From 216a4e13bf851856abf973b3f68e89b0e120550d Mon Sep 17 00:00:00 2001 From: georgekaz Date: Mon, 19 Jul 2021 21:01:17 +0100 Subject: [PATCH 1/5] Fix helm-release workflow (#2150) * add checkout step to helm releaser. Signed-off-by: George Kaz Increment version Signed-off-by: George Kaz * disable version check, revert version no. to last released Signed-off-by: George Kaz --- .github/workflows/helm-release.yaml | 5 +++++ .github/workflows/helm-test.yaml | 2 +- charts/kyverno/Chart.yaml | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 1da0e58a9a..498877108e 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -10,6 +10,11 @@ jobs: create-release: runs-on: ubuntu-latest steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Install Helm uses: azure/setup-helm@v1 with: diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml index 25b96501a8..9aff29369c 100644 --- a/.github/workflows/helm-test.yaml +++ b/.github/workflows/helm-test.yaml @@ -29,4 +29,4 @@ jobs: uses: helm/chart-testing-action@v2.0.1 - name: Run chart-testing (lint) - run: ct lint --target-branch=main --check-version-increment=true + run: ct lint --target-branch=main --check-version-increment=false diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 4a0f23f6ca..b297190a41 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: kyverno -version: v1.4.3 +version: v1.4.2 appVersion: v1.4.1 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management From 2de0af635e786a76ddce6724b4fd997ebbd85008 Mon Sep 17 00:00:00 2001 From: shuting Date: Tue, 20 Jul 2021 00:15:33 -0700 Subject: [PATCH 2/5] Bump Helm version (#2167) * bump helm version 
Signed-off-by: Shuting Zhao * update helm-release trigger paths Signed-off-by: Shuting Zhao --- .github/workflows/helm-release.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 498877108e..0e9f89f3a2 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -5,6 +5,7 @@ on: - 'main' paths: - 'charts/kyverno/Chart.yaml' + - '.github/workflows/helm-release.yaml' jobs: create-release: @@ -18,7 +19,7 @@ jobs: - name: Install Helm uses: azure/setup-helm@v1 with: - version: v3.4.0 + version: v3.4.1 - name: Run chart-releaser uses: stefanprodan/helm-gh-pages@v1.4.1 From 3de61281472743327ac2d285e68bff1d7c2bae0a Mon Sep 17 00:00:00 2001 From: shuting Date: Tue, 20 Jul 2021 12:49:37 -0700 Subject: [PATCH 3/5] Bugfixes/helm release (#2173) * bump helm version Signed-off-by: Shuting Zhao * update helm-release trigger paths Signed-off-by: Shuting Zhao * disable linting Signed-off-by: Shuting Zhao * disable linting Signed-off-by: Shuting Zhao --- .github/workflows/helm-release.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 0e9f89f3a2..beb8c1a485 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -24,4 +24,5 @@ jobs: - name: Run chart-releaser uses: stefanprodan/helm-gh-pages@v1.4.1 with: - token: "${{ secrets.GITHUB_TOKEN }}" \ No newline at end of file + token: "${{ secrets.GITHUB_TOKEN }}" + linting: off \ No newline at end of file From c73a14eba2cb50e8d156ea047c5af273108bd670 Mon Sep 17 00:00:00 2001 From: georgekaz Date: Wed, 21 Jul 2021 01:06:56 +0100 Subject: [PATCH 4/5] add tests before release (#2174) Signed-off-by: George Kaz --- .github/workflows/helm-release.yaml | 20 ++++++++++++++++++++ .github/workflows/helm-test.yaml | 6 +----- 2 files changed, 21 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index beb8c1a485..b804564db5 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -8,8 +8,28 @@ on: - '.github/workflows/helm-release.yaml' jobs: + helm-tests: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Unshallow + run: git fetch --prune --unshallow + + - uses: actions/setup-python@v2 + with: + python-version: 3.7 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.0.1 + + - name: Run chart-testing (lint) + run: ct lint --target-branch=main --check-version-increment=false + create-release: runs-on: ubuntu-latest + needs: helm-tests steps: - name: Checkout uses: actions/checkout@v2 diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml index 9aff29369c..246a024eb8 100644 --- a/.github/workflows/helm-test.yaml +++ b/.github/workflows/helm-test.yaml @@ -1,15 +1,11 @@ name: helm-test on: - push: - branches: - - 'main' - paths: - - 'charts/kyverno/**' pull_request: branches: - 'main' paths: - 'charts/kyverno/**' + - '.github/workflows/helm-test.yaml' jobs: helm-tests: From b2515fa9eb1bfb4aafce06b8b5a052ad80c7cd02 Mon Sep 17 00:00:00 2001 From: shuting Date: Tue, 20 Jul 2021 21:20:37 -0700 Subject: [PATCH 5/5] Add default image registry to patched resource (#2166) --- cmd/kyverno/main.go | 3 ++- pkg/webhooks/server.go | 36 ++++++++++++++++++++++++++++++++++-- 2 files changed, 36 insertions(+), 3 deletions(-) diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index b61936effd..6fead7455b 100755 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -4,13 +4,14 @@ import ( "context" "flag" "fmt" - "github.com/kyverno/kyverno/pkg/cosign" "net/http" _ "net/http/pprof" "os" "strings" "time" + "github.com/kyverno/kyverno/pkg/cosign" + "github.com/prometheus/client_golang/prometheus/promhttp" kubeinformers "k8s.io/client-go/informers" "k8s.io/klog/v2" 
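Review bot: The new helm-tests job that now gates create-release pulls `actions/setup-python@v2` and `helm/chart-testing-action@v2.0.1` by mutable tag, so what actually runs in the release path is whatever those tags resolve to at run time; the same holds for `actions/checkout@v2` and for the existing `stefanprodan/helm-gh-pages@v1.4.1` step that is handed `secrets.GITHUB_TOKEN`. Pinning every `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v2`, makes the release workflow reproducible and turns action updates into reviewable diffs. The new job also unshallows with `git fetch --prune --unshallow` while create-release uses `fetch-depth: 0` on its checkout step; using one form in both jobs would keep them consistent. The remaining steps of create-release are outside this hunk.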
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 02166662d2..df1806a878 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -9,8 +9,6 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/kyverno/kyverno/pkg/engine"
-
 	"github.com/go-logr/logr"
 	"github.com/julienschmidt/httprouter"
 	v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
@@ -20,8 +18,10 @@ import (
 	"github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/config"
 	client "github.com/kyverno/kyverno/pkg/dclient"
+	"github.com/kyverno/kyverno/pkg/engine"
 	enginectx "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/response"
+	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/generate"
 	"github.com/kyverno/kyverno/pkg/metrics"
@@ -373,6 +373,10 @@ func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, a
 		return nil, errors.Wrap(err, "failed to add image information to the policy rule context")
 	}
 
+	if err := mutateResourceWithImageInfo(request.Object.Raw, ctx); err != nil {
+		ws.log.Error(err, "failed to patch images info to resource, policies that mutate images may be impacted")
+	}
+
 	policyContext := &engine.PolicyContext{
 		NewResource: resource,
 		AdmissionInfo: userRequestInfo,
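Review bot: The bytes patched by mutateResourceWithImageInfo are stored only in `ctx` through AddResource, while `NewResource: resource` on the following lines still carries the resource exactly as submitted, so a policy sees the registry-qualified image through the variable context but the unqualified one through NewResource. If that asymmetry is intended it deserves a comment at the call site, e.g. `// Best effort: image references are normalized in the variable context only; NewResource keeps the submitted bytes.`. When the patch fails the error is only logged and evaluation proceeds against the unnormalized `request.object`; `ws.log.Error(err, "failed to patch image info into resource; policies that match or mutate images may see unnormalized references")` would state that consequence more plainly than the current wording. buildPolicyContext continues outside the hunk on both sides.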
@@ -623,3 +627,31 @@ func newVariablesContext(request *v1beta1.AdmissionRequest, userRequestInfo *v1.
 
 	return ctx, nil
 }
+
+func mutateResourceWithImageInfo(raw []byte, ctx *enginectx.Context) error {
+	images := ctx.ImageInfo()
+	if images == nil {
+		return nil
+	}
+
+	var patches [][]byte
+	for _, info := range images.Containers {
+		patches = append(patches, buildJSONPatch("replace", info.JSONPath, info.String()))
+	}
+
+	for _, info := range images.InitContainers {
+		patches = append(patches, buildJSONPatch("replace", info.JSONPath, info.String()))
+	}
+
+	patchedResource, err := engineutils.ApplyPatches(raw, patches)
+	if err != nil {
+		return err
+	}
+
+	return ctx.AddResource(patchedResource)
+}
+
+func buildJSONPatch(op, path, value string) []byte {
+	p := fmt.Sprintf(`{ "op": "%s", "path": "%s", "value":"%s" }`, op, path, value)
+	return []byte(p)
+}
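Review bot: buildJSONPatch assembles the patch with fmt.Sprintf and no JSON escaping, and the value it is given is `info.String()`, which mutateResourceWithImageInfo presumably derives from the image references of the submitted resource; a `"` or `\` in such a value yields malformed JSON or a patch object other than the intended one, and the only symptom is the logged error in buildPolicyContext. Encoding the patch with the standard library removes that dependence on the input: `// marshalling a map[string]string cannot fail`, `p, _ := json.Marshal(map[string]string{"op": op, "path": path, "value": value})`, `return p` (add `encoding/json` to the import block if it is not already there). The same consideration applies to `info.JSONPath` if it can ever carry `/` or `~` inside a segment, which RFC 6901 requires to be escaped, though from this hunk it looks like it is built from container indices. Naming the `*enginectx.Context` parameter `ctx` invites confusion with `context.Context`; `vars` or `ectx` would read more clearly.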