mirror of https://github.com/kyverno/kyverno.git (synced 2025-03-05 07:26:55 +00:00)
Enable flexible registry credential configurations (#7114)
* types added
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* added secret fetching and client creation
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* codegen
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fixed tests
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* validate target resource scope & namespace settings (#7098)
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: mutation code (#7095)
  * fix: mutation code
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * kuttl tests
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * fix
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * fix
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  ---------
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* lazy loading of context vars (#7071)
  * lazy loading of context vars
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * gofumpt
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * add kuttl tests
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  ---------
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* moved to policy context
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* removed errors
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* RegistryClientLoader
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* [Feature] Add kuttl tests with policy exceptions disabled (#7117)
  * added tests
    Signed-off-by: Ved Ratan <vedratan8@gmail.com>
  * removed redundant code
    Signed-off-by: Ved Ratan <vedratan8@gmail.com>
  * fix
    Signed-off-by: Ved Ratan <vedratan8@gmail.com>
  * fix
    Signed-off-by: Ved Ratan <vedratan8@gmail.com>
  * typo fix and README changes
    Signed-off-by: Ved Ratan <vedratan8@gmail.com>
  * fix
    Signed-off-by: Ved Ratan <vedratan8@gmail.com>
  ---------
  Signed-off-by: Ved Ratan <vedratan8@gmail.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* Conditions message (#7113)
  * add message to conditions
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * add tests
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * extend tests
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  ---------
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#7123)
  Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 2.1.2 to 2.1.3.
  - [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
  - [Commits](21991cec25...555a30da26)
  ---
  updated-dependencies:
  - dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: shuting <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.14.1 to 0.14.2 (#7121)
  Bumps [sigs.k8s.io/kustomize/kyaml](https://github.com/kubernetes-sigs/kustomize) from 0.14.1 to 0.14.2.
  - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases)
  - [Commits](https://github.com/kubernetes-sigs/kustomize/compare/kyaml/v0.14.1...kyaml/v0.14.2)
  ---
  updated-dependencies:
  - dependency-name: sigs.k8s.io/kustomize/kyaml
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: shuting <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump oras.land/oras-go/v2 from 2.0.2 to 2.1.0 (#7102)
  Bumps [oras.land/oras-go/v2](https://github.com/oras-project/oras-go) from 2.0.2 to 2.1.0.
  - [Release notes](https://github.com/oras-project/oras-go/releases)
  - [Commits](https://github.com/oras-project/oras-go/compare/v2.0.2...v2.1.0)
  ---
  updated-dependencies:
  - dependency-name: oras.land/oras-go/v2
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: shuting <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* add condition msg to v2beta1 (#7126)
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: print container flags and their values (#7127)
  * add condition msg to v2beta1
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  * print flags settings
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  ---------
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* remove the container flag genWorker from the admission controller (#7132)
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#7103)
  Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.54.0 to 1.55.0.
  - [Release notes](https://github.com/grpc/grpc-go/releases)
  - [Commits](https://github.com/grpc/grpc-go/compare/v1.54.0...v1.55.0)
  ---
  updated-dependencies:
  - dependency-name: google.golang.org/grpc
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* remove the duplicate entry (#7125)
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump sigs.k8s.io/kustomize/api from 0.13.2 to 0.13.3 (#7120)
  Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.13.2 to 0.13.3.
  - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases)
  - [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.13.2...api/v0.13.3)
  ---
  updated-dependencies:
  - dependency-name: sigs.k8s.io/kustomize/api
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: shuting <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* update background scan logging messages (#7142)
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* Update chart with v2 to v3 migration guidance. (#7144)
  * add Saxo Bank and Velux as adopters
    Signed-off-by: Chip Zoller <chipzoller@gmail.com>
  * update chart README and validations
    Signed-off-by: Chip Zoller <chipzoller@gmail.com>
  * codegen
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  ---------
  Signed-off-by: Chip Zoller <chipzoller@gmail.com>
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* add Controller Internals info (#7147)
  Signed-off-by: Chip Zoller <chipzoller@gmail.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* Supporting ValidatingAdmissionPolicy in kyverno cli (apply and test command) (#6656)
  * feat: add policy reporter to the dev lab
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * refactor: remove obsolete structs from CLI
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * more
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * fix
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * fix
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * fix
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * codegen
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * Supporting ValidatingAdmissionPolicy in kyverno apply
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * chore: bump k8s from v0.26.3 to v0.27.0-rc.0
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * Support validating admission policy in kyverno apply
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * Support validating admission policy in kyverno test
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * refactoring
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * Adding kyverno apply tests for validating admission policy
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * fix
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * fix
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * running codegen-all
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * fix
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * Adding IsVap field in TestResults
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * chore: bump k8s from v0.27.0-rc.0 to v0.27.1
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * fix
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * fix
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * Fix vap in engine response
    Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  * codegen
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  ---------
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
  Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Co-authored-by: Jim Bugwadia <jim@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump sigs.k8s.io/kustomize/api from 0.13.3 to 0.13.4 (#7150)
  Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.13.3 to 0.13.4.
  - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases)
  - [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.13.3...api/v0.13.4)
  ---
  updated-dependencies:
  - dependency-name: sigs.k8s.io/kustomize/api
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#7149)
  Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.8.0 to 0.9.0.
  - [Commits](https://github.com/golang/crypto/compare/v0.8.0...v0.9.0)
  ---
  updated-dependencies:
  - dependency-name: golang.org/x/crypto
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* Added `omit-events` flag to allow disabling of event emission (#7010)
  * added comma separated flag
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  * reason added in logs
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  * added requested changes
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  * kuttl test init
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  * updated kuttl tests
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  * updated behavior
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  * fixed flawed behavior
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  * updated test location and added readme
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  * tests
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  * updated step
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  * omit events
    Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  ---------
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
  Co-authored-by: shuting <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: let reports controller quit when losing the lead (#7153)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump slsa-framework/slsa-github-generator (#7160)
  Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0.
  - [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
  - [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0)
  ---
  updated-dependencies:
  - dependency-name: slsa-framework/slsa-github-generator
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore: bump otel deps (#7152)
  * chore: bump otel deps
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * fix
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  ---------
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 (#7172)
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump github.com/docker/distribution (#7171)
  Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
  - [Release notes](https://github.com/docker/distribution/releases)
  - [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)
  ---
  updated-dependencies:
  - dependency-name: github.com/docker/distribution
    dependency-type: indirect
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump github.com/go-logr/zapr from 1.2.3 to 1.2.4 (#7177)
  Bumps [github.com/go-logr/zapr](https://github.com/go-logr/zapr) from 1.2.3 to 1.2.4.
  - [Release notes](https://github.com/go-logr/zapr/releases)
  - [Commits](https://github.com/go-logr/zapr/compare/v1.2.3...v1.2.4)
  ---
  updated-dependencies:
  - dependency-name: github.com/go-logr/zapr
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* Add refactor note (#7169)
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fixed typo in the v2 to v3 helm migration guide (#7163)
  * fixed typo in the v2 to v3 helm migration guide
    Signed-off-by: Richard Parke <richardparke15@gmail.com>
  * codegen
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  ---------
  Signed-off-by: Richard Parke <richardparke15@gmail.com>
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump github.com/distribution/distribution (#7178)
  Bumps [github.com/distribution/distribution](https://github.com/distribution/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
  - [Release notes](https://github.com/distribution/distribution/releases)
  - [Commits](https://github.com/distribution/distribution/compare/v2.8.1...v2.8.2)
  ---
  updated-dependencies:
  - dependency-name: github.com/distribution/distribution
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* tweaks (#7166)
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: add logging feature to helm chart (#7181)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* refactor: hide json context from caller (#7139)
  * refactor: hide json context from caller
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * fix
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * fix
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * fix
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * unit tests
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  * fix
    Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  ---------
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* feat: add omit-events feature in helm chart (#7185)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: preconditions in mutate existing rules (#7183)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: use structured jsonpatch instead of byte arrays (#7186)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* added secret lister
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* changes from review
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* added rclientloader to policy context
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* refactor changes
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* NIT
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* added RegistryClientLoaderNewOrDie to policy context
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* CI fixes
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: panic for policy variable validation (#7079)
  * fix panic
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  * check errors
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  ---------
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: remove policy-reporter from dev lab (#7196)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: cleanup controller metrics name (#7198)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: http request metrics (#7197)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* remove unused code (#7203)
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* handle Deny rules where conditions eval to true (#7204)
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  Co-authored-by: shuting <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* [Bug] Enforce message wrong (#7208)
  * fix
    Signed-off-by: Ved Ratan <vedratan8@gmail.com>
  * fixed tests
    Signed-off-by: Ved Ratan <vedratan8@gmail.com>
  ---------
  Signed-off-by: Ved Ratan <vedratan8@gmail.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump codecov/codecov-action from 3.1.3 to 3.1.4 (#7207)
  Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
  - [Release notes](https://github.com/codecov/codecov-action/releases)
  - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
  - [Commits](894ff025c7...eaaf4bedf3)
  ---
  updated-dependencies:
  - dependency-name: codecov/codecov-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump sigstore/cosign-installer from 3.0.3 to 3.0.4 (#7215)
  Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
  - [Release notes](https://github.com/sigstore/cosign-installer/releases)
  - [Commits](204a51a57a...03d0fecf17)
  ---
  updated-dependencies:
  - dependency-name: sigstore/cosign-installer
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: panic in reports controller (#7220)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: mutate existing auth check (#7219)
  * fix auth check when using variables in ns
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  * add kuttl tests
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  ---------
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: do not exclude kube-system service accounts by default (#7225)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* docs: add reports system design doc (#6949)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump k8s.io/apimachinery from 0.27.1 to 0.27.2 (#7227)
  Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.27.1 to 0.27.2.
  - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.27.1...v0.27.2)
  ---
  updated-dependencies:
  - dependency-name: k8s.io/apimachinery
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: shuting <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump k8s.io/cli-runtime from 0.27.1 to 0.27.2 (#7228)
  Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.27.1 to 0.27.2.
  - [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.27.1...v0.27.2)
  ---
  updated-dependencies:
  - dependency-name: k8s.io/cli-runtime
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#7229)
  Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
  - [Release notes](https://github.com/sigstore/cosign-installer/releases)
  - [Commits](03d0fecf17...dd6b2e2b61)
  ---
  updated-dependencies:
  - dependency-name: sigstore/cosign-installer
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump k8s.io/pod-security-admission from 0.27.1 to 0.27.2 (#7232)
  Bumps [k8s.io/pod-security-admission](https://github.com/kubernetes/pod-security-admission) from 0.27.1 to 0.27.2.
  - [Commits](https://github.com/kubernetes/pod-security-admission/compare/v0.27.1...v0.27.2)
  ---
  updated-dependencies:
  - dependency-name: k8s.io/pod-security-admission
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: match logic misbehave (#7218)
  * add rule name in ur for mutate existing
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  * fix match logic
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  * linter fixes
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  * fix the match logic to only apply to the new object, unless it's a delete request
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  * fix unit tests
    Signed-off-by: ShutingZhao <shuting@nirmata.com>
  ---------
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#7240)
  Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3.
  - [Release notes](https://github.com/stretchr/testify/releases)
  - [Commits](https://github.com/stretchr/testify/compare/v1.8.2...v1.8.3)
  ---
  updated-dependencies:
  - dependency-name: github.com/stretchr/testify
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#7239)
  Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
  - [Release notes](https://github.com/onsi/gomega/releases)
  - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)
  ---
  updated-dependencies:
  - dependency-name: github.com/onsi/gomega
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump k8s.io/kube-aggregator from 0.27.1 to 0.27.2 (#7241)
  Bumps [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) from 0.27.1 to 0.27.2.
  - [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.27.1...v0.27.2)
  ---
  updated-dependencies:
  - dependency-name: k8s.io/kube-aggregator
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump k8s.io/apiextensions-apiserver from 0.27.1 to 0.27.2 (#7242)
  Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.27.1 to 0.27.2.
  - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
  - [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.27.1...v0.27.2)
  ---
  updated-dependencies:
  - dependency-name: k8s.io/apiextensions-apiserver
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* passing rclientloader directly
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* lazy evaluate vars in conditions (#7238)
  * lazy evaluate vars in conditions
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * remove unnecessary conversion
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * fix test
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  * Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/03-manifests.yaml
    Signed-off-by: shuting <shutting06@gmail.com>
  * Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/README.md
    Signed-off-by: shuting <shutting06@gmail.com>
  * added error check in test
    Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  ---------
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
  Signed-off-by: shuting <shutting06@gmail.com>
  Co-authored-by: shuting <shutting06@gmail.com>
  Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* quote image in error (#7259)
  Signed-off-by: bakito <github@bakito.ch>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix: auto update webhooks not configuring fail endpoint (#7261)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* fix latest version check (#7263)
  Signed-off-by: ShutingZhao <shuting@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.0 (#7270)
  Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.5.0 to 2.6.0.
  - [Release notes](https://github.com/svenstaro/upload-release-action/releases)
  - [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
  - [Commits](7319e4733e...58d5258088)
  ---
  updated-dependencies:
  - dependency-name: svenstaro/upload-release-action
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.6 to 0.15.0 (#7272)
  Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.14.6 to 0.15.0.
  - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
  - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
  - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.14.6...v0.15.0)
  ---
  updated-dependencies:
  - dependency-name: sigs.k8s.io/controller-runtime
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: add yaml util to check empty document (#7276)
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274)
  Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
  - [Release notes](https://github.com/go-git/go-git/releases)
  - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)
  ---
  updated-dependencies:
  - dependency-name: github.com/go-git/go-git/v5
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* NIT
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* Azure to ACR
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* go mod fix
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* codegen
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* NIT
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* adding kuttl test
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* use pointer
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fixes
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* cleanup
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* global client
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* cleanup
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* added kubeclient
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* added nil kubeclient check
  Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
* context
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* factory
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* more fixes
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* secrets lister
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* flags
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* tests
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix cli
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix kuttl test
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix kuttl test
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix kuttl test
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* kuttl test
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* factories
  Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Signed-off-by: Richard Parke <richardparke15@gmail.com>
Signed-off-by: shuting <shutting06@gmail.com>
Signed-off-by: bakito <github@bakito.ch>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Mariam Fahmy <55502281+MariamFahmy98@users.noreply.github.com>
Co-authored-by: rparke <50015370+rparke@users.noreply.github.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com>
Co-authored-by: Marc Brugger <github@bakito.ch>
This commit is contained in:
parent
6939716675
commit
43685aedc2
43 changed files with 4828 additions and 182 deletions
|
@ -118,6 +118,10 @@ type ImageRegistry struct {
|
|||
// the image reference.
|
||||
// +optional
|
||||
JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
|
||||
|
||||
// ImageRegistryCredentials provides credentials that will be used for authentication with registry
|
||||
// +kubebuilder:validation:Optional
|
||||
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
|
||||
}
|
||||
|
||||
// ConfigMapReference refers to a ConfigMap
|
||||
|
|
|
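Review bot: the new field's marker is `// +kubebuilder:validation:Optional` while the neighbouring `JMESPath` field in the same struct uses `// +optional`; controller-gen accepts both, but one form should be used consistently within the struct. The doc comment "used for authentication with registry" also reads better as "with the registry", and since this comment becomes the CRD description it is worth stating here which secrets may be referenced (per the `ImageRegistryCredentials` type, only secrets in the Kyverno namespace), so a policy reviewer sees the scope of the field without reading the type definition.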
@ -13,9 +13,19 @@ import (
|
|||
// +kubebuilder:default=Cosign
|
||||
type ImageVerificationType string
|
||||
|
||||
// ImageRegistryCredentialsHelpersType provides the list of credential helpers required.
|
||||
// +kubebuilder:validation:Enum=default;amazon;azure;google;github
|
||||
type ImageRegistryCredentialsHelpersType string
|
||||
|
||||
const (
|
||||
Cosign ImageVerificationType = "Cosign"
|
||||
Notary ImageVerificationType = "Notary"
|
||||
|
||||
DEFAULT ImageRegistryCredentialsHelpersType = "default"
|
||||
AWS ImageRegistryCredentialsHelpersType = "amazon"
|
||||
ACR ImageRegistryCredentialsHelpersType = "azure"
|
||||
GCP ImageRegistryCredentialsHelpersType = "google"
|
||||
GHCR ImageRegistryCredentialsHelpersType = "github"
|
||||
)
|
||||
|
||||
// ImageVerification validates that images that match the specified pattern
|
||||
|
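Review bot: the constant names do not match their values (`AWS` is "amazon", `ACR` is "azure", `GCP` is "google", `GHCR` is "github"), and `DEFAULT` is not idiomatic Go for an exported constant (revive/golint flag all-caps identifiers). Because these are exported from the v1 API package next to `Cosign` and `Notary`, names as generic as `AWS` or `GCP` are easy to confuse with other identifiers in callers; a prefixed form such as `ImageRegistryCredentialsHelperAmazon`, `...Azure`, `...Google`, `...GitHub` would say what the value is and keep the suffix aligned with the enum string. The type comment "provides the list of credential helpers required" also describes a single helper value, not a list; the list is `ImageRegistryCredentials.Helpers`.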
@ -95,6 +105,10 @@ type ImageVerification struct {
|
|||
// +kubebuilder:default=true
|
||||
// +kubebuilder:validation:Optional
|
||||
Required bool `json:"required" yaml:"required"`
|
||||
|
||||
// ImageRegistryCredentials provides credentials that will be used for authentication with registry
|
||||
// +kubebuilder:validation:Optional
|
||||
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
|
||||
}
|
||||
|
||||
type AttestorSet struct {
|
||||
|
@ -254,6 +268,22 @@ type Attestation struct {
|
|||
Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
|
||||
}
|
||||
|
||||
type ImageRegistryCredentials struct {
|
||||
// AllowInsecureRegistry allows insecure access to a registry
|
||||
// +kubebuilder:validation:Optional
|
||||
AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty" yaml:"allowInsecureRegistry,omitempty"`
|
||||
|
||||
// Helpers specifies a list of OCI Registry names, whose authentication helpers are provided
|
||||
// It can be of one of these values: AWS, ACR, GCP, GHCR
|
||||
// +kubebuilder:validation:Optional
|
||||
Helpers []ImageRegistryCredentialsHelpersType `json:"helpers,omitempty" yaml:"helpers,omitempty"`
|
||||
|
||||
// Secrets specifies a list of secrets that are provided for credentials
|
||||
// Secrets must live in the Kyverno namespace
|
||||
// +kubebuilder:validation:Optional
|
||||
Secrets []string `json:"secrets,omitempty" yaml:"secrets,omitempty"`
|
||||
}
|
||||
|
||||
func (iv *ImageVerification) GetType() ImageVerificationType {
|
||||
if iv.Type != "" {
|
||||
return iv.Type
|
||||
|
|
|
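Review bot: the `Helpers` doc comment lists the Go constant names ("AWS, ACR, GCP, GHCR") rather than the strings a user must write in YAML (`default`, `amazon`, `azure`, `google`, `github`, per the enum marker on the type) and omits `default`; since this comment becomes the CRD description, users will copy the wrong values. The `AllowInsecureRegistry` comment should say what "insecure" means for the connection (plain HTTP? skipping TLS verification?), because together with `Secrets` it decides whether the referenced pull secrets are presented to a registry over an unverified connection. Both multi-sentence comments are also missing a period ("are provided It can be", "for credentials Secrets must live"), which shows up as run-on text in the generated descriptions, and one sentence noting that a policy author can name any Secret in the Kyverno namespace here, not only ones created as pull secrets, would tell reviewers of policies exactly what the field grants.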
@ -434,7 +434,7 @@ func (in *ContextEntry) DeepCopyInto(out *ContextEntry) {
|
|||
if in.ImageRegistry != nil {
|
||||
in, out := &in.ImageRegistry, &out.ImageRegistry
|
||||
*out = new(ImageRegistry)
|
||||
**out = **in
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.Variable != nil {
|
||||
in, out := &in.Variable, &out.Variable
|
||||
|
@ -673,6 +673,11 @@ func (in ImageExtractorConfigs) DeepCopy() ImageExtractorConfigs {
|
|||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *ImageRegistry) DeepCopyInto(out *ImageRegistry) {
|
||||
*out = *in
|
||||
if in.ImageRegistryCredentials != nil {
|
||||
in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
|
||||
*out = new(ImageRegistryCredentials)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistry.
|
||||
|
@ -685,6 +690,31 @@ func (in *ImageRegistry) DeepCopy() *ImageRegistry {
|
|||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *ImageRegistryCredentials) DeepCopyInto(out *ImageRegistryCredentials) {
|
||||
*out = *in
|
||||
if in.Helpers != nil {
|
||||
in, out := &in.Helpers, &out.Helpers
|
||||
*out = make([]ImageRegistryCredentialsHelpersType, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Secrets != nil {
|
||||
in, out := &in.Secrets, &out.Secrets
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistryCredentials.
|
||||
func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(ImageRegistryCredentials)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
|
||||
*out = *in
|
||||
|
@ -721,6 +751,11 @@ func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
|
|||
(*out)[key] = val
|
||||
}
|
||||
}
|
||||
if in.ImageRegistryCredentials != nil {
|
||||
in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
|
||||
*out = new(ImageRegistryCredentials)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.
|
||||
|
|
|
@ -5,16 +5,6 @@ import (
|
|||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
)
|
||||
|
||||
// ImageVerificationType selects the type of verification algorithm
|
||||
// +kubebuilder:validation:Enum=Cosign;Notary
|
||||
// +kubebuilder:default=Cosign
|
||||
type ImageVerificationType string
|
||||
|
||||
const (
|
||||
Cosign ImageVerificationType = "Cosign"
|
||||
Notary ImageVerificationType = "Notary"
|
||||
)
|
||||
|
||||
// ImageVerification validates that images that match the specified pattern
|
||||
// are signed with the supplied public key. Once the image is verified it is
|
||||
// mutated to include the SHA digest retrieved during the registration.
|
||||
|
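Review bot: deleting `ImageVerificationType`, `Cosign` and `Notary` from the v2beta1 package is a source-level breaking change for any Go code importing them from here, even though the replacement field `Type kyvernov1.ImageVerificationType` keeps the CRD shape identical. If v2beta1 is meant to remain usable by external callers, keep compatibility aliases such as `type ImageVerificationType = kyvernov1.ImageVerificationType` with `Cosign = kyvernov1.Cosign` and `Notary = kyvernov1.Notary`, and mention the move in the PR description. The `+kubebuilder:validation:Enum=Cosign;Notary` and `+kubebuilder:default=Cosign` markers now come from the v1 type, so the regenerated v2beta1 CRD should be checked to still carry them.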
@ -22,7 +12,7 @@ type ImageVerification struct {
|
|||
// Type specifies the method of signature validation. The allowed options
|
||||
// are Cosign and Notary. By default Cosign is used if a type is not specified.
|
||||
// +kubebuilder:validation:Optional
|
||||
Type ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
|
||||
Type kyvernov1.ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
|
||||
|
||||
// ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
||||
// list must match the image for the rule to apply. Each image reference consists of a registry
|
||||
|
@ -60,6 +50,10 @@ type ImageVerification struct {
|
|||
// +kubebuilder:default=true
|
||||
// +kubebuilder:validation:Optional
|
||||
Required bool `json:"required" yaml:"required"`
|
||||
|
||||
// ImageRegistryCredentials provides credentials that will be used for authentication with registry
|
||||
// +kubebuilder:validation:Optional
|
||||
ImageRegistryCredentials *kyvernov1.ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
|
||||
}
|
||||
|
||||
// Validate implements programmatic validation
|
||||
|
@ -86,7 +80,7 @@ func (iv *ImageVerification) Validate(isAuditFailureAction bool, path *field.Pat
|
|||
errs = append(errs, attestorErrors...)
|
||||
}
|
||||
|
||||
if iv.Type == Notary {
|
||||
if iv.Type == kyvernov1.Notary {
|
||||
for _, attestorSet := range iv.Attestors {
|
||||
for _, attestor := range attestorSet.Entries {
|
||||
if attestor.Keyless != nil {
|
||||
|
|
|
@ -184,6 +184,11 @@ func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
|
|||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.ImageRegistryCredentials != nil {
|
||||
in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
|
||||
*out = new(v1.ImageRegistryCredentials)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.
|
||||
|
|
|
@ -23,7 +23,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/policy"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
kubeinformers "k8s.io/client-go/informers"
|
||||
kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
|
||||
)
|
||||
|
@ -39,7 +38,6 @@ func createrLeaderControllers(
|
|||
kyvernoInformer kyvernoinformer.SharedInformerFactory,
|
||||
kyvernoClient versioned.Interface,
|
||||
dynamicClient dclient.Interface,
|
||||
rclient registryclient.Client,
|
||||
configuration config.Configuration,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
eventGenerator event.Interface,
|
||||
|
@ -160,6 +158,7 @@ func main() {
|
|||
setup.RegistryClient,
|
||||
setup.KubeClient,
|
||||
setup.KyvernoClient,
|
||||
setup.RegistrySecretLister,
|
||||
)
|
||||
// start informers and wait for cache sync
|
||||
if !internal.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, kyvernoInformer) {
|
||||
|
@ -189,7 +188,6 @@ func main() {
|
|||
kyvernoInformer,
|
||||
setup.KyvernoClient,
|
||||
setup.KyvernoDynamicClient,
|
||||
setup.RegistryClient,
|
||||
setup.Configuration,
|
||||
setup.MetricsManager,
|
||||
eventGenerator,
|
||||
|
|
|
@ -848,7 +848,6 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
|
|||
fmt.Printf("Failed to mock dynamic client")
|
||||
return nil, err
|
||||
}
|
||||
|
||||
client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
|
||||
cfg := config.NewDefaultConfiguration(false)
|
||||
c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
|
||||
|
@ -857,7 +856,6 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
|
|||
jmespath.New(cfg),
|
||||
adapters.Client(client),
|
||||
nil,
|
||||
nil,
|
||||
store.ContextLoaderFactory(nil),
|
||||
nil,
|
||||
"",
|
||||
|
|
|
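Review bot: the remaining `nil` in the `RegistryClientFactory` position leaves this test engine without a factory, so any rule that reaches image data loading or image verification would dereference a nil interface. That is acceptable for a generate-controller test that never takes those paths, but a short comment on the `nil` (or a no-op fake factory) would make the intent explicit to the next person extending these tests.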
@ -13,6 +13,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/adapters"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/factories"
|
||||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
|
@ -117,8 +118,7 @@ OuterLoop:
|
|||
config.NewDefaultMetricsConfiguration(),
|
||||
jmespath.New(cfg),
|
||||
adapters.Client(c.Client),
|
||||
adapters.ImageDataClient(rclient),
|
||||
rclient,
|
||||
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
|
||||
store.ContextLoaderFactory(nil),
|
||||
nil,
|
||||
"",
|
||||
|
|
|
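Review bot: passing `nil` as the secret lister to `factories.DefaultRegistryClientFactory` means a rule that sets `imageRegistryCredentials.secrets` cannot resolve those secrets under `kyverno apply`/`kyverno test`, so such a policy behaves differently offline than in the in-cluster engine. Either document that per-rule secrets are unsupported in the CLI or have the factory return a clear error when `secrets` is non-empty and the lister is nil, rather than failing in a way that looks like a registry authentication problem.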
@ -8,6 +8,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine/adapters"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/factories"
|
||||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
)
|
||||
|
@ -16,7 +17,7 @@ func ContextLoaderFactory(
|
|||
cmResolver engineapi.ConfigmapResolver,
|
||||
) engineapi.ContextLoaderFactory {
|
||||
return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) engineapi.ContextLoader {
|
||||
inner := engineapi.DefaultContextLoaderFactory(cmResolver)
|
||||
inner := factories.DefaultContextLoaderFactory(cmResolver)
|
||||
if IsMock() {
|
||||
return &mockContextLoader{
|
||||
logger: logging.WithName("MockContextLoaderFactory"),
|
||||
|
@ -39,7 +40,7 @@ func (l *mockContextLoader) Load(
|
|||
ctx context.Context,
|
||||
jp jmespath.Interface,
|
||||
client engineapi.RawClient,
|
||||
_ engineapi.ImageDataClient,
|
||||
_ engineapi.RegistryClientFactory,
|
||||
contextEntries []kyvernov1.ContextEntry,
|
||||
jsonContext enginecontext.Interface,
|
||||
) error {
|
||||
|
@ -57,7 +58,7 @@ func (l *mockContextLoader) Load(
|
|||
for _, entry := range contextEntries {
|
||||
if entry.ImageRegistry != nil && hasRegistryAccess {
|
||||
rclient := GetRegistryClient()
|
||||
if err := engineapi.LoadImageData(ctx, jp, adapters.ImageDataClient(rclient), l.logger, entry, jsonContext); err != nil {
|
||||
if err := engineapi.LoadImageData(ctx, jp, factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil), l.logger, entry, jsonContext); err != nil {
|
||||
return err
|
||||
}
|
||||
} else if entry.Variable != nil {
|
||||
|
|
|
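Review bot: the new `RegistryClientFactory` parameter of `Load` is discarded (`_ engineapi.RegistryClientFactory`) while a fresh `factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil)` is built for every `imageRegistry` context entry inside the loop. If the mock deliberately ignores the injected factory in favour of the global `GetRegistryClient()`, say so in a comment; either way, build the factory once before the `for` loop instead of per entry.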
@ -14,9 +14,11 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine/adapters"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/factories"
|
||||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
)
|
||||
|
||||
func NewEngine(
|
||||
|
@ -29,6 +31,7 @@ func NewEngine(
|
|||
rclient registryclient.Client,
|
||||
kubeClient kubernetes.Interface,
|
||||
kyvernoClient versioned.Interface,
|
||||
secretLister corev1listers.SecretNamespaceLister,
|
||||
) engineapi.Engine {
|
||||
configMapResolver := NewConfigMapResolver(ctx, logger, kubeClient, 15*time.Minute)
|
||||
exceptionsSelector := NewExceptionSelector(ctx, logger, kyvernoClient, 15*time.Minute)
|
||||
|
@ -39,9 +42,8 @@ func NewEngine(
|
|||
metricsConfiguration,
|
||||
jp,
|
||||
adapters.Client(client),
|
||||
adapters.ImageDataClient(rclient),
|
||||
rclient,
|
||||
engineapi.DefaultContextLoaderFactory(configMapResolver),
|
||||
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), secretLister),
|
||||
factories.DefaultContextLoaderFactory(configMapResolver),
|
||||
exceptionsSelector,
|
||||
imageSignatureRepository,
|
||||
)
|
||||
|
|
|
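Review bot: the `secretLister` parameter needs a comment saying it must be bound to the Kyverno namespace; the `corev1listers.SecretNamespaceLister` type only guarantees it is bound to some namespace. The "Secrets must live in the Kyverno namespace" rule on `ImageRegistryCredentials.Secrets` is enforced solely by that binding, so a future caller passing a lister bound elsewhere would silently let policies reference secrets from another namespace.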
@ -10,22 +10,23 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
kubeinformers "k8s.io/client-go/informers"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
)
|
||||
|
||||
func setupRegistryClient(ctx context.Context, logger logr.Logger, client kubernetes.Interface) registryclient.Client {
|
||||
func setupRegistryClient(ctx context.Context, logger logr.Logger, client kubernetes.Interface) (registryclient.Client, corev1listers.SecretNamespaceLister) {
|
||||
logger = logger.WithName("registry-client").WithValues("secrets", imagePullSecrets, "insecure", allowInsecureRegistry)
|
||||
logger.Info("setup registry client...")
|
||||
factory := kubeinformers.NewSharedInformerFactoryWithOptions(client, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
|
||||
secretLister := factory.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
|
||||
// start informers and wait for cache sync
|
||||
if !StartInformersAndWaitForCacheSync(ctx, logger, factory) {
|
||||
checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
|
||||
}
|
||||
registryOptions := []registryclient.Option{
|
||||
registryclient.WithTracing(),
|
||||
}
|
||||
secrets := strings.Split(imagePullSecrets, ",")
|
||||
if imagePullSecrets != "" && len(secrets) > 0 {
|
||||
factory := kubeinformers.NewSharedInformerFactoryWithOptions(client, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
|
||||
secretLister := factory.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
|
||||
// start informers and wait for cache sync
|
||||
if !StartInformersAndWaitForCacheSync(ctx, logger, factory) {
|
||||
checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
|
||||
}
|
||||
registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, secretLister, secrets...))
|
||||
}
|
||||
if allowInsecureRegistry {
|
||||
|
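Review bot: creating and syncing the Secrets informer unconditionally (previously only when `--imagePullSecrets` was set) means every component that calls `setupRegistryClient` now needs list/watch RBAC on Secrets in the Kyverno namespace even when it uses neither global nor per-rule pull secrets, and the informer caches every Secret in that namespace since no field or label selector is applied; both are worth a line in the PR description and the RBAC manifests. Separately, the pre-existing `imagePullSecrets != "" && len(secrets) > 0` check is redundant, as `strings.Split` never returns an empty slice; the first condition alone is sufficient.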
@ -36,5 +37,5 @@ func setupRegistryClient(ctx context.Context, logger logr.Logger, client kuberne
|
|||
}
|
||||
registryClient, err := registryclient.New(registryOptions...)
|
||||
checkError(logger, err, "failed to create registry client")
|
||||
return registryClient
|
||||
return registryClient, secretLister
|
||||
}
|
||||
|
|
|
@ -15,6 +15,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
)
|
||||
|
||||
func shutdown(logger logr.Logger, sdowns ...context.CancelFunc) context.CancelFunc {
|
||||
|
@ -37,6 +38,7 @@ type SetupResult struct {
|
|||
KubeClient kubeclient.UpstreamInterface
|
||||
LeaderElectionClient kubeclient.UpstreamInterface
|
||||
RegistryClient registryclient.Client
|
||||
RegistrySecretLister corev1listers.SecretNamespaceLister
|
||||
KyvernoClient kyvernoclient.UpstreamInterface
|
||||
DynamicClient dynamicclient.UpstreamInterface
|
||||
ApiServerClient apiserverclient.UpstreamInterface
|
||||
|
@ -59,8 +61,9 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
|
|||
configuration := startConfigController(ctx, logger, client, skipResourceFilters)
|
||||
sdownTracing := SetupTracing(logger, name, client)
|
||||
var registryClient registryclient.Client
|
||||
var registrySecretLister corev1listers.SecretNamespaceLister
|
||||
if config.UsesRegistryClient() {
|
||||
registryClient = setupRegistryClient(ctx, logger, client)
|
||||
registryClient, registrySecretLister = setupRegistryClient(ctx, logger, client)
|
||||
}
|
||||
var leaderElectionClient kubeclient.UpstreamInterface
|
||||
if config.UsesLeaderElection() {
|
||||
|
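Review bot: `registrySecretLister` stays nil when `config.UsesRegistryClient()` is false but is still stored in `SetupResult` and forwarded to `NewEngine` by the callers in this PR, which hand it to `DefaultRegistryClientFactory`. Confirm the factory tolerates a nil lister and fails with a clear error when a rule references `imageRegistryCredentials.secrets` in such a component, or document on the `RegistrySecretLister` field that it is only populated together with `RegistryClient`.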
@ -96,6 +99,7 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
|
|||
KubeClient: client,
|
||||
LeaderElectionClient: leaderElectionClient,
|
||||
RegistryClient: registryClient,
|
||||
RegistrySecretLister: registrySecretLister,
|
||||
KyvernoClient: kyvernoClient,
|
||||
DynamicClient: dynamicClient,
|
||||
ApiServerClient: apiServerClient,
|
||||
|
|
|
@ -300,6 +300,7 @@ func main() {
|
|||
setup.RegistryClient,
|
||||
setup.KubeClient,
|
||||
setup.KyvernoClient,
|
||||
setup.RegistrySecretLister,
|
||||
)
|
||||
// create non leader controllers
|
||||
nonLeaderControllers, nonLeaderBootstrap := createNonLeaderControllers(
|
||||
|
@ -414,7 +415,6 @@ func main() {
|
|||
engine,
|
||||
setup.KyvernoDynamicClient,
|
||||
setup.KyvernoClient,
|
||||
setup.RegistryClient,
|
||||
setup.Configuration,
|
||||
setup.MetricsManager,
|
||||
policyCache,
|
||||
|
|
|
@ -23,7 +23,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/leaderelection"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
kubeinformers "k8s.io/client-go/informers"
|
||||
metadatainformers "k8s.io/client-go/metadata/metadatainformer"
|
||||
kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
|
||||
|
@ -41,7 +40,6 @@ func createReportControllers(
|
|||
backgroundScanWorkers int,
|
||||
client dclient.Interface,
|
||||
kyvernoClient versioned.Interface,
|
||||
rclient registryclient.Client,
|
||||
metadataFactory metadatainformers.SharedInformerFactory,
|
||||
kubeInformer kubeinformers.SharedInformerFactory,
|
||||
kyvernoInformer kyvernoinformer.SharedInformerFactory,
|
||||
|
@ -132,7 +130,6 @@ func createrLeaderControllers(
|
|||
metadataInformer metadatainformers.SharedInformerFactory,
|
||||
kyvernoClient versioned.Interface,
|
||||
dynamicClient dclient.Interface,
|
||||
rclient registryclient.Client,
|
||||
configuration config.Configuration,
|
||||
jp jmespath.Interface,
|
||||
eventGenerator event.Interface,
|
||||
|
@ -146,7 +143,6 @@ func createrLeaderControllers(
|
|||
backgroundScanWorkers,
|
||||
dynamicClient,
|
||||
kyvernoClient,
|
||||
rclient,
|
||||
metadataInformer,
|
||||
kubeInformer,
|
||||
kyvernoInformer,
|
||||
|
@ -233,6 +229,7 @@ func main() {
|
|||
setup.RegistryClient,
|
||||
setup.KubeClient,
|
||||
setup.KyvernoClient,
|
||||
setup.RegistrySecretLister,
|
||||
)
|
||||
// start informers and wait for cache sync
|
||||
if !internal.StartInformersAndWaitForCacheSync(ctx, setup.Logger, kyvernoInformer) {
|
||||
|
@ -269,7 +266,6 @@ func main() {
|
|||
metadataInformer,
|
||||
setup.KyvernoClient,
|
||||
setup.KyvernoDynamicClient,
|
||||
setup.RegistryClient,
|
||||
setup.Configuration,
|
||||
setup.Jp,
|
||||
eventGenerator,
|
||||
|
|
|
@ -220,6 +220,37 @@ spec:
|
|||
description: ImageRegistry defines requests to an OCI/Docker
|
||||
V2 registry to fetch image details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides credentials
|
||||
that will be used for authentication with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows insecure access
|
||||
to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list of OCI Registry
|
||||
names, whose authentication helpers are provided It
|
||||
can be of one of these values: AWS, ACR, GCP, GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType provides
|
||||
the list of credential helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list of secrets that
|
||||
are provided for credentials Secrets must live in
|
||||
the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional JSON Match Expression
|
||||
that can be used to transform the ImageData struct returned
|
||||
|
|
|
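Review bot: these CRD descriptions are generated from the Go comments, so the run-on text ("authentication helpers are provided It can be of one of these values: AWS, ACR, GCP, GHCR" and "provided for credentials Secrets must live in") and the mismatch between the names listed there and the `enum` values (`default`, `amazon`, `azure`, `google`, `github`) should be fixed in the `ImageRegistryCredentials` type comments and regenerated, not edited here; the same text repeats in every CRD hunk that follows.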
@ -220,6 +220,37 @@ spec:
|
|||
description: ImageRegistry defines requests to an OCI/Docker
|
||||
V2 registry to fetch image details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides credentials
|
||||
that will be used for authentication with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows insecure access
|
||||
to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list of OCI Registry
|
||||
names, whose authentication helpers are provided It
|
||||
can be of one of these values: AWS, ACR, GCP, GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType provides
|
||||
the list of credential helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list of secrets that
|
||||
are provided for credentials Secrets must live in
|
||||
the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional JSON Match Expression
|
||||
that can be used to transform the ImageData struct returned
|
||||
|
|
|
@ -258,6 +258,38 @@ spec:
|
|||
description: ImageRegistry defines requests to an OCI/Docker
|
||||
V2 registry to fetch image details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides credentials
|
||||
that will be used for authentication with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows insecure
|
||||
access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list of OCI
|
||||
Registry names, whose authentication helpers
|
||||
are provided It can be of one of these values:
|
||||
AWS, ACR, GCP, GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list of secrets
|
||||
that are provided for credentials Secrets must
|
||||
live in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional JSON Match Expression
|
||||
that can be used to transform the ImageData struct
|
||||
|
@ -1923,6 +1955,41 @@ spec:
|
|||
to an OCI/Docker V2 registry to fetch image
|
||||
details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides
|
||||
credentials that will be used for authentication
|
||||
with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows
|
||||
insecure access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list
|
||||
of OCI Registry names, whose authentication
|
||||
helpers are provided It can be of
|
||||
one of these values: AWS, ACR, GCP,
|
||||
GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential
|
||||
helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list
|
||||
of secrets that are provided for credentials
|
||||
Secrets must live in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional JSON
|
||||
Match Expression that can be used to transform
|
||||
|
@ -2221,6 +2288,41 @@ spec:
|
|||
to an OCI/Docker V2 registry to fetch image
|
||||
details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides
|
||||
credentials that will be used for authentication
|
||||
with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows
|
||||
insecure access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list
|
||||
of OCI Registry names, whose authentication
|
||||
helpers are provided It can be of
|
||||
one of these values: AWS, ACR, GCP,
|
||||
GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential
|
||||
helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list
|
||||
of secrets that are provided for credentials
|
||||
Secrets must live in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional JSON
|
||||
Match Expression that can be used to transform
|
||||
|
@ -2620,6 +2722,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
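Review bot: two descriptions in this hunk read as run-on sentences because a period is missing in the source comment: `helpers are provided It can be of one of these values` and `provided for credentials Secrets must live in the Kyverno namespace`. In the same comment, "a list of OCI Registry names" is misleading, since the items are cloud credential-helper providers rather than registry hostnames. Suggest `whose authentication helpers are provided. It can be one of these values:` and `that are provided for credentials. Secrets must live in the Kyverno namespace.` in the Go doc comments, then regenerate; the CRD description is what `kubectl explain` shows operators, so it is worth getting right before release.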
@ -3708,6 +3845,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI Registry
names, whose authentication helpers are provided
It can be of one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Issuer is the certificate issuer used for
keyless signing. Deprecated. Use KeylessAttestor instead.
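Review bot: `secrets` in this hunk is a bare list of Secret names (`items: type: string`, no `minLength` or name pattern) and the only stated constraint is that they live in the Kyverno namespace. Here the field sits inside an attestor, i.e. inside a policy, so anyone permitted to create or edit policies can direct the controller to authenticate with any Secret in its own namespace; that is a reasonable design, but it should be spelled out in the description (policy-write permission implies use of these registry credentials) so cluster operators can scope RBAC accordingly. It would also help to state in the description which Secret type the controller reads (for instance whether a standard `kubernetes.io/dockerconfigjson` pull secret is expected), and to add `minLength: 1` plus a DNS-1123 name pattern via kubebuilder markers on the Go field, so a malformed reference is rejected at admission rather than discovered as a failed registry fetch at verification time.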
@ -4013,6 +4182,40 @@ spec:
description: ImageRegistry defines requests to an
OCI/Docker V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of
OCI Registry names, whose authentication
helpers are provided It can be of one of
these values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers
required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets
must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
@ -5755,6 +5958,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -6067,6 +6306,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -6489,6 +6764,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -7626,6 +7937,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Issuer is the certificate issuer used
for keyless signing. Deprecated. Use KeylessAttestor
@ -8028,6 +8371,38 @@ spec:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct
@ -9267,6 +9642,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -9565,6 +9975,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -10146,6 +10591,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -11213,6 +11693,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI Registry
names, whose authentication helpers are provided
It can be of one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
items:
type: string
type: array
type: object
mutateDigest:
default: true
description: MutateDigest enables replacement of image
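Review bot: `allowInsecureRegistry` in this hunk is a security-sensitive toggle, yet the schema gives it neither a `default:` nor a description of what it actually relaxes; compare `mutateDigest` a few lines further down in the same hunk, which carries `default: true`. Suggest an explicit `default: false` via the kubebuilder default marker on the Go field, and a description that states concretely what "insecure" means here, for example whether it permits plain-HTTP registries or skips TLS certificate verification (or both), since those are different risks and an operator reviewing a policy that enables it needs to know which one they are accepting. A single unexplained boolean named "insecure" next to image verification settings is exactly the kind of field that gets flipped on to make a test pass and never turned off.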
@ -11499,6 +12011,40 @@ spec:
description: ImageRegistry defines requests to an
OCI/Docker V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of
OCI Registry names, whose authentication
helpers are provided It can be of one of
these values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers
required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets
must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
@ -13241,6 +13787,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -13553,6 +14135,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -13975,6 +14593,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -15112,6 +15766,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Issuer is the certificate issuer used
for keyless signing. Deprecated. Use KeylessAttestor
@ -259,6 +259,38 @@ spec:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct
@ -1924,6 +1956,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -2222,6 +2289,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -2621,6 +2723,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -3709,6 +3846,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI Registry
names, whose authentication helpers are provided
It can be of one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Issuer is the certificate issuer used for
keyless signing. Deprecated. Use KeylessAttestor instead.
@ -4015,6 +4184,40 @@ spec:
description: ImageRegistry defines requests to an
OCI/Docker V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of
OCI Registry names, whose authentication
helpers are provided It can be of one of
these values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers
required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets
must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
@ -5757,6 +5960,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -6069,6 +6308,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -6491,6 +6766,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -7628,6 +7939,38 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides credentials
|
||||
that will be used for authentication with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows insecure
|
||||
access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list of OCI
|
||||
Registry names, whose authentication helpers
|
||||
are provided It can be of one of these values:
|
||||
AWS, ACR, GCP, GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list of secrets
|
||||
that are provided for credentials Secrets must
|
||||
live in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
issuer:
|
||||
description: Issuer is the certificate issuer used
|
||||
for keyless signing. Deprecated. Use KeylessAttestor
|
||||
|
@ -8031,6 +8374,38 @@ spec:
|
|||
description: ImageRegistry defines requests to an OCI/Docker
|
||||
V2 registry to fetch image details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides credentials
|
||||
that will be used for authentication with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows insecure
|
||||
access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list of OCI
|
||||
Registry names, whose authentication helpers
|
||||
are provided It can be of one of these values:
|
||||
AWS, ACR, GCP, GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list of secrets
|
||||
that are provided for credentials Secrets must
|
||||
live in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional JSON Match Expression
|
||||
that can be used to transform the ImageData struct
|
||||
|
@ -9270,6 +9645,41 @@ spec:
|
|||
to an OCI/Docker V2 registry to fetch image
|
||||
details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides
|
||||
credentials that will be used for authentication
|
||||
with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows
|
||||
insecure access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list
|
||||
of OCI Registry names, whose authentication
|
||||
helpers are provided It can be of
|
||||
one of these values: AWS, ACR, GCP,
|
||||
GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential
|
||||
helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list
|
||||
of secrets that are provided for credentials
|
||||
Secrets must live in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional JSON
|
||||
Match Expression that can be used to transform
|
||||
|
@ -9568,6 +9978,41 @@ spec:
|
|||
to an OCI/Docker V2 registry to fetch image
|
||||
details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides
|
||||
credentials that will be used for authentication
|
||||
with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows
|
||||
insecure access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list
|
||||
of OCI Registry names, whose authentication
|
||||
helpers are provided It can be of
|
||||
one of these values: AWS, ACR, GCP,
|
||||
GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential
|
||||
helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list
|
||||
of secrets that are provided for credentials
|
||||
Secrets must live in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional JSON
|
||||
Match Expression that can be used to transform
|
||||
|
@ -10149,6 +10594,41 @@ spec:
|
|||
to an OCI/Docker V2 registry to fetch image
|
||||
details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides
|
||||
credentials that will be used for authentication
|
||||
with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows
|
||||
insecure access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list
|
||||
of OCI Registry names, whose authentication
|
||||
helpers are provided It can be of
|
||||
one of these values: AWS, ACR, GCP,
|
||||
GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential
|
||||
helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list
|
||||
of secrets that are provided for credentials
|
||||
Secrets must live in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional JSON
|
||||
Match Expression that can be used to transform
|
||||
|
@ -11216,6 +11696,38 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides credentials
|
||||
that will be used for authentication with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows insecure
|
||||
access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list of OCI Registry
|
||||
names, whose authentication helpers are provided
|
||||
It can be of one of these values: AWS, ACR, GCP,
|
||||
GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list of secrets that
|
||||
are provided for credentials Secrets must live in
|
||||
the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
mutateDigest:
|
||||
default: true
|
||||
description: MutateDigest enables replacement of image
|
||||
|
@ -11502,6 +12014,40 @@ spec:
|
|||
description: ImageRegistry defines requests to an
|
||||
OCI/Docker V2 registry to fetch image details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides
|
||||
credentials that will be used for authentication
|
||||
with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows
|
||||
insecure access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list of
|
||||
OCI Registry names, whose authentication
|
||||
helpers are provided It can be of one of
|
||||
these values: AWS, ACR, GCP, GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential helpers
|
||||
required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list of secrets
|
||||
that are provided for credentials Secrets
|
||||
must live in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional JSON Match
|
||||
Expression that can be used to transform the
|
||||
|
@ -13244,6 +13790,42 @@ spec:
|
|||
to an OCI/Docker V2 registry to fetch
|
||||
image details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials
|
||||
provides credentials that will be
|
||||
used for authentication with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry
|
||||
allows insecure access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies
|
||||
a list of OCI Registry names,
|
||||
whose authentication helpers are
|
||||
provided It can be of one of these
|
||||
values: AWS, ACR, GCP, GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential
|
||||
helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a
|
||||
list of secrets that are provided
|
||||
for credentials Secrets must live
|
||||
in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional
|
||||
JSON Match Expression that can be
|
||||
|
@ -13556,6 +14138,42 @@ spec:
|
|||
to an OCI/Docker V2 registry to fetch
|
||||
image details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials
|
||||
provides credentials that will be
|
||||
used for authentication with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry
|
||||
allows insecure access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies
|
||||
a list of OCI Registry names,
|
||||
whose authentication helpers are
|
||||
provided It can be of one of these
|
||||
values: AWS, ACR, GCP, GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential
|
||||
helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a
|
||||
list of secrets that are provided
|
||||
for credentials Secrets must live
|
||||
in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional
|
||||
JSON Match Expression that can be
|
||||
|
@ -13978,6 +14596,42 @@ spec:
|
|||
to an OCI/Docker V2 registry to fetch
|
||||
image details.
|
||||
properties:
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials
|
||||
provides credentials that will be
|
||||
used for authentication with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry
|
||||
allows insecure access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies
|
||||
a list of OCI Registry names,
|
||||
whose authentication helpers are
|
||||
provided It can be of one of these
|
||||
values: AWS, ACR, GCP, GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential
|
||||
helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a
|
||||
list of secrets that are provided
|
||||
for credentials Secrets must live
|
||||
in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
jmesPath:
|
||||
description: JMESPath is an optional
|
||||
JSON Match Expression that can be
|
||||
|
@ -15115,6 +15769,38 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
imageRegistryCredentials:
|
||||
description: ImageRegistryCredentials provides credentials
|
||||
that will be used for authentication with registry
|
||||
properties:
|
||||
allowInsecureRegistry:
|
||||
description: AllowInsecureRegistry allows insecure
|
||||
access to a registry
|
||||
type: boolean
|
||||
helpers:
|
||||
description: 'Helpers specifies a list of OCI
|
||||
Registry names, whose authentication helpers
|
||||
are provided It can be of one of these values:
|
||||
AWS, ACR, GCP, GHCR'
|
||||
items:
|
||||
description: ImageRegistryCredentialsHelpersType
|
||||
provides the list of credential helpers required.
|
||||
enum:
|
||||
- default
|
||||
- amazon
|
||||
- azure
|
||||
- google
|
||||
- github
|
||||
type: string
|
||||
type: array
|
||||
secrets:
|
||||
description: Secrets specifies a list of secrets
|
||||
that are provided for credentials Secrets must
|
||||
live in the Kyverno namespace
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
issuer:
|
||||
description: Issuer is the certificate issuer used
|
||||
for keyless signing. Deprecated. Use KeylessAttestor
|
||||
|
|

|
@ -1951,9 +1951,89 @@ transform the ImageData struct returned as a result of processing
|
|||
the image reference.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>imageRegistryCredentials</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.ImageRegistryCredentials">
|
||||
ImageRegistryCredentials
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
<h3 id="kyverno.io/v1.ImageRegistryCredentials">ImageRegistryCredentials
|
||||
</h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1.ImageRegistry">ImageRegistry</a>,
|
||||
<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>,
|
||||
<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
|
||||
</p>
|
||||
<p>
|
||||
</p>
|
||||
<table class="table table-striped">
|
||||
<thead class="thead-dark">
|
||||
<tr>
|
||||
<th>Field</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<code>allowInsecureRegistry</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>AllowInsecureRegistry allows insecure access to a registry</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>helpers</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.ImageRegistryCredentialsHelpersType">
|
||||
[]ImageRegistryCredentialsHelpersType
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Helpers specifies a list of OCI Registry names, whose authentication helpers are provided
|
||||
It can be of one of these values: AWS, ACR, GCP, GHCR</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>secrets</code><br/>
|
||||
<em>
|
||||
[]string
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Secrets specifies a list of secrets that are provided for credentials
|
||||
Secrets must live in the Kyverno namespace</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
<h3 id="kyverno.io/v1.ImageRegistryCredentialsHelpersType">ImageRegistryCredentialsHelpersType
|
||||
(<code>string</code> alias)</p></h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1.ImageRegistryCredentials">ImageRegistryCredentials</a>)
|
||||
</p>
|
||||
<p>
|
||||
<p>ImageRegistryCredentialsHelpersType provides the list of credential helpers required.</p>
|
||||
</p>
|
||||
<h3 id="kyverno.io/v1.ImageVerification">ImageVerification
|
||||
</h3>
|
||||
<p>
|
||||
|
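Review bot: the new `ImageRegistryCredentialsHelpersType` section carries only `provides the list of credential helpers required.` and never lists the accepted values, while the `helpers` row above says `AWS, ACR, GCP, GHCR`, which are not the values the CRD enum in this same patch accepts (`default`, `amazon`, `azure`, `google`, `github`). Because this HTML is generated, the fix belongs in the Go source: give each enum value its own constant with a doc comment so the generator emits them here, and correct the field comment. The stray `</p></h3>` on the heading and the nested `<p><p>…</p></p>` description also appear in the unchanged context lines, so they are a generator quirk, not something to hand-edit in this PR.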
@ -2163,6 +2243,19 @@ bool
|
|||
<p>Required validates that images are verified i.e. have matched passed a signature or attestation check.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>imageRegistryCredentials</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.ImageRegistryCredentials">
|
||||
ImageRegistryCredentials
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
|
@ -2170,7 +2263,8 @@ bool
|
|||
(<code>string</code> alias)</p></h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>)
|
||||
<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>,
|
||||
<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
|
||||
</p>
|
||||
<p>
|
||||
<p>ImageVerificationType selects the type of verification algorithm</p>
|
||||
|
@ -6377,7 +6471,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
|
|||
<td>
|
||||
<code>type</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v2beta1.ImageVerificationType">
|
||||
<a href="#kyverno.io/v1.ImageVerificationType">
|
||||
ImageVerificationType
|
||||
</a>
|
||||
</em>
|
||||
|
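Review bot: the `type` row of `v2beta1.ImageVerification` is re-pointed from `#kyverno.io/v2beta1.ImageVerificationType` to `#kyverno.io/v1.ImageVerificationType`, yet the following hunk still emits a `v2beta1.ImageVerificationType` section whose "Appears on" list names `v2beta1.ImageVerification`. One of the two is stale: if v2beta1 now reuses the v1 alias, the v2beta1 section is dead documentation and should drop out of the generated output; if v2beta1 keeps its own alias, this link change is wrong. Check the v2beta1 Go type to see which it is.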
@ -6476,18 +6570,22 @@ bool
|
|||
<p>Required validates that images are verified i.e. have matched passed a signature or attestation check.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>imageRegistryCredentials</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.ImageRegistryCredentials">
|
||||
ImageRegistryCredentials
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
<h3 id="kyverno.io/v2beta1.ImageVerificationType">ImageVerificationType
|
||||
(<code>string</code> alias)</p></h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
|
||||
</p>
|
||||
<p>
|
||||
<p>ImageVerificationType selects the type of verification algorithm</p>
|
||||
</p>
|
||||
<h3 id="kyverno.io/v2beta1.MatchResources">MatchResources
|
||||
</h3>
|
||||
<p>
|
||||
|
|
|
@ -10,10 +10,10 @@ import (
|
|||
)
|
||||
|
||||
type rclientAdapter struct {
|
||||
client registryclient.Client
|
||||
registryclient.Client
|
||||
}
|
||||
|
||||
func ImageDataClient(client registryclient.Client) engineapi.ImageDataClient {
|
||||
func RegistryClient(client registryclient.Client) engineapi.RegistryClient {
|
||||
if client == nil {
|
||||
return nil
|
||||
}
|
||||
|
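Review bot: replacing the named `client registryclient.Client` field with an embedded `registryclient.Client` promotes the underlying client's whole method set onto `rclientAdapter`, which is what lets it satisfy the new `engineapi.RegistryClient` interface (`FetchImageDescriptor`, `Keychain`, `RefreshKeychainPullSecrets`, `BuildRemoteOption`) without explicit forwarding methods. That is fine, but it makes the conformance implicit: add a comment on the struct saying so and a `var _ engineapi.RegistryClient = (*rclientAdapter)(nil)` assertion so a future change to `registryclient.Client` fails here rather than at a call site.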
@ -21,7 +21,7 @@ func ImageDataClient(client registryclient.Client) engineapi.ImageDataClient {
|
|||
}
|
||||
|
||||
func (a *rclientAdapter) ForRef(ctx context.Context, ref string) (*engineapi.ImageData, error) {
|
||||
desc, err := a.client.FetchImageDescriptor(ctx, ref)
|
||||
desc, err := a.Client.FetchImageDescriptor(ctx, ref)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to fetch image descriptor: %s, error: %v", ref, err)
|
||||
}
|
||||
|
|
|
@ -4,6 +4,9 @@ import (
|
|||
"context"
|
||||
"io"
|
||||
|
||||
"github.com/google/go-containerregistry/pkg/authn"
|
||||
gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
|
||||
"github.com/sigstore/cosign/pkg/oci/remote"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
||||
|
@ -46,4 +49,20 @@ type ImageData struct {
|
|||
|
||||
type ImageDataClient interface {
|
||||
ForRef(ctx context.Context, ref string) (*ImageData, error)
|
||||
FetchImageDescriptor(context.Context, string) (*gcrremote.Descriptor, error)
|
||||
}
|
||||
|
||||
type KeychainClient interface {
|
||||
Keychain() authn.Keychain
|
||||
RefreshKeychainPullSecrets(ctx context.Context) error
|
||||
}
|
||||
|
||||
type CosignClient interface {
|
||||
BuildRemoteOption(context.Context) remote.Option
|
||||
}
|
||||
|
||||
type RegistryClient interface {
|
||||
ImageDataClient
|
||||
KeychainClient
|
||||
CosignClient
|
||||
}
|
||||
|
|
|
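Review bot: the new `KeychainClient`, `CosignClient` and `RegistryClient` interfaces, and the `FetchImageDescriptor` method added to `ImageDataClient`, have no doc comments, and they bring `go-containerregistry`'s `authn` and `gcrremote` packages plus `github.com/sigstore/cosign/pkg/oci/remote` into `pkg/engine/api`, so the engine's abstraction layer now exposes third-party types (`*gcrremote.Descriptor`, `authn.Keychain`, `remote.Option`) in its public surface. If that coupling is deliberate, say so in a comment on `RegistryClient`; otherwise keep `ImageDataClient` limited to `ForRef` and leave the raw descriptor and cosign accessors on the concrete client.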
@ -75,8 +75,8 @@ func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.Con
|
|||
}
|
||||
}
|
||||
|
||||
func LoadImageData(ctx context.Context, jp jmespath.Interface, client ImageDataClient, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) error {
|
||||
imageData, err := fetchImageData(ctx, jp, client, logger, entry, enginectx)
|
||||
func LoadImageData(ctx context.Context, jp jmespath.Interface, rclientFactory RegistryClientFactory, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) error {
|
||||
imageData, err := fetchImageData(ctx, jp, rclientFactory, logger, entry, enginectx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -113,7 +113,7 @@ func LoadConfigMap(ctx context.Context, logger logr.Logger, entry kyvernov1.Cont
|
|||
return nil
|
||||
}
|
||||
|
||||
func fetchImageData(ctx context.Context, jp jmespath.Interface, client ImageDataClient, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) (interface{}, error) {
|
||||
func fetchImageData(ctx context.Context, jp jmespath.Interface, rclientFactory RegistryClientFactory, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) (interface{}, error) {
|
||||
ref, err := variables.SubstituteAll(logger, enginectx, entry.ImageRegistry.Reference)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("ailed to substitute variables in context entry %s %s: %v", entry.Name, entry.ImageRegistry.Reference, err)
|
||||
|
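Review bot: the unchanged context line `return nil, fmt.Errorf("ailed to substitute variables in context entry %s %s: %v", ...)` is missing the leading `f` in `failed`; since `fetchImageData`'s signature is being rewritten in this hunk anyway, fix the message in the same change.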
@ -126,6 +126,10 @@ func fetchImageData(ctx context.Context, jp jmespath.Interface, client ImageData
|
|||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.ImageRegistry.JMESPath, err)
|
||||
}
|
||||
client, err := rclientFactory.GetClient(ctx, entry.ImageRegistry.ImageRegistryCredentials)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get registry client %s: %v", entry.Name, err)
|
||||
}
|
||||
imageData, err := fetchImageDataMap(ctx, client, refString)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
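Review bot: `rclientFactory.GetClient(ctx, entry.ImageRegistry.ImageRegistryCredentials)` runs inside `fetchImageData`, which is called from a deferred loader, so a policy that declares credentials builds a fresh registry client (a `registryclient.New` call in the factory) on every evaluation of that context entry. Either cache clients in the factory keyed on the credentials value or note the cost in a comment. There is also no nil guard on `rclientFactory` here; a nil factory now panics on the method call, whereas returning an error for the entry, as the line below does for `GetClient` failures, would be friendlier.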
@ -2,15 +2,16 @@ package api
|
|||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
)
|
||||
|
||||
type RegistryClientFactory interface {
|
||||
GetClient(ctx context.Context, creds *kyvernov1.ImageRegistryCredentials) (RegistryClient, error)
|
||||
}
|
||||
|
||||
// ContextLoaderFactory provides a ContextLoader given a policy context and rule name
|
||||
type ContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader
|
||||
|
||||
|
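Review bot: `RegistryClientFactory` is added without a doc comment while the neighbouring `ContextLoaderFactory` has one (`// ContextLoaderFactory provides a ContextLoader given a policy context and rule name`). Document the contract here, in particular that a nil `creds` means "use the globally configured client" and whether callers may hold on to or share the returned client, since the engine now relies on both properties.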
@ -20,83 +21,8 @@ type ContextLoader interface {
|
|||
ctx context.Context,
|
||||
jp jmespath.Interface,
|
||||
client RawClient,
|
||||
imgClient ImageDataClient,
|
||||
rclientFactory RegistryClientFactory,
|
||||
contextEntries []kyvernov1.ContextEntry,
|
||||
jsonContext enginecontext.Interface,
|
||||
) error
|
||||
}
|
||||
|
||||
func DefaultContextLoaderFactory(
|
||||
cmResolver ConfigmapResolver,
|
||||
) ContextLoaderFactory {
|
||||
return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader {
|
||||
return &contextLoader{
|
||||
logger: logging.WithName("DefaultContextLoaderFactory"),
|
||||
cmResolver: cmResolver,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
type contextLoader struct {
|
||||
logger logr.Logger
|
||||
cmResolver ConfigmapResolver
|
||||
}
|
||||
|
||||
func (l *contextLoader) Load(
|
||||
ctx context.Context,
|
||||
jp jmespath.Interface,
|
||||
client RawClient,
|
||||
imgClient ImageDataClient,
|
||||
contextEntries []kyvernov1.ContextEntry,
|
||||
jsonContext enginecontext.Interface,
|
||||
) error {
|
||||
for _, entry := range contextEntries {
|
||||
deferredLoader := l.newDeferredLoader(ctx, jp, client, imgClient, entry, jsonContext)
|
||||
if deferredLoader == nil {
|
||||
return fmt.Errorf("invalid context entry %s", entry.Name)
|
||||
}
|
||||
jsonContext.AddDeferredLoader(entry.Name, deferredLoader)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (l *contextLoader) newDeferredLoader(
|
||||
ctx context.Context,
|
||||
jp jmespath.Interface,
|
||||
client RawClient,
|
||||
imgClient ImageDataClient,
|
||||
entry kyvernov1.ContextEntry,
|
||||
jsonContext enginecontext.Interface,
|
||||
) enginecontext.DeferredLoader {
|
||||
if entry.ConfigMap != nil {
|
||||
return func() error {
|
||||
if err := LoadConfigMap(ctx, l.logger, entry, jsonContext, l.cmResolver); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
} else if entry.APICall != nil {
|
||||
return func() error {
|
||||
if err := LoadAPIData(ctx, jp, l.logger, entry, jsonContext, client); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
} else if entry.ImageRegistry != nil {
|
||||
return func() error {
|
||||
if err := LoadImageData(ctx, jp, imgClient, l.logger, entry, jsonContext); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
} else if entry.Variable != nil {
|
||||
return func() error {
|
||||
if err := LoadVariable(l.logger, jp, entry, jsonContext); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -17,7 +17,6 @@ import (
|
|||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
"github.com/kyverno/kyverno/pkg/tracing"
|
||||
stringutils "github.com/kyverno/kyverno/pkg/utils/strings"
|
||||
"go.opentelemetry.io/otel/metric"
|
||||
|
@ -31,8 +30,7 @@ type engine struct {
|
|||
metricsConfiguration config.MetricsConfiguration
|
||||
jp jmespath.Interface
|
||||
client engineapi.Client
|
||||
imgClient engineapi.ImageDataClient
|
||||
rclient registryclient.Client
|
||||
rclientFactory engineapi.RegistryClientFactory
|
||||
contextLoader engineapi.ContextLoaderFactory
|
||||
exceptionSelector engineapi.PolicyExceptionSelector
|
||||
imageSignatureRepository string
|
||||
|
@ -48,8 +46,7 @@ func NewEngine(
|
|||
metricsConfiguration config.MetricsConfiguration,
|
||||
jp jmespath.Interface,
|
||||
client engineapi.Client,
|
||||
imgClient engineapi.ImageDataClient,
|
||||
rclient registryclient.Client,
|
||||
rclientFactory engineapi.RegistryClientFactory,
|
||||
contextLoader engineapi.ContextLoaderFactory,
|
||||
exceptionSelector engineapi.PolicyExceptionSelector,
|
||||
imageSignatureRepository string,
|
||||
|
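Review bot: `NewEngine` drops both `imgClient engineapi.ImageDataClient` and `rclient registryclient.Client` for the single `rclientFactory engineapi.RegistryClientFactory`, so every path that previously read `e.rclient` directly (the image-verification code is not in this hunk) must now call `e.rclientFactory.GetClient(ctx, nil)` to obtain the global client. Worth a test that runs verification with no per-policy credentials to confirm the operator-configured keychain is still used after this refactor.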
@ -74,8 +71,7 @@ func NewEngine(
|
|||
metricsConfiguration: metricsConfiguration,
|
||||
jp: jp,
|
||||
client: client,
|
||||
imgClient: imgClient,
|
||||
rclient: rclient,
|
||||
rclientFactory: rclientFactory,
|
||||
contextLoader: contextLoader,
|
||||
exceptionSelector: exceptionSelector,
|
||||
imageSignatureRepository: imageSignatureRepository,
|
||||
|
@ -179,7 +175,7 @@ func (e *engine) ContextLoader(
|
|||
ctx,
|
||||
e.jp,
|
||||
e.client,
|
||||
e.imgClient,
|
||||
e.rclientFactory,
|
||||
contextEntries,
|
||||
jsonContext,
|
||||
)
|
||||
|
|
86
pkg/engine/factories/contextloaderfactory.go
Normal file
|
@ -0,0 +1,86 @@
|
|||
package factories
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
)
|
||||
|
||||
func DefaultContextLoaderFactory(cmResolver engineapi.ConfigmapResolver) engineapi.ContextLoaderFactory {
|
||||
return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) engineapi.ContextLoader {
|
||||
return &contextLoader{
|
||||
logger: logging.WithName("DefaultContextLoaderFactory"),
|
||||
cmResolver: cmResolver,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
type contextLoader struct {
|
||||
logger logr.Logger
|
||||
cmResolver engineapi.ConfigmapResolver
|
||||
}
|
||||
|
||||
func (l *contextLoader) Load(
|
||||
ctx context.Context,
|
||||
jp jmespath.Interface,
|
||||
client engineapi.RawClient,
|
||||
rclientFactory engineapi.RegistryClientFactory,
|
||||
contextEntries []kyvernov1.ContextEntry,
|
||||
jsonContext enginecontext.Interface,
|
||||
) error {
|
||||
for _, entry := range contextEntries {
|
||||
deferredLoader := l.newDeferredLoader(ctx, jp, client, rclientFactory, entry, jsonContext)
|
||||
if deferredLoader == nil {
|
||||
return fmt.Errorf("invalid context entry %s", entry.Name)
|
||||
}
|
||||
jsonContext.AddDeferredLoader(entry.Name, deferredLoader)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (l *contextLoader) newDeferredLoader(
|
||||
ctx context.Context,
|
||||
jp jmespath.Interface,
|
||||
client engineapi.RawClient,
|
||||
rclientFactory engineapi.RegistryClientFactory,
|
||||
entry kyvernov1.ContextEntry,
|
||||
jsonContext enginecontext.Interface,
|
||||
) enginecontext.DeferredLoader {
|
||||
if entry.ConfigMap != nil {
|
||||
return func() error {
|
||||
if err := engineapi.LoadConfigMap(ctx, l.logger, entry, jsonContext, l.cmResolver); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
} else if entry.APICall != nil {
|
||||
return func() error {
|
||||
if err := engineapi.LoadAPIData(ctx, jp, l.logger, entry, jsonContext, client); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
} else if entry.ImageRegistry != nil {
|
||||
return func() error {
|
||||
if err := engineapi.LoadImageData(ctx, jp, rclientFactory, l.logger, entry, jsonContext); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
} else if entry.Variable != nil {
|
||||
return func() error {
|
||||
if err := engineapi.LoadVariable(l.logger, jp, entry, jsonContext); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
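Review bot: each of the four deferred-loader closures in `newDeferredLoader` spells out `if err := engineapi.LoadX(...); err != nil { return err }` followed by `return nil`, which is equivalent to `return engineapi.LoadX(...)`. Since this file is otherwise a straight move of the code deleted from `pkg/engine/api/contextloader.go` plus the `imgClient` to `rclientFactory` rename, collapsing the closures here keeps the new file tidy; `DefaultContextLoaderFactory` also deserves a doc comment now that it is exported from a new package.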
50
pkg/engine/factories/registryclientfactory.go
Normal file
|
@ -0,0 +1,50 @@
|
|||
package factories
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/engine/adapters"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
)
|
||||
|
||||
func DefaultRegistryClientFactory(globalClient engineapi.RegistryClient, secretsLister corev1listers.SecretNamespaceLister) engineapi.RegistryClientFactory {
|
||||
return ®istryClientFactory{
|
||||
globalClient: globalClient,
|
||||
secretsLister: secretsLister,
|
||||
}
|
||||
}
|
||||
|
||||
type registryClientFactory struct {
|
||||
globalClient engineapi.RegistryClient
|
||||
secretsLister corev1listers.SecretNamespaceLister
|
||||
}
|
||||
|
||||
func (f *registryClientFactory) GetClient(ctx context.Context, creds *kyvernov1.ImageRegistryCredentials) (engineapi.RegistryClient, error) {
|
||||
if creds != nil {
|
||||
registryOptions := []registryclient.Option{
|
||||
registryclient.WithTracing(),
|
||||
}
|
||||
if creds.AllowInsecureRegistry {
|
||||
registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
|
||||
}
|
||||
if len(creds.Helpers) > 0 {
|
||||
var helpers []string
|
||||
for _, helper := range creds.Helpers {
|
||||
helpers = append(helpers, string(helper))
|
||||
}
|
||||
registryOptions = append(registryOptions, registryclient.WithCredentialHelpers(helpers...))
|
||||
}
|
||||
if len(creds.Secrets) > 0 {
|
||||
registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, f.secretsLister, creds.Secrets...))
|
||||
}
|
||||
client, err := registryclient.New(registryOptions...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return adapters.RegistryClient(client), nil
|
||||
}
|
||||
return f.globalClient, nil
|
||||
}
|
|
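Review bot: `GetClient` passes `f.secretsLister` to `registryclient.WithKeychainPullSecrets(ctx, f.secretsLister, creds.Secrets...)` without checking it is non-nil, and every call site in this PR's tests constructs the factory with `factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil)`, so a policy that sets `imageRegistryCredentials.secrets` against such a factory would hand a nil lister to the keychain; return an explicit error when `len(creds.Secrets) > 0 && f.secretsLister == nil`. Two further points on the same function: when `creds != nil` the client is built from scratch with only `WithTracing()` plus whatever the rule sets, so the global client's own configuration (its credential helpers and insecure-registry setting) is silently dropped for that rule, which should be documented on the `ImageRegistryCredentials` type; and `registryclient.New` runs on every call, so a rule with `secrets` re-reads the secrets and rebuilds the keychain on every admission request, which argues for caching the client per credentials value. Finally, `AllowInsecureRegistry` lets an individual policy opt into `WithAllowInsecureRegistry()` independently of the controller-wide client, and the lister is a namespace-scoped `corev1listers.SecretNamespaceLister`, so `secrets` resolve only from that one namespace; both facts belong in the user-facing docs so operators know what a policy author can and cannot reach.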
@ -14,7 +14,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
"github.com/kyverno/kyverno/pkg/engine/variables"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
apiutils "github.com/kyverno/kyverno/pkg/utils/api"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
"gomodules.xyz/jsonpatch/v2"
|
||||
|
@ -23,7 +22,7 @@ import (
|
|||
|
||||
type mutateImageHandler struct {
|
||||
configuration config.Configuration
|
||||
rclient registryclient.Client
|
||||
rclientFactory engineapi.RegistryClientFactory
|
||||
ivm *engineapi.ImageVerificationMetadata
|
||||
images []apiutils.ImageInfo
|
||||
imageSignatureRepository string
|
||||
|
@ -34,7 +33,7 @@ func NewMutateImageHandler(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
configuration config.Configuration,
|
||||
rclient registryclient.Client,
|
||||
rclientFactory engineapi.RegistryClientFactory,
|
||||
ivm *engineapi.ImageVerificationMetadata,
|
||||
imageSignatureRepository string,
|
||||
) (handlers.Handler, error) {
|
||||
|
@ -50,7 +49,7 @@ func NewMutateImageHandler(
|
|||
}
|
||||
return mutateImageHandler{
|
||||
configuration: configuration,
|
||||
rclient: rclient,
|
||||
rclientFactory: rclientFactory,
|
||||
ivm: ivm,
|
||||
images: ruleImages,
|
||||
imageSignatureRepository: imageSignatureRepository,
|
||||
|
@ -72,10 +71,16 @@ func (h mutateImageHandler) Process(
|
|||
engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to substitute variables", err),
|
||||
)
|
||||
}
|
||||
iv := internal.NewImageVerifier(logger, h.rclient, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
|
||||
var engineResponses []*engineapi.RuleResponse
|
||||
var patches []jsonpatch.JsonPatchOperation
|
||||
for _, imageVerify := range ruleCopy.VerifyImages {
|
||||
rclient, err := h.rclientFactory.GetClient(ctx, imageVerify.ImageRegistryCredentials)
|
||||
if err != nil {
|
||||
return resource, handlers.WithResponses(
|
||||
engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to fetch secrets", err),
|
||||
)
|
||||
}
|
||||
iv := internal.NewImageVerifier(logger, rclient, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
|
||||
patch, ruleResponse := iv.Verify(ctx, imageVerify, h.images, h.configuration)
|
||||
patches = append(patches, patch...)
|
||||
engineResponses = append(engineResponses, ruleResponse...)
|
||||
|
|
|
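Review bot: the error text `failed to fetch secrets` at the `GetClient` call is too narrow, since `GetClient` also returns an error when `registryclient.New` fails and it does not read any secrets at all for a rule without `secrets`; `failed to create registry client` describes every path. Also note that `GetClient` is now invoked once per `verifyImages` entry on every `Process` call, so a rule with several entries builds several clients per admission request; if `GetClient` stays uncached, this loop is where a per-handler cache keyed on `imageVerify.ImageRegistryCredentials` would pay off.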
@ -40,7 +40,7 @@ func (e *engine) verifyAndPatchImages(
|
|||
matchedResource,
|
||||
rule,
|
||||
e.configuration,
|
||||
e.rclient,
|
||||
e.rclientFactory,
|
||||
&ivm,
|
||||
e.imageSignatureRepository,
|
||||
)
|
||||
|
|
|
@ -15,6 +15,7 @@ import (
|
|||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/factories"
|
||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
|
||||
|
@ -182,9 +183,8 @@ func testVerifyAndPatchImages(
|
|||
metricsCfg,
|
||||
jp,
|
||||
nil,
|
||||
adapters.ImageDataClient(rclient),
|
||||
rclient,
|
||||
engineapi.DefaultContextLoaderFactory(cmResolver),
|
||||
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
|
||||
factories.DefaultContextLoaderFactory(cmResolver),
|
||||
nil,
|
||||
"",
|
||||
)
|
||||
|
|
|
@ -16,7 +16,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine/variables"
|
||||
"github.com/kyverno/kyverno/pkg/images"
|
||||
"github.com/kyverno/kyverno/pkg/notary"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
apiutils "github.com/kyverno/kyverno/pkg/utils/api"
|
||||
"github.com/kyverno/kyverno/pkg/utils/jsonpointer"
|
||||
"github.com/kyverno/kyverno/pkg/utils/wildcard"
|
||||
|
@ -27,7 +26,7 @@ import (
|
|||
|
||||
type ImageVerifier struct {
|
||||
logger logr.Logger
|
||||
rclient registryclient.Client
|
||||
rclient engineapi.RegistryClient
|
||||
policyContext engineapi.PolicyContext
|
||||
rule kyvernov1.Rule
|
||||
ivm *engineapi.ImageVerificationMetadata
|
||||
|
@ -36,7 +35,7 @@ type ImageVerifier struct {
|
|||
|
||||
func NewImageVerifier(
|
||||
logger logr.Logger,
|
||||
rclient registryclient.Client,
|
||||
rclient engineapi.RegistryClient,
|
||||
policyContext engineapi.PolicyContext,
|
||||
rule kyvernov1.Rule,
|
||||
ivm *engineapi.ImageVerificationMetadata,
|
||||
|
|
|
@ -11,6 +11,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine/adapters"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/factories"
|
||||
enginetest "github.com/kyverno/kyverno/pkg/engine/test"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
|
@ -29,15 +30,14 @@ func testMutate(
|
|||
contextLoader engineapi.ContextLoaderFactory,
|
||||
) engineapi.EngineResponse {
|
||||
if contextLoader == nil {
|
||||
contextLoader = engineapi.DefaultContextLoaderFactory(nil)
|
||||
contextLoader = factories.DefaultContextLoaderFactory(nil)
|
||||
}
|
||||
e := NewEngine(
|
||||
cfg,
|
||||
config.NewDefaultMetricsConfiguration(),
|
||||
jp,
|
||||
adapters.Client(client),
|
||||
adapters.ImageDataClient(rclient),
|
||||
rclient,
|
||||
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
|
||||
contextLoader,
|
||||
nil,
|
||||
"",
|
||||
|
|
|
@ -45,7 +45,7 @@ func (l *mockContextLoader) Load(
|
|||
ctx context.Context,
|
||||
jp jmespath.Interface,
|
||||
client engineapi.RawClient,
|
||||
imgClient engineapi.ImageDataClient,
|
||||
rclientFactory engineapi.RegistryClientFactory,
|
||||
contextEntries []kyvernov1.ContextEntry,
|
||||
jsonContext enginecontext.Interface,
|
||||
) error {
|
||||
|
@ -62,8 +62,8 @@ func (l *mockContextLoader) Load(
|
|||
}
|
||||
// Context Variable should be loaded after the values loaded from values file
|
||||
for _, entry := range contextEntries {
|
||||
if entry.ImageRegistry != nil && imgClient != nil {
|
||||
if err := engineapi.LoadImageData(ctx, jp, imgClient, l.logger, entry, jsonContext); err != nil {
|
||||
if entry.ImageRegistry != nil && rclientFactory != nil {
|
||||
if err := engineapi.LoadImageData(ctx, jp, rclientFactory, l.logger, entry, jsonContext); err != nil {
|
||||
return err
|
||||
}
|
||||
} else if entry.Variable != nil {
|
||||
|
|
|
@ -13,6 +13,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine/adapters"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/factories"
|
||||
enginetest "github.com/kyverno/kyverno/pkg/engine/test"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
|
@ -30,15 +31,14 @@ func testValidate(
|
|||
contextLoader engineapi.ContextLoaderFactory,
|
||||
) engineapi.EngineResponse {
|
||||
if contextLoader == nil {
|
||||
contextLoader = engineapi.DefaultContextLoaderFactory(nil)
|
||||
contextLoader = factories.DefaultContextLoaderFactory(nil)
|
||||
}
|
||||
e := NewEngine(
|
||||
cfg,
|
||||
config.NewDefaultMetricsConfiguration(),
|
||||
jp,
|
||||
nil,
|
||||
adapters.ImageDataClient(rclient),
|
||||
rclient,
|
||||
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
|
||||
contextLoader,
|
||||
nil,
|
||||
"",
|
||||
|
|
|
@ -9,8 +9,8 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/adapters"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/factories"
|
||||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
|
@ -40,12 +40,11 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
|
|||
configuration := config.NewDefaultConfiguration(false)
|
||||
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
|
||||
peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister()
|
||||
rclient := registryclient.NewOrDie()
|
||||
jp := jmespath.New(configuration)
|
||||
rclient := registryclient.NewOrDie()
|
||||
|
||||
return &resourceHandlers{
|
||||
client: dclient,
|
||||
rclient: rclient,
|
||||
configuration: configuration,
|
||||
metricsConfig: metricsConfig,
|
||||
pCache: policyCache,
|
||||
|
@ -60,9 +59,8 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
|
|||
config.NewDefaultMetricsConfiguration(),
|
||||
jp,
|
||||
adapters.Client(dclient),
|
||||
adapters.ImageDataClient(rclient),
|
||||
rclient,
|
||||
engineapi.DefaultContextLoaderFactory(configMapResolver),
|
||||
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
|
||||
factories.DefaultContextLoaderFactory(configMapResolver),
|
||||
peLister,
|
||||
"",
|
||||
),
|
||||
|
|
|
@ -19,7 +19,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/openapi"
|
||||
"github.com/kyverno/kyverno/pkg/policycache"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
|
@ -38,7 +37,6 @@ type resourceHandlers struct {
|
|||
// clients
|
||||
client dclient.Interface
|
||||
kyvernoClient versioned.Interface
|
||||
rclient registryclient.Client
|
||||
engine engineapi.Engine
|
||||
|
||||
// config
|
||||
|
@ -67,7 +65,6 @@ func NewHandlers(
|
|||
engine engineapi.Engine,
|
||||
client dclient.Interface,
|
||||
kyvernoClient versioned.Interface,
|
||||
rclient registryclient.Client,
|
||||
configuration config.Configuration,
|
||||
metricsConfig metrics.MetricsConfigManager,
|
||||
pCache policycache.Cache,
|
||||
|
@ -86,7 +83,6 @@ func NewHandlers(
|
|||
engine: engine,
|
||||
client: client,
|
||||
kyvernoClient: kyvernoClient,
|
||||
rclient: rclient,
|
||||
configuration: configuration,
|
||||
metricsConfig: metricsConfig,
|
||||
pCache: pCache,
|
||||
|
|
|
@ -11,6 +11,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/adapters"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/factories"
|
||||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
log "github.com/kyverno/kyverno/pkg/logging"
|
||||
"github.com/kyverno/kyverno/pkg/registryclient"
|
||||
|
@ -1058,9 +1059,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
|||
config.NewDefaultMetricsConfiguration(),
|
||||
jp,
|
||||
nil,
|
||||
adapters.ImageDataClient(rclient),
|
||||
rclient,
|
||||
engineapi.DefaultContextLoaderFactory(nil),
|
||||
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
|
||||
factories.DefaultContextLoaderFactory(nil),
|
||||
nil,
|
||||
"",
|
||||
)
|
||||
|
@ -1161,9 +1161,8 @@ func Test_RuleSelector(t *testing.T) {
|
|||
config.NewDefaultMetricsConfiguration(),
|
||||
jp,
|
||||
nil,
|
||||
adapters.ImageDataClient(rclient),
|
||||
rclient,
|
||||
engineapi.DefaultContextLoaderFactory(nil),
|
||||
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
|
||||
factories.DefaultContextLoaderFactory(nil),
|
||||
nil,
|
||||
"",
|
||||
)
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: secret-in-keys
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,74 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: test-verify-images
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: keys
|
||||
namespace: test-verify-images
|
||||
data:
|
||||
certificate: |-
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
|
||||
BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
|
||||
Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
|
||||
MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
|
||||
dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
|
||||
DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
|
||||
b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
|
||||
hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
|
||||
Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
|
||||
Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
|
||||
ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
|
||||
A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
|
||||
CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
|
||||
kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
|
||||
Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
|
||||
ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
|
||||
5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
|
||||
uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
|
||||
-----END CERTIFICATE-----
|
||||
---
|
||||
apiVersion: kyverno.io/v2beta1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: secret-in-keys
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: verify-signature-notary
|
||||
context:
|
||||
- name: keys
|
||||
configMap:
|
||||
name: keys
|
||||
namespace: test-verify-images
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
verifyImages:
|
||||
- type: Notary
|
||||
imageReferences:
|
||||
- "ghcr.io/kyverno/test-verify-image*"
|
||||
attestors:
|
||||
- count: 1
|
||||
entries:
|
||||
- certificates:
|
||||
cert: "{{ keys.data.certificate }}"
|
||||
imageRegistryCredentials:
|
||||
secrets:
|
||||
- testsecret
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
.dockerconfigjson: eyJhdXRocyI6eyJyZWciOnsidXNlcm5hbWUiOiJ1c2VyIiwicGFzc3dvcmQiOiJwYXNzIiwiYXV0aCI6ImRYTmxjanB3WVhOeiJ9fX0=
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: testsecret
|
||||
namespace: kyverno
|
||||
type: kubernetes.io/dockerconfigjson
|
|
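Review bot: the `testsecret` Secret does not exercise the credentials path for the image under test: its `.dockerconfigjson` value decodes to `{"auths":{"reg":{"username":"user","password":"pass","auth":"dXNlcjpwYXNz"}}}`, so the keychain gets an entry for a registry named `reg` and nothing for `ghcr.io`, meaning the pull of `ghcr.io/kyverno/test-verify-image:signed` succeeds or fails exactly as it would without the secret. For the test to prove that `imageRegistryCredentials.secrets` is honoured, the `auths` entry needs to be keyed by the registry host the policy actually references, ideally for an image that is only pullable with it. Two smaller points: the Secret is created in namespace `kyverno` while every other object is in `test-verify-images`, which is correct given the factory's namespace-scoped `SecretNamespaceLister` but deserves a comment in the fixture; and the policy is written as `kyverno.io/v2beta1` while the assert file for the same `ClusterPolicy` uses `kyverno.io/v1`, so pick one apiVersion for both.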
@ -0,0 +1,5 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: test-secret-pod
|
||||
namespace: test-verify-images
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: test-secret-pod
|
||||
namespace: test-verify-images
|
||||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/kyverno/test-verify-image:signed
|
||||
name: test-secret
|
|
@ -0,0 +1,3 @@
|
|||
# Title
|
||||
|
||||
This test tries to verify an image from a private repo using credentials stored in a Kubernetes Secret.
|
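Review bot: `# Title` is a placeholder heading; name the test after its directory and state what is asserted, namely that the Pod in the step file is admitted and the `secret-in-keys` policy reports `Ready`. The sentence also says the image comes from a private repo, but nothing in the steps shows that the pull needed the secret; either reference a genuinely private image or reword to say the test checks that a policy carrying `imageRegistryCredentials.secrets` can be applied and still verifies the image.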