2022-08-31 04:22:46 +00:00
|
|
|
.DEFAULT_GOAL: build-all
|
2019-05-29 21:44:21 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
############
|
|
|
|
# DEFAULTS #
|
|
|
|
############
|
|
|
|
|
|
|
|
# Version string for release builds (BuildVersion ldflag, default IMAGE_TAG).
# NOTE(review): "$(git rev-list --tags --max-count=1)" is a *make* variable
# reference (to a variable that is never set), not a shell substitution, so it
# expands to nothing and the command that actually runs is
# `git describe --match "v[0-9]*" --tags`, i.e. a description of HEAD.
# That is arguably the safer behaviour: describing the latest tag instead would
# reuse an already-published release tag for any later commit. Left as is; if
# the substitution was intended it needs "$$(...)" inside $(shell ...).
GIT_VERSION := $(shell git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))
|
|
|
|
GIT_VERSION_DEV := $(shell git describe --match "[0-9].[0-9]-dev*")
|
|
|
|
GIT_BRANCH := $(shell git branch | grep \* | cut -d ' ' -f2)
|
|
|
|
GIT_HASH := $(GIT_BRANCH)/$(shell git log -1 --pretty=format:"%H")
|
|
|
|
TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p')
|
|
|
|
VERSION ?= $(shell git describe --match "v[0-9]*")
|
|
|
|
REGISTRY ?= ghcr.io
|
|
|
|
REPO = $(REGISTRY)/kyverno
|
|
|
|
IMAGE_TAG_LATEST_DEV = $(shell git describe --match "[0-9].[0-9]-dev*" | cut -d '-' -f-2)
|
|
|
|
IMAGE_TAG_DEV = $(GIT_VERSION_DEV)
|
|
|
|
IMAGE_TAG ?= $(GIT_VERSION)
|
|
|
|
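# Kubernetes server version of the current kubectl context (e.g. "1.24.0").
# Evaluated once with ":=" behind an origin check, which keeps the "?="
# contract (an environment or command-line value still wins). The plain
# "?=" form is a recursive variable, and because K8S_VERSION is exported
# further down, make re-expanded it -- re-running `kubectl version`, an
# API-server round-trip -- every time it built a recipe shell's environment.
ifeq ($(origin K8S_VERSION),undefined)
K8S_VERSION := $(shell kubectl version --short | grep -i server | cut -d" " -f3 | cut -c2-)
endif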
|
|
|
|
TEST_GIT_BRANCH ?= main
|
|
|
|
KIND_IMAGE ?= kindest/node:v1.24.0
|
2022-08-31 08:06:12 +00:00
|
|
|
KIND_NAME ?= kind
|
2022-08-31 04:22:46 +00:00
|
|
|
GOOS ?= $(shell go env GOOS)
|
|
|
|
GOARCH ?= $(shell go env GOARCH)
|
2022-03-07 09:43:36 +00:00
|
|
|
|
2022-02-23 15:52:08 +00:00
|
|
|
export K8S_VERSION
|
2022-03-25 16:08:38 +00:00
|
|
|
|
2022-08-25 16:59:24 +00:00
|
|
|
#########
|
|
|
|
# TOOLS #
|
|
|
|
#########
|
|
|
|
|
|
|
|
TOOLS_DIR := $(PWD)/.tools
|
|
|
|
KIND := $(TOOLS_DIR)/kind
|
|
|
|
KIND_VERSION := v0.14.0
|
|
|
|
CONTROLLER_GEN := $(TOOLS_DIR)/controller-gen
|
|
|
|
CONTROLLER_GEN_VERSION := v0.9.1-0.20220629131006-1878064c4cdf
|
|
|
|
GEN_CRD_API_REFERENCE_DOCS := $(TOOLS_DIR)/gen-crd-api-reference-docs
|
|
|
|
# NOTE(review): "latest" (here and for GO_ACC_VERSION, KUSTOMIZE_VERSION and
# GOIMPORTS_VERSION below) makes `go install` resolve the module version at
# install time, so the toolchain is not reproducible and a breaking or
# compromised upstream release is picked up silently by every fresh checkout.
# Pin these to a tagged version, as KIND/CONTROLLER_GEN/HELM_DOCS/KO already are.
GEN_CRD_API_REFERENCE_DOCS_VERSION := latest
|
|
|
|
GO_ACC := $(TOOLS_DIR)/go-acc
|
|
|
|
GO_ACC_VERSION := latest
|
|
|
|
KUSTOMIZE := $(TOOLS_DIR)/kustomize
|
|
|
|
KUSTOMIZE_VERSION := latest
|
|
|
|
GOIMPORTS := $(TOOLS_DIR)/goimports
|
|
|
|
GOIMPORTS_VERSION := latest
|
|
|
|
HELM_DOCS := $(TOOLS_DIR)/helm-docs
|
|
|
|
HELM_DOCS_VERSION := v1.6.0
|
|
|
|
KO := $(TOOLS_DIR)/ko
|
|
|
|
KO_VERSION := v0.12.0
|
|
|
|
TOOLS := $(KIND) $(CONTROLLER_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(KUSTOMIZE) $(GOIMPORTS) $(HELM_DOCS) $(KO)
|
2022-08-30 14:06:30 +00:00
|
|
|
ifeq ($(GOOS), darwin)
|
|
|
|
SED := gsed
|
|
|
|
else
|
|
|
|
SED := sed
|
|
|
|
endif
|
2022-08-25 16:59:24 +00:00
|
|
|
|
|
|
|
$(KIND):
|
|
|
|
@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kind@$(KIND_VERSION)
|
|
|
|
|
|
|
|
$(CONTROLLER_GEN):
|
|
|
|
@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION)
|
|
|
|
|
|
|
|
$(GEN_CRD_API_REFERENCE_DOCS):
|
|
|
|
@GOBIN=$(TOOLS_DIR) go install github.com/ahmetb/gen-crd-api-reference-docs@$(GEN_CRD_API_REFERENCE_DOCS_VERSION)
|
|
|
|
|
|
|
|
$(GO_ACC):
|
|
|
|
@GOBIN=$(TOOLS_DIR) go install github.com/ory/go-acc@$(GO_ACC_VERSION)
|
|
|
|
|
|
|
|
$(KUSTOMIZE):
|
|
|
|
@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kustomize/kustomize/v4@$(KUSTOMIZE_VERSION)
|
|
|
|
|
|
|
|
$(GOIMPORTS):
|
|
|
|
@GOBIN=$(TOOLS_DIR) go install golang.org/x/tools/cmd/goimports@$(GOIMPORTS_VERSION)
|
|
|
|
|
|
|
|
$(HELM_DOCS):
|
|
|
|
@GOBIN=$(TOOLS_DIR) go install github.com/norwoodj/helm-docs/cmd/helm-docs@$(HELM_DOCS_VERSION)
|
|
|
|
|
|
|
|
$(KO):
|
|
|
|
@GOBIN=$(TOOLS_DIR) go install github.com/google/ko@$(KO_VERSION)
|
|
|
|
|
|
|
|
.PHONY: install-tools
|
|
|
|
install-tools: $(TOOLS) ## Install tools
|
|
|
|
|
|
|
|
.PHONY: clean-tools
|
2022-08-30 15:30:28 +00:00
|
|
|
clean-tools: ## Remove installed tools
|
2022-08-25 16:59:24 +00:00
|
|
|
@rm -rf $(TOOLS_DIR)
|
|
|
|
|
2022-08-26 07:23:04 +00:00
|
|
|
#################
|
|
|
|
# BUILD (LOCAL) #
|
|
|
|
#################
|
|
|
|
|
|
|
|
CMD_DIR := ./cmd
|
|
|
|
KYVERNO_DIR := $(CMD_DIR)/kyverno
|
|
|
|
KYVERNOPRE_DIR := $(CMD_DIR)/initContainer
|
|
|
|
CLI_DIR := $(CMD_DIR)/cli/kubectl-kyverno
|
2022-08-30 15:30:28 +00:00
|
|
|
KYVERNO_BIN := $(KYVERNO_DIR)/kyverno
|
|
|
|
KYVERNOPRE_BIN := $(KYVERNOPRE_DIR)/kyvernopre
|
|
|
|
CLI_BIN := $(CLI_DIR)/kubectl-kyverno
|
2022-08-26 07:23:04 +00:00
|
|
|
PACKAGE ?= github.com/kyverno/kyverno
|
|
|
|
CGO_ENABLED ?= 0
|
|
|
|
LD_FLAGS = "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
|
|
|
|
LD_FLAGS_DEV = "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION_DEV) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
|
|
|
|
|
|
|
|
.PHONY: fmt
|
|
|
|
fmt: ## Run go fmt
|
2022-08-30 04:59:08 +00:00
|
|
|
@go fmt ./...
|
2022-08-26 07:23:04 +00:00
|
|
|
|
|
|
|
.PHONY: vet
|
|
|
|
vet: ## Run go vet
|
2022-08-30 04:59:08 +00:00
|
|
|
@go vet ./...
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
$(KYVERNO_BIN): fmt vet
|
|
|
|
@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) go build -o $(KYVERNO_BIN) -ldflags=$(LD_FLAGS) $(KYVERNO_DIR)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
$(KYVERNOPRE_BIN): fmt vet
|
|
|
|
@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) go build -o $(KYVERNOPRE_BIN) -ldflags=$(LD_FLAGS) $(KYVERNOPRE_DIR)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
$(CLI_BIN): fmt vet
|
|
|
|
@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) go build -o $(CLI_BIN) -ldflags=$(LD_FLAGS) $(CLI_DIR)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
|
|
|
.PHONY: build-kyverno
|
2022-08-30 15:30:28 +00:00
|
|
|
build-kyverno: $(KYVERNO_BIN) ## Build kyverno binary
|
2022-08-26 07:23:04 +00:00
|
|
|
|
|
|
|
.PHONY: build-kyvernopre
|
2022-08-30 15:30:28 +00:00
|
|
|
build-kyvernopre: $(KYVERNOPRE_BIN) ## Build kyvernopre binary
|
2022-08-26 07:23:04 +00:00
|
|
|
|
|
|
|
.PHONY: build-cli
|
2022-08-30 15:30:28 +00:00
|
|
|
build-cli: $(CLI_BIN) ## Build CLI binary
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
build-all: build-kyverno build-kyvernopre build-cli ## Build all binaries
|
2022-08-26 07:23:04 +00:00
|
|
|
|
|
|
|
##############
|
|
|
|
# BUILD (KO) #
|
|
|
|
##############
|
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
KO_PLATFORM := linux/amd64,linux/arm64,linux/s390x
|
|
|
|
KO_TAGS := latest,$(IMAGE_TAG)
|
|
|
|
# NOTE(review): this tag list is used both for local ko.local images and by the
# ko-publish-*-dev targets, which push to $(REPO). The public "latest" tag
# therefore follows dev builds rather than releases; consumers should pin a
# release tag or a digest (see the docker-get-*-digest targets).
KO_TAGS_DEV := latest,$(IMAGE_TAG_DEV)
|
|
|
|
KYVERNOPRE_IMAGE := kyvernopre
|
2022-08-30 14:06:30 +00:00
|
|
|
KYVERNO_IMAGE := kyverno
|
|
|
|
CLI_IMAGE := kyverno-cli
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
.PHONY: ko-build-kyvernopre
|
|
|
|
ko-build-kyvernopre: $(KO) ## Build kyvernopre local image (with ko)
|
|
|
|
@LD_FLAGS=$(LD_FLAGS_DEV) KO_DOCKER_REPO=ko.local $(KO) build $(KYVERNOPRE_DIR) --preserve-import-paths --tags=$(KO_TAGS_DEV) --platform=$(KO_PLATFORM)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
|
|
|
.PHONY: ko-build-kyverno
|
2022-08-30 15:30:28 +00:00
|
|
|
ko-build-kyverno: $(KO) ## Build kyverno local image (with ko)
|
|
|
|
@LD_FLAGS=$(LD_FLAGS_DEV) KO_DOCKER_REPO=ko.local $(KO) build $(KYVERNO_DIR) --preserve-import-paths --tags=$(KO_TAGS_DEV) --platform=$(KO_PLATFORM)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
|
|
|
.PHONY: ko-build-cli
|
2022-08-30 15:30:28 +00:00
|
|
|
ko-build-cli: $(KO) ## Build CLI local image (with ko)
|
|
|
|
@LD_FLAGS=$(LD_FLAGS_DEV) KO_DOCKER_REPO=ko.local $(KO) build $(CLI_DIR) --preserve-import-paths --tags=$(KO_TAGS_DEV) --platform=$(KO_PLATFORM)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
.PHONY: ko-build-all
|
|
|
|
ko-build-all: ko-build-kyvernopre ko-build-kyverno ko-build-cli ## Build all local images (with ko)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
################
|
|
|
|
# PUBLISH (KO) #
|
|
|
|
################
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
REPO_KYVERNOPRE := $(REPO)/$(KYVERNOPRE_IMAGE)
|
|
|
|
REPO_KYVERNO := $(REPO)/$(KYVERNO_IMAGE)
|
|
|
|
REPO_CLI := $(REPO)/$(CLI_IMAGE)
|
|
|
|
REGISTRY_USERNAME ?= dummy
|
|
|
|
INITC_KIND_IMAGE := ko.local/github.com/kyverno/kyverno/cmd/initcontainer
|
|
|
|
KYVERNO_KIND_IMAGE := ko.local/github.com/kyverno/kyverno/cmd/kyverno
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
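# Registry password for ko-login. Comes from the environment or from
# `make REGISTRY_PASSWORD=...`; exported so the recipe can read it as a shell
# variable instead of expanding it into the command line, where it would be
# visible to every other user on the build host via `ps` / /proc.
export REGISTRY_PASSWORD

.PHONY: ko-login
ko-login: $(KO) ## Log in to $(REGISTRY) with ko (requires REGISTRY_PASSWORD)
	@test -n "$${REGISTRY_PASSWORD}" || { echo "ko-login: REGISTRY_PASSWORD is not set" >&2; exit 1; }
	@printf '%s' "$${REGISTRY_PASSWORD}" | $(KO) login $(REGISTRY) --username $(REGISTRY_USERNAME) --password-stdin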
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
.PHONY: ko-publish-kyvernopre
|
|
|
|
ko-publish-kyvernopre: ko-login
|
|
|
|
@LD_FLAGS=$(LD_FLAGS) KO_DOCKER_REPO=$(REPO_KYVERNOPRE) $(KO) build $(KYVERNOPRE_DIR) --bare --tags=$(KO_TAGS) --platform=$(KO_PLATFORM)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
.PHONY: ko-publish-kyverno
|
|
|
|
ko-publish-kyverno: ko-login
|
|
|
|
@LD_FLAGS=$(LD_FLAGS) KO_DOCKER_REPO=$(REPO_KYVERNO) $(KO) build $(KYVERNO_DIR) --bare --tags=$(KO_TAGS) --platform=$(KO_PLATFORM)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
.PHONY: ko-publish-cli
|
|
|
|
ko-publish-cli: ko-login
|
|
|
|
@LD_FLAGS=$(LD_FLAGS) KO_DOCKER_REPO=$(REPO_CLI) $(KO) build $(CLI_DIR) --bare --tags=$(KO_TAGS) --platform=$(KO_PLATFORM)
|
|
|
|
|
|
|
|
.PHONY: ko-publish-kyvernopre-dev
|
|
|
|
ko-publish-kyvernopre-dev: ko-login
|
|
|
|
@LD_FLAGS=$(LD_FLAGS_DEV) KO_DOCKER_REPO=$(REPO_KYVERNOPRE) $(KO) build $(KYVERNOPRE_DIR) --bare --tags=$(KO_TAGS_DEV) --platform=$(KO_PLATFORM)
|
|
|
|
|
|
|
|
.PHONY: ko-publish-kyverno-dev
|
|
|
|
ko-publish-kyverno-dev: ko-login
|
|
|
|
@LD_FLAGS=$(LD_FLAGS_DEV) KO_DOCKER_REPO=$(REPO_KYVERNO) $(KO) build $(KYVERNO_DIR) --bare --tags=$(KO_TAGS_DEV) --platform=$(KO_PLATFORM)
|
|
|
|
|
|
|
|
.PHONY: ko-publish-cli-dev
|
|
|
|
ko-publish-cli-dev: ko-login
|
|
|
|
@LD_FLAGS=$(LD_FLAGS_DEV) KO_DOCKER_REPO=$(REPO_CLI) $(KO) build $(CLI_DIR) --bare --tags=$(KO_TAGS_DEV) --platform=$(KO_PLATFORM)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
.PHONY: ko-publish-all
|
|
|
|
ko-publish-all: ko-publish-kyvernopre ko-publish-kyverno ko-publish-cli
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 15:30:28 +00:00
|
|
|
.PHONY: ko-publish-all-dev
|
|
|
|
ko-publish-all-dev: ko-publish-kyvernopre-dev ko-publish-kyverno-dev ko-publish-cli-dev
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-30 14:06:30 +00:00
|
|
|
##################
|
2022-08-31 04:22:46 +00:00
|
|
|
# UTILS (DOCKER) #
|
2022-08-30 14:06:30 +00:00
|
|
|
##################
|
2019-05-23 04:41:24 +00:00
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
.PHONY: docker-get-kyvernopre-digest
|
|
|
|
docker-get-kyvernopre-digest:
|
|
|
|
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNOPRE_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
|
|
|
|
|
|
|
|
.PHONY: docker-get-kyvernopre-digest-dev
|
|
|
|
docker-get-kyvernopre-digest-dev:
|
|
|
|
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNOPRE_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
|
|
|
|
|
|
|
|
.PHONY: docker-get-kyverno-digest
|
|
|
|
docker-get-kyverno-digest:
|
|
|
|
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
|
|
|
|
|
|
|
|
.PHONY: docker-get-kyverno-digest-dev
|
|
|
|
docker-get-kyverno-digest-dev:
|
|
|
|
@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
|
|
|
|
|
2022-08-30 14:06:30 +00:00
|
|
|
.PHONY: docker-buildx-builder
|
2022-08-26 07:23:04 +00:00
|
|
|
docker-buildx-builder:
|
|
|
|
if ! docker buildx ls | grep -q kyverno; then\
|
|
|
|
docker buildx create --name kyverno --use;\
|
|
|
|
fi
|
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
##################
|
|
|
|
# BUILD (DOCKER) #
|
|
|
|
##################
|
|
|
|
|
|
|
|
.PHONY: docker-build-kyvernopre
|
|
|
|
docker-build-kyvernopre: docker-buildx-builder
|
2022-08-30 15:30:28 +00:00
|
|
|
@docker buildx build --file $(KYVERNOPRE_DIR)/Dockerfile --progress plane --platform $(KO_PLATFORM) --tag $(REPO)/$(KYVERNOPRE_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
.PHONY: docker-build-kyverno
|
|
|
|
docker-build-kyverno: docker-buildx-builder
|
|
|
|
@docker buildx build --file $(KYVERNO_DIR)/Dockerfile --progress plane --platform $(KO_PLATFORM) --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
.PHONY: docker-build-cli
|
|
|
|
docker-build-cli: docker-buildx-builder
|
|
|
|
@docker buildx build --file $(CLI_DIR)/Dockerfile --progress plane --platform $(KO_PLATFORM) --tag $(REPO)/$(CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
|
|
|
|
|
|
|
|
.PHONY: docker-build-all
|
|
|
|
docker-build-all: docker-build-kyvernopre docker-build-kyverno docker-build-cli ## Build all local images (with docker)
|
|
|
|
|
|
|
|
####################
|
|
|
|
# PUBLISH (DOCKER) #
|
|
|
|
####################
|
|
|
|
|
|
|
|
.PHONY: docker-publish-kyvernopre
|
|
|
|
docker-publish-kyvernopre: docker-buildx-builder
|
|
|
|
@docker buildx build --file $(KYVERNOPRE_DIR)/Dockerfile --progress plane --push --platform $(KO_PLATFORM) --tag $(REPO)/$(KYVERNOPRE_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
.PHONY: docker-publish-kyvernopre-dev
|
|
|
|
docker-publish-kyvernopre-dev: docker-buildx-builder
|
2022-08-30 14:06:30 +00:00
|
|
|
@docker buildx build --file $(KYVERNOPRE_DIR)/Dockerfile --progress plane --push --platform $(KO_PLATFORM) \
|
2022-08-30 15:30:28 +00:00
|
|
|
--tag $(REPO)/$(KYVERNOPRE_IMAGE):$(IMAGE_TAG_DEV) --tag $(REPO)/$(KYVERNOPRE_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest --tag $(REPO)/$(KYVERNOPRE_IMAGE):latest \
|
2022-08-30 14:06:30 +00:00
|
|
|
. --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
.PHONY: docker-publish-kyverno
|
|
|
|
docker-publish-kyverno: docker-buildx-builder
|
2022-08-30 14:06:30 +00:00
|
|
|
@docker buildx build --file $(KYVERNO_DIR)/Dockerfile --progress plane --push --platform $(KO_PLATFORM) --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
.PHONY: docker-publish-kyverno-dev
|
|
|
|
docker-publish-kyverno-dev: docker-buildx-builder
|
2022-08-30 14:06:30 +00:00
|
|
|
@docker buildx build --file $(KYVERNO_DIR)/Dockerfile --progress plane --push --platform $(KO_PLATFORM) \
|
|
|
|
--tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest --tag $(REPO)/$(KYVERNO_IMAGE):latest \
|
|
|
|
. --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
.PHONY: docker-publish-cli
|
|
|
|
docker-publish-cli: docker-buildx-builder
|
2022-08-30 14:06:30 +00:00
|
|
|
@docker buildx build --file $(CLI_DIR)/Dockerfile --progress plane --push --platform $(KO_PLATFORM) --tag $(REPO)/$(CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
.PHONY: docker-publish-cli-dev
|
|
|
|
docker-publish-cli-dev: docker-buildx-builder
|
|
|
|
@docker buildx build --file $(CLI_DIR)/Dockerfile --progress plane --push --platform $(KO_PLATFORM) \
|
|
|
|
--tag $(REPO)/$(CLI_IMAGE):$(IMAGE_TAG_DEV) --tag $(REPO)/$(CLI_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest --tag $(REPO)/$(CLI_IMAGE):latest \
|
|
|
|
. --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
|
2021-02-08 03:46:50 +00:00
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
.PHONY: docker-publish-all
|
|
|
|
docker-publish-all: docker-publish-kyvernopre docker-publish-kyverno docker-publish-cli
|
2019-06-05 01:05:10 +00:00
|
|
|
|
2022-08-31 04:22:46 +00:00
|
|
|
.PHONY: docker-publish-all-dev
|
|
|
|
docker-publish-all-dev: docker-publish-kyvernopre-dev docker-publish-kyverno-dev docker-publish-cli-dev
|
2020-08-06 06:26:31 +00:00
|
|
|
|
2022-08-30 14:06:30 +00:00
|
|
|
##################################
|
|
|
|
# KYVERNO
|
|
|
|
##################################
|
|
|
|
|
|
|
|
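# Fail when go.mod / go.sum are not tidy. The previous form captured the
# *stdout* of `go mod tidy` (which reports on stderr, so the capture was
# almost always empty) and then exited 0 in every case, so it could never
# fail CI. The diff check mirrors the verify-* targets in this file.
.PHONY: unused-package-check
unused-package-check: ## Check go.mod/go.sum are tidy (fails on drift)
	@echo "------------------"
	@echo "--> Check unused packages for the all kyverno components"
	@echo "------------------"
	@go mod tidy
	@if ! git diff --quiet --exit-code -- go.mod go.sum; then \
		echo "go mod tidy checking failed! go.mod/go.sum differ after 'go mod tidy':" >&2; \
		git --no-pager diff -- go.mod go.sum; \
		exit 1; \
	fi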
|
|
|
|
|
2022-03-07 09:43:36 +00:00
|
|
|
##################################
|
2020-07-20 14:35:06 +00:00
|
|
|
# Generate Docs for types.go
|
|
|
|
##################################
|
|
|
|
|
2022-08-25 16:59:24 +00:00
|
|
|
.PHONY: generate-api-docs
|
|
|
|
generate-api-docs: $(GEN_CRD_API_REFERENCE_DOCS) ## Generate api reference docs
|
2022-03-11 14:32:59 +00:00
|
|
|
rm -rf docs/crd
|
|
|
|
mkdir docs/crd
|
2022-08-25 16:59:24 +00:00
|
|
|
$(GEN_CRD_API_REFERENCE_DOCS) -v 6 -api-dir ./api/kyverno/v1alpha2 -config docs/config.json -template-dir docs/template -out-file docs/crd/v1alpha2/index.html
|
|
|
|
$(GEN_CRD_API_REFERENCE_DOCS) -v 6 -api-dir ./api/kyverno/v1beta1 -config docs/config.json -template-dir docs/template -out-file docs/crd/v1beta1/index.html
|
|
|
|
$(GEN_CRD_API_REFERENCE_DOCS) -v 6 -api-dir ./api/kyverno/v1 -config docs/config.json -template-dir docs/template -out-file docs/crd/v1/index.html
|
2022-03-11 14:32:59 +00:00
|
|
|
|
|
|
|
.PHONY: verify-api-docs
|
|
|
|
verify-api-docs: generate-api-docs ## Check api reference docs are up to date
|
2022-03-16 09:31:35 +00:00
|
|
|
git --no-pager diff docs
|
2022-03-11 14:32:59 +00:00
|
|
|
@echo 'If this test fails, it is because the git diff is non-empty after running "make generate-api-docs".'
|
|
|
|
@echo 'To correct this, locally run "make generate-api-docs", commit the changes, and re-run tests.'
|
|
|
|
git diff --quiet --exit-code docs
|
2019-06-05 01:05:10 +00:00
|
|
|
|
2020-08-21 16:45:04 +00:00
|
|
|
##################################
|
2022-08-25 18:32:40 +00:00
|
|
|
# Create e2e Infrastructure
|
2020-08-21 16:45:04 +00:00
|
|
|
##################################
|
2020-08-11 16:32:51 +00:00
|
|
|
|
2022-03-25 16:08:38 +00:00
|
|
|
.PHONY: kind-e2e-cluster
|
2022-08-25 16:59:24 +00:00
|
|
|
kind-e2e-cluster: $(KIND) ## Create kind cluster for e2e tests
|
|
|
|
$(KIND) create cluster --image=$(KIND_IMAGE)
|
2022-03-25 16:08:38 +00:00
|
|
|
|
2022-08-26 07:23:04 +00:00
|
|
|
# TODO(eddycharly): $(REPO) is wrong, it is always ghcr.io/kyverno in the source
|
2022-03-25 16:08:38 +00:00
|
|
|
.PHONY: e2e-kustomize
|
2022-08-25 16:59:24 +00:00
|
|
|
e2e-kustomize: $(KUSTOMIZE) ## Build kustomize manifests for e2e tests
|
2022-03-25 16:08:38 +00:00
|
|
|
cd config && \
|
2022-08-30 15:30:28 +00:00
|
|
|
$(KUSTOMIZE) edit set image $(REPO)/$(KYVERNOPRE_IMAGE)=$(INITC_KIND_IMAGE):$(IMAGE_TAG_DEV) && \
|
2022-08-26 07:23:04 +00:00
|
|
|
$(KUSTOMIZE) edit set image $(REPO)/$(KYVERNO_IMAGE)=$(KYVERNO_KIND_IMAGE):$(IMAGE_TAG_DEV)
|
|
|
|
$(KUSTOMIZE) build config/ -o config/install.yaml
|
|
|
|
|
|
|
|
.PHONY: e2e-init-container
|
2022-08-30 15:30:28 +00:00
|
|
|
e2e-init-container: kind-e2e-cluster | ko-build-kyvernopre
|
2022-08-30 04:59:08 +00:00
|
|
|
$(KIND) load docker-image $(INITC_KIND_IMAGE):$(IMAGE_TAG_DEV)
|
2022-08-26 07:23:04 +00:00
|
|
|
|
|
|
|
.PHONY: e2e-kyverno-container
|
2022-08-30 15:30:28 +00:00
|
|
|
e2e-kyverno-container: kind-e2e-cluster | ko-build-kyverno
|
2022-08-30 04:59:08 +00:00
|
|
|
$(KIND) load docker-image $(KYVERNO_KIND_IMAGE):$(IMAGE_TAG_DEV)
|
2022-03-25 16:08:38 +00:00
|
|
|
|
2022-08-25 18:32:40 +00:00
|
|
|
.PHONY: create-e2e-infrastructure
|
2022-08-26 07:23:04 +00:00
|
|
|
create-e2e-infrastructure: e2e-init-container e2e-kyverno-container e2e-kustomize | ## Setup infrastructure for e2e tests
|
2020-08-11 00:16:13 +00:00
|
|
|
|
2019-11-18 19:41:37 +00:00
|
|
|
##################################
|
2021-04-08 23:14:08 +00:00
|
|
|
# Testing & Code-Coverage
|
2019-11-18 19:41:37 +00:00
|
|
|
##################################
|
2019-06-07 18:50:12 +00:00
|
|
|
|
|
|
|
CODE_COVERAGE_FILE:= coverage
|
|
|
|
CODE_COVERAGE_FILE_TXT := $(CODE_COVERAGE_FILE).txt
|
|
|
|
CODE_COVERAGE_FILE_HTML := $(CODE_COVERAGE_FILE).html
|
|
|
|
|
2022-04-28 12:30:23 +00:00
|
|
|
test: test-clean test-unit test-e2e ## Clean tests cache then run unit and e2e tests
|
2021-09-27 01:30:53 +00:00
|
|
|
|
2022-04-28 12:30:23 +00:00
|
|
|
test-clean: ## Clean tests cache
|
2021-09-27 01:30:53 +00:00
|
|
|
@echo " cleaning test cache"
|
|
|
|
go clean -testcache ./...
|
2021-07-10 01:01:46 +00:00
|
|
|
|
2022-02-24 15:34:12 +00:00
|
|
|
.PHONY: test-cli
|
2022-05-25 14:26:22 +00:00
|
|
|
test-cli: test-cli-policies test-cli-local test-cli-local-mutate test-cli-local-generate test-cli-test-case-selector-flag test-cli-registry
|
2022-02-24 15:34:12 +00:00
|
|
|
|
|
|
|
.PHONY: test-cli-policies
|
2022-08-30 15:30:28 +00:00
|
|
|
test-cli-policies: $(CLI_BIN)
|
|
|
|
@$(CLI_BIN) test https://github.com/kyverno/policies/$(TEST_GIT_BRANCH)
|
2022-02-24 15:34:12 +00:00
|
|
|
|
|
|
|
.PHONY: test-cli-local
|
2022-08-30 15:30:28 +00:00
|
|
|
test-cli-local: $(CLI_BIN)
|
|
|
|
@$(CLI_BIN) test ./test/cli/test
|
2022-02-24 15:34:12 +00:00
|
|
|
|
|
|
|
.PHONY: test-cli-local-mutate
|
2022-08-30 15:30:28 +00:00
|
|
|
test-cli-local-mutate: $(CLI_BIN)
|
|
|
|
@$(CLI_BIN) test ./test/cli/test-mutate
|
2022-02-24 15:34:12 +00:00
|
|
|
|
2022-05-25 14:26:22 +00:00
|
|
|
.PHONY: test-cli-local-generate
|
2022-08-30 15:30:28 +00:00
|
|
|
test-cli-local-generate: $(CLI_BIN)
|
|
|
|
@$(CLI_BIN) test ./test/cli/test-generate
|
2022-05-25 14:26:22 +00:00
|
|
|
|
2022-03-09 07:40:53 +00:00
|
|
|
.PHONY: test-cli-test-case-selector-flag
|
2022-08-30 15:30:28 +00:00
|
|
|
test-cli-test-case-selector-flag: $(CLI_BIN)
|
|
|
|
@$(CLI_BIN) test ./test/cli/test --test-case-selector "policy=disallow-latest-tag, rule=require-image-tag, resource=test-require-image-tag-pass"
|
2021-07-10 01:01:46 +00:00
|
|
|
|
2022-03-16 04:26:47 +00:00
|
|
|
.PHONY: test-cli-registry
|
2022-08-30 15:30:28 +00:00
|
|
|
test-cli-registry: $(CLI_BIN)
|
|
|
|
@$(CLI_BIN) test ./test/cli/registry --registry
|
2022-03-16 04:26:47 +00:00
|
|
|
|
2022-04-28 12:30:23 +00:00
|
|
|
test-unit: $(GO_ACC) ## Run unit tests
|
2019-06-07 18:50:12 +00:00
|
|
|
@echo " running unit tests"
|
2022-08-25 16:59:24 +00:00
|
|
|
$(GO_ACC) ./... -o $(CODE_COVERAGE_FILE_TXT)
|
2019-06-07 18:50:12 +00:00
|
|
|
|
2022-03-28 14:01:27 +00:00
|
|
|
code-cov-report: ## Generate code coverage report
|
2019-06-07 18:50:12 +00:00
|
|
|
@echo " generating code coverage report"
|
2022-03-14 08:21:27 +00:00
|
|
|
GO111MODULE=on go test -v -coverprofile=coverage.out ./...
|
|
|
|
go tool cover -func=coverage.out -o $(CODE_COVERAGE_FILE_TXT)
|
|
|
|
go tool cover -html=coverage.out -o $(CODE_COVERAGE_FILE_HTML)
|
2020-06-04 18:45:37 +00:00
|
|
|
|
2020-08-06 05:16:10 +00:00
|
|
|
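# Test E2E
# E2E is exported to every command of the recipe via a target-specific
# variable. The previous `$(eval export E2E=...)` lines did not do what they
# appear to: make expands the whole recipe before running its first command,
# so both evals fired up front and every `go test` saw the same final value.
# NOTE(review): the value is now `ok` without the literal quotes that the eval
# form kept in the value -- confirm what the e2e tests actually check for.
.PHONY: test-e2e
test-e2e: export E2E := ok
test-e2e: ## Run e2e tests
	go test ./test/e2e/verifyimages -v
	go test ./test/e2e/metrics -v
	go test ./test/e2e/mutate -v
	go test ./test/e2e/generate -v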
|
|
|
|
|
2021-07-27 06:49:28 +00:00
|
|
|
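# Run the e2e suites against the current kubectl context, port-forwarding the
# kyverno metrics service for the duration of the run.
#
# Fixes over the previous recipe:
#  * `kill $!` was a make variable reference (variable "!", never set), so the
#    shell ran a bare `kill`, which fails -- and even as `$$!` it would have
#    run in a different shell from the `&` line, because every recipe line gets
#    its own shell. Port-forward and tests now share ONE shell, and a trap
#    stops the port-forward on success and failure alike.
#  * E2E is exported via a target-specific variable; see test-e2e for why the
#    `$(eval export ...)` pair did not work as intended.
#
# NOTE(review): the RBAC manifest is fetched from the mutable "main" branch of
# the upstream repository, so the test applies whatever is there at run time,
# not this checkout. The same path exists in this repo; prefer
# `kubectl apply -f config/github/rbac.yaml` once confirmed present locally.
.PHONY: test-e2e-local
test-e2e-local: export E2E := ok
test-e2e-local: ## Run e2e tests locally (port-forwards kyverno-svc-metrics)
	kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/github/rbac.yaml
	kubectl port-forward -n kyverno service/kyverno-svc-metrics 8000:8000 & \
	pf=$$!; trap 'kill $$pf 2>/dev/null' EXIT; \
	go test ./test/e2e/verifyimages -v && \
	go test ./test/e2e/metrics -v && \
	go test ./test/e2e/mutate -v && \
	go test ./test/e2e/generate -v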
|
|
|
|
|
2022-02-04 06:47:36 +00:00
|
|
|
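# Point charts/kyverno/values.yaml at the locally built (ko.local) images for
# e2e runs. This edits the chart in the working tree; do not commit the result.
# Uses $(SED) (gsed on darwin, per the TOOLS section) instead of bare `sed`:
# BSD sed parses `-i -e` as `-i` with backup suffix "-e", leaving a stray
# values.yaml-e file behind. All substitutions run in a single pass; the
# result is the same as the previous one-call-per-expression form.
.PHONY: helm-test-values
helm-test-values: ## Patch chart values for e2e tests (local images, dev tag)
	$(SED) -i \
		-e "s|nameOverride:.*|nameOverride: kyverno|g" \
		-e "s|fullnameOverride:.*|fullnameOverride: kyverno|g" \
		-e "s|namespace:.*|namespace: kyverno|g" \
		-e "s|tag: # replaced in e2e tests.*|tag: $(IMAGE_TAG_DEV)|" \
		-e "s|repository: ghcr.io/kyverno/kyvernopre # init: replaced in e2e tests|repository: $(INITC_KIND_IMAGE)|" \
		-e "s|repository: ghcr.io/kyverno/kyverno # kyverno: replaced in e2e tests|repository: $(KYVERNO_KIND_IMAGE)|" \
		charts/kyverno/values.yaml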
|
2022-02-04 06:47:36 +00:00
|
|
|
|
2022-03-14 15:12:29 +00:00
|
|
|
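# Regenerate the chart CRD template and the install manifests from ./config.
# Every kustomize invocation now goes through $(KUSTOMIZE) (the pinned tool in
# $(TOOLS_DIR)); the `cfg grep` step previously used whatever `kustomize` was
# first on PATH, so the chart CRDs could be produced by a different version
# than the manifests.
# NOTE(review): `kustomize cfg` is a kustomize v4 subcommand; if
# KUSTOMIZE_VERSION moves past v4 this step needs a replacement.
.PHONY: kustomize-crd
kustomize-crd: $(KUSTOMIZE) ## Create install.yaml
	# Create CRD for helm deployment Helm (wrapped in the installCRDs guard)
	$(KUSTOMIZE) build ./config/release | $(KUSTOMIZE) cfg grep kind=CustomResourceDefinition | $(SED) -e "1i{{- if .Values.installCRDs }}" -e '$$a{{- end }}' > ./charts/kyverno/templates/crds.yaml
	# Generate install.yaml that has all resources for kyverno
	$(KUSTOMIZE) build ./config > ./config/install.yaml
	# Generate install_debug.yaml for developer testing
	$(KUSTOMIZE) build ./config/debug > ./config/install_debug.yaml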
|
2020-08-12 14:54:45 +00:00
|
|
|
|
2020-10-07 18:12:31 +00:00
|
|
|
# guidance https://github.com/kyverno/kyverno/wiki/Generate-a-Release
|
2020-11-29 08:37:36 +00:00
|
|
|
release:
|
2022-08-25 16:59:24 +00:00
|
|
|
$(KUSTOMIZE) build ./config > ./config/install.yaml
|
|
|
|
$(KUSTOMIZE) build ./config/release > ./config/release/install.yaml
|
2020-08-14 19:21:06 +00:00
|
|
|
|
2021-08-10 16:07:46 +00:00
|
|
|
release-notes:
|
2021-08-12 16:58:25 +00:00
|
|
|
@bash -c 'while IFS= read -r line ; do if [[ "$$line" == "## "* && "$$line" != "## $(VERSION)" ]]; then break ; fi; echo "$$line"; done < "CHANGELOG.md"' \
|
2021-08-10 16:07:46 +00:00
|
|
|
true
|
|
|
|
|
2022-03-07 09:43:36 +00:00
|
|
|
##################################
|
|
|
|
# CODEGEN
|
|
|
|
##################################
|
|
|
|
|
|
|
|
.PHONY: kyverno-crd
|
2022-08-25 16:59:24 +00:00
|
|
|
kyverno-crd: $(CONTROLLER_GEN) ## Generate Kyverno CRDs
|
2021-10-29 16:13:20 +00:00
|
|
|
$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=./config/crds
|
2020-11-13 03:48:39 +00:00
|
|
|
|
2022-03-07 09:43:36 +00:00
|
|
|
.PHONY: report-crd
|
2022-08-25 16:59:24 +00:00
|
|
|
report-crd: $(CONTROLLER_GEN) ## Generate policy reports CRDs
|
2021-10-29 16:13:20 +00:00
|
|
|
$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=./config/crds
|
2020-11-09 19:26:12 +00:00
|
|
|
|
2022-03-07 09:43:36 +00:00
|
|
|
.PHONY: deepcopy-autogen
|
2022-08-25 16:59:24 +00:00
|
|
|
deepcopy-autogen: $(CONTROLLER_GEN) $(GOIMPORTS) ## Generate deep copy code
|
|
|
|
$(CONTROLLER_GEN) object:headerFile="scripts/boilerplate.go.txt" paths="./..." && $(GOIMPORTS) -w ./api/
|
2021-03-01 18:58:58 +00:00
|
|
|
|
2022-03-07 09:43:36 +00:00
|
|
|
.PHONY: codegen
|
2022-03-16 09:31:35 +00:00
|
|
|
codegen: kyverno-crd report-crd deepcopy-autogen generate-api-docs gen-helm ## Update all generated code and docs
|
2022-03-07 09:43:36 +00:00
|
|
|
|
2022-03-16 09:31:35 +00:00
|
|
|
.PHONY: verify-api
|
|
|
|
verify-api: kyverno-crd report-crd deepcopy-autogen ## Check api is up to date
|
|
|
|
git --no-pager diff api
|
2022-03-07 09:43:36 +00:00
|
|
|
@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen".'
|
|
|
|
@echo 'To correct this, locally run "make codegen", commit the changes, and re-run tests.'
|
|
|
|
git diff --quiet --exit-code api
|
|
|
|
|
2022-03-16 09:31:35 +00:00
|
|
|
.PHONY: verify-config
|
|
|
|
verify-config: kyverno-crd report-crd ## Check config is up to date
|
|
|
|
git --no-pager diff config
|
|
|
|
@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen".'
|
|
|
|
@echo 'To correct this, locally run "make codegen", commit the changes, and re-run tests.'
|
|
|
|
git diff --quiet --exit-code config
|
|
|
|
|
|
|
|
.PHONY: verify-codegen
|
|
|
|
verify-codegen: verify-api verify-config verify-api-docs verify-helm ## Verify all generated code and docs are up to date
|
|
|
|
|
2022-02-25 16:22:00 +00:00
|
|
|
##################################
|
|
|
|
# HELM
|
|
|
|
##################################
|
|
|
|
|
|
|
|
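# Generate chart README(s) with helm-docs. Uses the helm-docs binary this
# Makefile already installs into $(TOOLS_DIR) at HELM_DOCS_VERSION, instead of
# pulling `jnorwood/helm-docs` from Docker Hub and bind-mounting the whole
# repository read-write into that container: one fewer external trust
# boundary, one pinned version for the tool, and no Docker requirement.
# `-s file` keeps values in file order, as before; the search root defaults
# to the current directory, matching the previous `-w /work` mount.
.PHONY: gen-helm-docs
gen-helm-docs: $(HELM_DOCS) ## Generate Helm docs
	@$(HELM_DOCS) -s file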
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
# gen-helm-docs: $(HELM_DOCS) ## Generate Helm docs
# # @$(HELM_DOCS) -s file
# @docker run -v ${PWD}:/work -w /work jnorwood/helm-docs:v1.6.0 -s file
# Aggregate target for everything the Helm charts derive from other sources:
# the chart READMEs (gen-helm-docs) and kustomize-crd, which is defined outside
# this section (presumably it regenerates the chart CRD manifests — confirm).
# There is no recipe of its own; it only orders the two generators.
.PHONY: gen-helm
gen-helm: gen-helm-docs kustomize-crd ## Generate Helm charts stuff
# CI guard: regenerate the charts, then fail if that left the working tree
# different from what is committed. The full diff is printed first so the log
# shows exactly which generated files are stale; the final quiet `git diff`
# supplies the non-zero exit status.
# Caveat: `git diff` only compares tracked files, so a newly generated file
# under charts/ that has never been added to git is not detected here.
.PHONY: verify-helm
verify-helm: gen-helm ## Check Helm charts are up to date
	git --no-pager diff charts
	@echo 'If this test fails, it is because the git diff is non-empty after running "make gen-helm".' ; \
	echo 'To correct this, locally run "make gen-helm", commit the changes, and re-run tests.'
	git diff --quiet --exit-code charts
########
# KIND #
########
# Bring up a local KinD cluster. Cluster name and node image come from
# KIND_NAME / KIND_IMAGE, both overridable on the command line
# (e.g. `make kind-create-cluster KIND_NAME=dev`). The kind binary itself is a
# prerequisite so it is fetched into the tools dir first if missing.
.PHONY: kind-create-cluster
kind-create-cluster: $(KIND) ## Create KinD cluster
	@$(KIND) create cluster --image=$(KIND_IMAGE) --name=$(KIND_NAME)
# Tear down the KinD cluster created by kind-create-cluster (same KIND_NAME).
.PHONY: kind-delete-cluster
kind-delete-cluster: $(KIND) ## Delete KinD cluster
	@$(KIND) delete cluster --name=$(KIND_NAME)
# Build the kyvernopre image (ko-build-kyvernopre, defined elsewhere in this
# file) and push it straight into the KinD nodes' image store, so the cluster
# can run the dev tag without any registry.
.PHONY: kind-load-kyvernopre
kind-load-kyvernopre: $(KIND) ko-build-kyvernopre ## Build kyvernopre image and load it in KinD cluster
	@$(KIND) load docker-image --name=$(KIND_NAME) $(INITC_KIND_IMAGE):$(IMAGE_TAG_DEV)
# Build the kyverno image (ko-build-kyverno, defined elsewhere in this file)
# and load it into the KinD nodes' image store under the dev tag.
.PHONY: kind-load-kyverno
kind-load-kyverno: $(KIND) ko-build-kyverno ## Build kyverno image and load it in KinD cluster
	@$(KIND) load docker-image --name=$(KIND_NAME) $(KYVERNO_KIND_IMAGE):$(IMAGE_TAG_DEV)
# Convenience target: build and load both images (kyvernopre and kyverno) into
# the KinD cluster. No recipe; the two loads are independent and may run in
# parallel under `make -j`.
.PHONY: kind-load-all
kind-load-all: kind-load-kyvernopre kind-load-kyverno ## Build images and load them in KinD cluster
# Install (or upgrade) the kyverno chart into the KinD cluster, pointing both
# the main and init images at the locally built dev tag loaded by
# kind-load-all. `--wait` blocks until the release's resources are ready.
.PHONY: kind-deploy-kyverno
kind-deploy-kyverno: kind-load-all ## Build images, load them in KinD cluster and deploy kyverno helm chart
	@helm upgrade --install kyverno ./charts/kyverno \
		--namespace kyverno --create-namespace --wait \
		--set image.repository=$(KYVERNO_KIND_IMAGE) \
		--set image.tag=$(IMAGE_TAG_DEV) \
		--set initImage.repository=$(INITC_KIND_IMAGE) \
		--set initImage.tag=$(IMAGE_TAG_DEV) \
		--set extraArgs={--autogenInternals=true}
# Install (or upgrade) the kyverno-policies chart into the same namespace.
# Unlike kind-deploy-kyverno this does not pass `--wait` and has no
# prerequisite on kyverno being deployed; see kind-deploy-all for ordering.
.PHONY: kind-deploy-kyverno-policies
kind-deploy-kyverno-policies: ## Deploy kyverno-policies helm chart
	@helm upgrade --install kyverno-policies ./charts/kyverno-policies \
		--namespace kyverno --create-namespace
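# Deploy kyverno first and the policies chart second.
# The previous form listed both as (order-only) prerequisites; Make never
# sequences sibling prerequisites, so under `make -j` the two helm installs
# could run concurrently — and the policies chart presumably needs Kyverno's
# CRDs to exist first (confirm against charts/kyverno-policies). Invoking each
# step through $(MAKE) makes the order explicit; `+` keeps the sub-makes
# running under `make -n` so a dry run still shows both steps.
.PHONY: kind-deploy-all
kind-deploy-all: ## Build images, load them in KinD cluster and deploy helm charts
	+@$(MAKE) kind-deploy-kyverno
	+@$(MAKE) kind-deploy-kyverno-policies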
########
# HELP #
########
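# Self-documenting help: every `target: ... ## text` line is listed with its
# description. Done entirely in awk rather than grep | awk — when
# $(MAKEFILE_LIST) holds more than one makefile, grep prefixes each match with
# "FILE:", which made the first awk field the filename instead of the target.
# The `?` after `.*` in the old patterns was a no-op in ERE and is dropped.
.PHONY: help
help: ## Shows the available commands
	@awk 'BEGIN {FS = ":.*## "} /^[a-zA-Z_-]+:.*## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)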