K8s manifest attestor #420

Open

wants to merge 6 commits into main
Conversation

@colek42 (Member) commented Jan 26, 2025

MERGE #408 first.

Only review the code in the k8smanifest dir.

What this PR does / why we need it

This PR introduces a brand-new Kubernetes manifest attestor (k8smanifest) to Witness. It enables Witness users to attest Kubernetes manifests (YAML or JSON) by:

  1. Collecting and Splitting multi-document YAML or JSON arrays into separate documents.
  2. Applying (optional) Server-Side Dry-Run via kubectl to capture defaulted fields the server would inject.
  3. Removing Ephemeral Fields (uid, status, etc.) and ephemeral annotations to ensure reproducible digests.
  4. Canonicalizing the remaining content into stable JSON with jsoncanonicalizer.Transform, and
  5. Computing Digests to serve as attestation subjects.

Key Features & Benefits

  • Multi-Doc Handling: Supports multiple Kubernetes objects in a single file (e.g., multi-doc YAML or JSON arrays).
  • Ephemeral-Field Removal: Strips fields such as metadata.uid, metadata.resourceVersion, and status—ensuring that transient data doesn't alter the final digests.
  • Optional Dry-Run: If --server-side-dry-run is used, kubectl apply --dry-run=server normalizes resources with server defaults.
  • Flexible Ignoring: Allows users to specify additional fields and annotations to ignore.
  • Thorough Testing: Includes tests for both YAML and JSON documents, multi-doc scenarios, ephemeral fields, and server-side dry-run.

Which issue(s) this PR fixes (optional)

(Optional: if there's a related issue, link it here using fixes #<issue_number> so that merging this PR closes it.)

Acceptance Criteria Met

  • Docs changes if needed (usage, CLI flags, etc.)
  • Testing changes if needed (new test coverage for multi-doc and ephemeral removal)
  • All workflow checks passing (automatically enforced)
  • All review conversations resolved (automatically enforced)
  • [DCO Sign-off](https://github.com/apps/dco)

Special notes for your reviewer:

  • Since this attestor did not exist prior to this PR, all code in k8smanifest/ is net-new.
  • The design closely parallels the “structureddata” attestor, to provide a consistent experience in how Witness handles JSON/YAML data plus canonicalization.
  • Please review the tests to see how multiple objects in a single file are handled, ephemeral fields are removed, and server-side defaults can be captured.
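The five steps in the PR description, as an added Go example written for this page (not code from the Witness k8smanifest attestor): split a manifest into documents, strip ephemeral fields and annotations, canonicalize, and digest each document into a subject. It assumes JSON input only, because the standard library has no YAML parser; it skips the optional kubectl server-side dry-run, which needs a cluster; it stands in for jsoncanonicalizer.Transform with encoding/json's sorted-key output; and the ignore lists and the "Kind/namespace/name" subject naming are my assumptions, not the attestor's defaults. The two sample manifests are constructed: the "dirty" copy carries the fields a dry-run would inject, the "clean" copy is what a developer would commit, and the point is that both produce identical digests.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Subject is one attestation subject: "Kind/namespace/name" plus the hex SHA-256 of the
// canonical bytes. That naming and the ignore lists below are assumptions for this example.
type Subject struct{ Name, SHA256 string }
var DefaultIgnoreFields = []string{"metadata.uid", "metadata.resourceVersion", "metadata.managedFields", "status"}
var DefaultIgnoreAnnotations = []string{"kubectl.kubernetes.io/last-applied-configuration"}

// splitDocuments accepts one object or an array of objects (the JSON analogue of multi-doc YAML).
func splitDocuments(data []byte) ([]map[string]any, error) {
	var v any
	if err := json.Unmarshal(data, &v); err != nil {
		return nil, err
	}
	items, ok := v.([]any)
	if !ok {
		items = []any{v} // a single document
	}
	var docs []map[string]any
	for _, e := range items {
		obj, ok := e.(map[string]any)
		if !ok {
			return nil, fmt.Errorf("document is not a JSON object: %T", e)
		}
		docs = append(docs, obj)
	}
	return docs, nil
}

// stripEphemeral deletes the dotted-path fields and the annotations in place; an emptied annotations map is dropped too so it cannot leak into the digest.
func stripEphemeral(obj map[string]any, fields, annotations []string) {
	for _, f := range fields {
		parts, cur := strings.Split(f, "."), obj
		for _, p := range parts[:len(parts)-1] {
			if cur, _ = cur[p].(map[string]any); cur == nil {
				break // parent missing; delete on a nil map is a no-op
			}
		}
		delete(cur, parts[len(parts)-1])
	}
	md, _ := obj["metadata"].(map[string]any)
	if ann, ok := md["annotations"].(map[string]any); ok {
		for _, a := range annotations {
			delete(ann, a)
		}
		if len(ann) == 0 {
			delete(md, "annotations")
		}
	}
}

// AttestManifest runs split -> strip -> canonicalize -> digest over one manifest file. Canonicalization here
// approximates RFC 8785 with the standard library (sorted keys, no whitespace, HTML escaping off); the attestor uses jsoncanonicalizer.Transform.
func AttestManifest(data []byte, fields, annotations []string) ([]Subject, error) {
	docs, err := splitDocuments(data)
	if err != nil {
		return nil, err
	}
	var subjects []Subject
	for _, doc := range docs {
		stripEphemeral(doc, fields, annotations)
		var buf bytes.Buffer
		enc := json.NewEncoder(&buf)
		enc.SetEscapeHTML(false)
		if err := enc.Encode(doc); err != nil {
			return nil, err
		}
		sum := sha256.Sum256(bytes.TrimSuffix(buf.Bytes(), []byte("\n")))
		md, _ := doc["metadata"].(map[string]any)
		subjects = append(subjects, Subject{fmt.Sprintf("%v/%v/%v", doc["kind"], md["namespace"], md["name"]), hex.EncodeToString(sum[:])})
	}
	return subjects, nil
}

// Constructed sample input, not real cluster data: the same two objects as a server-side
// dry-run might return them and as the developer wrote them. Both must digest identically.
const SampleDirty = `[{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"web","namespace":"prod","uid":"0a1b2c3d-0000-4000-8000-000000000001","resourceVersion":"8812","annotations":{"team":"platform","kubectl.kubernetes.io/last-applied-configuration":"{}"}},"spec":{"replicas":2,"containers":[{"name":"web","image":"ghcr.io/example/web:1.4.2"}]},"status":{"readyReplicas":2}},
{"apiVersion":"v1","kind":"Service","metadata":{"name":"web","namespace":"prod","uid":"0a1b2c3d-0000-4000-8000-000000000002"},"spec":{"selector":{"app":"web"},"ports":[{"port":80}]}}]`
const SampleClean = `[{"kind":"Deployment","apiVersion":"apps/v1","metadata":{"namespace":"prod","name":"web","annotations":{"team":"platform"}},"spec":{"containers":[{"image":"ghcr.io/example/web:1.4.2","name":"web"}],"replicas":2}},
{"kind":"Service","apiVersion":"v1","metadata":{"namespace":"prod","name":"web"},"spec":{"ports":[{"port":80}],"selector":{"app":"web"}}}]`

func main() {
	for _, in := range []string{SampleDirty, SampleClean} {
		subs, err := AttestManifest([]byte(in), DefaultIgnoreFields, DefaultIgnoreAnnotations)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", subs) // both inputs print the same subjects
	}
}
```

The emptied annotations map is dropped rather than left as `{}` because the clean manifest never had the key at all, and a surviving `"annotations":{}` would change the digest; the same care applies to any ignore rule that can leave an empty container behind, and to the dry-run output, which is only useful as a subject if every server-injected field is on the ignore list.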

Cole Kennedy added 5 commits January 21, 2025 09:46
-supports attestations on json/multi doc yaml
-canonicalizes data
-adds canonicalization library to internal
-adds a console logger used to debug tests
@colek42 changed the title from "K8s manifest a" to "K8s manifest attestor" on Jan 26, 2025

@ChaosInTheCRD (Collaborator) commented

Mentioned this async, but I'd still be pretty keen to integrate some of the container image reference finding capability from https://github.com/chaosinthecrd/dexter into this attestor. Would be pretty nice to know which images were involved in said YAML, add them to the subjects, etc.

@colek42 (Member, Author) commented Jan 27, 2025

> Mentioned this async, but I'd still be pretty keen to integrate some of the container image reference finding capability from https://github.com/chaosinthecrd/dexter into this attestor. Would be pretty nice to know which images were involved in said YAML, add them to the subjects, etc.

That is a great idea.
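The image-reference idea raised in the thread, as an added Go example written for this page (not dexter's code and not part of this PR): walk a decoded Kubernetes object, collect the image references from its container lists, and return them deduplicated and sorted so they can be appended to the attestation subjects alongside the manifest digests. Restricting the walk to `containers`, `initContainers` and `ephemeralContainers` is my choice, made so that unrelated keys named `image` (for example in ConfigMap data) are not mistaken for references; the sample Deployment is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// containerListKeys are the fields whose entries are container specs in the core
// workload kinds. Limiting the walk to these keys avoids picking up unrelated "image"
// keys elsewhere in an object. The list is an assumption for this example.
var containerListKeys = map[string]bool{"containers": true, "initContainers": true, "ephemeralContainers": true}

// ImageRefs walks a decoded object (any nesting: Pod, Deployment, CronJob, ...) and returns
// the distinct image references found in container specs, sorted for stable subject order.
func ImageRefs(obj any) []string {
	seen := map[string]bool{}
	var walk func(v any)
	walk = func(v any) {
		switch t := v.(type) {
		case map[string]any:
			for k, child := range t {
				if list, ok := child.([]any); ok && containerListKeys[k] {
					for _, c := range list {
						if m, ok := c.(map[string]any); ok {
							if img, ok := m["image"].(string); ok && img != "" {
								seen[img] = true
							}
						}
					}
				}
				walk(child) // keep descending: pod templates sit several levels down
			}
		case []any:
			for _, e := range t {
				walk(e)
			}
		}
	}
	walk(obj)
	refs := make([]string, 0, len(seen))
	for r := range seen {
		refs = append(refs, r)
	}
	sort.Strings(refs)
	return refs
}

// ImageRefsFromJSON decodes a single JSON document and extracts its image references.
func ImageRefsFromJSON(data []byte) ([]string, error) {
	var v any
	if err := json.Unmarshal(data, &v); err != nil {
		return nil, err
	}
	return ImageRefs(v), nil
}

// Constructed sample: a Deployment whose init container reuses one of the app images,
// so the result must contain each reference once.
const SampleDeployment = `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"web"},
"spec":{"template":{"spec":{
 "initContainers":[{"name":"migrate","image":"ghcr.io/example/web:1.4.2"}],
 "containers":[{"name":"web","image":"ghcr.io/example/web:1.4.2"},
               {"name":"proxy","image":"docker.io/library/nginx:1.27"}]}}}}`

func main() {
	refs, err := ImageRefsFromJSON([]byte(SampleDeployment))
	if err != nil {
		panic(err)
	}
	for _, r := range refs {
		fmt.Println("image subject:", r)
	}
}
```

Tag-based references like the ones above identify an image only loosely; when the walk finds a reference without a digest, the practical follow-up is to resolve it to its `@sha256:` form before recording it as a subject, otherwise the attestation binds to whatever the tag points at later.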
