From 5b4afa85e2b5ee06557aa7c934a8665b6ef5a813 Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Wed, 14 Oct 2020 19:23:08 -0700 Subject: [PATCH] add short names --- charts/kyverno/crds/crds.yaml | 6 +- definitions/crds/crds.yaml | 660 ++++++++++++++++++ definitions/crds/kustomization.yaml | 4 +- ...cy.kubernetes.io_clusterpolicyreports.yaml | 0 .../policy.kubernetes.io_policyreports.yaml | 0 definitions/install.yaml | 8 +- definitions/install_debug.yaml | 8 +- pkg/jobs/controller.go | 2 +- pkg/kyverno/report/common.go | 23 +- 9 files changed, 686 insertions(+), 25 deletions(-) mode change 100755 => 100644 definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml mode change 100755 => 100644 definitions/crds/policy.kubernetes.io_policyreports.yaml diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml index 2f8909487a..614130f502 100644 --- a/charts/kyverno/crds/crds.yaml +++ b/charts/kyverno/crds/crds.yaml @@ -276,7 +276,6 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.4 - creationTimestamp: null name: clusterpolicyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -311,6 +310,8 @@ spec: kind: ClusterPolicyReport listKind: ClusterPolicyReportList plural: clusterpolicyreports + shortNames: + - cpolr singular: clusterpolicyreport scope: Namespaced subresources: {} @@ -1001,7 +1002,6 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.4 - creationTimestamp: null name: policyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -1036,6 +1036,8 @@ spec: kind: PolicyReport listKind: PolicyReportList plural: policyreports + shortNames: + - polr singular: policyreport scope: Namespaced subresources: {} diff --git a/definitions/crds/crds.yaml b/definitions/crds/crds.yaml index 4efe95fb44..c78f744f88 100755 --- a/definitions/crds/crds.yaml +++ b/definitions/crds/crds.yaml 
@@ -739,3 +739,663 @@ spec: type: string namespace: type: string +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.4 + name: clusterpolicyreports.policy.kubernetes.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 + type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.kubernetes.io + names: + kind: ClusterPolicyReport + listKind: ClusterPolicyReportList + plural: clusterpolicyreports + singular: clusterpolicyreport + shortNames: + - cpolr + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + status: + description: Status indicates the result of the policy rule check + enum: + - Pass + - Fail + - Warn + - Error + - Skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the policy report scope. + For example. the report may be for all resources in a namespace, a for + a node, or cluster-wide. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + required: + - error + - fail + - pass + - skip + - warn + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.4 + name: policyreports.policy.kubernetes.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 + type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.kubernetes.io + names: + kind: PolicyReport + listKind: PolicyReportList + plural: policyreports + singular: policyreport + shortNames: + - polr + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: 
'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. 
Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. 
In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + status: + description: Status indicates the result of the policy rule check + enum: + - Pass + - Fail + - Warn + - Error + - Skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + required: + - error + - fail + - pass + - skip + - warn + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/definitions/crds/kustomization.yaml b/definitions/crds/kustomization.yaml index 3e07e5197d..8adb7f06ef 100755 --- a/definitions/crds/kustomization.yaml +++ b/definitions/crds/kustomization.yaml @@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./crds.yaml -- ./policy.kubernetes.io_clusterpolicyreports.yaml -- ./policy.kubernetes.io_policyreports.yaml \ No newline at end of file +- ./crds.yaml \ No newline at end of file diff --git a/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml b/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml old mode 100755 new mode 100644 diff --git a/definitions/crds/policy.kubernetes.io_policyreports.yaml b/definitions/crds/policy.kubernetes.io_policyreports.yaml old mode 100755 new mode 100644 diff --git a/definitions/install.yaml b/definitions/install.yaml index ec94dfcd6e..488d7c88be 100755 --- a/definitions/install.yaml +++ b/definitions/install.yaml 
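Review bot: Removing `./policy.kubernetes.io_clusterpolicyreports.yaml` and `./policy.kubernetes.io_policyreports.yaml` from `resources` in `definitions/crds/kustomization.yaml` leaves both files in the tree, since the diff only changes their mode. That gives a second, unreferenced copy of the two CRDs next to the one now appended to `crds.yaml`. The copies can drift apart, and anyone applying the standalone files would get a definition that may lack the new `shortNames`. Either delete the standalone files in this commit or keep them as the single source and build `crds.yaml` from them.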
@@ -281,7 +281,6 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.4 - creationTimestamp: null name: clusterpolicyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -316,6 +315,8 @@ spec: kind: ClusterPolicyReport listKind: ClusterPolicyReportList plural: clusterpolicyreports + shortNames: + - cpolr singular: clusterpolicyreport scope: Namespaced subresources: {} @@ -1006,7 +1007,6 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.4 - creationTimestamp: null name: policyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -1041,6 +1041,8 @@ spec: kind: PolicyReport listKind: PolicyReportList plural: policyreports + shortNames: + - polr singular: policyreport scope: Namespaced subresources: {} @@ -1613,7 +1615,7 @@ metadata: name: kyverno:policyreport rules: - apiGroups: - - "*" + - '*' resources: - policyreports - clusterpolicyreports diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 08e5e3ffba..92d0c0842c 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -281,7 +281,6 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.4 - creationTimestamp: null name: clusterpolicyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -316,6 +315,8 @@ spec: kind: ClusterPolicyReport listKind: ClusterPolicyReportList plural: clusterpolicyreports + shortNames: + - cpolr singular: clusterpolicyreport scope: Namespaced subresources: {} @@ -1006,7 +1007,6 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.4 - creationTimestamp: null name: policyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -1041,6 +1041,8 @@ spec: kind: PolicyReport listKind: PolicyReportList plural: policyreports + shortNames: + - polr singular: policyreport scope: Namespaced subresources: {} 
@@ -1613,7 +1615,7 @@ metadata: name: kyverno:policyreport rules: - apiGroups: - - policy.kubernetes.io + - '*' resources: - policyreports - clusterpolicyreports diff --git a/pkg/jobs/controller.go b/pkg/jobs/controller.go index 4b0ccb0015..3cfd4e5354 100644 --- a/pkg/jobs/controller.go +++ b/pkg/jobs/controller.go @@ -313,7 +313,7 @@ func (j *Job) CreateJob(args []string, jobType, scope string) error { { Name: strings.ToLower(fmt.Sprintf("%s-%s", jobType, scope)), Image: config.KyvernoCliImage, - ImagePullPolicy: apiv1.PullNever, + ImagePullPolicy: apiv1.PullAlways, Args: args, }, }, diff --git a/pkg/kyverno/report/common.go b/pkg/kyverno/report/common.go index c5a3b25900..381b6a112e 100644 --- a/pkg/kyverno/report/common.go +++ b/pkg/kyverno/report/common.go @@ -172,9 +172,6 @@ func backgroundScan(n, scope, policychange string, wg *sync.WaitGroup, restConfi } policy.MergeResources(resourceMap[constant.App], rMap) } else { - fmt.Println(r.GetName()) - fmt.Println(labels["app"]) - fmt.Println("========") if len(resourceMap[constant.Namespace]) == 0 { resourceMap[constant.Namespace] = make(map[string]unstructured.Unstructured) } @@ -346,7 +343,6 @@ func createResults(policyContext engine.PolicyContext, key string, results map[s Policy: pv.Spec.Policy, Rule: e.Name, Message: e.Message, - Status: policyreportv1alpha1.PolicyStatus(e.Check), } rd := &policyreportv1alpha1.ResourceStatus{ Resource: &corev1.ObjectReference{ @@ -355,6 +351,7 @@ func createResults(policyContext engine.PolicyContext, key string, results map[s APIVersion: pv.Spec.APIVersion, Name: pv.Spec.Name, }, + Status: policyreportv1alpha1.PolicyStatus(e.Check), } result.Resources = append(result.Resources, rd) results[appname] = append(results[appname], *result) 
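Review bot: The `kyverno:policyreport` rule in `definitions/install_debug.yaml` now has `apiGroups: ['*']` where it previously named `policy.kubernetes.io`, which widens the grant to `policyreports` and `clusterpolicyreports` resources in any API group. Both CRDs touched by this commit are in group `policy.kubernetes.io`, so the wildcard adds no access the role needs; keep `- policy.kubernetes.io` here. The same wildcard already exists in `definitions/install.yaml`, where the hunk only changes the quoting, and is worth narrowing there as well. The verbs and the rest of the ClusterRole are outside the hunk.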
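Review bot: `ImagePullPolicy: apiv1.PullAlways` makes every job created by `CreateJob` fetch `config.KyvernoCliImage` from the registry at start, so the code that runs is whatever that reference resolves to at that moment. If the constant is a mutable tag rather than a digest (its value is not visible here), the job image can change with no change to this file, and jobs will fail whenever the registry is unreachable. Consider pinning `config.KyvernoCliImage` by digest or using `apiv1.PullIfNotPresent` with a versioned tag, and if the new policy is intended add a comment such as `// PullAlways: CLI image tag is mutable, always fetch the current build`. The change is unrelated to the commit subject and may be a local debug setting; `CreateJob` continues outside the hunk.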
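Review bot: Moving `Status` from the `PolicyReportResult` literal to the `ResourceStatus` literal in `createResults` (and identically in `configmapScan`) changes the shape of the report, but the CRD schema added in this same commit still declares `status` on each `results` item and describes `resources` items as plain object references with no `status` property. As far as the diff shows, the Go types and the published schema now disagree, so a consumer reading `results[].status` would find it empty; please confirm and regenerate the CRDs from the updated types. A short comment on the literal, for example `// Status is recorded per resource, not per result`, would make the intent clear. Both functions start and end outside their hunks.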
@@ -443,7 +440,6 @@ func configmapScan(scope string, wg *sync.WaitGroup, restConfig *rest.Config, lo Policy: pv.Spec.Policy, Rule: r.Name, Message: r.Message, - Status: policyreportv1alpha1.PolicyStatus(r.Check), } rd := &policyreportv1alpha1.ResourceStatus{ Resource: &corev1.ObjectReference{ @@ -452,6 +448,7 @@ func configmapScan(scope string, wg *sync.WaitGroup, restConfig *rest.Config, lo APIVersion: pv.Spec.APIVersion, Name: pv.Spec.Name, }, + Status: policyreportv1alpha1.PolicyStatus(r.Check), } result.Resources = append(result.Resources, rd) @@ -528,10 +525,10 @@ func mergeReport(pr *policyreportv1alpha1.PolicyReport, results []policyreportv1 } } else { rules[key] = &policyreportv1alpha1.PolicyReportResult{ - Policy: v.Policy, - Rule: v.Rule, - Message: v.Message, - Status: v.Status, + Policy: v.Policy, + Rule: v.Rule, + Message: v.Message, + // Status: v.Status, Resources: make([]*policyreportv1alpha1.ResourceStatus, 0), } @@ -555,10 +552,10 @@ func mergeReport(pr *policyreportv1alpha1.PolicyReport, results []policyreportv1 } } else { rules[key] = &policyreportv1alpha1.PolicyReportResult{ - Policy: v.Policy, - Rule: v.Rule, - Message: v.Message, - Status: v.Status, + Policy: v.Policy, + Rule: v.Rule, + Message: v.Message, + // Status: v.Status, Resources: make([]*policyreportv1alpha1.ResourceStatus, 0), } rules[key].Resources = append(rules[key].Resources, r)
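Review bot: `// Status: v.Status,` is left as commented-out code in both `rules[key] = &policyreportv1alpha1.PolicyReportResult{...}` literals in `mergeReport`. Delete the line, or replace it with a comment that says why the result-level status is no longer copied, e.g. `// Status is carried on each entry of Resources`. If the field is serialized without `omitempty` (not visible here), an empty value may not satisfy the `status` enum in the CRD schema, which is worth checking before merge. `mergeReport` begins and ends outside the hunks.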