image:latest').keyless('issuer', 'subject').verify().digest() // returns the digest of the 'image:latest' image using keyless signing with the keyless info 'issuer'='subject'
kw.sigstore.image('image:latest').keylessPrefix('issuer', 'https://example.com/').verify().isTrusted() // returns whether the signature of the 'image:latest' image using keyless signing with the keyless prefix info 'issuer'='https://example.com/' is trusted
kw.sigstore.image('image:latest').githubAction('owner', 'repo').verify().digest() // returns the digest of the 'image:latest' image using keyless signatures made via GitHub Actions with the owner 'owner' and the repo 'repo'
kw.sigstore.image('image:latest').certificate('certificate').certificateChain('certificate1').verify().isTrusted() // returns whether the signature of the 'image:latest' image using the provided certificate is trusted
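As an added example (not code from the package or the Kubewarden project) covering both the OCI and the Sigstore functions above, a ClusterAdmissionPolicy for the cel-policy module that admits a Pod only if every container image carries a keyless GitHub Actions signature from one organisation and its OCI image configuration declares a non-root user; the manifest layout follows Kubewarden's cel-policy conventions, and the organisation name `example-org`, the `env=prod` annotation and the list of rejected users are assumed values.

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: signed-non-root-images
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  mutating: false
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE"]
  settings:
    variables:
      # Init containers run with the same privileges, so they are checked as well.
      - name: images
        expression: >-
          (object.spec.containers
           + (has(object.spec.initContainers) ? object.spec.initContainers : []))
          .map(c, c.image)
      # manifestConfig().config is the OCI image configuration; its nested 'config'
      # object carries the USER the runtime applies when the Pod sets no runAsUser.
      - name: imageConfigs
        expression: "variables.images.map(img, kw.oci.image(img).manifestConfig().config)"
    validations:
      # githubAction(owner) without a repo accepts any repository of the organisation;
      # pass the repo as second argument when one workflow is the only legitimate signer.
      # annotation() additionally requires env=prod to be present in the signature.
      - expression: >-
          variables.images.all(img,
            kw.sigstore.image(img).githubAction('example-org')
            .annotation('env', 'prod').verify().isTrusted())
        message: "every image must be signed via GitHub Actions of example-org with annotation env=prod"
      # A missing USER means root; so do the explicit root spellings listed here.
      - expression: >-
          variables.imageConfigs.all(cfg,
            has(cfg.config.User)
            && !(cfg.config.User in ['', 'root', '0', 'root:root', '0:0']))
        message: "every image must set a non-root USER in its OCI configuration"
```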

Types

This section is empty.
