mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
[Bug] [CLI] PSS report does not show properties with control details (#9785)
* add properties in pss report Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove tests Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix lint Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore: move chainsaw config at the root of the repo (#9768) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump svenstaro/upload-release-action from 2.7.0 to 2.9.0 (#9767) Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.7.0 to 2.9.0. - [Release notes](https://github.com/svenstaro/upload-release-action/releases) - [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md) - [Commits](1beeb572c1...04733e069f
) --- updated-dependencies: - dependency-name: svenstaro/upload-release-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fill properties field in test Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unwanted folders Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remote gitpod file Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: remove unnecessary podSecurity chainsaw test (#9791) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: remove unnecessary validation check for podSecurity rule (#9790) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update versions (#9783) Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore: add tests for exceptions in the CLI (#9781) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/otel/sdk/metric (#9799) Bumps [go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc (#9797) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump codecov/codecov-action from 4.0.1 to 4.0.2 (#9794) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](e0b68c6749...0cfda1dd0a
) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/otel/exporters/prometheus (#9796) Bumps [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) from 0.45.2 to 0.46.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/example/prometheus/v0.45.2...example/prometheus/v0.46.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace (#9795) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * changes Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#9798) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump codecov/codecov-action from 4.0.2 to 4.1.0 (#9811) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.0.2 to 4.1.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](0cfda1dd0a...54bcd8715e
) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#9809) Bumps [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) from 0.48.0 to 0.49.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.48.0...zpages/v0.49.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump golang.org/x/crypto from 0.19.0 to 0.20.0 (#9810) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.19.0 to 0.20.0. - [Commits](https://github.com/golang/crypto/compare/v0.19.0...v0.20.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix lint Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix(globalcontext): old WaitGroup not stopping (#9813) * fix(globalcontext): old waitgroup not stopping Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * chore(globalcontext): add AGE Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * feat(globalcontext): add lastRefreshTime Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * fix(globalcontext): unhandled intormer run exception Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * chore(globalcontext): comment wording Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * chore(globalcontext): codegen Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * fix(globalcontext): linter Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> --------- Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add empty declaration of properties Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add changes Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: add podSecurity validation checks for exceptions (#9817) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 (#9825) Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#9821) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#9823) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump kyverno/action-install-chainsaw from 0.1.6 to 0.1.7 (#9832) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.1.6 to 0.1.7. - [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](204730d723...3bf0752f44
) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#9831) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.17.0 to 0.18.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](84384bd6e7...062f259268
) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#9830) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * [Bug] [CLI] Restore warn-exit-code functionality for apply command (#9828) * Restore warn-exite-code functionality for apply command Signed-off-by: Matt Veitas <mveitas@gmail.com> * Nove error handling Signed-off-by: Matt Veitas <mveitas@gmail.com> * Uncomment println statement Signed-off-by: Matt Veitas <mveitas@gmail.com> * Fixing linting Signed-off-by: Matt Veitas <mveitas@gmail.com> * Adding conformance tets for cli apply command with warn-exit-code Signed-off-by: Matt Veitas <mveitas@gmail.com> * Update path to kubectl-kyverno binary Signed-off-by: Matt Veitas <mveitas@gmail.com> * Add prepare-cli as needed dependency Signed-off-by: Matt Veitas <mveitas@gmail.com> * feat: install kubectl-kyverno in standard conformance tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: update chainsaw config Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: move CLI chainsaw tests to a separate action Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: CLI path Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: name Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: add chainsaw flag '--no-cluster' Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: CLI name Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: Matt Veitas <mveitas@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: shuting <shuting@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#9822) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove comment and shift line 91 Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * modify test Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * added rseperate function for adding properties in result Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for pss report Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove comments Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: remove duplicate chainsaw tests for PSA (#9835) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * modify policy Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * modify policy in test_dta Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * docs: Add new adopter to ADOPTERS.md (#9841) Signed-off-by: Younsung Lee <cysl@kakao.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: use gcr crane opts while fetching image descriptors (#9838) Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: add missing unit tests for podSecurity.hostpathVolume check (#9845) * fix: add missing unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: update pinned lib Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: uncomment code Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: release CRDs manifests (#9849) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#9842) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.4 to 1.9.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.4...v1.9.0) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix name access for policy types Signed-off-by: Jim Bugwadia <jim@nirmata.com> * modify pkg report Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * modify name Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add bindings Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Revert "add bindings" This reverts commit c616c11d9bb4dd0554104025fcfb9cf9e25dc02d. Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert add bindings Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update chainsaw Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update name Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Revert "update name" This reverts commit 84de45b4ce1c5f94d8cbd0a66e893c7907f4a600. Signed-off-by: Jim Bugwadia <jim@nirmata.com> * simplify results Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Suruchi Kumari <suruchikumarimfp4@gmail.com> Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Signed-off-by: Matt Veitas <mveitas@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: shuting <shuting@nirmata.com> Signed-off-by: Younsung Lee <cysl@kakao.com> Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: Matt Veitas <mveitas@gmail.com> Co-authored-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Younsung Lee <cysl@kakao.com> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
This commit is contained in:
parent
2656e62c4d
commit
26df05d8c1
5 changed files with 156 additions and 112 deletions
|
@ -1,7 +1,7 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Configuration
|
||||
metadata:
|
||||
name: congiguration
|
||||
name: configuration
|
||||
spec:
|
||||
timeouts:
|
||||
assert: 90s
|
||||
|
|
23
cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml
Normal file
23
cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml
Normal file
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
policies.kyverno.io/category: Pod Security Standards (Restricted)
|
||||
policies.kyverno.io/severity: medium
|
||||
name: psa
|
||||
spec:
|
||||
background: true
|
||||
rules:
|
||||
- name: restricted
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
podSecurity:
|
||||
level: restricted
|
||||
version: latest
|
||||
validationFailureAction: Audit
|
|
@ -1,9 +1,7 @@
|
|||
package report
|
||||
|
||||
import (
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy/annotations"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
reportutils "github.com/kyverno/kyverno/pkg/utils/report"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
|
@ -13,47 +11,26 @@ import (
|
|||
|
||||
func ComputePolicyReportResult(auditWarn bool, engineResponse engineapi.EngineResponse, ruleResponse engineapi.RuleResponse) policyreportv1alpha2.PolicyReportResult {
|
||||
policy := engineResponse.Policy()
|
||||
policyType := policy.GetType()
|
||||
policyName := cache.MetaObjectToName(policy.MetaObject()).String()
|
||||
audit := engineResponse.GetValidationFailureAction().Audit()
|
||||
scored := annotations.Scored(policy.GetAnnotations())
|
||||
category := annotations.Category(policy.GetAnnotations())
|
||||
severity := annotations.Severity(policy.GetAnnotations())
|
||||
result := policyreportv1alpha2.PolicyReportResult{
|
||||
Policy: policyName,
|
||||
Resources: []corev1.ObjectReference{
|
||||
{
|
||||
Kind: engineResponse.Resource.GetKind(),
|
||||
Namespace: engineResponse.Resource.GetNamespace(),
|
||||
APIVersion: engineResponse.Resource.GetAPIVersion(),
|
||||
Name: engineResponse.Resource.GetName(),
|
||||
UID: engineResponse.Resource.GetUID(),
|
||||
},
|
||||
},
|
||||
Scored: scored,
|
||||
Category: category,
|
||||
Severity: severity,
|
||||
resource := engineResponse.Resource
|
||||
resorceRef := &corev1.ObjectReference{
|
||||
Kind: resource.GetKind(),
|
||||
Name: resource.GetName(),
|
||||
Namespace: resource.GetNamespace(),
|
||||
UID: resource.GetUID(),
|
||||
APIVersion: resource.GetAPIVersion(),
|
||||
ResourceVersion: resource.GetResourceVersion(),
|
||||
}
|
||||
if ruleResponse.Status() == engineapi.RuleStatusSkip {
|
||||
result.Result = policyreportv1alpha2.StatusSkip
|
||||
} else if ruleResponse.Status() == engineapi.RuleStatusError {
|
||||
result.Result = policyreportv1alpha2.StatusError
|
||||
} else if ruleResponse.Status() == engineapi.RuleStatusPass {
|
||||
result.Result = policyreportv1alpha2.StatusPass
|
||||
} else if ruleResponse.Status() == engineapi.RuleStatusFail {
|
||||
if !scored || (audit && auditWarn) {
|
||||
|
||||
result := reportutils.ToPolicyReportResult(policyType, policyName, ruleResponse, policy.GetAnnotations(), resorceRef)
|
||||
if result.Result == policyreportv1alpha2.StatusFail {
|
||||
audit := engineResponse.GetValidationFailureAction().Audit()
|
||||
if audit && auditWarn {
|
||||
result.Result = policyreportv1alpha2.StatusWarn
|
||||
} else {
|
||||
result.Result = policyreportv1alpha2.StatusFail
|
||||
}
|
||||
} else {
|
||||
result.Result = policyreportv1alpha2.StatusError
|
||||
}
|
||||
if policy.GetType() == engineapi.KyvernoPolicyType {
|
||||
result.Rule = ruleResponse.Name()
|
||||
}
|
||||
result.Message = ruleResponse.Message()
|
||||
result.Source = kyverno.ValueKyvernoApp
|
||||
result.Timestamp = metav1.Timestamp{Seconds: ruleResponse.Stats().Timestamp()}
|
||||
|
||||
return result
|
||||
}
|
||||
|
||||
|
|
|
@ -5,7 +5,6 @@ import (
|
|||
"testing"
|
||||
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
report "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"gotest.tools/assert"
|
||||
|
@ -120,7 +119,7 @@ func TestMergeClusterReport(t *testing.T) {
|
|||
clustered := []policyreportv1alpha2.ClusterPolicyReport{{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: "ClusterPolicyReport",
|
||||
APIVersion: report.SchemeGroupVersion.String(),
|
||||
APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(),
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "cpolr-4",
|
||||
|
@ -128,13 +127,13 @@ func TestMergeClusterReport(t *testing.T) {
|
|||
Results: []policyreportv1alpha2.PolicyReportResult{
|
||||
{
|
||||
Policy: "cpolr-4",
|
||||
Result: report.StatusFail,
|
||||
Result: policyreportv1alpha2.StatusFail,
|
||||
},
|
||||
},
|
||||
}, {
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: "ClusterPolicyReport",
|
||||
APIVersion: report.SchemeGroupVersion.String(),
|
||||
APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(),
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "cpolr-5",
|
||||
|
@ -142,19 +141,19 @@ func TestMergeClusterReport(t *testing.T) {
|
|||
Results: []policyreportv1alpha2.PolicyReportResult{
|
||||
{
|
||||
Policy: "cpolr-5",
|
||||
Result: report.StatusFail,
|
||||
Result: policyreportv1alpha2.StatusFail,
|
||||
},
|
||||
},
|
||||
}}
|
||||
expectedResults := []policyreportv1alpha2.PolicyReportResult{{
|
||||
Policy: "cpolr-4",
|
||||
Result: report.StatusFail,
|
||||
Result: policyreportv1alpha2.StatusFail,
|
||||
}, {
|
||||
Policy: "cpolr-5",
|
||||
Result: report.StatusFail,
|
||||
Result: policyreportv1alpha2.StatusFail,
|
||||
}}
|
||||
cpolr := MergeClusterReports(clustered)
|
||||
assert.Equal(t, cpolr.APIVersion, report.SchemeGroupVersion.String())
|
||||
assert.Equal(t, cpolr.APIVersion, policyreportv1alpha2.SchemeGroupVersion.String())
|
||||
assert.Equal(t, cpolr.Kind, "ClusterPolicyReport")
|
||||
assert.DeepEqual(t, cpolr.Results, expectedResults)
|
||||
assert.Equal(t, cpolr.Summary.Pass, 0)
|
||||
|
@ -261,7 +260,7 @@ func TestComputePolicyReportResult(t *testing.T) {
|
|||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusError,
|
||||
Result: policyreportv1alpha2.StatusWarn,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
|
@ -280,6 +279,46 @@ func TestComputePolicyReportResult(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestPSSComputePolicyReportResult(t *testing.T) {
|
||||
policies, _, _, err := policy.Load(nil, "", "../_testdata/policies/restricted.yaml")
|
||||
assert.NilError(t, err)
|
||||
assert.Equal(t, len(policies), 1)
|
||||
policy := policies[0]
|
||||
tests := []struct {
|
||||
name string
|
||||
auditWarn bool
|
||||
engineResponse engineapi.EngineResponse
|
||||
ruleResponse engineapi.RuleResponse
|
||||
want policyreportv1alpha2.PolicyReportResult
|
||||
}{{
|
||||
name: "fail",
|
||||
auditWarn: false,
|
||||
engineResponse: engineapi.NewEngineResponse(unstructured.Unstructured{}, engineapi.NewKyvernoPolicy(policy), nil),
|
||||
ruleResponse: *engineapi.RuleFail("xxx", engineapi.Mutation, "test"),
|
||||
want: policyreportv1alpha2.PolicyReportResult{
|
||||
Source: "kyverno",
|
||||
Policy: "psa",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusFail,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
Properties: nil,
|
||||
},
|
||||
}}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got := ComputePolicyReportResult(tt.auditWarn, tt.engineResponse, tt.ruleResponse)
|
||||
got.Timestamp = metav1.Timestamp{}
|
||||
if !reflect.DeepEqual(got, tt.want) {
|
||||
t.Errorf("ComputePolicyReportResult() = %v, want %v", got, tt.want)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestComputePolicyReportResultsPerPolicy(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
|
|
|
@ -12,6 +12,7 @@ import (
|
|||
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
)
|
||||
|
@ -86,72 +87,76 @@ func SeverityFromString(severity string) policyreportv1alpha2.PolicySeverity {
|
|||
return ""
|
||||
}
|
||||
|
||||
func EngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult {
|
||||
pol := response.Policy()
|
||||
var results []policyreportv1alpha2.PolicyReportResult
|
||||
if pol.GetType() == engineapi.KyvernoPolicyType {
|
||||
key, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
|
||||
for _, ruleResult := range response.PolicyResponse.Rules {
|
||||
annotations := pol.GetAnnotations()
|
||||
result := policyreportv1alpha2.PolicyReportResult{
|
||||
Source: kyverno.ValueKyvernoApp,
|
||||
Policy: key,
|
||||
Rule: ruleResult.Name(),
|
||||
Message: ruleResult.Message(),
|
||||
Result: toPolicyResult(ruleResult.Status()),
|
||||
Scored: annotations[kyverno.AnnotationPolicyScored] != "false",
|
||||
Timestamp: metav1.Timestamp{
|
||||
Seconds: time.Now().Unix(),
|
||||
},
|
||||
Category: annotations[kyverno.AnnotationPolicyCategory],
|
||||
Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]),
|
||||
}
|
||||
if ruleResult.Exception() != nil {
|
||||
result.Properties = map[string]string{
|
||||
"exception": ruleResult.Exception().Name,
|
||||
}
|
||||
}
|
||||
pss := ruleResult.PodSecurityChecks()
|
||||
if pss != nil {
|
||||
var controls []string
|
||||
for _, check := range pss.Checks {
|
||||
if !check.CheckResult.Allowed {
|
||||
controls = append(controls, check.ID)
|
||||
}
|
||||
}
|
||||
if len(controls) > 0 {
|
||||
sort.Strings(controls)
|
||||
result.Properties = map[string]string{
|
||||
"standard": string(pss.Level),
|
||||
"version": pss.Version,
|
||||
"controls": strings.Join(controls, ","),
|
||||
}
|
||||
}
|
||||
}
|
||||
if result.Result == "fail" && !result.Scored {
|
||||
result.Result = "warn"
|
||||
}
|
||||
results = append(results, result)
|
||||
}
|
||||
} else {
|
||||
for _, ruleResult := range response.PolicyResponse.Rules {
|
||||
result := policyreportv1alpha2.PolicyReportResult{
|
||||
Source: "ValidatingAdmissionPolicy",
|
||||
Policy: ruleResult.Name(),
|
||||
Message: ruleResult.Message(),
|
||||
Result: toPolicyResult(ruleResult.Status()),
|
||||
Timestamp: metav1.Timestamp{
|
||||
Seconds: time.Now().Unix(),
|
||||
},
|
||||
}
|
||||
if ruleResult.ValidatingAdmissionPolicyBinding() != nil {
|
||||
result.Properties = map[string]string{
|
||||
"binding": ruleResult.ValidatingAdmissionPolicyBinding().Name,
|
||||
}
|
||||
}
|
||||
results = append(results, result)
|
||||
func addProperty(k, v string, result *policyreportv1alpha2.PolicyReportResult) {
|
||||
if result.Properties == nil {
|
||||
result.Properties = map[string]string{}
|
||||
}
|
||||
|
||||
result.Properties[k] = v
|
||||
}
|
||||
|
||||
func ToPolicyReportResult(policyType engineapi.PolicyType, policyName string, ruleResult engineapi.RuleResponse, annotations map[string]string, resource *corev1.ObjectReference) policyreportv1alpha2.PolicyReportResult {
|
||||
result := policyreportv1alpha2.PolicyReportResult{
|
||||
Source: kyverno.ValueKyvernoApp,
|
||||
Policy: policyName,
|
||||
Rule: ruleResult.Name(),
|
||||
Message: ruleResult.Message(),
|
||||
Result: toPolicyResult(ruleResult.Status()),
|
||||
Scored: annotations[kyverno.AnnotationPolicyScored] != "false",
|
||||
Timestamp: metav1.Timestamp{
|
||||
Seconds: time.Now().Unix(),
|
||||
},
|
||||
Category: annotations[kyverno.AnnotationPolicyCategory],
|
||||
Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]),
|
||||
}
|
||||
if result.Result == "fail" && !result.Scored {
|
||||
result.Result = "warn"
|
||||
}
|
||||
if resource != nil {
|
||||
result.Resources = []corev1.ObjectReference{
|
||||
*resource,
|
||||
}
|
||||
}
|
||||
if ruleResult.Exception() != nil {
|
||||
addProperty("exception", ruleResult.Exception().Name, &result)
|
||||
}
|
||||
pss := ruleResult.PodSecurityChecks()
|
||||
if pss != nil && len(pss.Checks) > 0 {
|
||||
var controls []string
|
||||
for _, check := range pss.Checks {
|
||||
if !check.CheckResult.Allowed {
|
||||
controls = append(controls, check.ID)
|
||||
}
|
||||
}
|
||||
if len(controls) > 0 {
|
||||
sort.Strings(controls)
|
||||
addProperty("standard", string(pss.Level), &result)
|
||||
addProperty("version", pss.Version, &result)
|
||||
addProperty("controls", strings.Join(controls, ","), &result)
|
||||
}
|
||||
}
|
||||
if policyType == engineapi.ValidatingAdmissionPolicyType {
|
||||
result.Source = "ValidatingAdmissionPolicy"
|
||||
result.Policy = ruleResult.Name()
|
||||
if ruleResult.ValidatingAdmissionPolicyBinding() != nil {
|
||||
addProperty("binding", ruleResult.ValidatingAdmissionPolicyBinding().Name, &result)
|
||||
}
|
||||
}
|
||||
return result
|
||||
}
|
||||
|
||||
func EngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult {
|
||||
pol := response.Policy()
|
||||
policyName, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
|
||||
policyType := pol.GetType()
|
||||
annotations := pol.GetAnnotations()
|
||||
|
||||
var results []policyreportv1alpha2.PolicyReportResult
|
||||
for _, ruleResult := range response.PolicyResponse.Rules {
|
||||
result := ToPolicyReportResult(policyType, policyName, ruleResult, annotations, nil)
|
||||
results = append(results, result)
|
||||
}
|
||||
|
||||
return results
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue