mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-14 11:48:53 +00:00
Code Activity

Merge branch 'master' of https://github.com/nirmata/kyverno into hotfix/remove-arm

Browse source
This commit is contained in:
Yuvraj 2020-06-18 15:00:20 +00:00
commit 2ed9507b94
31 changed files with 2891 additions and 1352 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.codeclimate.yml
View file

@ -12,7 +12,7 @@ ratings:
exclude_paths: exclude_paths:
- documentation/ - documentation/
- charts
- definitions - definitions
- gh-pages
- samples - samples
- scripts - scripts

50
.github/PULL_REQUEST_TEMPLATE.md vendored Normal file
View file

@ -0,0 +1,50 @@
## Related issue
<!--
Please link the GitHub issue this pull request resolves in the format of `#1234`. If you discussed this change
with a maintainer, please mention her/him using the `@` syntax (e.g. `@JimBugwadia`).
If this change neither resolves an existing issue nor has sign-off from one of the maintainers, there is a
chance substantial changes will be requested or that the changes will be rejected.
You can discuss changes with maintainers in the [Kyvrno Slack Channel](https://kubernetes.slack.com/).
-->
**What type of PR is this?**
<!--
> Uncomment only one ` /kind <>` line, hit enter to put that in a new line, and remove leading whitespaces from that line:
>
> /kind api-change
> /kind bug
> /kind cleanup
> /kind design
> /kind documentation
> /kind failing-test
> /kind feature
-->
## Proposed changes
<!--
Describe the big picture of your changes here to communicate to the maintainers why we should accept this pull request.
-->
## Checklist
<!--
Put an `x` in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of
them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.
-->
- [ ] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md).
- [ ] I have added tests that prove my fix is effective or that my feature
works.
- [ ] I have added or changed [the documentation](documentation/).
## Further comments
<!--
If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution
you did and what alternatives you considered, etc...
-->

21
.github/PULL_REQUEST_TEMPLATE/pull_request_template.md vendored
View file

@ -1,21 +0,0 @@
**What type of PR is this?**
> Uncomment only one ` /kind <>` line, hit enter to put that in a new line, and remove leading whitespaces from that line:
>
> /kind api-change
> /kind bug
> /kind cleanup
> /kind design
> /kind documentation
> /kind failing-test
> /kind feature
**What this PR does / why we need it**:
**Which issue(s) this PR fixes**:
<!--
*Automatically closes linked issue when PR is merged.
Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
_-->
Fixes #
**Special notes for your reviewer**:

17
.github/semantic.yml vendored Normal file
View file

@ -0,0 +1,17 @@
titleOnly: true
commitsOnly: false
titleAndCommits: false
types:
- feat
- fix
- revert
- docs
- style
- refactor
- test
- build
- autogen
- security
- ci
- chore

45
.github/workflows/helm-release.yaml vendored
View file

@ -1,45 +0,0 @@
name: helm-package
on:
push:
tags:
- "*"
paths:
- 'charts/kyverno/**'
env:
HELM_CHART_URL: "https://nirmata.github.io/kyverno/helm-charts/"
jobs:
release:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
persist-credentials: false
- name: Install Helm
run: |
curl -sSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get
chmod 700 get_helm.sh
./get_helm.sh
helm init --client-only
- name: Check Chart Version
run: |
helm repo add evalsocket ${{ env.HELM_CHART_URL }} || (echo "Kyverno Repository not available")
helm search nirmata/kyverno --version `cat charts/kyverno/Chart.yaml | grep '^version: [[:alnum:]]' | awk '{print $2}'` > HELM_CHART_STATUS.txt
HELM_CHART_STATUS=`cat HELM_CHART_STATUS.txt`
if [ "${HELM_CHART_STATUS}" != 'No results found' ]; then
echo 'Version already exist, impossible to continue...'
exit 1
fi
- name: Check sintax
run: helm lint charts/kyverno/
- name: Create package
run: |
mkdir -p output/helm-charts/
helm package charts/kyverno/ -d output/helm-charts/
- name: Release
uses: JamesIves/github-pages-deploy-action@releases/v3
with:
ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }}
BRANCH: gh-pages
FOLDER: output

13
.github/workflows/release.yaml vendored
View file

@ -1,9 +1,9 @@
name: releaser name: prereleaser
on: on:
push: push:
tags: tags:
jobs: jobs:
releaser: releaser:
@ -20,6 +20,7 @@ jobs:
uses: actions/setup-go@v2 uses: actions/setup-go@v2
with: with:
go-version: 1.14 go-version: 1.14
- uses: creekorful/goreportcard-action@v1.0
- -
name: Run GoReleaser name: Run GoReleaser
uses: goreleaser/goreleaser-action@v2 uses: goreleaser/goreleaser-action@v2
@ -28,4 +29,12 @@ jobs:
args: release --rm-dist args: release --rm-dist
env: env:
GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }} GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
- uses: J12934/helm-gh-pages-action@master
name: Run Helm Publish
with:
access-token: ${{ secrets.ACCESS_TOKEN }}
deploy-branch: gh-pages
charts-folder: charts

19
.goreleaser.yml
View file

@ -1,9 +1,9 @@
project_name: kyverno project_name: kyverno-cli
before: before:
hooks: hooks:
- go mod download - go mod download
builds: builds:
- id: kyverno - id: kyverno-cli
main: cmd/cli/kubectl-kyverno/main.go main: cmd/cli/kubectl-kyverno/main.go
binary: kyverno binary: kyverno
env: env:
@ -16,16 +16,16 @@ builds:
- amd64 - amd64
goarm: [6, 7] goarm: [6, 7]
archives: archives:
- id: kyverno-archive - id: kyverno-cli-archive
name_template: |- name_template: |-
kyverno_{{ .Tag }}_{{ .Os }}_{{ .Arch -}} kyverno-cli_{{ .Tag }}_{{ .Os }}_{{ .Arch -}}
{{- with .Arm -}} {{- with .Arm -}}
{{- if (eq . "6") -}}hf {{- if (eq . "6") -}}hf
{{- else -}}v{{- . -}} {{- else -}}v{{- . -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
builds: builds:
- kyverno - kyverno-cli
replacements: replacements:
386: i386 386: i386
amd64: x86_64 amd64: x86_64
@ -38,3 +38,12 @@ checksum:
algorithm: sha256 algorithm: sha256
release: release:
prerelease: auto prerelease: auto
changelog:
sort: asc
filters:
# commit messages matching the regexp listed here will be removed from
# the changelog
exclude:
- '^docs:'
- typo

15
Makefile
View file

@ -113,4 +113,17 @@ code-cov-report: $(CODE_COVERAGE_FILE_TXT)
# transform to html format # transform to html format
@echo " generating code coverage report" @echo " generating code coverage report"
go tool cover -html=coverage.txt go tool cover -html=coverage.txt
if [ -a $(CODE_COVERAGE_FILE_HTML) ]; then open $(CODE_COVERAGE_FILE_HTML); fi; if [ -a $(CODE_COVERAGE_FILE_HTML) ]; then open $(CODE_COVERAGE_FILE_HTML); fi;
# godownloader create downloading script for kyverno-cli
godownloader:
godownloader .goreleaser.yml --repo nirmata/kyverno -o ./scripts/install-cli.sh --source="raw"
# kustomize-crd will create install.yaml
kustomize-crd:
# Create CRD for helm deployment Helm
kustomize build ./definitions/crds > ./charts/kyverno/crds/crds.yaml
# Generate install.yaml that have all resources for kyverno
kustomize build ./definitions > ./definitions/install.yaml
# Generate install_debug.yaml that for developer testing
kustomize build ./definitions/debug > ./definitions/install_debug.yaml

11
README.md
View file

@ -20,7 +20,16 @@ Mutating policies can be written as overlays (similar to [Kustomize](https://kub
Policy enforcement is captured using Kubernetes events. Kyverno also reports policy violations for existing resources. Policy enforcement is captured using Kubernetes events. Kyverno also reports policy violations for existing resources.
**NOTE** : Your Kubernetes server must be at or later than version v1.14. To check the version, enter kubectl version. **NOTE** : Your Kubernetes cluster version must be above v1.14 which adds webook timeouts. To check the version, enter `kubectl version`.
## Quick Start
Install Kyverno:
```console
kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
```
You can also install using the [Helm chart](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#install-kyverno-using-helm). As a next step, import [sample policies](https://github.com/nirmata/kyverno/blob/master/samples/README.md) and learn about [writing policies](https://github.com/nirmata/kyverno/blob/master/documentation/writing-policies.md). You can test policies using the [Kyverno cli](https://github.com/nirmata/kyverno/blob/master/documentation/kyverno-cli.md). See [docs](https://github.com/nirmata/kyverno/#documentation) for more details.
## Examples ## Examples

4
charts/kyverno/Chart.yaml
View file

@ -1,7 +1,7 @@
apiVersion: v1 apiVersion: v1
name: kyverno name: kyverno
version: 0.0.1 version: 1.1.6
appVersion: v1.1.5 appVersion: v1.1.6
description: Kubernetes Native Policy Management description: Kubernetes Native Policy Management
keywords: keywords:
- kubernetes - kubernetes

18
charts/kyverno/README.md
View file

@ -3,7 +3,7 @@
[Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine. It allows you to [Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine. It allows you to
* Manage policies as Kubernetes resources. * Manage policies as Kubernetes resources.
* Validate, mutate, and generate configurations. * Validate, mutate, and generate configurations for any resource.
* Select resources based on labels and wildcards. * Select resources based on labels and wildcards.
* View policy enforcement as events. * View policy enforcement as events.
* Detect policy violations for existing resources. * Detect policy violations for existing resources.
@ -12,12 +12,10 @@
```console ```console
## Add the nirmata Helm repository ## Add the nirmata Helm repository
$ helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/ $ helm repo add kyverno https://nirmata.github.io/kyverno
## Install the kyverno helm chart ## Install the kyverno helm chart
$ helm install --name my-release --namespace kyverno nirmata/kyverno $ helm install kyverno --namespace kyverno kyverno/kyverno
$ helm install --create-namespace -n kyverno kyverno ./charts/kyverno
``` ```
## Introduction ## Introduction
@ -29,12 +27,16 @@ This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.i
Kyverno makes assumptions about naming of namespaces and resources. Therefore, the chart must be installed with the default release name `kyverno` (default if --name is omitted) and in the namespace 'kyverno': Kyverno makes assumptions about naming of namespaces and resources. Therefore, the chart must be installed with the default release name `kyverno` (default if --name is omitted) and in the namespace 'kyverno':
```console ```console
$ helm install --namespace kyverno kyverno ./charts/kyverno $ helm install kyverno --namespace kyverno kyverno ./charts/kyverno
``` ```
Note that Helm by default expects the namespace to already exist before running helm install. If you want Helm to create the namespace, add --create-namespace to the command. Note that Helm by default expects the namespace to already exist before running helm install. Create the namespace using:
The command deploys kyverno on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. ```console
$ kubectl create ns kyverno
```
The command deploys Kyverno on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
## Uninstalling the Chart ## Uninstalling the Chart

673
charts/kyverno/crds/crds.yaml
View file

@ -4,465 +4,464 @@ metadata:
name: clusterpolicies.kyverno.io name: clusterpolicies.kyverno.io
spec: spec:
group: kyverno.io group: kyverno.io
versions:
- name: v1
served: true
storage: true
scope: Cluster
names: names:
kind: ClusterPolicy kind: ClusterPolicy
plural: clusterpolicies plural: clusterpolicies
singular: clusterpolicy
shortNames: shortNames:
- cpol - cpol
singular: clusterpolicy
scope: Cluster
subresources: subresources:
status: {} status: {}
validation: validation:
openAPIV3Schema: openAPIV3Schema:
properties: properties:
status: {}
spec: spec:
required:
- rules
properties: properties:
# default values to be handled by user
validationFailureAction:
type: string
enum:
- enforce # blocks the resorce api-reques if a rule fails.
- audit # allows resource creation and reports the failed validation rules as violations. Default
background: background:
type: boolean type: boolean
rules: rules:
type: array
items: items:
type: object
required:
- name
- match
properties: properties:
name:
type: string
match:
type: object
required:
- resources
properties:
roles:
type: array
items:
type: string
clusterRoles:
type: array
items:
type: string
subjects:
type: array
items:
type: object
required:
- kind
- name
properties:
kind:
type: string
apiGroup:
type: string
name:
type: string
namespace:
type: string
resources:
type: object
minProperties: 1
properties:
kinds:
type: array
items:
type: string
name:
type: string
namespaces:
type: array
items:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
exclude: exclude:
type: object
properties: properties:
roles:
type: array
items:
type: string
clusterRoles: clusterRoles:
type: array
items: items:
type: string type: string
subjects:
type: array type: array
items:
type: object
required:
- kind
- name
properties:
kind:
type: string
apiGroup:
type: string
name:
type: string
namespace:
type: string
resources: resources:
type: object
properties: properties:
kinds: kinds:
type: array
items: items:
type: string type: string
type: array
name: name:
type: string type: string
namespaces: namespaces:
type: array
items: items:
type: string type: string
type: array
selector: selector:
properties: properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions: matchExpressions:
type: array
items: items:
type: object
required:
- key
- operator
properties: properties:
key: key:
type: string type: string
operator: operator:
type: string type: string
values: values:
type: array
items: items:
type: string type: string
preconditions: type: array
type: array required:
items: - key
type: object - operator
required: type: object
- key # can be of any type type: array
- operator # typed matchLabels:
- value # can be of any type additionalProperties:
mutate: type: string
type: object type: object
properties: type: object
overlay: roles:
AnyValue: {} items:
patches: type: string
type: array type: array
subjects:
items: items:
type: object
required:
- path
- op
properties: properties:
path: apiGroup:
type: string type: string
op: kind:
type: string type: string
enum: name:
- add type: string
- replace namespace:
- remove type: string
value: required:
AnyValue: {} - kind
validate: - name
type: object
type: array
type: object type: object
properties:
message:
type: string
pattern:
AnyValue: {}
anyPattern:
AnyValue: {}
deny:
properties:
conditions:
type: array
items:
type: object
required:
- key # can be of any type
- operator # typed
- value # can be of any type
properties:
operator:
type: string
enum:
- Equal
- Equals
- NotEqual
- NotEquals
key:
type: string
value:
type: string
generate: generate:
type: object
required:
- kind
- name
properties: properties:
clone:
properties:
name:
type: string
namespace:
type: string
required:
- namespace
- name
type: object
data:
AnyValue: {}
kind: kind:
type: string type: string
name: name:
type: string type: string
namespace: namespace:
type: string type: string
clone: required:
type: object - kind
required: - name
- namespace type: object
- name match:
properties:
clusterRoles:
items:
type: string
type: array
resources:
minProperties: 1
properties: properties:
namespace: kinds:
type: string items:
type: string
type: array
name: name:
type: string type: string
data: namespaces:
items:
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
type: array
required:
- resources
type: object
mutate:
properties:
overlay:
AnyValue: {} AnyValue: {}
patches:
items:
properties:
op:
enum:
- add
- replace
- remove
type: string
path:
type: string
value:
AnyValue: {}
required:
- path
- op
type: object
type: array
type: object
name:
type: string
preconditions:
items:
required:
- key
- operator
- value
type: object
type: array
validate:
properties:
anyPattern:
AnyValue: {}
deny:
properties:
conditions:
items:
properties:
key:
type: string
operator:
enum:
- Equal
- Equals
- NotEqual
- NotEquals
type: string
value:
type: string
required:
- key
- operator
- value
type: object
type: array
message:
type: string
pattern:
AnyValue: {}
type: object
required:
- name
- match
type: object
type: array
validationFailureAction:
enum:
- enforce
- audit
type: string
required:
- rules
status: {}
versions:
- name: v1
served: true
storage: true
--- ---
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: clusterpolicyviolations.kyverno.io name: clusterpolicyviolations.kyverno.io
spec: spec:
additionalPrinterColumns:
- JSONPath: .spec.policy
description: The policy that resulted in the violation
name: Policy
type: string
- JSONPath: .spec.resource.kind
description: The resource kind that cause the violation
name: ResourceKind
type: string
- JSONPath: .spec.resource.name
description: The resource name that caused the violation
name: ResourceName
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io group: kyverno.io
versions:
- name: v1
served: true
storage: true
scope: Cluster
names: names:
kind: ClusterPolicyViolation kind: ClusterPolicyViolation
plural: clusterpolicyviolations plural: clusterpolicyviolations
singular: clusterpolicyviolation
shortNames: shortNames:
- cpolv - cpolv
singular: clusterpolicyviolation
scope: Cluster
subresources: subresources:
status: {} status: {}
additionalPrinterColumns:
- name: Policy
type: string
description: The policy that resulted in the violation
JSONPath: .spec.policy
- name: ResourceKind
type: string
description: The resource kind that cause the violation
JSONPath: .spec.resource.kind
- name: ResourceName
type: string
description: The resource name that caused the violation
JSONPath: .spec.resource.name
- name: Age
type: date
JSONPath: .metadata.creationTimestamp
validation: validation:
openAPIV3Schema: openAPIV3Schema:
properties: properties:
spec: spec:
required:
- policy
- resource
- rules
properties: properties:
policy: policy:
type: string type: string
resource: resource:
type: object
required:
- kind
- name
properties: properties:
kind: kind:
type: string type: string
name: name:
type: string type: string
required:
- kind
- name
type: object
rules: rules:
type: array
items: items:
type: object
required:
- name
- type
- message
properties: properties:
message:
type: string
name: name:
type: string type: string
type: type:
type: string type: string
message: required:
type: string - name
--- - type
apiVersion: apiextensions.k8s.io/v1beta1 - message
kind: CustomResourceDefinition type: object
metadata: type: array
name: policyviolations.kyverno.io required:
spec: - policy
group: kyverno.io - resource
- rules
versions: versions:
- name: v1 - name: v1
served: true served: true
storage: true storage: true
scope: Namespaced
names:
kind: PolicyViolation
plural: policyviolations
singular: policyviolation
shortNames:
- polv
subresources:
status: {}
additionalPrinterColumns:
- name: Policy
type: string
description: The policy that resulted in the violation
JSONPath: .spec.policy
- name: ResourceKind
type: string
description: The resource kind that cause the violation
JSONPath: .spec.resource.kind
- name: ResourceName
type: string
description: The resource name that caused the violation
JSONPath: .spec.resource.name
- name: Age
type: date
JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
required:
- policy
- resource
- rules
properties:
policy:
type: string
resource:
type: object
required:
- kind
- name
properties:
kind:
type: string
name:
type: string
rules:
type: array
items:
type: object
required:
- name
- type
- message
properties:
name:
type: string
type:
type: string
message:
type: string
--- ---
apiVersion: apiextensions.k8s.io/v1beta1 apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
name: generaterequests.kyverno.io name: generaterequests.kyverno.io
spec: spec:
additionalPrinterColumns:
- JSONPath: .spec.policy
description: The policy that resulted in the violation
name: Policy
type: string
- JSONPath: .spec.resource.kind
description: The resource kind that cause the violation
name: ResourceKind
type: string
- JSONPath: .spec.resource.name
description: The resource name that caused the violation
name: ResourceName
type: string
- JSONPath: .spec.resource.namespace
description: The resource namespace that caused the violation
name: ResourceNamespace
type: string
- JSONPath: .status.state
description: Current state of generate request
name: status
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io group: kyverno.io
versions:
- name: v1
served: true
storage: true
scope: Namespaced
names: names:
kind: GenerateRequest kind: GenerateRequest
plural: generaterequests plural: generaterequests
singular: generaterequest
shortNames: shortNames:
- gr - gr
singular: generaterequest
scope: Namespaced
subresources: subresources:
status: {} status: {}
additionalPrinterColumns:
- name: Policy
type: string
description: The policy that resulted in the violation
JSONPath: .spec.policy
- name: ResourceKind
type: string
description: The resource kind that cause the violation
JSONPath: .spec.resource.kind
- name: ResourceName
type: string
description: The resource name that caused the violation
JSONPath: .spec.resource.name
- name: ResourceNamespace
type: string
description: The resource namespace that caused the violation
JSONPath: .spec.resource.namespace
- name: status
type : string
description: Current state of generate request
JSONPath: .status.state
- name: Age
type: date
JSONPath: .metadata.creationTimestamp
validation: validation:
openAPIV3Schema: openAPIV3Schema:
properties: properties:
spec: spec:
required:
- policy
- resource
properties: properties:
policy: policy:
type: string type: string
resource: resource:
type: object
required:
- kind
- name
properties: properties:
kind: kind:
type: string type: string
name: name:
type: string type: string
namespace: namespace:
type: string type: string
required:
- kind
- name
type: object
required:
- policy
- resource
versions:
- name: v1
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: policyviolations.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.policy
description: The policy that resulted in the violation
name: Policy
type: string
- JSONPath: .spec.resource.kind
description: The resource kind that cause the violation
name: ResourceKind
type: string
- JSONPath: .spec.resource.name
description: The resource name that caused the violation
name: ResourceName
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io
names:
kind: PolicyViolation
plural: policyviolations
shortNames:
- polv
singular: policyviolation
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
policy:
type: string
resource:
properties:
kind:
type: string
name:
type: string
required:
- kind
- name
type: object
rules:
items:
properties:
message:
type: string
name:
type: string
type:
type: string
required:
- name
- type
- message
type: object
type: array
required:
- policy
- resource
- rules
versions:
- name: v1
served: true
storage: true

468
definitions/crds/crds.yaml Normal file
View file

@ -0,0 +1,468 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
versions:
- name: v1
served: true
storage: true
scope: Cluster
names:
kind: ClusterPolicy
plural: clusterpolicies
singular: clusterpolicy
shortNames:
- cpol
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
status: {}
spec:
required:
- rules
properties:
# default values to be handled by user
validationFailureAction:
type: string
enum:
- enforce # blocks the resorce api-reques if a rule fails.
- audit # allows resource creation and reports the failed validation rules as violations. Default
background:
type: boolean
rules:
type: array
items:
type: object
required:
- name
- match
properties:
name:
type: string
match:
type: object
required:
- resources
properties:
roles:
type: array
items:
type: string
clusterRoles:
type: array
items:
type: string
subjects:
type: array
items:
type: object
required:
- kind
- name
properties:
kind:
type: string
apiGroup:
type: string
name:
type: string
namespace:
type: string
resources:
type: object
minProperties: 1
properties:
kinds:
type: array
items:
type: string
name:
type: string
namespaces:
type: array
items:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
exclude:
type: object
properties:
roles:
type: array
items:
type: string
clusterRoles:
type: array
items:
type: string
subjects:
type: array
items:
type: object
required:
- kind
- name
properties:
kind:
type: string
apiGroup:
type: string
name:
type: string
namespace:
type: string
resources:
type: object
properties:
kinds:
type: array
items:
type: string
name:
type: string
namespaces:
type: array
items:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
preconditions:
type: array
items:
type: object
required:
- key # can be of any type
- operator # typed
- value # can be of any type
mutate:
type: object
properties:
overlay:
AnyValue: {}
patches:
type: array
items:
type: object
required:
- path
- op
properties:
path:
type: string
op:
type: string
enum:
- add
- replace
- remove
value:
AnyValue: {}
validate:
type: object
properties:
message:
type: string
pattern:
AnyValue: {}
anyPattern:
AnyValue: {}
deny:
properties:
conditions:
type: array
items:
type: object
required:
- key # can be of any type
- operator # typed
- value # can be of any type
properties:
operator:
type: string
enum:
- Equal
- Equals
- NotEqual
- NotEquals
key:
type: string
value:
type: string
generate:
type: object
required:
- kind
- name
properties:
kind:
type: string
name:
type: string
namespace:
type: string
clone:
type: object
required:
- namespace
- name
properties:
namespace:
type: string
name:
type: string
data:
AnyValue: {}
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterpolicyviolations.kyverno.io
spec:
group: kyverno.io
versions:
- name: v1
served: true
storage: true
scope: Cluster
names:
kind: ClusterPolicyViolation
plural: clusterpolicyviolations
singular: clusterpolicyviolation
shortNames:
- cpolv
subresources:
status: {}
additionalPrinterColumns:
- name: Policy
type: string
description: The policy that resulted in the violation
JSONPath: .spec.policy
- name: ResourceKind
type: string
description: The resource kind that cause the violation
JSONPath: .spec.resource.kind
- name: ResourceName
type: string
description: The resource name that caused the violation
JSONPath: .spec.resource.name
- name: Age
type: date
JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
required:
- policy
- resource
- rules
properties:
policy:
type: string
resource:
type: object
required:
- kind
- name
properties:
kind:
type: string
name:
type: string
rules:
type: array
items:
type: object
required:
- name
- type
- message
properties:
name:
type: string
type:
type: string
message:
type: string
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: policyviolations.kyverno.io
spec:
group: kyverno.io
versions:
- name: v1
served: true
storage: true
scope: Namespaced
names:
kind: PolicyViolation
plural: policyviolations
singular: policyviolation
shortNames:
- polv
subresources:
status: {}
additionalPrinterColumns:
- name: Policy
type: string
description: The policy that resulted in the violation
JSONPath: .spec.policy
- name: ResourceKind
type: string
description: The resource kind that cause the violation
JSONPath: .spec.resource.kind
- name: ResourceName
type: string
description: The resource name that caused the violation
JSONPath: .spec.resource.name
- name: Age
type: date
JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
required:
- policy
- resource
- rules
properties:
policy:
type: string
resource:
type: object
required:
- kind
- name
properties:
kind:
type: string
name:
type: string
rules:
type: array
items:
type: object
required:
- name
- type
- message
properties:
name:
type: string
type:
type: string
message:
type: string
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: generaterequests.kyverno.io
spec:
group: kyverno.io
versions:
- name: v1
served: true
storage: true
scope: Namespaced
names:
kind: GenerateRequest
plural: generaterequests
singular: generaterequest
shortNames:
- gr
subresources:
status: {}
additionalPrinterColumns:
- name: Policy
type: string
description: The policy that resulted in the violation
JSONPath: .spec.policy
- name: ResourceKind
type: string
description: The resource kind that cause the violation
JSONPath: .spec.resource.kind
- name: ResourceName
type: string
description: The resource name that caused the violation
JSONPath: .spec.resource.name
- name: ResourceNamespace
type: string
description: The resource namespace that caused the violation
JSONPath: .spec.resource.namespace
- name: status
type : string
description: Current state of generate request
JSONPath: .status.state
- name: Age
type: date
JSONPath: .metadata.creationTimestamp
validation:
openAPIV3Schema:
properties:
spec:
required:
- policy
- resource
properties:
policy:
type: string
resource:
type: object
required:
- kind
- name
properties:
kind:
type: string
name:
type: string
namespace:
type: string

5
definitions/crds/kustomization.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./crds.yaml

6
definitions/debug/kustomization.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../crds/
- ../rbac/

1147
definitions/install.yaml
View file

File diff suppressed because it is too large Load diff

944
definitions/install_debug.yaml
View file

File diff suppressed because it is too large Load diff

7
definitions/kustomization.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./crds/
- ./manifest/
- ./rbac/

64
definitions/manifest/deployment.yaml Normal file
View file

@ -0,0 +1,64 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: kyverno
name: kyverno
labels:
app: kyverno
spec:
selector:
matchLabels:
app: kyverno
replicas: 1
template:
metadata:
labels:
app: kyverno
spec:
serviceAccountName: kyverno-service-account
initContainers:
- name: kyverno-pre
image: nirmata/kyvernopre:v1.1.6
containers:
- name: kyverno
image: nirmata/kyverno:v1.1.6
imagePullPolicy: Always
args:
- "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
# customize webhook timeout
#- "--webhooktimeout=4"
# enable profiling
# - "--profile"
- "-v=2"
ports:
- containerPort: 443
env:
- name: INIT_CONFIG
value: init-config
resources:
requests:
memory: "50Mi"
cpu: "100m"
limits:
memory: "128Mi"
livenessProbe:
httpGet:
path: /health/liveness
port: 443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 4
successThreshold: 1
readinessProbe:
httpGet:
path: /health/readiness
port: 443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 4
successThreshold: 1

5
definitions/manifest/kustomization.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./deployment.yaml

5
definitions/rbac/kustomization.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./rbac.yaml

266
definitions/rbac/rbac.yaml Normal file
View file

@ -0,0 +1,266 @@
---
kind: Namespace
apiVersion: v1
metadata:
name: "kyverno"
---
apiVersion: v1
kind: Service
metadata:
namespace: kyverno
name: kyverno-svc
labels:
app: kyverno
spec:
ports:
- port: 443
targetPort: 443
selector:
app: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:policyviolations
rules:
- apiGroups: ["kyverno.io"]
resources:
- policyviolations
verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:webhook
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:userinfo
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:userinfo
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:customresources
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:policycontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:policycontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno:generatecontroller
subjects:
- kind: ServiceAccount
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:webhook
rules:
# Dynamic creation of webhooks, events & certs
- apiGroups:
- '*'
resources:
- events
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- certificatesigningrequests
- certificatesigningrequests/approval
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
- certificatesigningrequests/approval
- certificatesigningrequests/status
resourceNames:
- kubernetes.io/legacy-unknown
verbs:
- create
- delete
- get
- update
- watch
- apiGroups:
- certificates.k8s.io
resources:
- signers
resourceNames:
- kubernetes.io/legacy-unknown
verbs:
- approve
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:userinfo
rules:
# get the roleRef for incoming api-request user
- apiGroups:
- "*"
resources:
- rolebindings
- clusterrolebindings
- configmaps
verbs:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:customresources
rules:
# Kyverno CRs
- apiGroups:
- '*'
resources:
- clusterpolicies
- clusterpolicies/status
- clusterpolicyviolations
- clusterpolicyviolations/status
- policyviolations
- policyviolations/status
- generaterequests
- generaterequests/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:policycontroller
rules:
# background processing, identify all existing resources
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:generatecontroller
rules:
# process generate rules to generate resources
- apiGroups:
- "*"
resources:
- namespaces
- networkpolicies
- secrets
- configmaps
- resourcequotas
- limitranges
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- create
- update
- delete
- get
# dynamic watches on trigger resources for generate rules
# re-evaluate the policy if the resource is updated
- apiGroups:
- '*'
resources:
- namespaces
verbs:
- watch
---
apiVersion: v1
kind: ConfigMap
metadata:
name: init-config
namespace: kyverno
data:
# resource types to be skipped by kyverno policy engine
resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:view-policyviolations
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["kyverno.io"]
resources:
- policyviolations
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: kyverno:view-clusterpolicyviolations
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["kyverno.io"]
resources:
- clusterpolicyviolations
verbs: ["get", "list", "watch"]

20
documentation/installation.md
View file

@ -7,15 +7,19 @@ You can install Kyverno using the Helm chart or YAML files in this repository.
## Install Kyverno using Helm ## Install Kyverno using Helm
```sh ```sh
## Add the nirmata Helm repository ## Add the nirmata Helm repository
helm repo add kyverno https://nirmata.github.io/kyverno/helm-charts/ helm repo add kyverno https://nirmata.github.io/kyverno/
## Create the Kyverno namespace
kubectl create ns kyverno
## Install the kyverno helm chart ## Install the kyverno helm chart
helm install --name my-release --namespace kyverno nirmata/kyverno helm install kyverno --namespace kyverno kyverno/kyverno
``` ```
Note: the namespace must be `kyverno`. Note: the namespace must be `kyverno`. See issue #841.
## Install Kyverno using YAMLs ## Install Kyverno using YAMLs
@ -31,15 +35,15 @@ Kyverno can request a CA signed certificate-key pair from `kube-controller-manag
To install Kyverno in a cluster that supports certificate signing, run the following command on a host with kubectl `cluster-admin` access: To install Kyverno in a cluster that supports certificate signing, run the following command on a host with kubectl `cluster-admin` access:
````sh
kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
````
Note that the above command will install the last released (stable) version of Kyverno. If you want to install the latest version, you can edit the [install.yaml] and update the image tag. Note that the above command will install the last released (stable) version of Kyverno. If you want to install the latest version, you can edit the [install.yaml] and update the image tag.
To check the Kyverno controller status, run the command: To check the Kyverno controller status, run the command:
````sh ```sh
## Install Kyverno
kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml
## Check pod status
kubectl get pods -n kyverno kubectl get pods -n kyverno
```` ````

45
documentation/kyverno-cli.md
View file

@ -1,10 +1,13 @@
<small>*[documentation](/README.md#documentation) / kyverno-cli*</small> <small>_[documentation](/README.md#documentation) / kyverno-cli_</small>
# Kyverno CLI # Kyverno CLI
The Kyverno Command Line Interface (CLI) is designed to validate policies and test the behavior of applying policies to resources before adding the policy to a cluster. It can be used as a kubectl plugin and as a standalone CLI. The Kyverno Command Line Interface (CLI) is designed to validate policies and test the behavior of applying policies to resources before adding the policy to a cluster. It can be used as a kubectl plugin and as a standalone CLI.
## Install the CLI
The Kyverno CLI binary is distributed with each release. You can install the CLI for your platform from the [releases](https://github.com/nirmata/kyverno/releases) site.
## Build the CLI ## Build the CLI
You can build the CLI binary locally, then move the binary into a directory in your PATH. You can build the CLI binary locally, then move the binary into a directory in your PATH.
@ -16,6 +19,12 @@ make cli
mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno
``` ```
You can also use curl to install kyverno-cli
```bash
curl -L https://raw.githubusercontent.com/nirmata/kyverno/master/scripts/install-cli.sh | bash
```
## Install via AUR (archlinux) ## Install via AUR (archlinux)
You can install the kyverno cli via your favourite AUR helper (e.g. [yay](https://github.com/Jguer/yay)) You can install the kyverno cli via your favourite AUR helper (e.g. [yay](https://github.com/Jguer/yay))
@ -30,39 +39,55 @@ yay -S kyverno-git
Prints the version of kyverno used by the CLI. Prints the version of kyverno used by the CLI.
Example: Example:
``` ```
kyverno version kyverno version
``` ```
#### Validate #### Validate
Validates a policy, can validate multiple policy resource description files or even an entire folder containing policy resource description
files. Currently supports files with resource description in yaml. Validates a policy, can validate multiple policy resource description files or even an entire folder containing policy resource description
files. Currently supports files with resource description in YAML.
Example: Example:
``` ```
kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies
``` ```
#### Apply #### Apply
Applies policies on resources, and supports applying multiple policies on multiple resources in a single command. Applies policies on resources, and supports applying multiple policies on multiple resources in a single command.
Also supports applying the given policies to an entire cluster. The current kubectl context will be used to access the cluster. Also supports applying the given policies to an entire cluster. The current kubectl context will be used to access the cluster.
Will return results to stdout. Will return results to stdout.
Apply to a resource: Apply to a resource:
```
```bash
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml
``` ```
Apply to all matching resources in a cluster: Apply to all matching resources in a cluster:
```
```bash
kyverno apply /path/to/policy.yaml --cluster > policy-results.txt kyverno apply /path/to/policy.yaml --cluster > policy-results.txt
``` ```
Apply multiple policies to multiple resources: Apply multiple policies to multiple resources:
```
```bash
kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --cluster kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --cluster
``` ```
##### Exit Codes
<small>*Read Next >> [Sample Policies](/samples/README.md)*</small> The CLI exits with diffenent exit codes:
| Message | Exit Code |
| ------------------------------------- | --------- |
| executes successfully | 0 |
| one or more policy rules are violated | 1 |
| policy validation failed | 2 |
<small>_Read Next >> [Sample Policies](/samples/README.md)_</small>

2
pkg/engine/mutate/overlayCondition.go
View file

@ -112,7 +112,7 @@ func validateConditionAnchorMap(resourceMap, anchors map[string]interface{}, pat
// resource - A: B2 // resource - A: B2
func compareOverlay(resource, overlay interface{}, path string) (string, overlayError) { func compareOverlay(resource, overlay interface{}, path string) (string, overlayError) {
if reflect.TypeOf(resource) != reflect.TypeOf(overlay) { if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
log.Log.V(4).Info("Found anchor on different types of element: overlay %T, resource %T", overlay, resource) log.Log.V(4).Info("Found anchor on different types of element", "overlay", overlay, "resource", resource)
return path, newOverlayError(conditionFailure, fmt.Sprintf("Found anchor on different types of element: overlay %T, resource %T", overlay, resource)) return path, newOverlayError(conditionFailure, fmt.Sprintf("Found anchor on different types of element: overlay %T, resource %T", overlay, resource))
} }

2
pkg/engine/mutation.go
View file

@ -108,7 +108,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message) logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
} else { } else {
if ruleResponse.Success && ruleResponse.Patches != nil { if ruleResponse.Success && ruleResponse.Patches != nil {
logger.V(2).Info("inserted annotation for podTemplate") logger.V(3).Info("inserted annotation for podTemplate")
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse) resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
} }
} }

14
pkg/kyverno/apply/command.go
View file

@ -5,6 +5,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"os"
"regexp" "regexp"
"time" "time"
@ -68,7 +69,8 @@ func Command() *cobra.Command {
for _, policy := range policies { for _, policy := range policies {
err := policy2.Validate(utils.MarshalPolicy(*policy), nil, true, openAPIController) err := policy2.Validate(utils.MarshalPolicy(*policy), nil, true, openAPIController)
if err != nil { if err != nil {
return sanitizedError.New(fmt.Sprintf("Policy %v is not valid", policy.Name)) fmt.Printf("Policy %v is not valid\n", policy.Name)
os.Exit(3)
} }
if policyHasVariables(*policy) { if policyHasVariables(*policy) {
return sanitizedError.New(fmt.Sprintf("Policy %v is not valid - 'apply' does not support policies with variables", policy.Name)) return sanitizedError.New(fmt.Sprintf("Policy %v is not valid - 'apply' does not support policies with variables", policy.Name))
@ -89,7 +91,7 @@ func Command() *cobra.Command {
resources, err := getResources(policies, resourcePaths, dClient) resources, err := getResources(policies, resourcePaths, dClient)
if err != nil { if err != nil {
return sanitizedError.New(fmt.Errorf("Issues fetching resources").Error()) return sanitizedError.NewWithError("Failed to load resources", err)
} }
for i, policy := range policies { for i, policy := range policies {
@ -241,7 +243,7 @@ func getResource(path string) ([]*unstructured.Unstructured, error) {
} }
func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured) error { func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured) error {
responseError := false
fmt.Printf("\n\nApplying Policy %s on Resource %s/%s/%s\n", policy.Name, resource.GetNamespace(), resource.GetKind(), resource.GetName()) fmt.Printf("\n\nApplying Policy %s on Resource %s/%s/%s\n", policy.Name, resource.GetNamespace(), resource.GetKind(), resource.GetName())
mutateResponse := engine.Mutate(engine.PolicyContext{Policy: *policy, NewResource: *resource}) mutateResponse := engine.Mutate(engine.PolicyContext{Policy: *policy, NewResource: *resource})
@ -252,6 +254,7 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
fmt.Printf("\n%d. %s", i+1, r.Message) fmt.Printf("\n%d. %s", i+1, r.Message)
} }
fmt.Printf("\n\n") fmt.Printf("\n\n")
responseError = true
} else { } else {
if len(mutateResponse.PolicyResponse.Rules) > 0 { if len(mutateResponse.PolicyResponse.Rules) > 0 {
fmt.Printf("\n\nMutation:") fmt.Printf("\n\nMutation:")
@ -274,6 +277,7 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
fmt.Printf("\n%d. %s", i+1, r.Message) fmt.Printf("\n%d. %s", i+1, r.Message)
} }
fmt.Printf("\n\n") fmt.Printf("\n\n")
responseError = true
} else { } else {
if len(validateResponse.PolicyResponse.Rules) > 0 { if len(validateResponse.PolicyResponse.Rules) > 0 {
fmt.Printf("\n\nValidation:") fmt.Printf("\n\nValidation:")
@ -302,9 +306,13 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
fmt.Printf("\n%d. %s", i+1, r.Message) fmt.Printf("\n%d. %s", i+1, r.Message)
} }
fmt.Printf("\n\n") fmt.Printf("\n\n")
responseError = true
} }
} }
if responseError == true{
os.Exit(1)
}
return nil return nil
} }

3
pkg/kyverno/common/common.go
View file

@ -57,7 +57,8 @@ func GetPolicies(paths []string) (policies []*v1.ClusterPolicy, error error) {
} }
if errString != "" { if errString != "" {
return nil, sanitizedError.New(("falied to extract policies")) fmt.Println("falied to extract policies")
os.Exit(2)
} }
policies = append(policies, getPolicies...) policies = append(policies, getPolicies...)

7
pkg/kyverno/sanitizedError/error.go
View file

@ -1,5 +1,7 @@
package sanitizedError package sanitizedError
import "fmt"
type customError struct { type customError struct {
message string message string
} }
@ -12,6 +14,11 @@ func New(message string) error {
return customError{message: message} return customError{message: message}
} }
func NewWithError(message string, err error) error {
msg := fmt.Sprintf("%s \nCause: %s", message, err.Error())
return customError{message: msg}
}
func IsErrorSanitized(err error) bool { func IsErrorSanitized(err error) bool {
if _, ok := err.(customError); !ok { if _, ok := err.(customError); !ok {
return false return false

6
pkg/kyverno/validate/command.go
View file

@ -2,6 +2,7 @@ package validate
import ( import (
"fmt" "fmt"
"os"
"github.com/nirmata/kyverno/pkg/utils" "github.com/nirmata/kyverno/pkg/utils"
@ -34,15 +35,20 @@ func Command() *cobra.Command {
return err return err
} }
invalidPolicyFound := false
for _, policy := range policies { for _, policy := range policies {
err = policyvalidate.Validate(utils.MarshalPolicy(*policy), nil, true, openAPIController) err = policyvalidate.Validate(utils.MarshalPolicy(*policy), nil, true, openAPIController)
if err != nil { if err != nil {
fmt.Println("Policy " + policy.Name + " is invalid") fmt.Println("Policy " + policy.Name + " is invalid")
invalidPolicyFound = true
} else { } else {
fmt.Println("Policy " + policy.Name + " is valid") fmt.Println("Policy " + policy.Name + " is valid")
} }
} }
if invalidPolicyFound == true {
os.Exit(1)
}
return nil return nil
}, },
} }

337
scripts/install-cli.sh Executable file
View file

@ -0,0 +1,337 @@
#!/bin/sh
set -e
# Code generated by godownloader on 2020-06-04T12:59:08Z. DO NOT EDIT.
#
usage() {
this=$1
cat <<EOF
$this: download binaries for nirmata/kyverno
Usage: $this [-b bindir] [-d] [tag]
-b sets bindir or installation directory, Defaults to ./bin
-d turns on debug logging
[tag] is a tag from
https://github.com/nirmata/kyverno/releases
If tag is missing, then the latest release will be used.
Generated by godownloader
https://github.com/goreleaser/godownloader
EOF
exit 2
}
parse_args() {
#BINDIR is ./bin unless set be ENV
# over-ridden by flag below
BINDIR=${BINDIR:-./bin}
while getopts "b:dh?x" arg; do
case "$arg" in
b) BINDIR="$OPTARG" ;;
d) log_set_priority 10 ;;
h | \?) usage "$0" ;;
x) set -x ;;
esac
done
shift $((OPTIND - 1))
TAG=$1
}
tag_to_version() {
if [ -z "${TAG}" ]; then
log_info "checking GitHub for latest tag"
else
log_info "checking GitHub for tag '${TAG}'"
fi
REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true
if test -z "$REALTAG"; then
log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details"
exit 1
fi
# if version starts with 'v', remove it
TAG="$REALTAG"
VERSION=${TAG#v}
}
adjust_binary() {
if [ "$OS" = "windows" ]; then
NAME="${NAME}.exe"
BINARY="${BINARY}.exe"
fi
}
# wrap all destructive operations into a function
# to prevent curl|bash network truncation and disaster
execute() {
TMPDIR=$(mktemp -d)
log_info "downloading from ${TARBALL_URL}"
http_download "${TMPDIR}/${NAME}" "$TARBALL_URL"
test ! -d "${BINDIR}" && install -d "${BINDIR}"
install "${TMPDIR}/${NAME}" "${BINDIR}/${BINARY}"
log_info "installed ${BINDIR}/${BINARY}"
}
cat /dev/null <<EOF
------------------------------------------------------------------------
https://github.com/client9/shlib - portable posix shell functions
Public domain - http://unlicense.org
https://github.com/client9/shlib/blob/master/LICENSE.md
but credit (and pull requests) appreciated.
------------------------------------------------------------------------
EOF
is_command() {
command -v "$1" >/dev/null
}
echoerr() {
echo "$@" 1>&2
}
log_prefix() {
echo "$0"
}
_logp=6
log_set_priority() {
_logp="$1"
}
log_priority() {
if test -z "$1"; then
echo "$_logp"
return
fi
[ "$1" -le "$_logp" ]
}
log_tag() {
case $1 in
0) echo "emerg" ;;
1) echo "alert" ;;
2) echo "crit" ;;
3) echo "err" ;;
4) echo "warning" ;;
5) echo "notice" ;;
6) echo "info" ;;
7) echo "debug" ;;
*) echo "$1" ;;
esac
}
log_debug() {
log_priority 7 || return 0
echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
}
log_info() {
log_priority 6 || return 0
echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
}
log_err() {
log_priority 3 || return 0
echoerr "$(log_prefix)" "$(log_tag 3)" "$@"
}
log_crit() {
log_priority 2 || return 0
echoerr "$(log_prefix)" "$(log_tag 2)" "$@"
}
uname_os() {
os=$(uname -s | tr '[:upper:]' '[:lower:]')
case "$os" in
cygwin_nt*) os="windows" ;;
mingw*) os="windows" ;;
msys_nt*) os="windows" ;;
esac
echo "$os"
}
uname_arch() {
arch=$(uname -m)
case $arch in
x86_64) arch="amd64" ;;
x86) arch="386" ;;
i686) arch="386" ;;
i386) arch="386" ;;
aarch64) arch="arm64" ;;
armv5*) arch="armv5" ;;
armv6*) arch="armv6" ;;
armv7*) arch="armv7" ;;
esac
echo ${arch}
}
uname_os_check() {
os=$(uname_os)
case "$os" in
darwin) return 0 ;;
dragonfly) return 0 ;;
freebsd) return 0 ;;
linux) return 0 ;;
android) return 0 ;;
nacl) return 0 ;;
netbsd) return 0 ;;
openbsd) return 0 ;;
plan9) return 0 ;;
solaris) return 0 ;;
windows) return 0 ;;
esac
log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib"
return 1
}
uname_arch_check() {
arch=$(uname_arch)
case "$arch" in
386) return 0 ;;
amd64) return 0 ;;
arm64) return 0 ;;
armv5) return 0 ;;
armv6) return 0 ;;
armv7) return 0 ;;
ppc64) return 0 ;;
ppc64le) return 0 ;;
mips) return 0 ;;
mipsle) return 0 ;;
mips64) return 0 ;;
mips64le) return 0 ;;
s390x) return 0 ;;
amd64p32) return 0 ;;
esac
log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib"
return 1
}
untar() {
tarball=$1
case "${tarball}" in
*.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;;
*.tar) tar --no-same-owner -xf "${tarball}" ;;
*.zip) unzip "${tarball}" ;;
*)
log_err "untar unknown archive format for ${tarball}"
return 1
;;
esac
}
http_download_curl() {
local_file=$1
source_url=$2
header=$3
if [ -z "$header" ]; then
code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url")
else
code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url")
fi
if [ "$code" != "200" ]; then
log_debug "http_download_curl received HTTP status $code"
return 1
fi
return 0
}
http_download_wget() {
local_file=$1
source_url=$2
header=$3
if [ -z "$header" ]; then
wget -q -O "$local_file" "$source_url"
else
wget -q --header "$header" -O "$local_file" "$source_url"
fi
}
http_download() {
log_debug "http_download $2"
if is_command curl; then
http_download_curl "$@"
return
elif is_command wget; then
http_download_wget "$@"
return
fi
log_crit "http_download unable to find wget or curl"
return 1
}
http_copy() {
tmp=$(mktemp)
http_download "${tmp}" "$1" "$2" || return 1
body=$(cat "$tmp")
rm -f "${tmp}"
echo "$body"
}
github_release() {
owner_repo=$1
version=$2
test -z "$version" && version="latest"
giturl="https://github.com/${owner_repo}/releases/${version}"
json=$(http_copy "$giturl" "Accept:application/json")
test -z "$json" && return 1
version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//')
test -z "$version" && return 1
echo "$version"
}
hash_sha256() {
TARGET=${1:-/dev/stdin}
if is_command gsha256sum; then
hash=$(gsha256sum "$TARGET") || return 1
echo "$hash" | cut -d ' ' -f 1
elif is_command sha256sum; then
hash=$(sha256sum "$TARGET") || return 1
echo "$hash" | cut -d ' ' -f 1
elif is_command shasum; then
hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
echo "$hash" | cut -d ' ' -f 1
elif is_command openssl; then
hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
echo "$hash" | cut -d ' ' -f a
else
log_crit "hash_sha256 unable to find command to compute sha-256 hash"
return 1
fi
}
hash_sha256_verify() {
TARGET=$1
checksums=$2
if [ -z "$checksums" ]; then
log_err "hash_sha256_verify checksum file not specified in arg2"
return 1
fi
BASENAME=${TARGET##*/}
want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
if [ -z "$want" ]; then
log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
return 1
fi
got=$(hash_sha256 "$TARGET")
if [ "$want" != "$got" ]; then
log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
return 1
fi
}
cat /dev/null <<EOF
------------------------------------------------------------------------
End of functions from https://github.com/client9/shlib
------------------------------------------------------------------------
EOF
OWNER=nirmata
REPO="kyverno"
BINARY=kyverno
BINDIR=${BINDIR:-./bin}
PREFIX="$OWNER/$REPO"
# use in logging routines
log_prefix() {
echo "$PREFIX"
}
OS=$(uname_os)
ARCH=$(uname_arch)
GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download
# make sure we are on a platform that makes sense
uname_os_check "$OS"
uname_arch_check "$ARCH"
# parse_args, show usage and exit if necessary
parse_args "$@"
# setup version from tag
tag_to_version
log_info "found version ${VERSION} for ${TAG}/${OS}/${ARCH}"
NAME=${BINARY}_v${VERSION}_${OS}_${ARCH}
# adjust binary name based on OS
adjust_binary
# compute URL to download
TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${NAME}
# do it
execute