diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index fb6de95640..f6c04525cb 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno -version: 1.2.0 -appVersion: v1.2.0 +version: 1.2.1 +appVersion: v1.2.1 icon: https://github.com/kyverno/kyverno/blob/master/documentation/images/Kyverno_Horizontal.png description: Kubernetes Native Policy Management keywords: diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index c13fec3e38..563234ee9a 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -70,6 +70,7 @@ Parameter | Description | Default `initImage.tag` | Init image tag | `nil` `livenessProbe` | liveness probe configuration | `{}` `nameOverride` | override the name of the chart | `nil` +`namespace` | namespace the chart deploy to | `nil` `nodeSelector` | node labels for pod assignment | `{}` `podAnnotations` | annotations to add to each pod | `{}` `podLabels` | additional labels to add to each pod | `{}` diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl index fe0880e71c..7a4108f600 100644 --- a/charts/kyverno/templates/_helpers.tpl +++ b/charts/kyverno/templates/_helpers.tpl @@ -47,6 +47,16 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}} {{- end -}} + +{{/* Get the namespace name. */}} +{{- define "kyverno.namespace" -}} +{{- if .Values.namespace -}} + {{- .Values.namespace -}} +{{- else -}} + {{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + {{/* Create the name of the service to use */}} {{- define "kyverno.serviceName" -}} {{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} @@ -59,4 +69,4 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- else -}} {{ default "default" .Values.rbac.serviceAccount.name }} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} 
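Review bot: The new `kyverno.namespace` helper in `_helpers.tpl` hands back `.Values.namespace` verbatim, but Helm only creates and tracks the release namespace, so a value that differs from `--namespace` points every resource that uses the helper at a namespace that must already exist while the release record stays elsewhere. Any template that still uses `.Release.Namespace` (or sets no namespace at all) will then land in a different namespace from the Deployment, which for a webhook whose TLS secrets are looked up by the running pod is a silent failure mode. I would say so in the helper's comment: `{{/* Get the namespace name. Falls back to the release namespace; if .Values.namespace is set it must already exist and every namespaced template must use this helper, not .Release.Namespace. */}}`.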
diff --git a/charts/kyverno/templates/clusterrolebinding.yaml b/charts/kyverno/templates/clusterrolebinding.yaml index 87b413a1b7..3ae1dcc6c4 100644 --- a/charts/kyverno/templates/clusterrolebinding.yaml +++ b/charts/kyverno/templates/clusterrolebinding.yaml @@ -10,7 +10,7 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ template "kyverno.namespace" . }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -23,7 +23,7 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ template "kyverno.namespace" . }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -36,7 +36,7 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ template "kyverno.namespace" . }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -49,8 +49,8 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} ---- + namespace: {{ template "kyverno.namespace" . }} +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -62,5 +62,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ template "kyverno.namespace" . }} {{- end }} diff --git a/charts/kyverno/templates/configmap.yaml b/charts/kyverno/templates/configmap.yaml index cf264ed4c3..92db811de0 100644 --- a/charts/kyverno/templates/configmap.yaml +++ b/charts/kyverno/templates/configmap.yaml 
@@ -4,7 +4,7 @@ kind: ConfigMap metadata: labels: {{ include "kyverno.labels" . | nindent 4 }} name: {{ template "kyverno.configMapName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ template "kyverno.namespace" . }} data: # resource types to be skipped by kyverno policy engine {{- if .Values.config.resourceFilters }} @@ -16,4 +16,4 @@ data: {{- if .Values.config.excludeUsername }} excludeUsername: {{ join "" .Values.config.excludeUsername | quote }} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml index 3121cc06f5..22d685aa11 100644 --- a/charts/kyverno/templates/deployment.yaml +++ b/charts/kyverno/templates/deployment.yaml @@ -3,7 +3,7 @@ kind: Deployment metadata: name: {{ template "kyverno.fullname" . }} labels: {{ include "kyverno.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} + namespace: {{ template "kyverno.namespace" . }} spec: selector: matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }} @@ -41,6 +41,15 @@ spec: - name: kyverno-pre image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }} imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all containers: - name: kyverno image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }} @@ -51,8 +60,17 @@ spec: {{- with .Values.resources }} resources: {{ tpl (toYaml .) $ | nindent 12 }} {{- end }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all ports: - - containerPort: 443 + - containerPort: 9443 name: https protocol: TCP env: 
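Review bot: Moving `containerPort` to `9443` is what lets the process bind as UID 1000 with every capability dropped, but it only works end to end if the chart's Service targets the named port; the `service.yaml` hunk in this diff changes only the namespace line and its `ports:` block is outside view, so please confirm it reads `targetPort: https` rather than `targetPort: 443` (a mismatch makes the API server unable to reach the webhook, which fails open if the webhook's `failurePolicy` is `Ignore`). In the same `securityContext` blocks, `drop: - all` uses the lowercase spelling; the documented Kubernetes form is `drop: - ALL`, and lowercase relies on the runtime treating capability names case-insensitively, which policy checkers matching the literal string may not. Both container blocks (`kyverno-pre` and `kyverno`) carry the same spelling, so both would need the change.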
diff --git a/charts/kyverno/templates/secret.yaml b/charts/kyverno/templates/secret.yaml index ad5ba7cf76..7648f2f185 100644 --- a/charts/kyverno/templates/secret.yaml +++ b/charts/kyverno/templates/secret.yaml @@ -1,10 +1,10 @@ {{- if .Values.createSelfSignedCert }} -{{- $ca := .ca | default (genCA (printf "*.%s.svc" .Release.Namespace) 1024) -}} -{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) .Release.Namespace) nil nil 1024 $ca -}} +{{- $ca := .ca | default (genCA (printf "*.%s.svc" "kyverno.namespace") 1024) -}} +{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) "kyverno.namespace") nil nil 1024 $ca -}} apiVersion: v1 kind: Secret metadata: - name: {{ template "kyverno.serviceName" . }}.{{ .Release.Namespace }}.svc.kyverno-tls-ca + name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca labels: {{ include "kyverno.labels" . | nindent 4 }} data: rootCA.crt: {{ $ca.Cert | b64enc }} @@ -12,7 +12,7 @@ data: apiVersion: v1 kind: Secret metadata: - name: {{ template "kyverno.serviceName" . }}.{{ .Release.Namespace }}.svc.kyverno-tls-pair + name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair labels: {{ include "kyverno.labels" . | nindent 4 }} annotations: self-signed-cert: "true" diff --git a/charts/kyverno/templates/service.yaml b/charts/kyverno/templates/service.yaml index 76d7415c5e..f82e171d87 100644 --- a/charts/kyverno/templates/service.yaml +++ b/charts/kyverno/templates/service.yaml @@ -3,7 +3,7 @@ kind: Service metadata: name: {{ template "kyverno.serviceName" . }} labels: {{ include "kyverno.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} + namespace: {{ template "kyverno.namespace" . }} {{- with .Values.service.annotations }} annotations: {{ tpl (toYaml .) $ | nindent 4 }} {{- end }} 
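Review bot: In `secret.yaml` the two `printf` calls now receive the literal string `"kyverno.namespace"` instead of the rendered helper, so the CA is issued for `*.kyverno.namespace.svc` and the server cert for `kyverno-svc.kyverno.namespace.svc`, which never matches the `<service>.<namespace>.svc` name the API server dials; webhook TLS verification then fails, and with a `failurePolicy: Ignore` webhook that means admission silently fails open. The fix is to render the helper once and reuse it: `{{- $ns := include "kyverno.namespace" . -}}`, `{{- $ca := .ca | default (genCA (printf "*.%s.svc" $ns) 1024) -}}`, `{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) $ns) nil nil 1024 $ca -}}`. Two related caveats: `genSignedCert` is called with `nil` for `alternateDNS`, so the cert carries no SAN, and Go-based clients such as recent API servers reject CN-only certificates, so the same FQDN should also be passed as the DNS SAN list; and neither Secret's `metadata` sets `namespace` in the visible lines, so they are created in the release namespace even when `.Values.namespace` sends the Deployment elsewhere.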
diff --git a/charts/kyverno/templates/serviceaccount.yaml b/charts/kyverno/templates/serviceaccount.yaml index 01a0a238d9..996d93ef4f 100644 --- a/charts/kyverno/templates/serviceaccount.yaml +++ b/charts/kyverno/templates/serviceaccount.yaml @@ -7,5 +7,5 @@ metadata: {{- if .Values.rbac.serviceAccount.annotations }} annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }} {{- end }} - namespace: {{ .Release.Namespace }} -{{- end }} \ No newline at end of file + namespace: {{ template "kyverno.namespace" . }} +{{- end }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 98ad66b4a0..54b01e905b 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -1,5 +1,6 @@ nameOverride: fullnameOverride: +namespace: rbac: create: true @@ -55,7 +56,7 @@ resources: livenessProbe: httpGet: path: /health/liveness - port: 443 + port: 9443 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 @@ -69,7 +70,7 @@ livenessProbe: readinessProbe: httpGet: path: /health/readiness - port: 443 + port: 9443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 diff --git a/definitions/install.yaml b/definitions/install.yaml index 540edadb23..117ae22482 100755 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -2498,7 +2498,7 @@ metadata: spec: ports: - port: 443 - targetPort: 443 + targetPort: https selector: app: kyverno --- @@ -2532,13 +2532,13 @@ spec: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc - image: nirmata/kyverno:v1.2.0 + image: nirmata/kyverno:v1.2.1 imagePullPolicy: Always livenessProbe: failureThreshold: 4 httpGet: path: /health/liveness - port: 443 + port: 9443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 
@@ -2546,12 +2546,14 @@ spec: timeoutSeconds: 5 name: kyverno ports: - - containerPort: 443 + - containerPort: 9443 + name: https + protocol: TCP readinessProbe: failureThreshold: 4 httpGet: path: /health/readiness - port: 443 + port: 9443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 @@ -2563,8 +2565,28 @@ spec: requests: cpu: 100m memory: 50Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 initContainers: - - image: nirmata/kyvernopre:v1.2.0 + - image: nirmata/kyvernopre:v1.2.1 imagePullPolicy: Always name: kyverno-pre + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + securityContext: + runAsNonRoot: true serviceAccountName: kyverno-service-account diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 1d1f1d8e5d..40f273f410 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -2498,6 +2498,6 @@ metadata: spec: ports: - port: 443 - targetPort: 443 + targetPort: https selector: app: kyverno diff --git a/definitions/k8s-resource/rbac.yaml b/definitions/k8s-resource/rbac.yaml index 62f892cc5b..1bf6b08ecb 100755 --- a/definitions/k8s-resource/rbac.yaml +++ b/definitions/k8s-resource/rbac.yaml @@ -14,7 +14,7 @@ metadata: spec: ports: - port: 443 - targetPort: 443 + targetPort: https selector: app: kyverno --- diff --git a/definitions/kustomization.yaml b/definitions/kustomization.yaml index d2a6ac47c5..8bf51cf2d2 100755 --- a/definitions/kustomization.yaml +++ b/definitions/kustomization.yaml @@ -8,7 +8,7 @@ resources: images: - name: nirmata/kyverno newName: nirmata/kyverno - newTag: v1.2.0 + newTag: v1.2.1 - name: nirmata/kyvernopre newName: nirmata/kyvernopre - newTag: v1.2.0 + newTag: v1.2.1 
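Review bot: `readOnlyRootFilesystem: true` is now set on both the `kyverno` container and the `kyverno-pre` init container in `install.yaml`, but no `emptyDir` or other writable mount appears in the hunk, so if either binary writes anything at runtime (temp files, a cert or cache directory) it will start failing at the first write rather than at admission; please confirm the write paths or add an `emptyDir` volume for them. The `capabilities.drop` entries use `all` where the documented form is `ALL`; the runtime may accept either, but tooling that matches the literal string will not see the capabilities as dropped, so `drop: - ALL` is the safer spelling. The pod-level `securityContext: runAsNonRoot: true` is a good addition and is consistent with the container-level `runAsUser: 1000`.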
diff --git a/definitions/manifest/deployment.yaml b/definitions/manifest/deployment.yaml index 0be4f21d29..37b919a81e 100755 --- a/definitions/manifest/deployment.yaml +++ b/definitions/manifest/deployment.yaml @@ -17,13 +17,24 @@ spec: app: kyverno spec: serviceAccountName: kyverno-service-account + securityContext: + runAsNonRoot: true initContainers: - name: kyverno-pre image: nirmata/kyvernopre:v1.1.9 imagePullPolicy: Always + securityContext: + runAsUser: 1000 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all containers: - name: kyverno - image: nirmata/kyverno:v1.1.9 + image: nirmata/kyverno:latest imagePullPolicy: Always args: - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]" @@ -33,7 +44,9 @@ spec: # - "--profile" - "-v=2" ports: - - containerPort: 443 + - containerPort: 9443 + name: https + protocol: TCP env: - name: INIT_CONFIG value: init-config @@ -43,6 +56,15 @@ spec: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc + securityContext: + runAsUser: 1000 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - all resources: requests: memory: "50Mi" @@ -52,7 +74,7 @@ spec: livenessProbe: httpGet: path: /health/liveness - port: 443 + port: 9443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 @@ -62,11 +84,10 @@ spec: readinessProbe: httpGet: path: /health/readiness - port: 443 + port: 9443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 4 successThreshold: 1 - diff --git a/definitions/release/install.yaml b/definitions/release/install.yaml index 454da71fb2..602893f8d7 100755 --- a/definitions/release/install.yaml +++ b/definitions/release/install.yaml 
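Review bot: `manifest/deployment.yaml` now ships `image: nirmata/kyverno:latest` with `imagePullPolicy: Always`, a floating tag that makes the deployed code non-reproducible and auditable only after the fact, while the init container on the same pod stays pinned at `nirmata/kyvernopre:v1.1.9`, two releases behind the `v1.2.1` this commit cuts. The `kustomization.yaml` hunk in this diff rewrites both tags to `v1.2.1`, so kustomize builds are unaffected, but anyone applying this manifest directly gets whatever `latest` points at that day. If the file is meant to be applied on its own, pin it: `image: nirmata/kyverno:v1.2.1` and `image: nirmata/kyvernopre:v1.2.1`; if it is only a kustomize base, a comment saying `# tags are overridden by definitions/kustomization.yaml` would stop the next reader from worrying.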
@@ -1043,7 +1043,7 @@ metadata: spec: ports: - port: 443 - targetPort: 443 + targetPort: https selector: app: kyverno --- @@ -1077,13 +1077,13 @@ spec: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc - image: nirmata/kyverno:v1.2.0 + image: nirmata/kyverno:v1.2.1 imagePullPolicy: Always livenessProbe: failureThreshold: 4 httpGet: path: /health/liveness - port: 443 + port: 9443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 @@ -1091,12 +1091,14 @@ spec: timeoutSeconds: 5 name: kyverno ports: - - containerPort: 443 + - containerPort: 9443 + name: https + protocol: TCP readinessProbe: failureThreshold: 4 httpGet: path: /health/readiness - port: 443 + port: 9443 scheme: HTTPS initialDelaySeconds: 5 periodSeconds: 10 @@ -1108,8 +1110,28 @@ spec: requests: cpu: 100m memory: 50Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 initContainers: - - image: nirmata/kyvernopre:v1.2.0 + - image: nirmata/kyvernopre:v1.2.1 imagePullPolicy: Always name: kyverno-pre + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + securityContext: + runAsNonRoot: true serviceAccountName: kyverno-service-account diff --git a/pkg/engine/validate/common.go b/pkg/engine/validate/common.go index 9009da7c03..e9185f742c 100644 --- a/pkg/engine/validate/common.go +++ b/pkg/engine/validate/common.go @@ -5,8 +5,12 @@ import ( "strconv" ) -// convertToString converts value to string -func convertToString(value interface{}) (string, error) { +// convertNumberToString converts value to string +func convertNumberToString(value interface{}) (string, error) { + if value == nil { + return "0", nil + } + switch typed := value.(type) { case string: return string(typed), nil 
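Review bot: The new `if value == nil { return "0", nil }` at the top of `convertNumberToString` quietly changes how a missing field evaluates against a numeric pattern: previously the conversion error made `validateNumberWithStr` log and return `false` (fail closed), whereas now an absent value compares as `0`, so a pattern such as `<1000` is satisfied by a resource that never set the field at all, unless absence is already rejected earlier in the pattern walk, which is not visible here. If that is intended, it deserves a comment on the branch, e.g. `// A missing (nil) value is treated as 0 so numeric patterns can be evaluated against it; callers that must reject absent fields need to check for nil before calling.`; if not, the nil case should keep returning an error. The function's `switch` continues past the end of this hunk.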
@@ -17,7 +21,7 @@ func convertToString(value interface{}) (string, error) { case int: return strconv.Itoa(typed), nil default: - return "", fmt.Errorf("Could not convert %T to string", value) + return "", fmt.Errorf("could not convert %v to string", typed) } } diff --git a/pkg/engine/validate/pattern.go b/pkg/engine/validate/pattern.go index 7e2edf23ae..7190ebff62 100644 --- a/pkg/engine/validate/pattern.go +++ b/pkg/engine/validate/pattern.go @@ -224,7 +224,7 @@ func validateString(log logr.Logger, value interface{}, pattern string, operator // validateNumberWithStr compares quantity if pattern type is quantity // or a wildcard match to pattern string func validateNumberWithStr(log logr.Logger, value interface{}, pattern string, operator operator.Operator) bool { - typedValue, err := convertToString(value) + typedValue, err := convertNumberToString(value) if err != nil { log.Error(err, "failed to convert to string") return false diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index 0389ddf68a..fb7f368ded 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -43,7 +43,7 @@ import ( // WebhookServer contains configured TLS server with MutationWebhook. type WebhookServer struct { - server http.Server + server *http.Server client *client.Client kyvernoClient *kyvernoclient.Clientset @@ -213,8 +213,8 @@ func NewWebhookServer( w.WriteHeader(http.StatusOK) }) - ws.server = http.Server{ - Addr: ":443", // Listen on port for HTTPS requests + ws.server = &http.Server{ + Addr: ":9443", // Listen on port for HTTPS requests TLSConfig: &tlsConfig, Handler: mux, ReadTimeout: 15 * time.Second, 
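Review bot: In the `default` branch of `convertNumberToString`, switching the format verb from `%T` to `%v` drops the one piece of information that branch exists to report: `typed` there is just the original `interface{}` value, so the message becomes `could not convert true to string` with no hint that the value was a bool, which is what a policy author needs to fix their pattern. Keeping both is a one-line change: `return "", fmt.Errorf("could not convert %v (%T) to string", typed, typed)`. The lowercase message start is the right call per Go error-string convention.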
@@ -511,12 +511,12 @@ func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) { logger.Info("failed to sync informer cache") } - go func(ws *WebhookServer) { + go func () { logger.V(3).Info("started serving requests", "addr", ws.server.Addr) if err := ws.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed { logger.Error(err, "failed to listen to requests") } - }(ws) + }() logger.Info("starting") // verifies if the admission control is enabled and active diff --git a/scripts/verify-deployment.sh b/scripts/verify-deployment.sh index b265388a54..cf7720071a 100644 --- a/scripts/verify-deployment.sh +++ b/scripts/verify-deployment.sh @@ -20,6 +20,10 @@ monitor_timeout() { local -r wait_pid="$1" sleep "${timeout}" echo "Timeout ${timeout} exceeded" >&2 + kubectl --namespace "${namespace}" get pods + docker images | grep "kyverno" + kubectl --namespace "${namespace}" describe deployment "${deployment}" -o yaml + kubectl --namespace "${namespace}" logs -l app=kyverno kill "${wait_pid}" }
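Review bot: `go func () {` in `RunAsync` is not `gofmt` output (the formatter removes the space before the parameter list), so this line will be rewritten by the next `gofmt` pass and fails a `gofmt -l` CI check; it should read `go func() {`. Dropping the explicit `ws` parameter is fine now that `ws.server` is a pointer, since the closure captures the receiver rather than copying an `http.Server`. `RunAsync` both starts before and continues after this hunk.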
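Review bot: In `monitor_timeout`, `kubectl --namespace "${namespace}" describe deployment "${deployment}" -o yaml` will not print anything useful because `kubectl describe` has no `-o` flag; the command errors with an unknown-flag message and the diagnostic is lost right when it is needed. Either drop the flag or use `kubectl --namespace "${namespace}" get deployment "${deployment}" -o yaml`, which is what the `-o yaml` intent suggests. Note also that `docker images | grep "kyverno"` returns non-zero when nothing matches, so if the script runs under `set -e`/`pipefail` (not visible in this hunk) it would abort before the `logs` line; `grep "kyverno" || true` avoids that. `monitor_timeout` starts before the hunk.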