feat: add improved registry enforcement

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>

Author: oliverbaehler

api/v1beta2/rule_status_type.go

@@ -33,11 +33,8 @@ type RuleStatusStatus struct {
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Ready Status"
 // +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].message",description="Ready Message"
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
 type RuleStatus struct {
-	metav1.TypeMeta `json:",inline"`
-
-	// +optional
+	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitzero"`
 
 	// +optional

charts/capsule/crds/capsule.clastix.io_rulestatuses.yaml

@@ -23,10 +23,6 @@ spec:
       jsonPath: .status.conditions[?(@.type=="Ready")].message
       name: Message
       type: string
-    - description: Age
-      jsonPath: .metadata.creationTimestamp
-      name: Age
-      type: date
     name: v1beta2
     schema:
       openAPIV3Schema:
@@ -308,6 +304,8 @@ spec:
             required:
             - conditions
             type: object
+        required:
+        - metadata
         type: object
     served: true
     storage: true

e2e/rules_registry_test.go

@@ -122,6 +122,11 @@ var _ = Describe("enforcing container registry namespace rules", Ordered, Label(
 						},
 					},
 					{
+						NamespaceSelector: &metav1.LabelSelector{
+							MatchLabels: map[string]string{
+								"negate": "true",
+							},
+						},
 						NamespaceRuleBodyNamespace: rules.NamespaceRuleBodyNamespace{
 							Enforce: rules.NamespaceRuleEnforceBody{
 								Action: rules.ActionTypeDeny,
@@ -138,11 +143,6 @@ var _ = Describe("enforcing container registry namespace rules", Ordered, Label(
 								},
 							},
 						},
-						NamespaceSelector: &metav1.LabelSelector{
-							MatchLabels: map[string]string{
-								"negate": "true",
-							},
-						},
 					},
 				},
 			},
@@ -370,6 +370,36 @@ var _ = Describe("enforcing container registry namespace rules", Ordered, Label(
 		})
 	})
 
+	It("stores namespace-selector matched negated regex rules as independent status rule blocks", func() {
+		ns := NewNamespace("", map[string]string{
+			"negate":         "true",
+			meta.TenantLabel: tnt.GetName(),
+		})
+
+		NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
+		NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())
+
+		expectNamespaceStatusRules(ns.GetName(), []expectedStatusRule{
+			{
+				action:      rules.ActionTypeAllow,
+				expressions: []string{"harbor/.*"},
+			},
+			{
+				action:      rules.ActionTypeDeny,
+				expressions: []string{"harbor/customer/.*"},
+			},
+			{
+				action:      rules.ActionTypeAudit,
+				expressions: []string{"audit/.*"},
+			},
+			{
+				action:      rules.ActionTypeDeny,
+				expressions: []string{"trusted/.*"},
+				negated:     []bool{true},
+			},
+		})
+	})
+
 	It("allows a broad matching allow rule", func() {
 		ns := NewNamespace("", map[string]string{
 			meta.TenantLabel: tnt.GetName(),
@@ -472,6 +502,29 @@ var _ = Describe("enforcing container registry namespace rules", Ordered, Label(
 		)
 	})
 
+	It("applies negated regex rules using the nested regex expression", func() {
+		ns := NewNamespace("", map[string]string{
+			"negate":         "true",
+			meta.TenantLabel: tnt.GetName(),
+		})
+
+		cs := ownerClient(tnt.Spec.Owners[0].UserSpec)
+
+		NamespaceCreation(ns, tnt.Spec.Owners[0].UserSpec, defaultTimeoutInterval).Should(Succeed())
+		NamespaceIsPartOfTenant(tnt, ns).Should(Succeed())
+
+		allowed := restrictedPod("negate-trusted-allowed", "trusted/team/app:1", corev1.PullIfNotPresent)
+		createPodAndExpectAllowed(cs, ns.Name, allowed)
+
+		denied := restrictedPod("negate-untrusted-denied", "untrusted/team/app:1", corev1.PullIfNotPresent)
+		createPodAndExpectDenied(cs, ns.Name, denied,
+			"containers[0]",
+			"untrusted/team/app:1",
+			"denied",
+			"trusted/.*",
+		)
+	})
+
 	It("evaluates init containers with the same multi-rule action semantics", func() {
 		ns := NewNamespace("", map[string]string{
 			meta.TenantLabel: tnt.GetName(),

hack/distro/capsule/example-setup/tenants.yaml

@@ -93,15 +93,12 @@ spec:
         action: "deny"
         registries:
         - url: "harbor/.*"
-
     - enforce:
         action: "allow"
         registries:
         - url: "harbor/customer/.*"
           policy:
           - "Never"
-
-
     - namespaceSelector:
         matchExpressions:
           - key: env

internal/cache/registries.go

@@ -113,9 +113,13 @@ func (c *RegistryRuleSetCache) GetOrBuild(specRules []rules.OCIRegistry) (rs *Ru
 	return built, false, nil
 }
 
+// Match matches a reference against target, regex and pullPolicy.
+// Admission deny/allow/audit evaluation should usually use MatchReference instead,
+// because it needs to distinguish "regex matched but pullPolicy is forbidden" from
+// "regex did not match".
 func (c *RegistryRuleSetCache) Match(
 	specRules []rules.OCIRegistry,
-	image string,
+	reference string,
 	pullPolicy corev1.PullPolicy,
 	target rules.RegistryValidationTarget,
 ) (*CompiledRule, error) {
@@ -128,12 +132,13 @@ func (c *RegistryRuleSetCache) Match(
 		return nil, nil
 	}
 
-	return c.MatchRuleSet(rs, image, pullPolicy, target)
+	return c.MatchRuleSet(rs, reference, pullPolicy, target)
 }
 
+// MatchRuleSet matches a reference against target, regex and pullPolicy.
 func (c *RegistryRuleSetCache) MatchRuleSet(
 	rs *RuleSet,
-	image string,
+	reference string,
 	pullPolicy corev1.PullPolicy,
 	target rules.RegistryValidationTarget,
 ) (*CompiledRule, error) {
@@ -165,7 +170,46 @@ func (c *RegistryRuleSetCache) MatchRuleSet(
 			return nil, err
 		}
 
-		if compiled.MatchString(image) {
+		if compiled.MatchString(reference) {
+			return rule, nil
+		}
+	}
+
+	return nil, nil
+}
+
+// MatchReference matches a reference against target and regex only.
+// It intentionally does not check pullPolicy.
+func (c *RegistryRuleSetCache) MatchReference(
+	rs *RuleSet,
+	reference string,
+	target rules.RegistryValidationTarget,
+) (*CompiledRule, error) {
+	if c == nil {
+		return nil, fmt.Errorf("registry rule set cache is nil")
+	}
+
+	if c.regexCache == nil {
+		return nil, fmt.Errorf("regex cache is nil")
+	}
+
+	if rs == nil {
+		return nil, nil
+	}
+
+	for i := range rs.Compiled {
+		rule := &rs.Compiled[i]
+
+		if !rule.MatchesTarget(target) {
+			continue
+		}
+
+		compiled, _, err := c.regexCache.GetOrCompile(rule.Expression)
+		if err != nil {
+			return nil, err
+		}
+
+		if compiled.MatchString(reference) {
 			return rule, nil
 		}
 	}
@@ -174,6 +218,10 @@ func (c *RegistryRuleSetCache) MatchRuleSet(
 }
 
 func (c *RegistryRuleSetCache) Stats() int {
+	if c == nil {
+		return 0
+	}
+
 	c.mu.RLock()
 	defer c.mu.RUnlock()
 
@@ -182,6 +230,10 @@ func (c *RegistryRuleSetCache) Stats() int {
 
 // activeIDs: set of ids currently referenced by RuleStatus in cluster.
 func (c *RegistryRuleSetCache) PruneActive(activeIDs map[string]struct{}) int {
+	if c == nil {
+		return 0
+	}
+
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
@@ -267,6 +319,10 @@ func (c *RegistryRuleSetCache) HashRules(specRules []rules.OCIRegistry) string {
 
 // Has is useful in tests and debugging.
 func (c *RegistryRuleSetCache) Has(id string) bool {
+	if c == nil {
+		return false
+	}
+
 	c.mu.RLock()
 	defer c.mu.RUnlock()
 
@@ -276,47 +332,14 @@ func (c *RegistryRuleSetCache) Has(id string) bool {
 }
 
 func (c *RegistryRuleSetCache) Reset() {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	c.rs = make(map[string]*RuleSet)
-}
-
-func (c *RegistryRuleSetCache) MatchReference(
-	rs *RuleSet,
-	reference string,
-	target rules.RegistryValidationTarget,
-) (*CompiledRule, error) {
 	if c == nil {
-		return nil, fmt.Errorf("registry rule set cache is nil")
+		return
 	}
 
-	if c.regexCache == nil {
-		return nil, fmt.Errorf("regex cache is nil")
-	}
-
-	if rs == nil {
-		return nil, nil
-	}
-
-	for i := range rs.Compiled {
-		rule := &rs.Compiled[i]
-
-		if !rule.MatchesTarget(target) {
-			continue
-		}
-
-		compiled, _, err := c.regexCache.GetOrCompile(rule.Expression)
-		if err != nil {
-			return nil, err
-		}
-
-		if compiled.MatchString(reference) {
-			return rule, nil
-		}
-	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
 
-	return nil, nil
+	c.rs = make(map[string]*RuleSet)
 }
 
 // InsertForTest can be behind a build tag if you prefer, but it is fine to keep simple.

pkg/api/registry.go

@@ -0,0 +1,36 @@
+// Copyright 2020-2026 Project Capsule Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import corev1 "k8s.io/api/core/v1"
+
+// +kubebuilder:validation:Enum=Always;Never;IfNotPresent
+type ImagePullPolicySpec string
+
+func (i ImagePullPolicySpec) String() string {
+	return string(i)
+}
+
+// +kubebuilder:validation:Enum=pod/images;pod/volumes
+type RegistryValidationTarget string
+
+const (
+	ValidateImages  RegistryValidationTarget = "pod/images"
+	ValidateVolumes RegistryValidationTarget = "pod/volumes"
+)
+
+// +kubebuilder:object:generate=true
+type OCIRegistry struct {
+	// OCI Registry endpoint, is treated as regular expression.
+	Registry string `json:"url,omitzero"`
+
+	// Allowed PullPolicy for the given registry. Supplying no value allows all policies.
+	// +optional
+	// +kubebuilder:validation:Items:Enum=Always;Never;IfNotPresent
+	Policy []corev1.PullPolicy `json:"policy,omitempty"`
+
+	// Requesting Resources
+	//+kubebuilder:default:={pod/images,pod/volumes}
+	Validation []RegistryValidationTarget `json:"validation,omitempty"`
+}