diff --git a/charts/kyverno/templates/grafana.yaml b/charts/kyverno/templates/grafana/dashboard.yaml
similarity index 100%
rename from charts/kyverno/templates/grafana.yaml
rename to charts/kyverno/templates/grafana/dashboard.yaml
diff --git a/go.mod b/go.mod
index 89de9090fb..b79a9040a9 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 github.com/go-logr/zapr v1.2.3
 github.com/google/gnostic v0.6.9
 github.com/google/go-containerregistry v0.12.1
- github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20221206220611-47f093330862
+ github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20221207205823-37bf5df38e6f
 github.com/in-toto/in-toto-golang v0.5.0
 github.com/jmespath/go-jmespath v0.4.0
 github.com/jmoiron/jsonq v0.0.0-20150511023944-e874b168d07e
@@ -41,7 +41,7 @@ require (
 github.com/spf13/cobra v1.6.1
 github.com/stretchr/testify v1.8.1
 github.com/zach-klippenstein/goregen v0.0.0-20160303162051-795b5e3961ea
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.32.0
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.37.0
 go.opentelemetry.io/otel v1.11.2
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.34.0
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.11.2
@@ -55,7 +55,7 @@ require (
 go.uber.org/multierr v1.8.0
 go.uber.org/zap v1.24.0
 golang.org/x/crypto v0.4.0
- golang.org/x/exp v0.0.0-20221205204356-47842c84f3db
+ golang.org/x/exp v0.0.0-20221208152030-732eee02a75a
 golang.org/x/text v0.5.0
 google.golang.org/grpc v1.51.0
 gopkg.in/inf.v0 v0.9.1
@@ -191,7 +191,7 @@ require (
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 github.com/google/trillian v1.5.1-0.20220819043421-0a389c4bb8d9 // indirect
 github.com/google/uuid v1.3.0 // indirect
- github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
+ github.com/googleapis/enterprise-certificate-proxy v0.2.1 // indirect
 github.com/googleapis/gax-go/v2 v2.7.0 // indirect
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.14.0 // indirect
@@ -227,7 +227,7 @@ require (
 github.com/leodido/go-urn v1.2.1 // indirect
 github.com/letsencrypt/boulder v0.0.0-20221206002405-4a348feb4ea9 // indirect
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
- github.com/magiconair/properties v1.8.6 // indirect
+ github.com/magiconair/properties v1.8.7 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
 github.com/mattn/go-colorable v0.1.13 // indirect
 github.com/mattn/go-isatty v0.0.16 // indirect
@@ -251,7 +251,7 @@ require (
 github.com/oklog/ulid v1.3.1 // indirect
 github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852 // indirect
 github.com/open-policy-agent/gatekeeper v0.0.0-20210824170141-dd97b8a7e966 // indirect
- github.com/open-policy-agent/opa v0.47.0 // indirect
+ github.com/open-policy-agent/opa v0.47.2 // indirect
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
 github.com/opentracing/opentracing-go v1.2.0 // indirect
@@ -262,7 +262,7 @@ require (
 github.com/pjbgf/sha1cd v0.2.3 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/prometheus/client_model v0.3.0 // indirect
- github.com/prometheus/common v0.37.0 // indirect
+ github.com/prometheus/common v0.38.0 // indirect
 github.com/prometheus/procfs v0.8.0 // indirect
 github.com/protocolbuffers/txtpbfmt v0.0.0-20221206070812-31e4035b9046 // indirect
 github.com/r3labs/diff v1.1.0 // indirect
@@ -303,7 +303,7 @@ require (
 github.com/xlab/treeprint v1.1.0 // indirect
 github.com/yashtewari/glob-intersection v0.1.0 // indirect
 github.com/zeebo/errs v1.3.0 // indirect
- go.mongodb.org/mongo-driver v1.11.0 // indirect
+ go.mongodb.org/mongo-driver v1.11.1 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.2 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.34.0 // indirect
@@ -320,7 +320,7 @@ require (
 golang.org/x/tools v0.4.0 // indirect
 google.golang.org/api v0.104.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20221206210731-b1a01be3a5f6 // indirect
+ google.golang.org/genproto v0.0.0-20221207170731-23e4bf6bdc37 // indirect
 google.golang.org/protobuf v1.28.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/square/go-jose.v2 v2.6.0 // indirect
diff --git a/go.sum b/go.sum
index 34562d6935..581965e5a5 100644
--- a/go.sum
+++ b/go.sum
@@ -295,7 +295,6 @@ github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/charithe/durationcheck v0.0.6/go.mod h1:SSbRIBVfMjCi/kEB6K65XEA83D6prSM8ap1UCpNKtgg= @@ -431,7 +430,6 @@ github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94= -github.com/felixge/httpsnoop v1.0.2/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= 
@@ -476,11 +474,9 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= -github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= -github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v0.3.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= 
@@ -691,8 +687,8 @@ github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.12.1 h1:W1mzdNUTx4Zla4JaixCRLhORcR7G6KxE5hHl5fkPsp8= github.com/google/go-containerregistry v0.12.1/go.mod h1:sdIK+oHQO7B93xI8UweYdl887YhuIwg9vz8BSLH3+8k= -github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20221206220611-47f093330862 h1:eia5liyUgxYV8WvKpUi29ruPSvkSNhLTnVFEz3LChrQ= -github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20221206220611-47f093330862/go.mod h1:T6IXbpoY0IGBh0cyHZsIi/zmMBI5yInMr7ob1b+SCz0= +github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20221207205823-37bf5df38e6f h1:l6QGSipmZar601dlG5EXnKJN7/0Zaj3shmhB2CZynVY= +github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20221207205823-37bf5df38e6f/go.mod h1:T6IXbpoY0IGBh0cyHZsIi/zmMBI5yInMr7ob1b+SCz0= github.com/google/go-github/v45 v45.2.0 h1:5oRLszbrkvxDDqBCNj2hjDZMKmvexaZ1xw/FCD+K3FI= github.com/google/go-github/v45 v45.2.0/go.mod h1:FObaZJEDSTa/WGCzZ2Z3eoCDXWJKMenWWTrd8jrta28= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= 
@@ -737,8 +733,8 @@ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= -github.com/googleapis/enterprise-certificate-proxy v0.2.0 h1:y8Yozv7SZtlU//QXbezB6QkpuE6jMD2/gfzk4AftXjs= -github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg= +github.com/googleapis/enterprise-certificate-proxy v0.2.1 h1:RY7tHKZcRlk788d5WSo/e83gOyyy742E8GSs771ySpg= +github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= 
@@ -982,8 +978,8 @@ github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQ github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.6 h1:5ibWZ6iY0NctNGWo87LalDlEZ6R41TqbbDamhfG/Qzo= -github.com/magiconair/properties v1.8.6/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= +github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= +github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= 
@@ -1150,8 +1146,8 @@ github.com/open-policy-agent/gatekeeper v0.0.0-20210824170141-dd97b8a7e966 h1:p8 github.com/open-policy-agent/gatekeeper v0.0.0-20210824170141-dd97b8a7e966/go.mod h1:JO6AV/tyZ/MsNGsvnjTK6lGpiJyMLtt7UxkT6Eq9kDE= github.com/open-policy-agent/opa v0.24.0/go.mod h1:qEyD/i8j+RQettHGp4f86yjrjvv+ZYia+JHCMv2G7wA= github.com/open-policy-agent/opa v0.29.4/go.mod h1:ZCOTD3yyFR8JvF8ETdWdiSPn9WcF1dXeQWOv7VoPorU= -github.com/open-policy-agent/opa v0.47.0 h1:d6g0oDNLraIcWl9LXW8cBzRYf2zt7vSbPGEd2+8K3Lg= -github.com/open-policy-agent/opa v0.47.0/go.mod h1:cM7ngEoEdAIfyu9mOHaVcgLAHYkY6amrYfotm+BSkYQ= +github.com/open-policy-agent/opa v0.47.2 h1:9QmIumL6MRPYoXboBDSU/c1fG2PN5J4lo800RK36jrc= +github.com/open-policy-agent/opa v0.47.2/go.mod h1:I5DbT677OGqfk9gvu5i54oIt0rrVf4B5pedpqDquAXo= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM= @@ -1216,7 +1212,6 @@ github.com/prometheus/client_golang v1.6.0/go.mod h1:ZLOG9ck3JLRdB5MgO8f+lLTe83A github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.9.0/go.mod h1:FqZLKOZnGdFAhOK4nqGHa7D66IdsO+O441Eve7ptJDU= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= -github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= 
@@ -1240,9 +1235,8 @@ github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE= -github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= +github.com/prometheus/common v0.38.0 h1:VTQitp6mXTdUoCmDMugDVOJ1opi6ADftKfp/yeqTR/E= +github.com/prometheus/common v0.38.0/go.mod h1:MBXfmBQZrK5XpbCkjofnXs96LD2QQ7fEq4C0xjC/yec= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= @@ -1253,7 +1247,6 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.1/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= github.com/prometheus/statsd_exporter v0.20.0/go.mod h1:YL3FWCG8JBBtaUSxAg4Gz2ZYu22bS84XM89ZQXXTWmQ= 
@@ -1521,8 +1514,8 @@ go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3C go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg= go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng= go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8= -go.mongodb.org/mongo-driver v1.11.0 h1:FZKhBSTydeuffHj9CBjXlR8vQLee1cQyTWYPA6/tqiE= -go.mongodb.org/mongo-driver v1.11.0/go.mod h1:s7p5vEtfbeR1gYi6pnj3c3/urpbLv2T5Sfd6Rp2HBB8= +go.mongodb.org/mongo-driver v1.11.1 h1:QP0znIRTuL0jf1oBQoAoM0C6ZJfBK4kx0Uumtv1A7w8= +go.mongodb.org/mongo-driver v1.11.1/go.mod h1:s7p5vEtfbeR1gYi6pnj3c3/urpbLv2T5Sfd6Rp2HBB8= go.mozilla.org/mozlog v0.0.0-20170222151521-4bb13139d403/go.mod h1:jHoPAGnDrCy6kaI2tAze5Prf0Nr0w/oNkROt2lw3n3o= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= 
@@ -1535,9 +1528,8 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.32.0 h1:mac9BKRqwaX6zxHPDe3pvmWpwuuIM0vuXv2juCnQevE= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.32.0/go.mod h1:5eCOqeGphOyz6TsY3ZDNjE33SM/TFAK3RGuCL2naTgY= -go.opentelemetry.io/otel v1.7.0/go.mod h1:5BdUoMIz5WEs0vt0CUEMtSSaTSHBBVwrhnz7+nrD5xk= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.37.0 h1:yt2NKzK7Vyo6h0+X8BA4FpreZQTlVEIarnsBP/H5mzs= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.37.0/go.mod h1:+ARmXlUlc51J7sZeCBkBJNdHGySrdOzgzxp6VWRWM1U= go.opentelemetry.io/otel v1.11.2 h1:YBZcQlsVekzFsFbjygXMOXSs6pialIZxcjfO/mBDmR0= go.opentelemetry.io/otel v1.11.2/go.mod h1:7p4EUV+AqgdlNV9gL97IgUZiVR3yrFXYo53f9BM3tRI= go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.2 h1:htgM8vZIF8oPSCxa341e3IZ4yr/sKxgu8KZYllByiVY= 
@@ -1552,14 +1544,12 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.11.2 h1:ERwKP go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.11.2/go.mod h1:jWZUM2MWhWCJ9J9xVbRx7tzK1mXKpAlze4CeulycwVY= go.opentelemetry.io/otel/exporters/prometheus v0.34.0 h1:L5D+HxdaC/ORB47ribbTBbkXRZs9JzPjq0EoIOMWncM= go.opentelemetry.io/otel/exporters/prometheus v0.34.0/go.mod h1:6gUoJyfhoWqF0tOLaY0ZmKgkQRcvEQx6p5rVlKHp3s4= -go.opentelemetry.io/otel/metric v0.30.0/go.mod h1:/ShZ7+TS4dHzDFmfi1kSXMhMVubNoP0oIaBp70J6UXU= go.opentelemetry.io/otel/metric v0.34.0 h1:MCPoQxcg/26EuuJwpYN1mZTeCYAUGx8ABxfW07YkjP8= go.opentelemetry.io/otel/metric v0.34.0/go.mod h1:ZFuI4yQGNCupurTXCwkeD/zHBt+C2bR7bw5JqUm/AP8= go.opentelemetry.io/otel/sdk v1.11.2 h1:GF4JoaEx7iihdMFu30sOyRx52HDHOkl9xQ8SMqNXUiU= go.opentelemetry.io/otel/sdk v1.11.2/go.mod h1:wZ1WxImwpq+lVRo4vsmSOxdd+xwoUJ6rqyLc3SyX9aU= go.opentelemetry.io/otel/sdk/metric v0.34.0 h1:7ElxfQpXCFZlRTvVRTkcUvK8Gt5DC8QzmzsLsO2gdzo= go.opentelemetry.io/otel/sdk/metric v0.34.0/go.mod h1:l4r16BIqiqPy5rd14kkxllPy/fOI4tWo1jkpD9Z3ffQ= -go.opentelemetry.io/otel/trace v1.7.0/go.mod h1:fzLSB9nqR2eXzxPXb2JW9IKE+ScyXA48yyE4TNvoHqU= go.opentelemetry.io/otel/trace v1.11.2 h1:Xf7hWSF2Glv0DE3MH7fBHvtpSBsjcBUe5MYAmZM/+y0= go.opentelemetry.io/otel/trace v1.11.2/go.mod h1:4N+yC7QEz7TTsG9BSRLNAa63eg5E06ObSbKPmxQ/pKA= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= 
@@ -1637,8 +1627,8 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw= -golang.org/x/exp v0.0.0-20221205204356-47842c84f3db h1:D/cFflL63o2KSLJIwjlcIt8PR064j/xsmdEJL/YvY/o= -golang.org/x/exp v0.0.0-20221205204356-47842c84f3db/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= +golang.org/x/exp v0.0.0-20221208152030-732eee02a75a h1:4iLhBPcpqFmylhnkbY3W0ONLUYYkDAW9xMFLfxgsvCw= +golang.org/x/exp v0.0.0-20221208152030-732eee02a75a/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181023182221-1baf3a9d7d67/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -1874,7 +1864,6 @@ golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -2190,8 +2179,8 @@ google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP
 google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20221206210731-b1a01be3a5f6 h1:AGXp12e/9rItf6/4QymU7WsAUwCf+ICW75cuR91nJIc=
-google.golang.org/genproto v0.0.0-20221206210731-b1a01be3a5f6/go.mod h1:1dOng4TWOomJrDGhpXjfCD35wQC6jnC7HpRmOFRqEV0=
+google.golang.org/genproto v0.0.0-20221207170731-23e4bf6bdc37 h1:jmIfw8+gSvXcZSgaFAGyInDXeWzUhvYH57G/5GKMn70=
+google.golang.org/genproto v0.0.0-20221207170731-23e4bf6bdc37/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
 google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index dec075b1f3..834717282a 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -68,8 +68,8 @@ func VerifySignature(ctx context.Context, rclient registryclient.Client, opts Op
 signatures, bundleVerified, err := tracing.ChildSpan3(
 ctx,
- "cosign",
- "verify_image_signatures",
+ "",
+ "VERIFY IMG SIGS",
 func(ctx context.Context, span trace.Span) ([]oci.Signature, bool, error) {
 cosignOpts, err := buildCosignOptions(ctx, rclient, opts)
 if err != nil {
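Review bot: The instrumentation scope name passed to `tracing.ChildSpan3` is changed from `"cosign"` to the empty string and the span name becomes free-form uppercase (`"VERIFY IMG SIGS"`); the FetchAttestations hunk at line 17 makes the same change. If that first argument is forwarded to otel's `TracerProvider.Tracer`, an empty name makes the SDK fall back to its default scope, so signature-verification spans can no longer be selected by scope, and the engine hunks in this same commit use `"pkg/engine"`, so the two call sites now follow different conventions. Suggested lines: `"pkg/cosign",` and `"verify_image_signatures",` here, and `"pkg/cosign",` with `"verify_image_attestations",` at line 17. Both VerifySignature and FetchAttestations start and end outside their hunks.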
@@ -261,8 +261,8 @@ func FetchAttestations(ctx context.Context, rclient registryclient.Client, opts
 signatures, bundleVerified, err := tracing.ChildSpan3(
 ctx,
- "cosign_operations",
- "verify_image_signatures",
+ "",
+ "VERIFY IMG ATTESTATIONS",
 func(ctx context.Context, span trace.Span) (checkedAttestations []oci.Signature, bundleVerified bool, err error) {
 ref, err := name.ParseReference(opts.ImageRef)
 if err != nil {
diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go
index bd394c626f..a8f2bda398 100644
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@@ -18,10 +18,12 @@ import (
 "github.com/kyverno/kyverno/pkg/engine/variables"
 "github.com/kyverno/kyverno/pkg/logging"
 "github.com/kyverno/kyverno/pkg/registryclient"
+ "github.com/kyverno/kyverno/pkg/tracing"
 apiutils "github.com/kyverno/kyverno/pkg/utils/api"
 "github.com/kyverno/kyverno/pkg/utils/jsonpointer"
 "github.com/kyverno/kyverno/pkg/utils/wildcard"
 "github.com/pkg/errors"
+ "go.opentelemetry.io/otel/trace"
 "go.uber.org/multierr"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -92,53 +94,64 @@ func VerifyAndPatchImages( for i := range rules { rule := &rules[i] - if len(rule.VerifyImages) == 0 { - continue - } - if !matches(logger, rule, policyContext) { - continue - } + tracing.ChildSpan( + ctx, + "pkg/engine", + fmt.Sprintf("RULE %s", rule.Name), + func(ctx context.Context, span trace.Span) { + if len(rule.VerifyImages) == 0 { + return + } - logger.V(3).Info("processing image verification rule", "ruleSelector", applyRules) + if !matches(logger, rule, policyContext) { + return + } - var err error - ruleImages, imageRefs, err := extractMatchingImages(policyContext, rule) - if err != nil { - appendResponse(resp, rule, fmt.Sprintf("failed to extract images: %s", err.Error()), response.RuleStatusError) - continue - } - if len(ruleImages) == 0 { - appendResponse(resp, rule, - fmt.Sprintf("skip run verification as image in resource not found in imageRefs '%s'", - imageRefs), response.RuleStatusSkip) - continue - } + logger.V(3).Info("processing image verification rule", "ruleSelector", applyRules) - policyContext.jsonContext.Restore() - if err := LoadContext(ctx, logger, rclient, rule.Context, policyContext, rule.Name); err != nil { - appendResponse(resp, rule, fmt.Sprintf("failed to load context: %s", err.Error()), response.RuleStatusError) - continue - } + var err error + ruleImages, imageRefs, err := extractMatchingImages(policyContext, rule) + if err != nil { + appendResponse(resp, rule, fmt.Sprintf("failed to extract images: %s", err.Error()), response.RuleStatusError) + return + } + if len(ruleImages) == 0 { + appendResponse( + resp, + rule, + fmt.Sprintf("skip run verification as image in resource not found in imageRefs '%s'", imageRefs), + response.RuleStatusSkip, + ) + return + } - ruleCopy, err := substituteVariables(rule, policyContext.jsonContext, logger) - if err != nil { - appendResponse(resp, rule, fmt.Sprintf("failed to substitute variables: %s", err.Error()), response.RuleStatusError) - continue - } + 
policyContext.jsonContext.Restore() + if err := LoadContext(ctx, logger, rclient, rule.Context, policyContext, rule.Name); err != nil { + appendResponse(resp, rule, fmt.Sprintf("failed to load context: %s", err.Error()), response.RuleStatusError) + return + } - iv := &imageVerifier{ - logger: logger, - rclient: rclient, - policyContext: policyContext, - rule: ruleCopy, - resp: resp, - ivm: ivm, - } + ruleCopy, err := substituteVariables(rule, policyContext.jsonContext, logger) + if err != nil { + appendResponse(resp, rule, fmt.Sprintf("failed to substitute variables: %s", err.Error()), response.RuleStatusError) + return + } - for _, imageVerify := range ruleCopy.VerifyImages { - iv.verify(ctx, imageVerify, ruleImages) - } + iv := &imageVerifier{ + logger: logger, + rclient: rclient, + policyContext: policyContext, + rule: ruleCopy, + resp: resp, + ivm: ivm, + } + + for _, imageVerify := range ruleCopy.VerifyImages { + iv.verify(ctx, imageVerify, ruleImages) + } + }, + ) if applyRules == kyvernov1.ApplyOne && resp.PolicyResponse.RulesAppliedCount > 0 { break diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index d80c803422..b7fd2e87a7 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -15,7 +15,9 @@ import ( "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/logging" "github.com/kyverno/kyverno/pkg/registryclient" + "github.com/kyverno/kyverno/pkg/tracing" "github.com/kyverno/kyverno/pkg/utils/api" + "go.opentelemetry.io/otel/trace" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) 
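Review bot: The `span` parameter of the new `tracing.ChildSpan` closure is never used, so a rule that ends in `appendResponse(..., response.RuleStatusError)` or a failed `LoadContext` leaves a span indistinguishable from a successful one; the Mutate hunk (lines 20-23) and the validateResource hunk (lines 25-26) have the same gap. Each error branch could mark the span before returning, e.g. `span.RecordError(err)` followed by `span.SetStatus(codes.Error, "image verification failed")` (codes from go.opentelemetry.io/otel/codes), or the helper could set the status from the callback's error. Separately, the span is now opened before the `len(rule.VerifyImages) == 0` and `!matches(...)` checks, so every rule in every policy produces a span even when nothing runs; moving those two checks (with `continue`) back in front of `tracing.ChildSpan(` keeps traces to rules that actually executed. VerifyAndPatchImages starts before the hunk and its loop continues after it.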
@@ -49,107 +51,112 @@ func Mutate(ctx context.Context, rclient registryclient.Client, policyContext *P if !rule.HasMutate() { continue } - - logger := logger.WithValues("rule", rule.Name) - var excludeResource []string - if len(policyContext.excludeGroupRole) > 0 { - excludeResource = policyContext.excludeGroupRole - } - - kindsInPolicy := append(rule.MatchResources.GetKinds(), rule.ExcludeResources.GetKinds()...) - subresourceGVKToAPIResource := GetSubresourceGVKToAPIResourceMap(kindsInPolicy, policyContext) - if err = MatchesResourceDescription(subresourceGVKToAPIResource, matchedResource, rule, policyContext.admissionInfo, excludeResource, policyContext.namespaceLabels, policyContext.policy.GetNamespace(), policyContext.subresource); err != nil { - logger.V(4).Info("rule not matched", "reason", err.Error()) - skippedRules = append(skippedRules, rule.Name) - continue - } - - logger.V(3).Info("processing mutate rule", "applyRules", applyRules) - resource, err := policyContext.jsonContext.Query("request.object") - policyContext.jsonContext.Reset() - if err == nil && resource != nil { - if err := enginectx.AddResource(resource.(map[string]interface{})); err != nil { - logger.Error(err, "unable to update resource object") - } - } else { - logger.Error(err, "failed to query resource object") - } - - if err := LoadContext(ctx, logger, rclient, rule.Context, policyContext, rule.Name); err != nil { - if _, ok := err.(gojmespath.NotFoundError); ok { - logger.V(3).Info("failed to load context", "reason", err.Error()) - } else { - logger.Error(err, "failed to load context") - } - continue - } - - ruleCopy := rule.DeepCopy() - var patchedResources []resourceInfo - if !policyContext.admissionOperation && rule.IsMutateExisting() { - targets, err := loadTargets(ruleCopy.Mutation.Targets, policyContext, logger) - if err != nil { - rr := ruleResponse(rule, response.Mutation, err.Error(), response.RuleStatusError) - resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, 
*rr) - } else { - patchedResources = append(patchedResources, targets...) - } - } else { - var parentResourceGVR metav1.GroupVersionResource - if policyContext.subresource != "" { - parentResourceGVR = policyContext.requestResource - } - patchedResources = append(patchedResources, resourceInfo{ - unstructured: matchedResource, - subresource: policyContext.subresource, - parentResourceGVR: parentResourceGVR, - }) - } - - for _, patchedResource := range patchedResources { - if reflect.DeepEqual(patchedResource, unstructured.Unstructured{}) { - continue - } - - if !policyContext.admissionOperation && rule.IsMutateExisting() { - policyContext := policyContext.Copy() - if err := policyContext.jsonContext.AddTargetResource(patchedResource.unstructured.Object); err != nil { - logging.Error(err, "failed to add target resource to the context") - continue - } - } - - logger.V(4).Info("apply rule to resource", "rule", rule.Name, "resource namespace", patchedResource.unstructured.GetNamespace(), "resource name", patchedResource.unstructured.GetName()) - var mutateResp *mutate.Response - if rule.Mutation.ForEachMutation != nil { - m := &forEachMutator{ - rule: ruleCopy, - foreach: rule.Mutation.ForEachMutation, - policyContext: policyContext, - resource: patchedResource, - log: logger, - rclient: rclient, - nesting: 0, + tracing.ChildSpan( + ctx, + "pkg/engine", + fmt.Sprintf("RULE %s", rule.Name), + func(ctx context.Context, span trace.Span) { + logger := logger.WithValues("rule", rule.Name) + var excludeResource []string + if len(policyContext.excludeGroupRole) > 0 { + excludeResource = policyContext.excludeGroupRole } - mutateResp = m.mutateForEach(ctx) - } else { - mutateResp = mutateResource(ruleCopy, policyContext, patchedResource.unstructured, logger) - } + kindsInPolicy := append(rule.MatchResources.GetKinds(), rule.ExcludeResources.GetKinds()...) 
+ subresourceGVKToAPIResource := GetSubresourceGVKToAPIResourceMap(kindsInPolicy, policyContext) + if err = MatchesResourceDescription(subresourceGVKToAPIResource, matchedResource, rule, policyContext.admissionInfo, excludeResource, policyContext.namespaceLabels, policyContext.policy.GetNamespace(), policyContext.subresource); err != nil { + logger.V(4).Info("rule not matched", "reason", err.Error()) + skippedRules = append(skippedRules, rule.Name) + return + } - matchedResource = mutateResp.PatchedResource - ruleResponse := buildRuleResponse(ruleCopy, mutateResp, patchedResource) - - if ruleResponse != nil { - resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResponse) - if ruleResponse.Status == response.RuleStatusError { - incrementErrorCount(resp) + logger.V(3).Info("processing mutate rule", "applyRules", applyRules) + resource, err := policyContext.jsonContext.Query("request.object") + policyContext.jsonContext.Reset() + if err == nil && resource != nil { + if err := enginectx.AddResource(resource.(map[string]interface{})); err != nil { + logger.Error(err, "unable to update resource object") + } } else { - incrementAppliedCount(resp) + logger.Error(err, "failed to query resource object") } - } - } + if err := LoadContext(ctx, logger, rclient, rule.Context, policyContext, rule.Name); err != nil { + if _, ok := err.(gojmespath.NotFoundError); ok { + logger.V(3).Info("failed to load context", "reason", err.Error()) + } else { + logger.Error(err, "failed to load context") + } + return + } + + ruleCopy := rule.DeepCopy() + var patchedResources []resourceInfo + if !policyContext.admissionOperation && rule.IsMutateExisting() { + targets, err := loadTargets(ruleCopy.Mutation.Targets, policyContext, logger) + if err != nil { + rr := ruleResponse(rule, response.Mutation, err.Error(), response.RuleStatusError) + resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *rr) + } else { + patchedResources = append(patchedResources, targets...) 
+ } + } else { + var parentResourceGVR metav1.GroupVersionResource + if policyContext.subresource != "" { + parentResourceGVR = policyContext.requestResource + } + patchedResources = append(patchedResources, resourceInfo{ + unstructured: matchedResource, + subresource: policyContext.subresource, + parentResourceGVR: parentResourceGVR, + }) + } + + for _, patchedResource := range patchedResources { + if reflect.DeepEqual(patchedResource, unstructured.Unstructured{}) { + continue + } + + if !policyContext.admissionOperation && rule.IsMutateExisting() { + policyContext := policyContext.Copy() + if err := policyContext.jsonContext.AddTargetResource(patchedResource.unstructured.Object); err != nil { + logging.Error(err, "failed to add target resource to the context") + continue + } + } + + logger.V(4).Info("apply rule to resource", "rule", rule.Name, "resource namespace", patchedResource.unstructured.GetNamespace(), "resource name", patchedResource.unstructured.GetName()) + var mutateResp *mutate.Response + if rule.Mutation.ForEachMutation != nil { + m := &forEachMutator{ + rule: ruleCopy, + foreach: rule.Mutation.ForEachMutation, + policyContext: policyContext, + resource: patchedResource, + log: logger, + rclient: rclient, + nesting: 0, + } + + mutateResp = m.mutateForEach(ctx) + } else { + mutateResp = mutateResource(ruleCopy, policyContext, patchedResource.unstructured, logger) + } + + matchedResource = mutateResp.PatchedResource + ruleResponse := buildRuleResponse(ruleCopy, mutateResp, patchedResource) + + if ruleResponse != nil { + resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResponse) + if ruleResponse.Status == response.RuleStatusError { + incrementErrorCount(resp) + } else { + incrementAppliedCount(resp) + } + } + } + }, + ) if applyRules == kyvernov1.ApplyOne && resp.PolicyResponse.RulesAppliedCount > 0 { break } diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 94d996c4d4..8e9d1f6452 100644 
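Review bot: The closure passed to `tracing.ChildSpan` writes the enclosing function's variables — `err` via `if err = MatchesResourceDescription(...)`, `skippedRules`, and `matchedResource = mutateResp.PatchedResource` — and the `applyRules == kyvernov1.ApplyOne` check right after the call reads `resp`, so correctness now depends on `tracing.ChildSpan` running the callback synchronously and exactly once, which nothing in the hunk states. A comment above the call such as `// ChildSpan runs fn synchronously; fn updates matchedResource, skippedRules and err for the next iteration` would make that contract explicit, or the closure could return the patched resource through `ChildSpan1` (as the validation hunk does) instead of assigning through captured variables. The `continue` statements inside the inner `for _, patchedResource := range patchedResources` loop still refer to that inner loop and are correct, but the `return` on "rule not matched" now ends a span for every non-matching rule. Mutate starts before the hunk and ends after it.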
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -20,9 +20,11 @@ import (
 "github.com/kyverno/kyverno/pkg/logging"
 "github.com/kyverno/kyverno/pkg/pss"
 "github.com/kyverno/kyverno/pkg/registryclient"
+ "github.com/kyverno/kyverno/pkg/tracing"
 "github.com/kyverno/kyverno/pkg/utils"
 "github.com/kyverno/kyverno/pkg/utils/api"
 "github.com/pkg/errors"
+ "go.opentelemetry.io/otel/trace"
 appsv1 "k8s.io/api/apps/v1"
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
@@ -112,31 +114,36 @@ func validateResource(ctx context.Context, log logr.Logger, rclient registryclie
 for i := range rules {
 rule := &rules[i]
- hasValidate := rule.HasValidate()
- hasValidateImage := rule.HasImagesValidationChecks()
- hasYAMLSignatureVerify := rule.HasYAMLSignatureVerify()
- if !hasValidate && !hasValidateImage {
- continue
- }
-
- log = log.WithValues("rule", rule.Name)
- if !matches(log, rule, enginectx) {
- continue
- }
-
 log.V(3).Info("processing validation rule", "matchCount", matchCount, "applyRules", applyRules)
 enginectx.jsonContext.Reset()
 startTime := time.Now()
-
- var ruleResp *response.RuleResponse
- if hasValidate && !hasYAMLSignatureVerify {
- ruleResp = processValidationRule(ctx, log, rclient, enginectx, rule)
- } else if hasValidateImage {
- ruleResp = processImageValidationRule(ctx, log, rclient, enginectx, rule)
- } else if hasYAMLSignatureVerify {
- ruleResp = processYAMLValidationRule(log, enginectx, rule)
- }
-
+ ruleResp := tracing.ChildSpan1(
+ ctx,
+ "pkg/engine",
+ fmt.Sprintf("RULE %s", rule.Name),
+ func(ctx context.Context, span trace.Span) *response.RuleResponse {
+ hasValidate := rule.HasValidate()
+ hasValidateImage := rule.HasImagesValidationChecks()
+ hasYAMLSignatureVerify := rule.HasYAMLSignatureVerify()
+ if !hasValidate && !hasValidateImage {
+ return nil
+ }
+ log = log.WithValues("rule", rule.Name)
+ if !matches(log, rule, enginectx) {
+ return nil
+ }
+ log.V(3).Info("processing validation rule", "matchCount", matchCount, "applyRules", applyRules)
+ enginectx.jsonContext.Reset()
+ if hasValidate && !hasYAMLSignatureVerify {
+ return processValidationRule(ctx, log, rclient, enginectx, rule)
+ } else if hasValidateImage {
+ return processImageValidationRule(ctx, log, rclient, enginectx, rule)
+ } else if hasYAMLSignatureVerify {
+ return processYAMLValidationRule(log, enginectx, rule)
+ }
+ return nil
+ },
+ )
 if ruleResp != nil {
 addRuleResponse(log, resp, ruleResp, startTime)
 if applyRules ==
kyvernov1.ApplyOne && resp.PolicyResponse.RulesAppliedCount > 0 {
diff --git a/pkg/webhooks/resource/imageverification/handler.go b/pkg/webhooks/resource/imageverification/handler.go
index d997298dfa..1856b4e3ee 100644
--- a/pkg/webhooks/resource/imageverification/handler.go
+++ b/pkg/webhooks/resource/imageverification/handler.go
@@ -3,6 +3,7 @@ package imageverification
 import (
 "context"
 "errors"
+ "fmt"
 "reflect"
 "github.com/go-logr/logr"
@@ -12,10 +13,12 @@ import (
 "github.com/kyverno/kyverno/pkg/engine/response"
 "github.com/kyverno/kyverno/pkg/event"
 "github.com/kyverno/kyverno/pkg/registryclient"
+ "github.com/kyverno/kyverno/pkg/tracing"
 controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
 reportutils "github.com/kyverno/kyverno/pkg/utils/report"
 webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
+ "go.opentelemetry.io/otel/trace"
 admissionv1 "k8s.io/api/admission/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -26,6 +29,14 @@ type ImageVerificationHandler interface {
 Handle(context.Context, *admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext) ([]byte, []string, error)
 }
+type imageVerificationHandler struct {
+ kyvernoClient versioned.Interface
+ rclient registryclient.Client
+ log logr.Logger
+ eventGen event.Interface
+ admissionReports bool
+}
+
 func NewImageVerificationHandler(
 log logr.Logger,
 kyvernoClient versioned.Interface,
@@ -42,14 +53,6 @@ func NewImageVerificationHandler(
 }
 }
-type imageVerificationHandler struct {
- kyvernoClient versioned.Interface
- rclient registryclient.Client
- log logr.Logger
- eventGen event.Interface
- admissionReports bool
-}
-
 func (h *imageVerificationHandler) Handle(
 ctx context.Context,
 request *admissionv1.AdmissionRequest,
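Review bot: `log.V(3).Info("processing validation rule", ...)` and `enginectx.jsonContext.Reset()` now run twice per rule: once as the context lines kept before `startTime := time.Now()`, unconditionally for every rule, and again inside the ChildSpan1 closure after the validate/match checks, so the "processing validation rule" entry is also logged for rules that are skipped or do not match. Dropping the two pre-span copies (keeping `startTime`) restores the previous behaviour; the copies inside the closure are the correctly gated ones. Separately, `log = log.WithValues("rule", rule.Name)` inside the closure rebinds the captured outer `log`, so each iteration stacks another `rule` key onto the logger later passed to `addRuleResponse`; this predates the commit, but a local `ruleLog := log.WithValues("rule", rule.Name)` would fit the closure better. The enclosing loop and validateResource continue outside the hunk.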
@@ -74,17 +77,23 @@ func (h *imageVerificationHandler) handleVerifyImages(
 if len(policies) == 0 {
 return true, "", nil, nil
 }
-
 var engineResponses []*response.EngineResponse
 var patches [][]byte
 verifiedImageData := &engine.ImageVerificationMetadata{}
- for _, p := range policies {
- policyContext := policyContext.WithPolicy(p)
- resp, ivm := engine.VerifyAndPatchImages(ctx, h.rclient, policyContext)
+ for _, policy := range policies {
+ tracing.ChildSpan(
+ ctx,
+ "",
+ fmt.Sprintf("POLICY %s/%s", policy.GetNamespace(), policy.GetName()),
+ func(ctx context.Context, span trace.Span) {
+ policyContext := policyContext.WithPolicy(policy)
+ resp, ivm := engine.VerifyAndPatchImages(ctx, h.rclient, policyContext)
- engineResponses = append(engineResponses, resp)
- patches = append(patches, resp.GetPatches()...)
- verifiedImageData.Merge(ivm)
+ engineResponses = append(engineResponses, resp)
+ patches = append(patches, resp.GetPatches()...)
+ verifiedImageData.Merge(ivm)
+ },
+ )
 }
 failurePolicy := policies[0].GetSpec().GetFailurePolicy()
@@ -110,7 +119,7 @@ func (h *imageVerificationHandler) handleVerifyImages(
 }
 }
- go h.handleAudit(context.TODO(), policyContext.NewResource(), request, nil, engineResponses...)
+ go h.handleAudit(ctx, policyContext.NewResource(), request, nil, engineResponses...)
 warnings := webhookutils.GetWarningMessages(engineResponses)
 return true, "", jsonutils.JoinPatches(patches...), warnings
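Review bot: The tracer name passed to `tracing.ChildSpan` here is `""`, whereas the same commit uses `"pkg/engine"` in pkg/engine/validation.go and `"pkg/webhooks/resource/validate"` in pkg/webhooks/resource/validation/validation.go; the empty name recurs in mutation.go's applyMutations and in both `tracing.Span` AUDIT spans. An empty instrumentation-scope name makes these spans hard to attribute or filter in the trace backend, so the package path (`"pkg/webhooks/resource/imageverification"` here) would be consistent with the named call sites, and `"pkg/webhooks/resource/validate"` looks like a slip for the `validation` package shown in that file's header. The loop also relies on the closure running synchronously, since `engineResponses`, `patches` and `verifiedImageData` are read right after it; if that is the helper's contract, a one-line comment on the loop would make it explicit. handleVerifyImages continues outside the hunk.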
@@ -155,16 +164,24 @@ func (v *imageVerificationHandler) handleAudit(
 if !reportutils.IsGvkSupported(schema.GroupVersionKind(request.Kind)) {
 return
 }
- report := reportutils.BuildAdmissionReport(resource, request, request.Kind, engineResponses...)
- // if it's not a creation, the resource already exists, we can set the owner
- if request.Operation != admissionv1.Create {
- gv := metav1.GroupVersion{Group: request.Kind.Group, Version: request.Kind.Version}
- controllerutils.SetOwner(report, gv.String(), request.Kind.Kind, resource.GetName(), resource.GetUID())
- }
- if len(report.GetResults()) > 0 {
- _, err := reportutils.CreateReport(context.Background(), report, v.kyvernoClient)
- if err != nil {
- v.log.Error(err, "failed to create report")
- }
- }
+ tracing.Span(
+ context.Background(),
+ "",
+ fmt.Sprintf("AUDIT %s %s", request.Operation, request.Kind),
+ func(ctx context.Context, span trace.Span) {
+ report := reportutils.BuildAdmissionReport(resource, request, request.Kind, engineResponses...)
+ // if it's not a creation, the resource already exists, we can set the owner
+ if request.Operation != admissionv1.Create {
+ gv := metav1.GroupVersion{Group: request.Kind.Group, Version: request.Kind.Version}
+ controllerutils.SetOwner(report, gv.String(), request.Kind.Kind, resource.GetName(), resource.GetUID())
+ }
+ if len(report.GetResults()) > 0 {
+ _, err := reportutils.CreateReport(context.Background(), report, v.kyvernoClient)
+ if err != nil {
+ v.log.Error(err, "failed to create report")
+ }
+ }
+ },
+ trace.WithLinks(trace.LinkFromContext(ctx)),
+ )
 }
diff --git a/pkg/webhooks/resource/mutation/mutation.go b/pkg/webhooks/resource/mutation/mutation.go
index 8360843095..3dd3eef8d0 100644
--- a/pkg/webhooks/resource/mutation/mutation.go
+++ b/pkg/webhooks/resource/mutation/mutation.go
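Review bot: `reportutils.CreateReport(context.Background(), report, v.kyvernoClient)` inside the new span closure discards the closure's `ctx`, so the report write is not recorded under the AUDIT span; the validation handler's handleAudit in this same commit passes `ctx` there, and this one should match: `_, err := reportutils.CreateReport(ctx, report, v.kyvernoClient)`. Rooting the span at `context.Background()` and attaching `trace.WithLinks(trace.LinkFromContext(ctx))` instead of making it a child span deserves a comment, presumably because handleAudit is started with `go` and outlives the admission request, e.g. `// handleAudit runs in a detached goroutine, so start a separate trace and link it to the admission span rather than parenting under the request context`. The same comment applies to the AUDIT span in pkg/webhooks/resource/validation/validation.go's handleAudit.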
@@ -15,11 +15,13 @@ import (
 "github.com/kyverno/kyverno/pkg/metrics"
 "github.com/kyverno/kyverno/pkg/openapi"
 "github.com/kyverno/kyverno/pkg/registryclient"
+ "github.com/kyverno/kyverno/pkg/tracing"
 "github.com/kyverno/kyverno/pkg/utils"
 engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
 jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
 webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
 "github.com/pkg/errors"
+ "go.opentelemetry.io/otel/trace"
 admissionv1 "k8s.io/api/admission/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -99,28 +101,41 @@ func (v *mutationHandler) applyMutations(
 if !spec.HasMutate() {
 continue
 }
- v.log.V(3).Info("applying policy mutate rules", "policy", policy.GetName())
- currentContext := policyContext.WithPolicy(policy)
- engineResponse, policyPatches, err := v.applyMutation(ctx, request, currentContext)
+
+ err := tracing.ChildSpan1(
+ ctx,
+ "",
+ fmt.Sprintf("POLICY %s/%s", policy.GetNamespace(), policy.GetName()),
+ func(ctx context.Context, span trace.Span) error {
+ v.log.V(3).Info("applying policy mutate rules", "policy", policy.GetName())
+ currentContext := policyContext.WithPolicy(policy)
+ engineResponse, policyPatches, err := v.applyMutation(ctx, request, currentContext)
+ if err != nil {
+ return fmt.Errorf("mutation policy %s error: %v", policy.GetName(), err)
+ }
+
+ if len(policyPatches) > 0 {
+ patches = append(patches, policyPatches...)
+ rules := engineResponse.GetSuccessRules()
+ if len(rules) != 0 {
+ v.log.Info("mutation rules from policy applied successfully", "policy", policy.GetName(), "rules", rules)
+ }
+ }
+
+ policyContext = currentContext.WithNewResource(engineResponse.PatchedResource)
+ engineResponses = append(engineResponses, engineResponse)
+
+ // registering the kyverno_policy_results_total metric concurrently
+ go webhookutils.RegisterPolicyResultsMetricMutation(context.TODO(), v.log, v.metrics, string(request.Operation), policy, *engineResponse)
+ // registering the kyverno_policy_execution_duration_seconds metric concurrently
+ go webhookutils.RegisterPolicyExecutionDurationMetricMutate(context.TODO(), v.log, v.metrics, string(request.Operation), policy, *engineResponse)
+
+ return nil
+ },
+ )
 if err != nil {
- return nil, nil, fmt.Errorf("mutation policy %s error: %v", policy.GetName(), err)
+ return nil, nil, err
 }
-
- if len(policyPatches) > 0 {
- patches = append(patches, policyPatches...)
- rules := engineResponse.GetSuccessRules()
- if len(rules) != 0 {
- v.log.Info("mutation rules from policy applied successfully", "policy", policy.GetName(), "rules", rules)
- }
- }
-
- policyContext = currentContext.WithNewResource(engineResponse.PatchedResource)
- engineResponses = append(engineResponses, engineResponse)
-
- // registering the kyverno_policy_results_total metric concurrently
- go webhookutils.RegisterPolicyResultsMetricMutation(context.TODO(), v.log, v.metrics, string(request.Operation), policy, *engineResponse)
- // registering the kyverno_policy_execution_duration_seconds metric concurrently
- go webhookutils.RegisterPolicyExecutionDurationMetricMutate(context.TODO(), v.log, v.metrics, string(request.Operation), policy, *engineResponse)
 }
 // generate annotations
diff --git a/pkg/webhooks/resource/validation/validation.go b/pkg/webhooks/resource/validation/validation.go
index 7f455eac42..087c981b9d 100644
--- a/pkg/webhooks/resource/validation/validation.go
+++ b/pkg/webhooks/resource/validation/validation.go
@@ -2,6 +2,7 @@ package validation
 import (
 "context"
+ "fmt"
 "reflect"
 "time"
@@ -14,10 +15,12 @@ import (
 "github.com/kyverno/kyverno/pkg/metrics"
 "github.com/kyverno/kyverno/pkg/policycache"
 "github.com/kyverno/kyverno/pkg/registryclient"
+ "github.com/kyverno/kyverno/pkg/tracing"
 admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
 controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 reportutils "github.com/kyverno/kyverno/pkg/utils/report"
 webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
+ "go.opentelemetry.io/otel/trace"
 admissionv1 "k8s.io/api/admission/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
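Review bot: `fmt.Errorf("mutation policy %s error: %v", policy.GetName(), err)` inside the closure wraps with `%v`, so the error that applyMutations now returns unchanged no longer matches `errors.Is`/`errors.As` against the underlying cause; `%w` keeps the chain: `return fmt.Errorf("mutation policy %s error: %w", policy.GetName(), err)`. The two metric goroutines here keep `context.TODO()` while their counterparts in pkg/webhooks/resource/validation/validation.go switch to the span's `ctx` in this same commit; the two handlers should agree on which context detached metric registration receives. `policyContext = currentContext.WithNewResource(...)` and `engineResponses = append(...)` assign captured outer variables from inside the span closure, which is only correct if `tracing.ChildSpan1` runs the closure synchronously, so a short comment on the loop stating that contract would help. applyMutations continues outside the hunk.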
@@ -74,7 +77,7 @@ func (v *validationHandler) HandleValidation(
 ) (bool, string, []string) {
 if len(policies) == 0 {
 // invoke handleAudit as we may have some policies in audit mode to consider
- go v.handleAudit(context.TODO(), policyContext.NewResource(), request, namespaceLabels)
+ go v.handleAudit(ctx, policyContext.NewResource(), request, namespaceLabels)
 return true, "", nil
 }
@@ -97,30 +100,37 @@ func (v *validationHandler) HandleValidation(
 var engineResponses []*response.EngineResponse
 failurePolicy := kyvernov1.Ignore
 for _, policy := range policies {
- policyContext := policyContext.WithPolicy(policy).WithNamespaceLabels(namespaceLabels)
- if policy.GetSpec().GetFailurePolicy() == kyvernov1.Fail {
- failurePolicy = kyvernov1.Fail
- }
+ tracing.ChildSpan(
+ ctx,
+ "pkg/webhooks/resource/validate",
+ fmt.Sprintf("POLICY %s/%s", policy.GetNamespace(), policy.GetName()),
+ func(ctx context.Context, span trace.Span) {
+ policyContext := policyContext.WithPolicy(policy).WithNamespaceLabels(namespaceLabels)
+ if policy.GetSpec().GetFailurePolicy() == kyvernov1.Fail {
+ failurePolicy = kyvernov1.Fail
+ }
- engineResponse := engine.Validate(ctx, v.rclient, policyContext)
- if engineResponse.IsNil() {
- // we get an empty response if old and new resources created the same response
- // allow updates if resource update doesnt change the policy evaluation
- continue
- }
+ engineResponse := engine.Validate(ctx, v.rclient, policyContext)
+ if engineResponse.IsNil() {
+ // we get an empty response if old and new resources created the same response
+ // allow updates if resource update doesnt change the policy evaluation
+ return
+ }
- go webhookutils.RegisterPolicyResultsMetricValidation(context.TODO(), logger, v.metrics, string(request.Operation), policyContext.Policy(), *engineResponse)
- go webhookutils.RegisterPolicyExecutionDurationMetricValidate(context.TODO(), logger, v.metrics, string(request.Operation), policyContext.Policy(), *engineResponse)
+ go webhookutils.RegisterPolicyResultsMetricValidation(ctx, logger, v.metrics, string(request.Operation), policyContext.Policy(), *engineResponse)
+ go webhookutils.RegisterPolicyExecutionDurationMetricValidate(ctx, logger, v.metrics, string(request.Operation), policyContext.Policy(), *engineResponse)
- engineResponses = append(engineResponses, engineResponse)
- if !engineResponse.IsSuccessful() {
- logger.V(2).Info("validation failed", "action", policy.GetSpec().ValidationFailureAction, "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
- continue
- }
+ engineResponses = append(engineResponses, engineResponse)
+ if !engineResponse.IsSuccessful() {
+ logger.V(2).Info("validation failed", "action", policy.GetSpec().ValidationFailureAction, "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
+ return
+ }
- if len(engineResponse.GetSuccessRules()) > 0 {
- logger.V(2).Info("validation passed", "policy", policy.GetName())
- }
+ if len(engineResponse.GetSuccessRules()) > 0 {
+ logger.V(2).Info("validation passed", "policy", policy.GetName())
+ }
+ },
+ )
 }
 blocked := webhookutils.BlockRequest(engineResponses, failurePolicy, logger)
@@ -134,7 +144,7 @@ func (v *validationHandler) HandleValidation(
 return false, webhookutils.GetBlockedMessages(engineResponses), nil
 }
- go v.handleAudit(context.TODO(), policyContext.NewResource(), request, namespaceLabels, engineResponses...)
+ go v.handleAudit(ctx, policyContext.NewResource(), request, namespaceLabels, engineResponses...)
 warnings := webhookutils.GetWarningMessages(engineResponses)
 return true, "", warnings
@@ -153,8 +163,15 @@ func (v *validationHandler) buildAuditResponses(
 }
 var responses []*response.EngineResponse
 for _, policy := range policies {
- policyContext := policyContext.WithPolicy(policy).WithNamespaceLabels(namespaceLabels)
- responses = append(responses, engine.Validate(ctx, v.rclient, policyContext))
+ tracing.ChildSpan(
+ ctx,
+ "pkg/webhooks/resource/validate",
+ fmt.Sprintf("POLICY %s/%s", policy.GetNamespace(), policy.GetName()),
+ func(ctx context.Context, span trace.Span) {
+ policyContext := policyContext.WithPolicy(policy).WithNamespaceLabels(namespaceLabels)
+ responses = append(responses, engine.Validate(ctx, v.rclient, policyContext))
+ },
+ )
 }
 return responses, nil
 }
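Review bot: `go webhookutils.RegisterPolicyResultsMetricValidation(ctx, ...)` and the duration call beside it now hand the POLICY span's `ctx` to goroutines that outlive the closure: if `tracing.ChildSpan` ends the span when the closure returns, the metrics are recorded against an already-ended span, and that context descends from the admission request context, which is normally cancelled once the response is written. Either keep `context.TODO()` as the previous lines did, or give the goroutines a context that is not tied to the request; whichever is chosen should also be what mutation.go's equivalent calls use. `failurePolicy = kyvernov1.Fail` and `engineResponses = append(...)` inside the closure, like `responses = append(...)` in buildAuditResponses below, depend on the closure running synchronously, and `BlockRequest` reads those variables immediately after the loop, so that contract is worth one comment on the loop. HandleValidation continues outside the hunk.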
@@ -180,21 +197,29 @@ func (v *validationHandler) handleAudit(
 if !reportutils.IsGvkSupported(schema.GroupVersionKind(request.Kind)) {
 return
 }
- responses, err := v.buildAuditResponses(ctx, resource, request, namespaceLabels)
- if err != nil {
- v.log.Error(err, "failed to build audit responses")
- }
- responses = append(responses, engineResponses...)
- report := reportutils.BuildAdmissionReport(resource, request, request.Kind, responses...)
- // if it's not a creation, the resource already exists, we can set the owner
- if request.Operation != admissionv1.Create {
- gv := metav1.GroupVersion{Group: request.Kind.Group, Version: request.Kind.Version}
- controllerutils.SetOwner(report, gv.String(), request.Kind.Kind, resource.GetName(), resource.GetUID())
- }
- if len(report.GetResults()) > 0 {
- _, err = reportutils.CreateReport(context.Background(), report, v.kyvernoClient)
- if err != nil {
- v.log.Error(err, "failed to create report")
- }
- }
+ tracing.Span(
+ context.Background(),
+ "",
+ fmt.Sprintf("AUDIT %s %s", request.Operation, request.Kind),
+ func(ctx context.Context, span trace.Span) {
+ responses, err := v.buildAuditResponses(ctx, resource, request, namespaceLabels)
+ if err != nil {
+ v.log.Error(err, "failed to build audit responses")
+ }
+ responses = append(responses, engineResponses...)
+ report := reportutils.BuildAdmissionReport(resource, request, request.Kind, responses...)
+ // if it's not a creation, the resource already exists, we can set the owner
+ if request.Operation != admissionv1.Create {
+ gv := metav1.GroupVersion{Group: request.Kind.Group, Version: request.Kind.Version}
+ controllerutils.SetOwner(report, gv.String(), request.Kind.Kind, resource.GetName(), resource.GetUID())
+ }
+ if len(report.GetResults()) > 0 {
+ _, err = reportutils.CreateReport(ctx, report, v.kyvernoClient)
+ if err != nil {
+ v.log.Error(err, "failed to create report")
+ }
+ }
+ },
+ trace.WithLinks(trace.LinkFromContext(ctx)),
+ )
 }
diff --git a/pkg/webhooks/resource/validation_test.go b/pkg/webhooks/resource/validation_test.go
index 96b1146f76..feb59d6127 100644
--- a/pkg/webhooks/resource/validation_test.go
+++ b/pkg/webhooks/resource/validation_test.go
@@ -18,7 +18,6 @@ import (
 )
 func TestValidate_failure_action_overrides(t *testing.T) {
-
 testcases := []struct {
 rawPolicy []byte
 rawResource []byte