1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

[Bug] [CLI] PSS report does not show properties with control details (#9785)

* add properties in pss report

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove  tests

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix lint

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore: move chainsaw config at the root of the repo (#9768)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump svenstaro/upload-release-action from 2.7.0 to 2.9.0 (#9767)

Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.7.0 to 2.9.0.
- [Release notes](https://github.com/svenstaro/upload-release-action/releases)
- [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
- [Commits](1beeb572c1...04733e069f)

---
updated-dependencies:
- dependency-name: svenstaro/upload-release-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add test

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fill properties field in test

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove unwanted folders

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remote gitpod file

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix: remove unnecessary podSecurity chainsaw test (#9791)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix: remove unnecessary validation check for podSecurity rule (#9790)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update versions (#9783)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore: add tests for exceptions in the CLI (#9781)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump go.opentelemetry.io/otel/sdk/metric (#9799)

Bumps [go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk/metric
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc (#9797)

Bumps [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump codecov/codecov-action from 4.0.1 to 4.0.2 (#9794)

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.0.1 to 4.0.2.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](e0b68c6749...0cfda1dd0a)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump go.opentelemetry.io/otel/exporters/prometheus (#9796)

Bumps [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) from 0.45.2 to 0.46.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/example/prometheus/v0.45.2...example/prometheus/v0.46.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/prometheus
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace (#9795)

Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* changes

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#9798)

Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump codecov/codecov-action from 4.0.2 to 4.1.0 (#9811)

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.0.2 to 4.1.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](0cfda1dd0a...54bcd8715e)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#9809)

Bumps [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) from 0.48.0 to 0.49.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.48.0...zpages/v0.49.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump golang.org/x/crypto from 0.19.0 to 0.20.0 (#9810)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.19.0 to 0.20.0.
- [Commits](https://github.com/golang/crypto/compare/v0.19.0...v0.20.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix lint

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix(globalcontext): old WaitGroup not stopping (#9813)

* fix(globalcontext): old waitgroup not stopping

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* chore(globalcontext): add AGE

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* feat(globalcontext): add lastRefreshTime

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* fix(globalcontext): unhandled intormer run exception

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* chore(globalcontext): comment wording

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* chore(globalcontext): codegen

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* fix(globalcontext): linter

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

---------

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add empty declaration of properties

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add changes

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix: add podSecurity validation checks for exceptions (#9817)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 (#9825)

Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#9821)

Bumps [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#9823)

Bumps [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump kyverno/action-install-chainsaw from 0.1.6 to 0.1.7 (#9832)

Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.1.6 to 0.1.7.
- [Release notes](https://github.com/kyverno/action-install-chainsaw/releases)
- [Commits](204730d723...3bf0752f44)

---
updated-dependencies:
- dependency-name: kyverno/action-install-chainsaw
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#9831)

Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.17.0 to 0.18.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](84384bd6e7...062f259268)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#9830)

Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* [Bug] [CLI] Restore warn-exit-code functionality for apply command (#9828)

* Restore warn-exite-code functionality for apply command

Signed-off-by: Matt Veitas <mveitas@gmail.com>

* Nove error handling

Signed-off-by: Matt Veitas <mveitas@gmail.com>

* Uncomment println statement

Signed-off-by: Matt Veitas <mveitas@gmail.com>

* Fixing linting

Signed-off-by: Matt Veitas <mveitas@gmail.com>

* Adding conformance tets for cli apply command with warn-exit-code

Signed-off-by: Matt Veitas <mveitas@gmail.com>

* Update path to kubectl-kyverno binary

Signed-off-by: Matt Veitas <mveitas@gmail.com>

* Add prepare-cli as needed dependency

Signed-off-by: Matt Veitas <mveitas@gmail.com>

* feat: install kubectl-kyverno in standard conformance tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: update chainsaw config

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: move CLI chainsaw tests to a separate action

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: CLI path

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: name

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: add chainsaw flag '--no-cluster'

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: CLI name

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: Matt Veitas <mveitas@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#9822)

Bumps [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove comment and shift line 91

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* modify test

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* added rseperate function for adding properties in result

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add test for pss report

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove comments

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix: remove duplicate chainsaw tests for PSA (#9835)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* modify policy

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* modify policy in test_dta

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* docs: Add new adopter to ADOPTERS.md (#9841)

Signed-off-by: Younsung Lee <cysl@kakao.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix: use gcr crane opts while fetching image descriptors (#9838)

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix: add missing unit tests for podSecurity.hostpathVolume check (#9845)

* fix: add missing unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: update pinned lib

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: uncomment code

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix: release CRDs manifests (#9849)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#9842)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.4 to 1.9.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.4...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix name access for policy types

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* modify pkg report

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* modify name

Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add bindings

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Revert "add bindings"

This reverts commit c616c11d9bb4dd0554104025fcfb9cf9e25dc02d.

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* revert add bindings

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update chainsaw

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update name

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Revert "update name"

This reverts commit 84de45b4ce1c5f94d8cbd0a66e893c7907f4a600.

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* simplify results

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com>
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Signed-off-by: Matt Veitas <mveitas@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
Signed-off-by: Younsung Lee <cysl@kakao.com>
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: Matt Veitas <mveitas@gmail.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Younsung Lee <cysl@kakao.com>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
This commit is contained in:
Suruchi Kumari 2024-03-08 03:24:00 +05:30 committed by GitHub
parent 2656e62c4d
commit 26df05d8c1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 156 additions and 112 deletions

View file

@ -1,7 +1,7 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Configuration
metadata:
name: congiguration
name: configuration
spec:
timeouts:
assert: 90s

View file

@ -0,0 +1,23 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
pod-policies.kyverno.io/autogen-controllers: none
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/severity: medium
name: psa
spec:
background: true
rules:
- name: restricted
match:
any:
- resources:
kinds:
- Pod
validate:
podSecurity:
level: restricted
version: latest
validationFailureAction: Audit

View file

@ -1,9 +1,7 @@
package report
import (
"github.com/kyverno/kyverno/api/kyverno"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy/annotations"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
reportutils "github.com/kyverno/kyverno/pkg/utils/report"
corev1 "k8s.io/api/core/v1"
@ -13,47 +11,26 @@ import (
func ComputePolicyReportResult(auditWarn bool, engineResponse engineapi.EngineResponse, ruleResponse engineapi.RuleResponse) policyreportv1alpha2.PolicyReportResult {
policy := engineResponse.Policy()
policyType := policy.GetType()
policyName := cache.MetaObjectToName(policy.MetaObject()).String()
audit := engineResponse.GetValidationFailureAction().Audit()
scored := annotations.Scored(policy.GetAnnotations())
category := annotations.Category(policy.GetAnnotations())
severity := annotations.Severity(policy.GetAnnotations())
result := policyreportv1alpha2.PolicyReportResult{
Policy: policyName,
Resources: []corev1.ObjectReference{
{
Kind: engineResponse.Resource.GetKind(),
Namespace: engineResponse.Resource.GetNamespace(),
APIVersion: engineResponse.Resource.GetAPIVersion(),
Name: engineResponse.Resource.GetName(),
UID: engineResponse.Resource.GetUID(),
},
},
Scored: scored,
Category: category,
Severity: severity,
resource := engineResponse.Resource
resorceRef := &corev1.ObjectReference{
Kind: resource.GetKind(),
Name: resource.GetName(),
Namespace: resource.GetNamespace(),
UID: resource.GetUID(),
APIVersion: resource.GetAPIVersion(),
ResourceVersion: resource.GetResourceVersion(),
}
if ruleResponse.Status() == engineapi.RuleStatusSkip {
result.Result = policyreportv1alpha2.StatusSkip
} else if ruleResponse.Status() == engineapi.RuleStatusError {
result.Result = policyreportv1alpha2.StatusError
} else if ruleResponse.Status() == engineapi.RuleStatusPass {
result.Result = policyreportv1alpha2.StatusPass
} else if ruleResponse.Status() == engineapi.RuleStatusFail {
if !scored || (audit && auditWarn) {
result := reportutils.ToPolicyReportResult(policyType, policyName, ruleResponse, policy.GetAnnotations(), resorceRef)
if result.Result == policyreportv1alpha2.StatusFail {
audit := engineResponse.GetValidationFailureAction().Audit()
if audit && auditWarn {
result.Result = policyreportv1alpha2.StatusWarn
} else {
result.Result = policyreportv1alpha2.StatusFail
}
} else {
result.Result = policyreportv1alpha2.StatusError
}
if policy.GetType() == engineapi.KyvernoPolicyType {
result.Rule = ruleResponse.Name()
}
result.Message = ruleResponse.Message()
result.Source = kyverno.ValueKyvernoApp
result.Timestamp = metav1.Timestamp{Seconds: ruleResponse.Stats().Timestamp()}
return result
}

View file

@ -5,7 +5,6 @@ import (
"testing"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
report "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"gotest.tools/assert"
@ -120,7 +119,7 @@ func TestMergeClusterReport(t *testing.T) {
clustered := []policyreportv1alpha2.ClusterPolicyReport{{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterPolicyReport",
APIVersion: report.SchemeGroupVersion.String(),
APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{
Name: "cpolr-4",
@ -128,13 +127,13 @@ func TestMergeClusterReport(t *testing.T) {
Results: []policyreportv1alpha2.PolicyReportResult{
{
Policy: "cpolr-4",
Result: report.StatusFail,
Result: policyreportv1alpha2.StatusFail,
},
},
}, {
TypeMeta: metav1.TypeMeta{
Kind: "ClusterPolicyReport",
APIVersion: report.SchemeGroupVersion.String(),
APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(),
},
ObjectMeta: metav1.ObjectMeta{
Name: "cpolr-5",
@ -142,19 +141,19 @@ func TestMergeClusterReport(t *testing.T) {
Results: []policyreportv1alpha2.PolicyReportResult{
{
Policy: "cpolr-5",
Result: report.StatusFail,
Result: policyreportv1alpha2.StatusFail,
},
},
}}
expectedResults := []policyreportv1alpha2.PolicyReportResult{{
Policy: "cpolr-4",
Result: report.StatusFail,
Result: policyreportv1alpha2.StatusFail,
}, {
Policy: "cpolr-5",
Result: report.StatusFail,
Result: policyreportv1alpha2.StatusFail,
}}
cpolr := MergeClusterReports(clustered)
assert.Equal(t, cpolr.APIVersion, report.SchemeGroupVersion.String())
assert.Equal(t, cpolr.APIVersion, policyreportv1alpha2.SchemeGroupVersion.String())
assert.Equal(t, cpolr.Kind, "ClusterPolicyReport")
assert.DeepEqual(t, cpolr.Results, expectedResults)
assert.Equal(t, cpolr.Summary.Pass, 0)
@ -261,7 +260,7 @@ func TestComputePolicyReportResult(t *testing.T) {
Source: "kyverno",
Policy: "pod-requirements",
Rule: "xxx",
Result: policyreportv1alpha2.StatusError,
Result: policyreportv1alpha2.StatusWarn,
Resources: []corev1.ObjectReference{{}},
Message: "test",
Scored: true,
@ -280,6 +279,46 @@ func TestComputePolicyReportResult(t *testing.T) {
}
}
func TestPSSComputePolicyReportResult(t *testing.T) {
policies, _, _, err := policy.Load(nil, "", "../_testdata/policies/restricted.yaml")
assert.NilError(t, err)
assert.Equal(t, len(policies), 1)
policy := policies[0]
tests := []struct {
name string
auditWarn bool
engineResponse engineapi.EngineResponse
ruleResponse engineapi.RuleResponse
want policyreportv1alpha2.PolicyReportResult
}{{
name: "fail",
auditWarn: false,
engineResponse: engineapi.NewEngineResponse(unstructured.Unstructured{}, engineapi.NewKyvernoPolicy(policy), nil),
ruleResponse: *engineapi.RuleFail("xxx", engineapi.Mutation, "test"),
want: policyreportv1alpha2.PolicyReportResult{
Source: "kyverno",
Policy: "psa",
Rule: "xxx",
Result: policyreportv1alpha2.StatusFail,
Resources: []corev1.ObjectReference{{}},
Message: "test",
Scored: true,
Category: "Pod Security Standards (Restricted)",
Severity: policyreportv1alpha2.SeverityMedium,
Properties: nil,
},
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := ComputePolicyReportResult(tt.auditWarn, tt.engineResponse, tt.ruleResponse)
got.Timestamp = metav1.Timestamp{}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("ComputePolicyReportResult() = %v, want %v", got, tt.want)
}
})
}
}
func TestComputePolicyReportResultsPerPolicy(t *testing.T) {
tests := []struct {
name string

View file

@ -12,6 +12,7 @@ import (
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/tools/cache"
)
@ -86,72 +87,76 @@ func SeverityFromString(severity string) policyreportv1alpha2.PolicySeverity {
return ""
}
func EngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult {
pol := response.Policy()
var results []policyreportv1alpha2.PolicyReportResult
if pol.GetType() == engineapi.KyvernoPolicyType {
key, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
for _, ruleResult := range response.PolicyResponse.Rules {
annotations := pol.GetAnnotations()
result := policyreportv1alpha2.PolicyReportResult{
Source: kyverno.ValueKyvernoApp,
Policy: key,
Rule: ruleResult.Name(),
Message: ruleResult.Message(),
Result: toPolicyResult(ruleResult.Status()),
Scored: annotations[kyverno.AnnotationPolicyScored] != "false",
Timestamp: metav1.Timestamp{
Seconds: time.Now().Unix(),
},
Category: annotations[kyverno.AnnotationPolicyCategory],
Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]),
}
if ruleResult.Exception() != nil {
result.Properties = map[string]string{
"exception": ruleResult.Exception().Name,
}
}
pss := ruleResult.PodSecurityChecks()
if pss != nil {
var controls []string
for _, check := range pss.Checks {
if !check.CheckResult.Allowed {
controls = append(controls, check.ID)
}
}
if len(controls) > 0 {
sort.Strings(controls)
result.Properties = map[string]string{
"standard": string(pss.Level),
"version": pss.Version,
"controls": strings.Join(controls, ","),
}
}
}
if result.Result == "fail" && !result.Scored {
result.Result = "warn"
}
results = append(results, result)
}
} else {
for _, ruleResult := range response.PolicyResponse.Rules {
result := policyreportv1alpha2.PolicyReportResult{
Source: "ValidatingAdmissionPolicy",
Policy: ruleResult.Name(),
Message: ruleResult.Message(),
Result: toPolicyResult(ruleResult.Status()),
Timestamp: metav1.Timestamp{
Seconds: time.Now().Unix(),
},
}
if ruleResult.ValidatingAdmissionPolicyBinding() != nil {
result.Properties = map[string]string{
"binding": ruleResult.ValidatingAdmissionPolicyBinding().Name,
}
}
results = append(results, result)
func addProperty(k, v string, result *policyreportv1alpha2.PolicyReportResult) {
if result.Properties == nil {
result.Properties = map[string]string{}
}
result.Properties[k] = v
}
func ToPolicyReportResult(policyType engineapi.PolicyType, policyName string, ruleResult engineapi.RuleResponse, annotations map[string]string, resource *corev1.ObjectReference) policyreportv1alpha2.PolicyReportResult {
result := policyreportv1alpha2.PolicyReportResult{
Source: kyverno.ValueKyvernoApp,
Policy: policyName,
Rule: ruleResult.Name(),
Message: ruleResult.Message(),
Result: toPolicyResult(ruleResult.Status()),
Scored: annotations[kyverno.AnnotationPolicyScored] != "false",
Timestamp: metav1.Timestamp{
Seconds: time.Now().Unix(),
},
Category: annotations[kyverno.AnnotationPolicyCategory],
Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]),
}
if result.Result == "fail" && !result.Scored {
result.Result = "warn"
}
if resource != nil {
result.Resources = []corev1.ObjectReference{
*resource,
}
}
if ruleResult.Exception() != nil {
addProperty("exception", ruleResult.Exception().Name, &result)
}
pss := ruleResult.PodSecurityChecks()
if pss != nil && len(pss.Checks) > 0 {
var controls []string
for _, check := range pss.Checks {
if !check.CheckResult.Allowed {
controls = append(controls, check.ID)
}
}
if len(controls) > 0 {
sort.Strings(controls)
addProperty("standard", string(pss.Level), &result)
addProperty("version", pss.Version, &result)
addProperty("controls", strings.Join(controls, ","), &result)
}
}
if policyType == engineapi.ValidatingAdmissionPolicyType {
result.Source = "ValidatingAdmissionPolicy"
result.Policy = ruleResult.Name()
if ruleResult.ValidatingAdmissionPolicyBinding() != nil {
addProperty("binding", ruleResult.ValidatingAdmissionPolicyBinding().Name, &result)
}
}
return result
}
func EngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult {
pol := response.Policy()
policyName, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
policyType := pol.GetType()
annotations := pol.GetAnnotations()
var results []policyreportv1alpha2.PolicyReportResult
for _, ruleResult := range response.PolicyResponse.Rules {
result := ToPolicyReportResult(policyType, policyName, ruleResult, annotations, nil)
results = append(results, result)
}
return results
}