Merge branch 'main' of https://github.com/kyverno/kyverno into main

.github/workflows/helm-release.yaml

@@ -5,17 +5,44 @@ on:
       - 'main'
     paths:
       - 'charts/kyverno/Chart.yaml'
+      - '.github/workflows/helm-release.yaml'
 
 jobs:
-  create-release:
+  helm-tests:
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Unshallow
+        run: git fetch --prune --unshallow
+
+      - uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.0.1
+
+      - name: Run chart-testing (lint)
+        run: ct lint --target-branch=main --check-version-increment=false
+
+  create-release:
+    runs-on: ubuntu-latest
+    needs: helm-tests
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+          
       - name: Install Helm
         uses: azure/setup-helm@v1
         with:
-          version: v3.4.0
+          version: v3.4.1
 
       - name: Run chart-releaser
         uses: stefanprodan/helm-gh-pages@v1.4.1
         with:
           token: "${{ secrets.GITHUB_TOKEN }}"
+          linting: off

.github/workflows/helm-test.yaml

@@ -1,15 +1,11 @@
 name: helm-test
 on:
-  push:
-    branches:
-      - 'main'
-    paths:
-      - 'charts/kyverno/**'
   pull_request:
     branches:
       - 'main'
     paths:
       - 'charts/kyverno/**'
+      - '.github/workflows/helm-test.yaml'
 
 jobs:
   helm-tests:
@@ -29,4 +25,4 @@ jobs:
         uses: helm/chart-testing-action@v2.0.1
 
       - name: Run chart-testing (lint)
-        run: ct lint --target-branch=main --check-version-increment=true
+        run: ct lint --target-branch=main --check-version-increment=false

charts/kyverno/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: kyverno
-version: v1.4.3
+version: v1.4.2
 appVersion: v1.4.1
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Native Policy Management

cmd/kyverno/main.go

@@ -4,13 +4,14 @@ import (
 	"context"
 	"flag"
 	"fmt"
-	"github.com/kyverno/kyverno/pkg/cosign"
 	"net/http"
 	_ "net/http/pprof"
 	"os"
 	"strings"
 	"time"
 
+	"github.com/kyverno/kyverno/pkg/cosign"
+
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	kubeinformers "k8s.io/client-go/informers"
 	"k8s.io/klog/v2"

pkg/webhooks/server.go

@@ -9,8 +9,6 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/kyverno/kyverno/pkg/engine"
-
 	"github.com/go-logr/logr"
 	"github.com/julienschmidt/httprouter"
 	v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
@@ -20,8 +18,10 @@ import (
 	"github.com/kyverno/kyverno/pkg/common"
 	"github.com/kyverno/kyverno/pkg/config"
 	client "github.com/kyverno/kyverno/pkg/dclient"
+	"github.com/kyverno/kyverno/pkg/engine"
 	enginectx "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/response"
+	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/generate"
 	"github.com/kyverno/kyverno/pkg/metrics"
@@ -373,6 +373,10 @@ func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, a
 		return nil, errors.Wrap(err, "failed to add image information to the policy rule context")
 	}
 
+	if err := mutateResourceWithImageInfo(request.Object.Raw, ctx); err != nil {
+		ws.log.Error(err, "failed to patch images info to resource, policies that mutate images may be impacted")
+	}
+
 	policyContext := &engine.PolicyContext{
 		NewResource:         resource,
 		AdmissionInfo:       userRequestInfo,
@@ -623,3 +627,31 @@ func newVariablesContext(request *v1beta1.AdmissionRequest, userRequestInfo *v1.
 
 	return ctx, nil
 }
+
+func mutateResourceWithImageInfo(raw []byte, ctx *enginectx.Context) error {
+	images := ctx.ImageInfo()
+	if images == nil {
+		return nil
+	}
+
+	var patches [][]byte
+	for _, info := range images.Containers {
+		patches = append(patches, buildJSONPatch("replace", info.JSONPath, info.String()))
+	}
+
+	for _, info := range images.InitContainers {
+		patches = append(patches, buildJSONPatch("replace", info.JSONPath, info.String()))
+	}
+
+	patchedResource, err := engineutils.ApplyPatches(raw, patches)
+	if err != nil {
+		return err
+	}
+
+	return ctx.AddResource(patchedResource)
+}
+
+func buildJSONPatch(op, path, value string) []byte {
+	p := fmt.Sprintf(`{ "op": "%s", "path": "%s", "value":"%s" }`, op, path, value)
+	return []byte(p)
+}