mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 07:26:55 +00:00

Enable flexible registry credential configurations (#7114)

* types added

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added secret fetching and client creation

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* codegen

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fixed tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* validate target resource scope & namespace settings (#7098)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: mutation code (#7095)

* fix: mutation code

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* lazy loading of context vars (#7071)

* lazy loading of context vars

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* gofumpt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add kuttl tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* moved to policy context

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* removed errors

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* RegistryClientLoader

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* [Feature] Add kuttl tests with policy exceptions disabled (#7117)

* added tests

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* removed redundant code

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* fix

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* fix

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* typo fix and README changes

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* fix

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

---------

Signed-off-by: Ved Ratan <vedratan8@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Conditions message (#7113)

* add message to conditions

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* extend tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#7123)

Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 2.1.2 to 2.1.3.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](21991cec25...555a30da26)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.14.1 to 0.14.2 (#7121)

Bumps [sigs.k8s.io/kustomize/kyaml](https://github.com/kubernetes-sigs/kustomize) from 0.14.1 to 0.14.2.
- [Release notes](https://github.com/kubernetes-sigs/kustomize/releases)
- [Commits](https://github.com/kubernetes-sigs/kustomize/compare/kyaml/v0.14.1...kyaml/v0.14.2)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/kustomize/kyaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump oras.land/oras-go/v2 from 2.0.2 to 2.1.0 (#7102)

Bumps [oras.land/oras-go/v2](https://github.com/oras-project/oras-go) from 2.0.2 to 2.1.0.
- [Release notes](https://github.com/oras-project/oras-go/releases)
- [Commits](https://github.com/oras-project/oras-go/compare/v2.0.2...v2.1.0)

---
updated-dependencies:
- dependency-name: oras.land/oras-go/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* add condition msg to v2beta1 (#7126)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* feat: print container flags and their values (#7127)

* add condition msg to v2beta1

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* print flags settings

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* remove the container flag genWorker from the admission controller (#7132)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#7103)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.54.0 to 1.55.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.54.0...v1.55.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* remove the duplicate entry (#7125)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigs.k8s.io/kustomize/api from 0.13.2 to 0.13.3 (#7120)

Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.13.2 to 0.13.3.
- [Release notes](https://github.com/kubernetes-sigs/kustomize/releases)
- [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.13.2...api/v0.13.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/kustomize/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* update background scan logging messages (#7142)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Update chart with v2 to v3 migration guidance. (#7144)

* add Saxo Bank and Velux as adopters

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* update chart README and validations

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* add Controller Internals info (#7147)

Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Supporting ValidatingAdmissionPolicy in kyverno cli (apply and test command) (#6656)

* feat: add policy reporter to the dev lab

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: remove obsolete structs from CLI

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* Supporting ValidatingAdmissionPolicy in kyverno apply

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* chore: bump k8s from v0.26.3 to v0.27.0-rc.0

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Support validating admission policy in kyverno apply

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Support validating admission policy in kyverno test

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* refactoring

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Adding kyverno apply tests for validating admission policy

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* running codegen-all

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Adding IsVap field in TestResults

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* chore: bump k8s from v0.27.0-rc.0 to v0.27.1

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Fix vap in engine response

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigs.k8s.io/kustomize/api from 0.13.3 to 0.13.4 (#7150)

Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.13.3 to 0.13.4.
- [Release notes](https://github.com/kubernetes-sigs/kustomize/releases)
- [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.13.3...api/v0.13.4)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/kustomize/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#7149)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.8.0 to 0.9.0.
- [Commits](https://github.com/golang/crypto/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Added `omit-events` flag to allow disabling of event emission (#7010)

* added comma separated flag

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* reason added in logs

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added requested changes

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* kuttl test init

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated kuttl tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated behavior

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fixed flawed behavior

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated test location and added readme

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated step

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* omit events

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: let reports controller quit when losing the lead (#7153)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump slsa-framework/slsa-github-generator (#7160)

Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore: bump otel deps (#7152)

* chore: bump otel deps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 (#7172)

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/docker/distribution (#7171)

Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)

---
updated-dependencies:
- dependency-name: github.com/docker/distribution
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/go-logr/zapr from 1.2.3 to 1.2.4 (#7177)

Bumps [github.com/go-logr/zapr](https://github.com/go-logr/zapr) from 1.2.3 to 1.2.4.
- [Release notes](https://github.com/go-logr/zapr/releases)
- [Commits](https://github.com/go-logr/zapr/compare/v1.2.3...v1.2.4)

---
updated-dependencies:
- dependency-name: github.com/go-logr/zapr
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Add refactor note (#7169)

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fixed typo in the v2 to v3 helm migration guide (#7163)

* fixed typo in the v2 to v3 helm migration guide

Signed-off-by: Richard Parke <richardparke15@gmail.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Richard Parke <richardparke15@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/distribution/distribution (#7178)

Bumps [github.com/distribution/distribution](https://github.com/distribution/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/distribution/distribution/releases)
- [Commits](https://github.com/distribution/distribution/compare/v2.8.1...v2.8.2)

---
updated-dependencies:
- dependency-name: github.com/distribution/distribution
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* tweaks (#7166)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* feat: add logging feature to helm chart (#7181)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* refactor: hide json context from caller (#7139)

* refactor: hide json context from caller

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* unit tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* feat: add omit-events feature in helm chart (#7185)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: preconditions in mutate existing rules (#7183)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: use structured jsonpatch instead of byte arrays (#7186)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added secret lister

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* changes from review

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added rclientloader to policy context

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* refactor changes

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* NIT

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added RegistryClientLoaderNewOrDie to policy context

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* CI fixes

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: panic for policy variable validation (#7079)

* fix panic

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* check errors

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: remove policy-reporter from dev lab (#7196)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: cleanup controller metrics name (#7198)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: http request metrics (#7197)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* remove unused code (#7203)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* handle Deny rules where conditions eval to true (#7204)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* [Bug] Enforce message wrong (#7208)

* fix

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* fixed tests

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

---------

Signed-off-by: Ved Ratan <vedratan8@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump codecov/codecov-action from 3.1.3 to 3.1.4 (#7207)

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](894ff025c7...eaaf4bedf3)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigstore/cosign-installer from 3.0.3 to 3.0.4 (#7215)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](204a51a57a...03d0fecf17)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: panic in reports controller (#7220)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: mutate existing auth check (#7219)

* fix auth check when using variables in ns

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add kuttl tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: do not exclude kube-system service accounts by default (#7225)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* docs: add reports system design doc (#6949)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump k8s.io/apimachinery from 0.27.1 to 0.27.2 (#7227)

Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.27.1 to 0.27.2.
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.27.1...v0.27.2)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump k8s.io/cli-runtime from 0.27.1 to 0.27.2 (#7228)

Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.27.1 to 0.27.2.
- [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.27.1...v0.27.2)

---
updated-dependencies:
- dependency-name: k8s.io/cli-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#7229)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](03d0fecf17...dd6b2e2b61)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump k8s.io/pod-security-admission from 0.27.1 to 0.27.2 (#7232)

Bumps [k8s.io/pod-security-admission](https://github.com/kubernetes/pod-security-admission) from 0.27.1 to 0.27.2.
- [Commits](https://github.com/kubernetes/pod-security-admission/compare/v0.27.1...v0.27.2)

---
updated-dependencies:
- dependency-name: k8s.io/pod-security-admission
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: match logic misbehave (#7218)

* add rule name in ur for mutate existing

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix match logic

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* linter fixes

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix the match logic to only apply to the new object, unless it's a delete request

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#7240)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.2...v1.8.3)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#7239)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump k8s.io/kube-aggregator from 0.27.1 to 0.27.2 (#7241)

Bumps [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) from 0.27.1 to 0.27.2.
- [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.27.1...v0.27.2)

---
updated-dependencies:
- dependency-name: k8s.io/kube-aggregator
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump k8s.io/apiextensions-apiserver from 0.27.1 to 0.27.2 (#7242)

Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.27.1 to 0.27.2.
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.27.1...v0.27.2)

---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* passing rclientloader directly

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* lazy evaluate vars in conditions (#7238)

* lazy evaluate vars in conditions

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove unnecessary conversion

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/03-manifests.yaml

Signed-off-by: shuting <shutting06@gmail.com>

* Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/README.md

Signed-off-by: shuting <shutting06@gmail.com>

* added error check in test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* quote image in error (#7259)

Signed-off-by: bakito <github@bakito.ch>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: auto update webhooks not configuring fail endpoint (#7261)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix latest version check (#7263)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.0 (#7270)

Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/svenstaro/upload-release-action/releases)
- [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
- [Commits](7319e4733e...58d5258088)

---
updated-dependencies:
- dependency-name: svenstaro/upload-release-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.6 to 0.15.0 (#7272)

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.14.6 to 0.15.0.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.14.6...v0.15.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: add yaml util to check empty document (#7276)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* NIT

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Azure to ACR

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* go mod fix

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* codegen

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* NIT

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* adding kuttl test

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* use pointer

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* cleanup

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* global client

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* cleanup

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* added kubeclient

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added nil kubeclient check

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* context

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* factory

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* secrets lister

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* flags

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix cli

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* factories

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Signed-off-by: Richard Parke <richardparke15@gmail.com>
Signed-off-by: shuting <shutting06@gmail.com>
Signed-off-by: bakito <github@bakito.ch>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Mariam Fahmy <55502281+MariamFahmy98@users.noreply.github.com>
Co-authored-by: rparke <50015370+rparke@users.noreply.github.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com>
Co-authored-by: Marc Brugger <github@bakito.ch>
This commit is contained in:
Vishal Choudhary 2023-06-16 19:07:08 +05:30 committed by GitHub
parent 6939716675
commit 43685aedc2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
43 changed files with 4828 additions and 182 deletions

View file

@ -118,6 +118,10 @@ type ImageRegistry struct {
// the image reference.
// +optional
JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
// ImageRegistryCredentials provides credentials that will be used for authentication with registry
// +kubebuilder:validation:Optional
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
}
// ConfigMapReference refers to a ConfigMap
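Review bot: the doc comment on the new `ImageRegistryCredentials` field in `ImageRegistry` should say how a per-entry credential configuration relates to the global registry client that the controllers build from the `imagePullSecrets` and `allowInsecureRegistry` flags (does it replace that client for this context entry, or extend it?), because the same one-line comment is copied to `ImageVerification` below and neither tells a policy author what to expect. Something like "When set, these credentials are used instead of the globally configured pull secrets for this entry" (or "in addition to", whichever the factory implements) would settle it.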

View file

@ -13,9 +13,19 @@ import (
// +kubebuilder:default=Cosign
type ImageVerificationType string
// ImageRegistryCredentialsHelpersType provides the list of credential helpers required.
// +kubebuilder:validation:Enum=default;amazon;azure;google;github
type ImageRegistryCredentialsHelpersType string
const (
Cosign ImageVerificationType = "Cosign"
Notary ImageVerificationType = "Notary"
DEFAULT ImageRegistryCredentialsHelpersType = "default"
AWS ImageRegistryCredentialsHelpersType = "amazon"
ACR ImageRegistryCredentialsHelpersType = "azure"
GCP ImageRegistryCredentialsHelpersType = "google"
GHCR ImageRegistryCredentialsHelpersType = "github"
)
// ImageVerification validates that images that match the specified pattern
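Review bot: the new constants `DEFAULT`, `AWS`, `ACR`, `GCP` and `GHCR` are exported bare from the `v1` API package, which is the package every Kyverno consumer imports; Go style is MixedCaps (`Default`, not `DEFAULT`), and a prefix such as `HelperAWS` / `HelperACR` keeps the names from colliding with unrelated identifiers and makes call sites self-describing. Note also that the Go names differ from the wire values in the `+kubebuilder:validation:Enum` marker (`amazon`, `azure`, `google`, `github`), so the struct doc comment further down should list the wire values, not the Go constant names.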
@ -95,6 +105,10 @@ type ImageVerification struct {
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
Required bool `json:"required" yaml:"required"`
// ImageRegistryCredentials provides credentials that will be used for authentication with registry
// +kubebuilder:validation:Optional
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
}
type AttestorSet struct {
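Review bot: nothing in this patch validates the new `ImageRegistryCredentials` field on `ImageVerification` (the `Validate` method touched in the v2beta1 hunk below only handles the Notary/keyless case), so an empty `imageRegistryCredentials: {}` or a helper list combined with no secrets is accepted silently. A check in `Validate` that at least one of `helpers` or `secrets` is set when the block is present, and a doc line saying that `allowInsecureRegistry: true` disables TLS verification for this rule, would catch the most likely misconfigurations.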
@ -254,6 +268,22 @@ type Attestation struct {
Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}
type ImageRegistryCredentials struct {
// AllowInsecureRegistry allows insecure access to a registry
// +kubebuilder:validation:Optional
AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty" yaml:"allowInsecureRegistry,omitempty"`
// Helpers specifies a list of OCI Registry names, whose authentication helpers are provided
// It can be of one of these values: AWS, ACR, GCP, GHCR
// +kubebuilder:validation:Optional
Helpers []ImageRegistryCredentialsHelpersType `json:"helpers,omitempty" yaml:"helpers,omitempty"`
// Secrets specifies a list of secrets that are provided for credentials
// Secrets must live in the Kyverno namespace
// +kubebuilder:validation:Optional
Secrets []string `json:"secrets,omitempty" yaml:"secrets,omitempty"`
}
func (iv *ImageVerification) GetType() ImageVerificationType {
if iv.Type != "" {
return iv.Type
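Review bot: the `Helpers` doc comment says "It can be of one of these values: AWS, ACR, GCP, GHCR", but the accepted YAML values per the enum marker are `default`, `amazon`, `azure`, `google` and `github`; since this comment is propagated verbatim into every generated CRD description, it should be rewritten to list the wire values and to end sentences with punctuation (the generated text currently reads "are provided It can be"). Separately, `Secrets` names arbitrary Secrets in the Kyverno namespace, which means anyone allowed to create a policy can direct Kyverno to present any Secret in that namespace as a registry credential; the comment should state this trust boundary explicitly so operators know to scope policy-creation rights accordingly.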

View file

@ -434,7 +434,7 @@ func (in *ContextEntry) DeepCopyInto(out *ContextEntry) {
if in.ImageRegistry != nil {
in, out := &in.ImageRegistry, &out.ImageRegistry
*out = new(ImageRegistry)
**out = **in
(*in).DeepCopyInto(*out)
}
if in.Variable != nil {
in, out := &in.Variable, &out.Variable
@ -673,6 +673,11 @@ func (in ImageExtractorConfigs) DeepCopy() ImageExtractorConfigs {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ImageRegistry) DeepCopyInto(out *ImageRegistry) {
*out = *in
if in.ImageRegistryCredentials != nil {
in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
*out = new(ImageRegistryCredentials)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistry.
@ -685,6 +690,31 @@ func (in *ImageRegistry) DeepCopy() *ImageRegistry {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ImageRegistryCredentials) DeepCopyInto(out *ImageRegistryCredentials) {
*out = *in
if in.Helpers != nil {
in, out := &in.Helpers, &out.Helpers
*out = make([]ImageRegistryCredentialsHelpersType, len(*in))
copy(*out, *in)
}
if in.Secrets != nil {
in, out := &in.Secrets, &out.Secrets
*out = make([]string, len(*in))
copy(*out, *in)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistryCredentials.
func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials {
if in == nil {
return nil
}
out := new(ImageRegistryCredentials)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
*out = *in
@ -721,6 +751,11 @@ func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
(*out)[key] = val
}
}
if in.ImageRegistryCredentials != nil {
in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
*out = new(ImageRegistryCredentials)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.

View file

@ -5,16 +5,6 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field"
)
// ImageVerificationType selects the type of verification algorithm
// +kubebuilder:validation:Enum=Cosign;Notary
// +kubebuilder:default=Cosign
type ImageVerificationType string
const (
Cosign ImageVerificationType = "Cosign"
Notary ImageVerificationType = "Notary"
)
// ImageVerification validates that images that match the specified pattern
// are signed with the supplied public key. Once the image is verified it is
// mutated to include the SHA digest retrieved during the registration.
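Review bot: deleting `ImageVerificationType`, `Cosign` and `Notary` from the `v2beta1` package is a source-level breaking change for any Go code that imports `v2beta1` and references those identifiers. Keeping them as aliases, e.g. `type ImageVerificationType = kyvernov1.ImageVerificationType` plus `const Cosign = kyvernov1.Cosign` and `const Notary = kyvernov1.Notary`, preserves compatibility while still using the single definition in `v1`.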
@ -22,7 +12,7 @@ type ImageVerification struct {
// Type specifies the method of signature validation. The allowed options
// are Cosign and Notary. By default Cosign is used if a type is not specified.
// +kubebuilder:validation:Optional
Type ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
Type kyvernov1.ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
// ImageReferences is a list of matching image reference patterns. At least one pattern in the
// list must match the image for the rule to apply. Each image reference consists of a registry
@ -60,6 +50,10 @@ type ImageVerification struct {
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
Required bool `json:"required" yaml:"required"`
// ImageRegistryCredentials provides credentials that will be used for authentication with registry
// +kubebuilder:validation:Optional
ImageRegistryCredentials *kyvernov1.ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
}
// Validate implements programmatic validation
@ -86,7 +80,7 @@ func (iv *ImageVerification) Validate(isAuditFailureAction bool, path *field.Pat
errs = append(errs, attestorErrors...)
}
if iv.Type == Notary {
if iv.Type == kyvernov1.Notary {
for _, attestorSet := range iv.Attestors {
for _, attestor := range attestorSet.Entries {
if attestor.Keyless != nil {

View file

@ -184,6 +184,11 @@ func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.ImageRegistryCredentials != nil {
in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
*out = new(v1.ImageRegistryCredentials)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.

File diff suppressed because it is too large.

View file

@ -23,7 +23,6 @@ import (
"github.com/kyverno/kyverno/pkg/logging"
"github.com/kyverno/kyverno/pkg/metrics"
"github.com/kyverno/kyverno/pkg/policy"
"github.com/kyverno/kyverno/pkg/registryclient"
kubeinformers "k8s.io/client-go/informers"
kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
)
@ -39,7 +38,6 @@ func createrLeaderControllers(
kyvernoInformer kyvernoinformer.SharedInformerFactory,
kyvernoClient versioned.Interface,
dynamicClient dclient.Interface,
rclient registryclient.Client,
configuration config.Configuration,
metricsConfig metrics.MetricsConfigManager,
eventGenerator event.Interface,
@ -160,6 +158,7 @@ func main() {
setup.RegistryClient,
setup.KubeClient,
setup.KyvernoClient,
setup.RegistrySecretLister,
)
// start informers and wait for cache sync
if !internal.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, kyvernoInformer) {
@ -189,7 +188,6 @@ func main() {
kyvernoInformer,
setup.KyvernoClient,
setup.KyvernoDynamicClient,
setup.RegistryClient,
setup.Configuration,
setup.MetricsManager,
eventGenerator,

View file

@ -848,7 +848,6 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
fmt.Printf("Failed to mock dynamic client")
return nil, err
}
client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
cfg := config.NewDefaultConfiguration(false)
c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
@ -857,7 +856,6 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
jmespath.New(cfg),
adapters.Client(client),
nil,
nil,
store.ContextLoaderFactory(nil),
nil,
"",
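Review bot: the removed `nil` leaves a bare `nil` in the position that `engine.NewEngine` now treats as the `RegistryClientFactory` (see the CLI test hunk, which passes `factories.DefaultRegistryClientFactory(...)` there). Any test policy in this helper that uses an `imageRegistry` context entry or image verification will dereference that nil; either pass a no-op factory or add a comment on `initializeMockController` stating that registry-backed rules are out of scope for these tests.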

View file

@ -13,6 +13,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine"
"github.com/kyverno/kyverno/pkg/engine/adapters"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/registryclient"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
@ -117,8 +118,7 @@ OuterLoop:
config.NewDefaultMetricsConfiguration(),
jmespath.New(cfg),
adapters.Client(c.Client),
adapters.ImageDataClient(rclient),
rclient,
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
store.ContextLoaderFactory(nil),
nil,
"",
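Review bot: `factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil)` hands the factory a nil `SecretNamespaceLister`, so a policy that sets `imageRegistryCredentials.secrets` cannot resolve anything when run through the CLI. The factory should check for a nil lister and return a descriptive error ("secrets-based registry credentials are not supported in this context") rather than risking a nil-pointer panic, and the CLI docs should mention that only `helpers` and the global flags work offline.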

View file

@ -8,6 +8,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine/adapters"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/logging"
)
@ -16,7 +17,7 @@ func ContextLoaderFactory(
cmResolver engineapi.ConfigmapResolver,
) engineapi.ContextLoaderFactory {
return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) engineapi.ContextLoader {
inner := engineapi.DefaultContextLoaderFactory(cmResolver)
inner := factories.DefaultContextLoaderFactory(cmResolver)
if IsMock() {
return &mockContextLoader{
logger: logging.WithName("MockContextLoaderFactory"),
@ -39,7 +40,7 @@ func (l *mockContextLoader) Load(
ctx context.Context,
jp jmespath.Interface,
client engineapi.RawClient,
_ engineapi.ImageDataClient,
_ engineapi.RegistryClientFactory,
contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface,
) error {
@ -57,7 +58,7 @@ func (l *mockContextLoader) Load(
for _, entry := range contextEntries {
if entry.ImageRegistry != nil && hasRegistryAccess {
rclient := GetRegistryClient()
if err := engineapi.LoadImageData(ctx, jp, adapters.ImageDataClient(rclient), l.logger, entry, jsonContext); err != nil {
if err := engineapi.LoadImageData(ctx, jp, factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil), l.logger, entry, jsonContext); err != nil {
return err
}
} else if entry.Variable != nil {
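Review bot: a new `DefaultRegistryClientFactory` is built on every loop iteration for every `imageRegistry` context entry; build it once before the `for _, entry := range contextEntries` loop (or accept the factory passed in as the now-ignored `_ engineapi.RegistryClientFactory` parameter) instead of discarding the caller's factory and reconstructing one per entry. The nil lister here has the same effect as in the CLI path: `imageRegistryCredentials.secrets` silently cannot be honoured in mock mode.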

View file

@ -14,9 +14,11 @@ import (
"github.com/kyverno/kyverno/pkg/engine/adapters"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
"github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/registryclient"
"k8s.io/client-go/kubernetes"
corev1listers "k8s.io/client-go/listers/core/v1"
)
func NewEngine(
@ -29,6 +31,7 @@ func NewEngine(
rclient registryclient.Client,
kubeClient kubernetes.Interface,
kyvernoClient versioned.Interface,
secretLister corev1listers.SecretNamespaceLister,
) engineapi.Engine {
configMapResolver := NewConfigMapResolver(ctx, logger, kubeClient, 15*time.Minute)
exceptionsSelector := NewExceptionSelector(ctx, logger, kyvernoClient, 15*time.Minute)
@ -39,9 +42,8 @@ func NewEngine(
metricsConfiguration,
jp,
adapters.Client(client),
adapters.ImageDataClient(rclient),
rclient,
engineapi.DefaultContextLoaderFactory(configMapResolver),
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), secretLister),
factories.DefaultContextLoaderFactory(configMapResolver),
exceptionsSelector,
imageSignatureRepository,
)
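Review bot: `secretLister` is passed straight into `factories.DefaultRegistryClientFactory`, but the `Setup` hunk below leaves `registrySecretLister` nil whenever `config.UsesRegistryClient()` is false, so the factory must guard against a nil lister before calling `Get`/`List` on it. Documenting on `NewEngine` that `secretLister` may be nil (and that `rclient` may be nil in the same configurations) would make the contract explicit for the three `main()` call sites updated in this patch.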

View file

@ -10,22 +10,23 @@ import (
"github.com/kyverno/kyverno/pkg/registryclient"
kubeinformers "k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
corev1listers "k8s.io/client-go/listers/core/v1"
)
func setupRegistryClient(ctx context.Context, logger logr.Logger, client kubernetes.Interface) registryclient.Client {
func setupRegistryClient(ctx context.Context, logger logr.Logger, client kubernetes.Interface) (registryclient.Client, corev1listers.SecretNamespaceLister) {
logger = logger.WithName("registry-client").WithValues("secrets", imagePullSecrets, "insecure", allowInsecureRegistry)
logger.Info("setup registry client...")
factory := kubeinformers.NewSharedInformerFactoryWithOptions(client, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
secretLister := factory.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
// start informers and wait for cache sync
if !StartInformersAndWaitForCacheSync(ctx, logger, factory) {
checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
}
registryOptions := []registryclient.Option{
registryclient.WithTracing(),
}
secrets := strings.Split(imagePullSecrets, ",")
if imagePullSecrets != "" && len(secrets) > 0 {
factory := kubeinformers.NewSharedInformerFactoryWithOptions(client, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
secretLister := factory.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
// start informers and wait for cache sync
if !StartInformersAndWaitForCacheSync(ctx, logger, factory) {
checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
}
registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, secretLister, secrets...))
}
if allowInsecureRegistry {
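Review bot: the Secret informer for the Kyverno namespace is now started unconditionally, whereas before it only ran when `imagePullSecrets` was set; every component that calls `setupRegistryClient` therefore lists and watches all Secrets in its namespace at startup and needs `list`/`watch` on `secrets` in its Role, so confirm the Helm chart and install manifests grant that, and that components which never evaluate rule-level credentials are fine paying the cache cost (otherwise `checkError` will abort them on cache-sync failure). Minor, in the unchanged context: `len(secrets) > 0` is always true after `strings.Split`, so the `imagePullSecrets != ""` check alone suffices.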
@ -36,5 +37,5 @@ func setupRegistryClient(ctx context.Context, logger logr.Logger, client kuberne
}
registryClient, err := registryclient.New(registryOptions...)
checkError(logger, err, "failed to create registry client")
return registryClient
return registryClient, secretLister
}

View file

@ -15,6 +15,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/metrics"
"github.com/kyverno/kyverno/pkg/registryclient"
corev1listers "k8s.io/client-go/listers/core/v1"
)
func shutdown(logger logr.Logger, sdowns ...context.CancelFunc) context.CancelFunc {
@ -37,6 +38,7 @@ type SetupResult struct {
KubeClient kubeclient.UpstreamInterface
LeaderElectionClient kubeclient.UpstreamInterface
RegistryClient registryclient.Client
RegistrySecretLister corev1listers.SecretNamespaceLister
KyvernoClient kyvernoclient.UpstreamInterface
DynamicClient dynamicclient.UpstreamInterface
ApiServerClient apiserverclient.UpstreamInterface
@ -59,8 +61,9 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
configuration := startConfigController(ctx, logger, client, skipResourceFilters)
sdownTracing := SetupTracing(logger, name, client)
var registryClient registryclient.Client
var registrySecretLister corev1listers.SecretNamespaceLister
if config.UsesRegistryClient() {
registryClient = setupRegistryClient(ctx, logger, client)
registryClient, registrySecretLister = setupRegistryClient(ctx, logger, client)
}
var leaderElectionClient kubeclient.UpstreamInterface
if config.UsesLeaderElection() {
@ -96,6 +99,7 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
KubeClient: client,
LeaderElectionClient: leaderElectionClient,
RegistryClient: registryClient,
RegistrySecretLister: registrySecretLister,
KyvernoClient: kyvernoClient,
DynamicClient: dynamicClient,
ApiServerClient: apiServerClient,

View file

@ -300,6 +300,7 @@ func main() {
setup.RegistryClient,
setup.KubeClient,
setup.KyvernoClient,
setup.RegistrySecretLister,
)
// create non leader controllers
nonLeaderControllers, nonLeaderBootstrap := createNonLeaderControllers(
@ -414,7 +415,6 @@ func main() {
engine,
setup.KyvernoDynamicClient,
setup.KyvernoClient,
setup.RegistryClient,
setup.Configuration,
setup.MetricsManager,
policyCache,

View file

@ -23,7 +23,6 @@ import (
"github.com/kyverno/kyverno/pkg/event"
"github.com/kyverno/kyverno/pkg/leaderelection"
"github.com/kyverno/kyverno/pkg/logging"
"github.com/kyverno/kyverno/pkg/registryclient"
kubeinformers "k8s.io/client-go/informers"
metadatainformers "k8s.io/client-go/metadata/metadatainformer"
kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
@ -41,7 +40,6 @@ func createReportControllers(
backgroundScanWorkers int,
client dclient.Interface,
kyvernoClient versioned.Interface,
rclient registryclient.Client,
metadataFactory metadatainformers.SharedInformerFactory,
kubeInformer kubeinformers.SharedInformerFactory,
kyvernoInformer kyvernoinformer.SharedInformerFactory,
@ -132,7 +130,6 @@ func createrLeaderControllers(
metadataInformer metadatainformers.SharedInformerFactory,
kyvernoClient versioned.Interface,
dynamicClient dclient.Interface,
rclient registryclient.Client,
configuration config.Configuration,
jp jmespath.Interface,
eventGenerator event.Interface,
@ -146,7 +143,6 @@ func createrLeaderControllers(
backgroundScanWorkers,
dynamicClient,
kyvernoClient,
rclient,
metadataInformer,
kubeInformer,
kyvernoInformer,
@ -233,6 +229,7 @@ func main() {
setup.RegistryClient,
setup.KubeClient,
setup.KyvernoClient,
setup.RegistrySecretLister,
)
// start informers and wait for cache sync
if !internal.StartInformersAndWaitForCacheSync(ctx, setup.Logger, kyvernoInformer) {
@ -269,7 +266,6 @@ func main() {
metadataInformer,
setup.KyvernoClient,
setup.KyvernoDynamicClient,
setup.RegistryClient,
setup.Configuration,
setup.Jp,
eventGenerator,

View file

@ -220,6 +220,37 @@ spec:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure access
to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI Registry
names, whose authentication helpers are provided It
can be of one of these values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType provides
the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct returned

View file

@ -220,6 +220,37 @@ spec:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure access
to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI Registry
names, whose authentication helpers are provided It
can be of one of these values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType provides
the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct returned

View file

@ -258,6 +258,38 @@ spec:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct
@ -1923,6 +1955,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -2221,6 +2288,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -2620,6 +2722,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -3708,6 +3845,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI Registry
names, whose authentication helpers are provided
It can be of one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Issuer is the certificate issuer used for
keyless signing. Deprecated. Use KeylessAttestor instead.
@ -4013,6 +4182,40 @@ spec:
description: ImageRegistry defines requests to an
OCI/Docker V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of
OCI Registry names, whose authentication
helpers are provided It can be of one of
these values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers
required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets
must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
@ -5755,6 +5958,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
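Review bot: two descriptions in this hunk run sentences together because the source comment has no period before the line break: `whose authentication helpers are provided It can be of one of these values` and `provided for credentials Secrets must live in the Kyverno namespace`. Add the missing full stops (and drop the stray `of` in `of one of these values`) in the Go doc comments so that every generated copy of this block reads cleanly.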
@ -6067,6 +6306,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
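Review bot: `allowInsecureRegistry` is described only as `allows insecure access to a registry`, which does not tell a policy author which protection is being relaxed. The description should state exactly what `insecure` means for this client (plain HTTP, skipping TLS certificate verification, or both, whichever the loader implements) and that it is intended for test registries; a vague description makes it too easy to leave the flag enabled in production policies, where the credentials named in `secrets` would then be sent over the weakened channel.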
@ -6489,6 +6764,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
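Review bot: the `secrets` description states the namespace constraint but not the expected Secret type or key layout, so a user cannot tell whether a `kubernetes.io/dockerconfigjson` Secret, a basic-auth Secret, or something else is required. State the accepted type in the doc comment, and also say what happens when a listed name does not exist in the Kyverno namespace (whether the rule fails closed or falls back to anonymous registry access), since that choice decides whether a misconfigured policy is noisy or silently weaker than intended.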
@ -7626,6 +7937,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Issuer is the certificate issuer used
for keyless signing. Deprecated. Use KeylessAttestor
@ -8028,6 +8371,38 @@ spec:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct
@ -9267,6 +9642,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -9565,6 +9975,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -10146,6 +10591,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -11213,6 +11693,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI Registry
names, whose authentication helpers are provided
It can be of one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
items:
type: string
type: array
type: object
mutateDigest:
default: true
description: MutateDigest enables replacement of image
@ -11499,6 +12011,40 @@ spec:
description: ImageRegistry defines requests to an
OCI/Docker V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of
OCI Registry names, whose authentication
helpers are provided It can be of one of
these values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers
required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets
must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
@ -13241,6 +13787,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -13553,6 +14135,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -13975,6 +14593,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -15112,6 +15766,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Issuer is the certificate issuer used
for keyless signing. Deprecated. Use KeylessAttestor


@ -259,6 +259,38 @@ spec:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct
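Review bot: this second CRD file carries an identical generated `imageRegistryCredentials` block, including the `helpers` description that names `AWS, ACR, GCP, GHCR` while the `enum` below it accepts `default`, `amazon`, `azure`, `google` and `github`. Any wording fix has to be made once in the Go doc comment and both files regenerated through the codegen step rather than edited by hand here, otherwise the two copies will drift and a later codegen run will revert the manual edit.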
@ -1924,6 +1956,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -2222,6 +2289,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -2621,6 +2723,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -3709,6 +3846,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI Registry
names, whose authentication helpers are provided
It can be of one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Issuer is the certificate issuer used for
keyless signing. Deprecated. Use KeylessAttestor instead.
@ -4015,6 +4184,40 @@ spec:
description: ImageRegistry defines requests to an
OCI/Docker V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of
OCI Registry names, whose authentication
helpers are provided It can be of one of
these values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers
required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets
must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
@ -5757,6 +5960,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -6069,6 +6308,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -6491,6 +6766,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -7628,6 +7939,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Issuer is the certificate issuer used
for keyless signing. Deprecated. Use KeylessAttestor
@ -8031,6 +8374,38 @@ spec:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct
@ -9270,6 +9645,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -9568,6 +9978,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -10149,6 +10594,41 @@ spec:
to an OCI/Docker V2 registry to fetch image
details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list
of OCI Registry names, whose authentication
helpers are provided It can be of
one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list
of secrets that are provided for credentials
Secrets must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
@ -11216,6 +11696,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI Registry
names, whose authentication helpers are provided
It can be of one of these values: AWS, ACR, GCP,
GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
items:
type: string
type: array
type: object
mutateDigest:
default: true
description: MutateDigest enables replacement of image
@ -11502,6 +12014,40 @@ spec:
description: ImageRegistry defines requests to an
OCI/Docker V2 registry to fetch image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials provides
credentials that will be used for authentication
with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows
insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of
OCI Registry names, whose authentication
helpers are provided It can be of one of
these values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers
required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets
must live in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
@ -13244,6 +13790,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -13556,6 +14138,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -13978,6 +14596,42 @@ spec:
to an OCI/Docker V2 registry to fetch
image details.
properties:
imageRegistryCredentials:
description: ImageRegistryCredentials
provides credentials that will be
used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry
allows insecure access to a registry
type: boolean
helpers:
description: 'Helpers specifies
a list of OCI Registry names,
whose authentication helpers are
provided It can be of one of these
values: AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential
helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a
list of secrets that are provided
for credentials Secrets must live
in the Kyverno namespace
items:
type: string
type: array
type: object
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
@ -15115,6 +15769,38 @@ spec:
items:
type: string
type: array
imageRegistryCredentials:
description: ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties:
allowInsecureRegistry:
description: AllowInsecureRegistry allows insecure
access to a registry
type: boolean
helpers:
description: 'Helpers specifies a list of OCI
Registry names, whose authentication helpers
are provided It can be of one of these values:
AWS, ACR, GCP, GHCR'
items:
description: ImageRegistryCredentialsHelpersType
provides the list of credential helpers required.
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
description: Secrets specifies a list of secrets
that are provided for credentials Secrets must
live in the Kyverno namespace
items:
type: string
type: array
type: object
issuer:
description: Issuer is the certificate issuer used
for keyless signing. Deprecated. Use KeylessAttestor
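
Review bot: `allowInsecureRegistry` is a per-rule boolean that any policy author can set, but its description ("allows insecure access to a registry") does not say what it relaxes (plain HTTP, TLS certificate verification, or both). Spell that out in the field doc comment so that someone reviewing a policy can judge the risk of enabling it. Separately, the `secrets` items carry no `minLength` or pattern constraint, so an empty string passes schema validation and only fails when the client is built; add `minLength: 1` via the corresponding kubebuilder marker on the Go field.
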

File diff suppressed because it is too large Load diff


@ -1951,9 +1951,89 @@ transform the ImageData struct returned as a result of processing
the image reference.</p>
</td>
</tr>
<tr>
<td>
<code>imageRegistryCredentials</code><br/>
<em>
<a href="#kyverno.io/v1.ImageRegistryCredentials">
ImageRegistryCredentials
</a>
</em>
</td>
<td>
<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.ImageRegistryCredentials">ImageRegistryCredentials
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.ImageRegistry">ImageRegistry</a>,
<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>,
<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>allowInsecureRegistry</code><br/>
<em>
bool
</em>
</td>
<td>
<p>AllowInsecureRegistry allows insecure access to a registry</p>
</td>
</tr>
<tr>
<td>
<code>helpers</code><br/>
<em>
<a href="#kyverno.io/v1.ImageRegistryCredentialsHelpersType">
[]ImageRegistryCredentialsHelpersType
</a>
</em>
</td>
<td>
<p>Helpers specifies a list of OCI Registry names, whose authentication helpers are provided
It can be of one of these values: AWS, ACR, GCP, GHCR</p>
</td>
</tr>
<tr>
<td>
<code>secrets</code><br/>
<em>
[]string
</em>
</td>
<td>
<p>Secrets specifies a list of secrets that are provided for credentials
Secrets must live in the Kyverno namespace</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.ImageRegistryCredentialsHelpersType">ImageRegistryCredentialsHelpersType
(<code>string</code> alias)</p></h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.ImageRegistryCredentials">ImageRegistryCredentials</a>)
</p>
<p>
<p>ImageRegistryCredentialsHelpersType provides the list of credential helpers required.</p>
</p>
<h3 id="kyverno.io/v1.ImageVerification">ImageVerification
</h3>
<p>
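
Review bot: the generated section for `ImageRegistryCredentials` has an empty description paragraph (the `<p>` / `</p>` pair right after the "Appears on" list), which means the Go struct has no doc comment, while the `ImageRegistryCredentialsHelpersType` alias in the same hunk does have one. Add a one-line doc comment to the struct stating what it configures and that it applies per `verifyImages` entry or per `imageRegistry` context entry, then regenerate the API reference.
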
@ -2163,6 +2243,19 @@ bool
<p>Required validates that images are verified i.e. have matched passed a signature or attestation check.</p>
</td>
</tr>
<tr>
<td>
<code>imageRegistryCredentials</code><br/>
<em>
<a href="#kyverno.io/v1.ImageRegistryCredentials">
ImageRegistryCredentials
</a>
</em>
</td>
<td>
<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
</td>
</tr>
</tbody>
</table>
<hr />
@ -2170,7 +2263,8 @@ bool
(<code>string</code> alias)</p></h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>)
<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>,
<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
</p>
<p>
<p>ImageVerificationType selects the type of verification algorithm</p>
@ -6377,7 +6471,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
<td>
<code>type</code><br/>
<em>
<a href="#kyverno.io/v2beta1.ImageVerificationType">
<a href="#kyverno.io/v1.ImageVerificationType">
ImageVerificationType
</a>
</em>
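
Review bot: the link for the v2beta1 `ImageVerification.type` field now points at `kyverno.io/v1.ImageVerificationType` instead of `kyverno.io/v2beta1.ImageVerificationType`, i.e. the Go type of a v2beta1 field changed. That is unrelated to registry credentials and is not mentioned in the commit message; if it is intentional, say so in the PR description and check whether the `v2beta1.ImageVerificationType` alias is still needed, since the generated docs further down still list it as appearing on `v2beta1.ImageVerification`.
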
@ -6476,18 +6570,22 @@ bool
<p>Required validates that images are verified i.e. have matched passed a signature or attestation check.</p>
</td>
</tr>
<tr>
<td>
<code>imageRegistryCredentials</code><br/>
<em>
<a href="#kyverno.io/v1.ImageRegistryCredentials">
ImageRegistryCredentials
</a>
</em>
</td>
<td>
<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v2beta1.ImageVerificationType">ImageVerificationType
(<code>string</code> alias)</p></h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
</p>
<p>
<p>ImageVerificationType selects the type of verification algorithm</p>
</p>
<h3 id="kyverno.io/v2beta1.MatchResources">MatchResources
</h3>
<p>


@ -10,10 +10,10 @@ import (
)
type rclientAdapter struct {
client registryclient.Client
registryclient.Client
}
func ImageDataClient(client registryclient.Client) engineapi.ImageDataClient {
func RegistryClient(client registryclient.Client) engineapi.RegistryClient {
if client == nil {
return nil
}
@ -21,7 +21,7 @@ func ImageDataClient(client registryclient.Client) engineapi.ImageDataClient {
}
func (a *rclientAdapter) ForRef(ctx context.Context, ref string) (*engineapi.ImageData, error) {
desc, err := a.client.FetchImageDescriptor(ctx, ref)
desc, err := a.Client.FetchImageDescriptor(ctx, ref)
if err != nil {
return nil, fmt.Errorf("failed to fetch image descriptor: %s, error: %v", ref, err)
}


@ -4,6 +4,9 @@ import (
"context"
"io"
"github.com/google/go-containerregistry/pkg/authn"
gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/sigstore/cosign/pkg/oci/remote"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
@ -46,4 +49,20 @@ type ImageData struct {
type ImageDataClient interface {
ForRef(ctx context.Context, ref string) (*ImageData, error)
FetchImageDescriptor(context.Context, string) (*gcrremote.Descriptor, error)
}
type KeychainClient interface {
Keychain() authn.Keychain
RefreshKeychainPullSecrets(ctx context.Context) error
}
type CosignClient interface {
BuildRemoteOption(context.Context) remote.Option
}
type RegistryClient interface {
ImageDataClient
KeychainClient
CosignClient
}
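
Review bot: the new composed `RegistryClient` interface leaks concrete third-party types into the engine API package: `ImageDataClient.FetchImageDescriptor` now returns `*gcrremote.Descriptor`, `CosignClient.BuildRemoteOption` returns a cosign `remote.Option`, and `KeychainClient.Keychain` returns an `authn.Keychain`. Until this change `engineapi` only exposed the engine's own `ImageData`, which is what made the adapter worthwhile. Consider keeping `ForRef` as the sole method of `ImageDataClient` and putting the go-containerregistry/cosign facing methods behind a separate interface, so that packages depending on `engineapi` do not inherit those dependencies. The four new interfaces also lack doc comments, unlike the other exported types in this package.
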


@ -75,8 +75,8 @@ func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.Con
}
}
func LoadImageData(ctx context.Context, jp jmespath.Interface, client ImageDataClient, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) error {
imageData, err := fetchImageData(ctx, jp, client, logger, entry, enginectx)
func LoadImageData(ctx context.Context, jp jmespath.Interface, rclientFactory RegistryClientFactory, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) error {
imageData, err := fetchImageData(ctx, jp, rclientFactory, logger, entry, enginectx)
if err != nil {
return err
}
@ -113,7 +113,7 @@ func LoadConfigMap(ctx context.Context, logger logr.Logger, entry kyvernov1.Cont
return nil
}
func fetchImageData(ctx context.Context, jp jmespath.Interface, client ImageDataClient, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) (interface{}, error) {
func fetchImageData(ctx context.Context, jp jmespath.Interface, rclientFactory RegistryClientFactory, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) (interface{}, error) {
ref, err := variables.SubstituteAll(logger, enginectx, entry.ImageRegistry.Reference)
if err != nil {
return nil, fmt.Errorf("ailed to substitute variables in context entry %s %s: %v", entry.Name, entry.ImageRegistry.Reference, err)
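
Review bot: the error message on the unchanged context line, `"ailed to substitute variables in context entry ..."`, is missing its leading `f`. The signature line directly above is touched by this change, so fix the typo in the same commit; the message for the JMESPath substitution a few lines further down already reads `failed to substitute variables ...`.
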
@ -126,6 +126,10 @@ func fetchImageData(ctx context.Context, jp jmespath.Interface, client ImageData
if err != nil {
return nil, fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.ImageRegistry.JMESPath, err)
}
client, err := rclientFactory.GetClient(ctx, entry.ImageRegistry.ImageRegistryCredentials)
if err != nil {
return nil, fmt.Errorf("failed to get registry client %s: %v", entry.Name, err)
}
imageData, err := fetchImageDataMap(ctx, client, refString)
if err != nil {
return nil, err


@ -2,15 +2,16 @@ package api
import (
"context"
"fmt"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/logging"
)
type RegistryClientFactory interface {
GetClient(ctx context.Context, creds *kyvernov1.ImageRegistryCredentials) (RegistryClient, error)
}
// ContextLoaderFactory provides a ContextLoader given a policy context and rule name
type ContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader
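
Review bot: the new `RegistryClientFactory` interface has no doc comment, while the neighbouring `ContextLoaderFactory` does. Document the contract that callers rely on: `GetClient` returns the engine-wide default client when `creds` is nil, and may build a fresh client (resolving the named secrets) on every call when `creds` is set. Both the mutate-image handler and the context loader in this change depend on that behaviour, so it should be stated on the interface rather than only in the default implementation.
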
@ -20,83 +21,8 @@ type ContextLoader interface {
ctx context.Context,
jp jmespath.Interface,
client RawClient,
imgClient ImageDataClient,
rclientFactory RegistryClientFactory,
contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface,
) error
}
func DefaultContextLoaderFactory(
cmResolver ConfigmapResolver,
) ContextLoaderFactory {
return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader {
return &contextLoader{
logger: logging.WithName("DefaultContextLoaderFactory"),
cmResolver: cmResolver,
}
}
}
type contextLoader struct {
logger logr.Logger
cmResolver ConfigmapResolver
}
func (l *contextLoader) Load(
ctx context.Context,
jp jmespath.Interface,
client RawClient,
imgClient ImageDataClient,
contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface,
) error {
for _, entry := range contextEntries {
deferredLoader := l.newDeferredLoader(ctx, jp, client, imgClient, entry, jsonContext)
if deferredLoader == nil {
return fmt.Errorf("invalid context entry %s", entry.Name)
}
jsonContext.AddDeferredLoader(entry.Name, deferredLoader)
}
return nil
}
func (l *contextLoader) newDeferredLoader(
ctx context.Context,
jp jmespath.Interface,
client RawClient,
imgClient ImageDataClient,
entry kyvernov1.ContextEntry,
jsonContext enginecontext.Interface,
) enginecontext.DeferredLoader {
if entry.ConfigMap != nil {
return func() error {
if err := LoadConfigMap(ctx, l.logger, entry, jsonContext, l.cmResolver); err != nil {
return err
}
return nil
}
} else if entry.APICall != nil {
return func() error {
if err := LoadAPIData(ctx, jp, l.logger, entry, jsonContext, client); err != nil {
return err
}
return nil
}
} else if entry.ImageRegistry != nil {
return func() error {
if err := LoadImageData(ctx, jp, imgClient, l.logger, entry, jsonContext); err != nil {
return err
}
return nil
}
} else if entry.Variable != nil {
return func() error {
if err := LoadVariable(l.logger, jp, entry, jsonContext); err != nil {
return err
}
return nil
}
}
return nil
}
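
Review bot: this hunk removes the exported `DefaultContextLoaderFactory` and the `contextLoader` type from the `api` package; they reappear, with the `ImageDataClient` parameter replaced by `RegistryClientFactory`, in the new `pkg/engine/factories` package. That is a breaking change for anyone importing `engineapi.DefaultContextLoaderFactory`, so call the move out in the commit message. Keeping the loader logic otherwise identical is the right choice for a move-only hunk.
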


@ -17,7 +17,6 @@ import (
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
"github.com/kyverno/kyverno/pkg/logging"
"github.com/kyverno/kyverno/pkg/metrics"
"github.com/kyverno/kyverno/pkg/registryclient"
"github.com/kyverno/kyverno/pkg/tracing"
stringutils "github.com/kyverno/kyverno/pkg/utils/strings"
"go.opentelemetry.io/otel/metric"
@ -31,8 +30,7 @@ type engine struct {
metricsConfiguration config.MetricsConfiguration
jp jmespath.Interface
client engineapi.Client
imgClient engineapi.ImageDataClient
rclient registryclient.Client
rclientFactory engineapi.RegistryClientFactory
contextLoader engineapi.ContextLoaderFactory
exceptionSelector engineapi.PolicyExceptionSelector
imageSignatureRepository string
@ -48,8 +46,7 @@ func NewEngine(
metricsConfiguration config.MetricsConfiguration,
jp jmespath.Interface,
client engineapi.Client,
imgClient engineapi.ImageDataClient,
rclient registryclient.Client,
rclientFactory engineapi.RegistryClientFactory,
contextLoader engineapi.ContextLoaderFactory,
exceptionSelector engineapi.PolicyExceptionSelector,
imageSignatureRepository string,
@ -74,8 +71,7 @@ func NewEngine(
metricsConfiguration: metricsConfiguration,
jp: jp,
client: client,
imgClient: imgClient,
rclient: rclient,
rclientFactory: rclientFactory,
contextLoader: contextLoader,
exceptionSelector: exceptionSelector,
imageSignatureRepository: imageSignatureRepository,
@ -179,7 +175,7 @@ func (e *engine) ContextLoader(
ctx,
e.jp,
e.client,
e.imgClient,
e.rclientFactory,
contextEntries,
jsonContext,
)


@ -0,0 +1,86 @@
package factories
import (
"context"
"fmt"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/logging"
)
func DefaultContextLoaderFactory(cmResolver engineapi.ConfigmapResolver) engineapi.ContextLoaderFactory {
return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) engineapi.ContextLoader {
return &contextLoader{
logger: logging.WithName("DefaultContextLoaderFactory"),
cmResolver: cmResolver,
}
}
}
type contextLoader struct {
logger logr.Logger
cmResolver engineapi.ConfigmapResolver
}
func (l *contextLoader) Load(
ctx context.Context,
jp jmespath.Interface,
client engineapi.RawClient,
rclientFactory engineapi.RegistryClientFactory,
contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface,
) error {
for _, entry := range contextEntries {
deferredLoader := l.newDeferredLoader(ctx, jp, client, rclientFactory, entry, jsonContext)
if deferredLoader == nil {
return fmt.Errorf("invalid context entry %s", entry.Name)
}
jsonContext.AddDeferredLoader(entry.Name, deferredLoader)
}
return nil
}
func (l *contextLoader) newDeferredLoader(
ctx context.Context,
jp jmespath.Interface,
client engineapi.RawClient,
rclientFactory engineapi.RegistryClientFactory,
entry kyvernov1.ContextEntry,
jsonContext enginecontext.Interface,
) enginecontext.DeferredLoader {
if entry.ConfigMap != nil {
return func() error {
if err := engineapi.LoadConfigMap(ctx, l.logger, entry, jsonContext, l.cmResolver); err != nil {
return err
}
return nil
}
} else if entry.APICall != nil {
return func() error {
if err := engineapi.LoadAPIData(ctx, jp, l.logger, entry, jsonContext, client); err != nil {
return err
}
return nil
}
} else if entry.ImageRegistry != nil {
return func() error {
if err := engineapi.LoadImageData(ctx, jp, rclientFactory, l.logger, entry, jsonContext); err != nil {
return err
}
return nil
}
} else if entry.Variable != nil {
return func() error {
if err := engineapi.LoadVariable(l.logger, jp, entry, jsonContext); err != nil {
return err
}
return nil
}
}
return nil
}
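
Review bot: the `policy` and `rule` arguments of the function returned by `DefaultContextLoaderFactory` are unused, and every branch of `newDeferredLoader` wraps its loader call in `if err := ...; err != nil { return err }; return nil`, which is equivalent to `return engineapi.LoadConfigMap(ctx, l.logger, entry, jsonContext, l.cmResolver)` (and likewise for `LoadAPIData`, `LoadImageData` and `LoadVariable`). Since this file is new, simplify the closures as part of the move, and name the unused parameters `_` if they are only kept for the `ContextLoaderFactory` signature.
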


@ -0,0 +1,50 @@
package factories
import (
"context"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/adapters"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/registryclient"
corev1listers "k8s.io/client-go/listers/core/v1"
)
func DefaultRegistryClientFactory(globalClient engineapi.RegistryClient, secretsLister corev1listers.SecretNamespaceLister) engineapi.RegistryClientFactory {
return &registryClientFactory{
globalClient: globalClient,
secretsLister: secretsLister,
}
}
type registryClientFactory struct {
globalClient engineapi.RegistryClient
secretsLister corev1listers.SecretNamespaceLister
}
func (f *registryClientFactory) GetClient(ctx context.Context, creds *kyvernov1.ImageRegistryCredentials) (engineapi.RegistryClient, error) {
if creds != nil {
registryOptions := []registryclient.Option{
registryclient.WithTracing(),
}
if creds.AllowInsecureRegistry {
registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
}
if len(creds.Helpers) > 0 {
var helpers []string
for _, helper := range creds.Helpers {
helpers = append(helpers, string(helper))
}
registryOptions = append(registryOptions, registryclient.WithCredentialHelpers(helpers...))
}
if len(creds.Secrets) > 0 {
registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, f.secretsLister, creds.Secrets...))
}
client, err := registryclient.New(registryOptions...)
if err != nil {
return nil, err
}
return adapters.RegistryClient(client), nil
}
return f.globalClient, nil
}
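
Review bot: missing nil check on `f.secretsLister`. Several call sites on this page construct the factory with `DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil)`, and `GetClient` passes the lister straight into `registryclient.WithKeychainPullSecrets` whenever `creds.Secrets` is non-empty, so a rule that names a secret would hit a nil lister instead of a clear error; return an error such as `secrets lister not configured` before building the client. Two further points on this hunk: a new client is built, and the named secrets resolved, on every `GetClient` call with non-nil `creds`, which is once per `verifyImages` entry or context entry per admission request, so consider caching clients keyed by the credentials spec; and `creds.AllowInsecureRegistry` lets any policy author relax registry transport security for their own rule, so consider whether an operator-level opt-in should be required before the per-rule flag is honoured, and document the decision on the field.
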


@ -14,7 +14,6 @@ import (
"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
"github.com/kyverno/kyverno/pkg/engine/variables"
"github.com/kyverno/kyverno/pkg/registryclient"
apiutils "github.com/kyverno/kyverno/pkg/utils/api"
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
"gomodules.xyz/jsonpatch/v2"
@ -23,7 +22,7 @@ import (
type mutateImageHandler struct {
configuration config.Configuration
rclient registryclient.Client
rclientFactory engineapi.RegistryClientFactory
ivm *engineapi.ImageVerificationMetadata
images []apiutils.ImageInfo
imageSignatureRepository string
@ -34,7 +33,7 @@ func NewMutateImageHandler(
resource unstructured.Unstructured,
rule kyvernov1.Rule,
configuration config.Configuration,
rclient registryclient.Client,
rclientFactory engineapi.RegistryClientFactory,
ivm *engineapi.ImageVerificationMetadata,
imageSignatureRepository string,
) (handlers.Handler, error) {
@ -50,7 +49,7 @@ func NewMutateImageHandler(
}
return mutateImageHandler{
configuration: configuration,
rclient: rclient,
rclientFactory: rclientFactory,
ivm: ivm,
images: ruleImages,
imageSignatureRepository: imageSignatureRepository,
@ -72,10 +71,16 @@ func (h mutateImageHandler) Process(
engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to substitute variables", err),
)
}
iv := internal.NewImageVerifier(logger, h.rclient, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
var engineResponses []*engineapi.RuleResponse
var patches []jsonpatch.JsonPatchOperation
for _, imageVerify := range ruleCopy.VerifyImages {
rclient, err := h.rclientFactory.GetClient(ctx, imageVerify.ImageRegistryCredentials)
if err != nil {
return resource, handlers.WithResponses(
engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to fetch secrets", err),
)
}
iv := internal.NewImageVerifier(logger, rclient, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
patch, ruleResponse := iv.Verify(ctx, imageVerify, h.images, h.configuration)
patches = append(patches, patch...)
engineResponses = append(engineResponses, ruleResponse...)
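
Review bot: the error string `"failed to fetch secrets"` is narrower than what `GetClient` can fail on; it also builds the client and applies credential helpers, and it returns the global client without touching any secret when the entry carries no credentials. Use something like `"failed to create registry client"` so the rule response does not mislead. Moving `NewImageVerifier` inside the loop is correct, since each `verifyImages` entry may now carry its own credentials and therefore its own client, but a short comment saying so would stop a later reader from hoisting it back out.
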


@ -40,7 +40,7 @@ func (e *engine) verifyAndPatchImages(
matchedResource,
rule,
e.configuration,
e.rclient,
e.rclientFactory,
&ivm,
e.imageSignatureRepository,
)


@ -15,6 +15,7 @@ import (
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
"github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/internal"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
@ -182,9 +183,8 @@ func testVerifyAndPatchImages(
metricsCfg,
jp,
nil,
adapters.ImageDataClient(rclient),
rclient,
engineapi.DefaultContextLoaderFactory(cmResolver),
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
factories.DefaultContextLoaderFactory(cmResolver),
nil,
"",
)


@ -16,7 +16,6 @@ import (
"github.com/kyverno/kyverno/pkg/engine/variables"
"github.com/kyverno/kyverno/pkg/images"
"github.com/kyverno/kyverno/pkg/notary"
"github.com/kyverno/kyverno/pkg/registryclient"
apiutils "github.com/kyverno/kyverno/pkg/utils/api"
"github.com/kyverno/kyverno/pkg/utils/jsonpointer"
"github.com/kyverno/kyverno/pkg/utils/wildcard"
@ -27,7 +26,7 @@ import (
type ImageVerifier struct {
logger logr.Logger
rclient registryclient.Client
rclient engineapi.RegistryClient
policyContext engineapi.PolicyContext
rule kyvernov1.Rule
ivm *engineapi.ImageVerificationMetadata
@ -36,7 +35,7 @@ type ImageVerifier struct {
func NewImageVerifier(
logger logr.Logger,
rclient registryclient.Client,
rclient engineapi.RegistryClient,
policyContext engineapi.PolicyContext,
rule kyvernov1.Rule,
ivm *engineapi.ImageVerificationMetadata,


@ -11,6 +11,7 @@ import (
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/engine/adapters"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/factories"
enginetest "github.com/kyverno/kyverno/pkg/engine/test"
"github.com/kyverno/kyverno/pkg/registryclient"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
@ -29,15 +30,14 @@ func testMutate(
contextLoader engineapi.ContextLoaderFactory,
) engineapi.EngineResponse {
if contextLoader == nil {
contextLoader = engineapi.DefaultContextLoaderFactory(nil)
contextLoader = factories.DefaultContextLoaderFactory(nil)
}
e := NewEngine(
cfg,
config.NewDefaultMetricsConfiguration(),
jp,
adapters.Client(client),
adapters.ImageDataClient(rclient),
rclient,
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
contextLoader,
nil,
"",


@ -45,7 +45,7 @@ func (l *mockContextLoader) Load(
ctx context.Context,
jp jmespath.Interface,
client engineapi.RawClient,
imgClient engineapi.ImageDataClient,
rclientFactory engineapi.RegistryClientFactory,
contextEntries []kyvernov1.ContextEntry,
jsonContext enginecontext.Interface,
) error {
@ -62,8 +62,8 @@ func (l *mockContextLoader) Load(
}
// Context Variable should be loaded after the values loaded from values file
for _, entry := range contextEntries {
if entry.ImageRegistry != nil && imgClient != nil {
if err := engineapi.LoadImageData(ctx, jp, imgClient, l.logger, entry, jsonContext); err != nil {
if entry.ImageRegistry != nil && rclientFactory != nil {
if err := engineapi.LoadImageData(ctx, jp, rclientFactory, l.logger, entry, jsonContext); err != nil {
return err
}
} else if entry.Variable != nil {


@ -13,6 +13,7 @@ import (
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/engine/adapters"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/factories"
enginetest "github.com/kyverno/kyverno/pkg/engine/test"
"github.com/kyverno/kyverno/pkg/registryclient"
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
@ -30,15 +31,14 @@ func testValidate(
contextLoader engineapi.ContextLoaderFactory,
) engineapi.EngineResponse {
if contextLoader == nil {
contextLoader = engineapi.DefaultContextLoaderFactory(nil)
contextLoader = factories.DefaultContextLoaderFactory(nil)
}
e := NewEngine(
cfg,
config.NewDefaultMetricsConfiguration(),
jp,
nil,
adapters.ImageDataClient(rclient),
rclient,
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
contextLoader,
nil,
"",


@ -9,8 +9,8 @@ import (
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/engine"
"github.com/kyverno/kyverno/pkg/engine/adapters"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
"github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/event"
"github.com/kyverno/kyverno/pkg/metrics"
@ -40,12 +40,11 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
configuration := config.NewDefaultConfiguration(false)
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister()
rclient := registryclient.NewOrDie()
jp := jmespath.New(configuration)
rclient := registryclient.NewOrDie()
return &resourceHandlers{
client: dclient,
rclient: rclient,
configuration: configuration,
metricsConfig: metricsConfig,
pCache: policyCache,
@ -60,9 +59,8 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
config.NewDefaultMetricsConfiguration(),
jp,
adapters.Client(dclient),
adapters.ImageDataClient(rclient),
rclient,
engineapi.DefaultContextLoaderFactory(configMapResolver),
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
factories.DefaultContextLoaderFactory(configMapResolver),
peLister,
"",
),


@ -19,7 +19,6 @@ import (
"github.com/kyverno/kyverno/pkg/metrics"
"github.com/kyverno/kyverno/pkg/openapi"
"github.com/kyverno/kyverno/pkg/policycache"
"github.com/kyverno/kyverno/pkg/registryclient"
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
@ -38,7 +37,6 @@ type resourceHandlers struct {
// clients
client dclient.Interface
kyvernoClient versioned.Interface
rclient registryclient.Client
engine engineapi.Engine
// config
@ -67,7 +65,6 @@ func NewHandlers(
engine engineapi.Engine,
client dclient.Interface,
kyvernoClient versioned.Interface,
rclient registryclient.Client,
configuration config.Configuration,
metricsConfig metrics.MetricsConfigManager,
pCache policycache.Cache,
@ -86,7 +83,6 @@ func NewHandlers(
engine: engine,
client: client,
kyvernoClient: kyvernoClient,
rclient: rclient,
configuration: configuration,
metricsConfig: metricsConfig,
pCache: pCache,


@ -11,6 +11,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine"
"github.com/kyverno/kyverno/pkg/engine/adapters"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/factories"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
log "github.com/kyverno/kyverno/pkg/logging"
"github.com/kyverno/kyverno/pkg/registryclient"
@ -1058,9 +1059,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
config.NewDefaultMetricsConfiguration(),
jp,
nil,
adapters.ImageDataClient(rclient),
rclient,
engineapi.DefaultContextLoaderFactory(nil),
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
factories.DefaultContextLoaderFactory(nil),
nil,
"",
)
@ -1161,9 +1161,8 @@ func Test_RuleSelector(t *testing.T) {
config.NewDefaultMetricsConfiguration(),
jp,
nil,
adapters.ImageDataClient(rclient),
rclient,
engineapi.DefaultContextLoaderFactory(nil),
factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
factories.DefaultContextLoaderFactory(nil),
nil,
"",
)


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: secret-in-keys
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,74 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-verify-images
---
apiVersion: v1
kind: ConfigMap
metadata:
name: keys
namespace: test-verify-images
data:
certificate: |-
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: secret-in-keys
spec:
validationFailureAction: Enforce
webhookTimeoutSeconds: 30
failurePolicy: Fail
rules:
- name: verify-signature-notary
context:
- name: keys
configMap:
name: keys
namespace: test-verify-images
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- type: Notary
imageReferences:
- "ghcr.io/kyverno/test-verify-image*"
attestors:
- count: 1
entries:
- certificates:
cert: "{{ keys.data.certificate }}"
imageRegistryCredentials:
secrets:
- testsecret
---
apiVersion: v1
data:
.dockerconfigjson: eyJhdXRocyI6eyJyZWciOnsidXNlcm5hbWUiOiJ1c2VyIiwicGFzc3dvcmQiOiJwYXNzIiwiYXV0aCI6ImRYTmxjanB3WVhOeiJ9fX0=
kind: Secret
metadata:
name: testsecret
namespace: kyverno
type: kubernetes.io/dockerconfigjson
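
Review bot: the `testsecret` Secret does not exercise the code path the test is meant to cover. Its `.dockerconfigjson` value decodes to an `auths` map keyed `reg` with the placeholder username `user` and password `pass`; that host does not match the `ghcr.io` registry used by `imageReferences`, so the keychain built from this secret never supplies a credential for the pull and verification succeeds whether or not the secret was loaded. To make the test meaningful, key the `auths` entry to the registry actually used, or add a negative case in which a policy references a Secret that does not exist and assert on the `GetClient` error surfacing in the rule response. The policy is also declared as `kyverno.io/v2beta1` while the assert file checks `kyverno.io/v1`; this works through conversion but is worth keeping consistent within one test.
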


@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: test-secret-pod
namespace: test-verify-images


@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: test-secret-pod
namespace: test-verify-images
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image:signed
name: test-secret


@ -0,0 +1,3 @@
# Title
This test tries to verify an image from a private repo using credentials stored in a Kubernetes Secret.
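
Review bot: the heading `# Title` is a template placeholder; replace it with a descriptive title (for example `# Verify image using registry credentials from a Secret`) so the kuttl test index stays readable. The description should also state that the Secret must be created in the `kyverno` namespace, since the manifest relies on that and it is a requirement policy authors need to know.
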