mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00

update cosign and other dependencies (#4873)

* update Cosign

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update Golang -> 1.18.x

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix make install-controller-gen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix flag init

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* comment out test - runs successfully locally, fails in PR

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* reinstate test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix crds generate and controller-gen version

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Prateek Pandey 2022-10-11 17:45:23 +05:30 committed by GitHub
parent d6a72d4412
commit 925d5fcddd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
29 changed files with 846 additions and 1195 deletions


@ -32,7 +32,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Cache Go modules
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0


@ -22,7 +22,7 @@ jobs:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: '1.17'
go-version: '1.18'
-
name: Generate Code Coverage Report
run: make code-cov-report


@ -36,7 +36,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Set up Helm
uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab # v1.1


@ -34,7 +34,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Set up Helm
uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab # v1.1


@ -14,7 +14,7 @@ jobs:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: "^1.17.x"
go-version: "1.18"
- run: go version
# Runs a set of commands to initialize and analyze with FOSSA
- name: run FOSSA analysis


@ -23,7 +23,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Cache Go modules
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
@ -73,7 +73,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Cache Go modules
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
@ -109,7 +109,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Cache Go modules
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
@ -154,7 +154,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Cache Go modules
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0


@ -72,7 +72,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Cache Go modules
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0


@ -48,7 +48,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Install Cosign
uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1


@ -27,7 +27,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Cache Go modules
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0
@ -88,7 +88,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # v2.1.5
with:
go-version: 1.17
go-version: 1.18
- name: Cache Go modules
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # v1.2.0


@ -10,7 +10,7 @@ GIT_BRANCH := $(shell git branch | grep \* | cut -d ' ' -f2)
GIT_HASH := $(GIT_BRANCH)/$(shell git log -1 --pretty=format:"%H")
TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p')
CONTROLLER_GEN=controller-gen
CONTROLLER_GEN_REQ_VERSION := v0.8.0
CONTROLLER_GEN_REQ_VERSION := v0.9.1-0.20220629131006-1878064c4cdf
VERSION ?= $(shell git describe --match "v[0-9]*")
REGISTRY?=ghcr.io
@ -372,8 +372,7 @@ install-controller-gen: ## Install controller-gen
CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
cd $$CONTROLLER_GEN_TMP_DIR ;\
go mod init tmp ;\
go mod edit -replace=sigs.k8s.io/controller-tools@$(CONTROLLER_GEN_REQ_VERSION)=github.com/eddycharly/controller-tools@704af868d45a3a78448b9a6a2279c12ea96a621e ;\
go get sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_REQ_VERSION) ;\
go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_REQ_VERSION) ;\
rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
}
CONTROLLER_GEN=$(GOPATH)/bin/controller-gen
@ -397,6 +396,7 @@ else
CONTROLLER_GEN=$(shell which controller-gen)
endif
.PHONY: deepcopy-autogen
deepcopy-autogen: controller-gen ## Generate deep copy code
$(CONTROLLER_GEN) object:headerFile="scripts/boilerplate.go.txt" paths="./..."
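Review bot: Whether a failed `go install` stops the `install-controller-gen` recipe cannot be seen from this hunk: the commands are joined with `;\`, so unless a `set -e` sits in the lines above the hunk, the brace group's exit status is that of the final `rm -rf` and `CONTROLLER_GEN` would then point at a stale or missing binary. Joining the steps with `&&`, e.g. `cd "$$CONTROLLER_GEN_TMP_DIR" && go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_REQ_VERSION)`, makes the failure path explicit. Since `go install pkg@version` builds without consulting a go.mod in the working directory, the `go mod init tmp` step, and probably the temporary directory itself, are no longer needed and could be dropped. Installing the pinned upstream pseudo-version instead of a `-replace` to a personal fork is the stronger supply-chain position; a one-line comment next to `CONTROLLER_GEN_REQ_VERSION` saying why an untagged commit is required would help whoever bumps it next.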


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
config.kubernetes.io/index: '1'
internal.config.kubernetes.io/index: '1'
creationTimestamp: null
@ -198,6 +198,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -233,6 +234,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -260,6 +262,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -324,6 +327,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -359,6 +363,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -386,6 +391,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -445,6 +451,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -480,6 +487,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -507,6 +515,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
@ -627,6 +636,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -662,6 +672,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -689,6 +700,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -753,6 +765,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -788,6 +801,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -815,6 +829,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -874,6 +889,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -909,6 +925,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -936,6 +953,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:
@ -1616,7 +1634,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
config.kubernetes.io/index: '2'
internal.config.kubernetes.io/index: '2'
creationTimestamp: null
@ -1727,6 +1745,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource checked by the policy and rule
items:
@ -1754,6 +1773,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -1824,6 +1844,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties:
@ -1854,6 +1875,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -1882,7 +1904,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
config.kubernetes.io/index: '3'
internal.config.kubernetes.io/index: '3'
creationTimestamp: null
@ -1993,6 +2015,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource checked by the policy and rule
items:
@ -2020,6 +2043,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -2090,6 +2114,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties:
@ -2120,6 +2145,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -2148,7 +2174,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
config.kubernetes.io/index: '4'
internal.config.kubernetes.io/index: '4'
creationTimestamp: null
@ -2323,7 +2349,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
config.kubernetes.io/index: '5'
internal.config.kubernetes.io/index: '5'
creationTimestamp: null
@ -2518,6 +2544,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -2553,6 +2580,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -2580,6 +2608,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -2644,6 +2673,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -2679,6 +2709,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -2706,6 +2737,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -2765,6 +2797,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -2800,6 +2833,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -2827,6 +2861,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
@ -2947,6 +2982,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -2982,6 +3018,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -3009,6 +3046,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -3073,6 +3111,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -3108,6 +3147,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -3135,6 +3175,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -3194,6 +3235,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
@ -3229,6 +3271,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
@ -3256,6 +3299,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:
@ -3936,7 +3980,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
config.kubernetes.io/index: '6'
internal.config.kubernetes.io/index: '6'
creationTimestamp: null
@ -4047,6 +4091,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource checked by the policy and rule
items:
@ -4074,6 +4119,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -4144,6 +4190,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties:
@ -4174,6 +4221,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -4202,7 +4250,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
config.kubernetes.io/index: '7'
internal.config.kubernetes.io/index: '7'
creationTimestamp: null
@ -4313,6 +4361,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource checked by the policy and rule
items:
@ -4340,6 +4389,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -4410,6 +4460,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified.
properties:
@ -4440,6 +4491,7 @@ spec:
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -4468,7 +4520,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
config.kubernetes.io/index: '8'
internal.config.kubernetes.io/index: '8'
creationTimestamp: null


@ -38,10 +38,15 @@ func main() {
}
func configurelog(cli *cobra.Command) {
// clear flags initialized in static dependencies
if flag.CommandLine.Lookup("log_dir") != nil {
flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
}
klog.InitFlags(nil)
cli.PersistentFlags().AddGoFlagSet(flag.CommandLine)
log.SetLogger(klogr.New())
cli.PersistentFlags().AddGoFlagSet(flag.CommandLine)
_ = cli.PersistentFlags().MarkHidden("alsologtostderr")
_ = cli.PersistentFlags().MarkHidden("logtostderr")
_ = cli.PersistentFlags().MarkHidden("log_dir")
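Review bot: Replacing `flag.CommandLine` wholesale in `configurelog` discards every flag a dependency registered on the global set, not only the one probed for with `Lookup("log_dir")`, and the package that registered them keeps its variables bound to the old set, so it runs on its defaults whatever is passed on the command line. If that package is a logging library, its output destination and verbosity are then no longer governed by the same-named flags that `klog.InitFlags(nil)` re-registers; this is inferred, since the registering dependency is not visible here. A comment naming the dependency and the reason for the reset would make the guard reviewable, e.g. `// <dependency> registers glog-style flags in init(); reset so klog.InitFlags does not hit a duplicate registration`. The same five lines are added to the two `main()` functions in the following file sections, and a single shared helper would keep the three copies from drifting apart. `configurelog` continues past the end of the hunk.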


@ -60,6 +60,11 @@ const (
)
func main() {
// clear flags initialized in static dependencies
if flag.CommandLine.Lookup("log_dir") != nil {
flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
}
klog.InitFlags(nil)
log.SetLogger(klogr.New().WithCallDepth(1))
// arguments


@ -73,6 +73,11 @@ var (
)
func main() {
// clear flags initialized in static dependencies
if flag.CommandLine.Lookup("log_dir") != nil {
flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
}
klog.InitFlags(nil)
log.SetLogger(klogr.New().WithCallDepth(1))
flag.IntVar(&webhookTimeout, "webhookTimeout", int(webhookconfig.DefaultWebhookTimeout), "Timeout for webhook configurations.")


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
name: clusterpolicies.kyverno.io
spec:
@ -280,6 +280,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -345,6 +346,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -388,6 +390,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -495,6 +498,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -560,6 +564,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -603,6 +608,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -699,6 +705,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -758,6 +765,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -800,6 +808,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
@ -990,6 +999,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -1055,6 +1065,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -1098,6 +1109,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -1205,6 +1217,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -1270,6 +1283,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -1313,6 +1327,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -1409,6 +1424,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -1468,6 +1484,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -1510,6 +1527,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
name: clusterreportchangerequests.kyverno.io
spec:
@ -132,6 +132,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -195,6 +196,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -283,6 +285,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -326,6 +329,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
name: generaterequests.kyverno.io
spec:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
name: policies.kyverno.io
spec:
@ -281,6 +281,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -346,6 +347,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -389,6 +391,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -496,6 +499,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -561,6 +565,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -604,6 +609,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -700,6 +706,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -759,6 +766,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -801,6 +809,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
@ -991,6 +1000,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -1056,6 +1066,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -1099,6 +1110,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -1206,6 +1218,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -1271,6 +1284,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -1314,6 +1328,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -1410,6 +1425,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -1469,6 +1485,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -1511,6 +1528,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
name: reportchangerequests.kyverno.io
spec:
@ -132,6 +132,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -195,6 +196,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -283,6 +285,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -326,6 +329,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
name: updaterequests.kyverno.io
spec:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
name: clusterpolicyreports.wgpolicyk8s.io
spec:
@ -132,6 +132,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -195,6 +196,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -283,6 +285,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -326,6 +329,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
name: policyreports.wgpolicyk8s.io
spec:
@ -131,6 +131,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -194,6 +195,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -282,6 +284,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -325,6 +328,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:


@ -14,7 +14,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -297,6 +297,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -362,6 +363,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -405,6 +407,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -512,6 +515,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -577,6 +581,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -620,6 +625,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -716,6 +722,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -775,6 +782,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -817,6 +825,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
@ -1007,6 +1016,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -1072,6 +1082,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -1115,6 +1126,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -1222,6 +1234,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -1287,6 +1300,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -1330,6 +1344,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -1426,6 +1441,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -1485,6 +1501,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -1527,6 +1544,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:
@ -2583,7 +2601,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -2718,6 +2736,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -2781,6 +2800,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -2869,6 +2889,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -2912,6 +2933,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -2945,7 +2967,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -3080,6 +3102,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -3143,6 +3166,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -3231,6 +3255,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -3274,6 +3299,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -3307,7 +3333,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -3497,7 +3523,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -3781,6 +3807,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -3846,6 +3873,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -3889,6 +3917,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -3996,6 +4025,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -4061,6 +4091,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -4104,6 +4135,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -4200,6 +4232,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -4259,6 +4292,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -4301,6 +4335,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
@ -4491,6 +4526,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -4556,6 +4592,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -4599,6 +4636,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -4706,6 +4744,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -4771,6 +4810,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -4814,6 +4854,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -4910,6 +4951,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -4969,6 +5011,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -5011,6 +5054,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:
@ -6068,7 +6112,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -6202,6 +6246,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -6265,6 +6310,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -6353,6 +6399,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -6396,6 +6443,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -6429,7 +6477,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -6564,6 +6612,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -6627,6 +6676,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -6715,6 +6765,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -6758,6 +6809,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -6791,7 +6843,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno


@ -13,7 +13,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -295,6 +295,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -360,6 +361,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -403,6 +405,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -510,6 +513,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -575,6 +579,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -618,6 +623,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -714,6 +720,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -773,6 +780,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -815,6 +823,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
@ -1005,6 +1014,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -1070,6 +1080,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -1113,6 +1124,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -1220,6 +1232,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -1285,6 +1298,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -1328,6 +1342,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -1424,6 +1439,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -1483,6 +1499,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -1525,6 +1542,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:
@ -2581,7 +2599,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -2715,6 +2733,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -2778,6 +2797,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -2866,6 +2886,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -2909,6 +2930,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -2942,7 +2964,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -3076,6 +3098,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -3139,6 +3162,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -3227,6 +3251,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -3270,6 +3295,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -3303,7 +3329,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -3492,7 +3518,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -3775,6 +3801,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -3840,6 +3867,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -3883,6 +3911,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -3990,6 +4019,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -4055,6 +4085,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -4098,6 +4129,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -4194,6 +4226,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -4253,6 +4286,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -4295,6 +4329,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
@ -4485,6 +4520,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -4550,6 +4586,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -4593,6 +4630,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -4700,6 +4738,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces
names. Each name supports wildcard characters
@ -4765,6 +4804,7 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role
@ -4808,6 +4848,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
@ -4904,6 +4945,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
@ -4963,6 +5005,7 @@ spec:
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
@ -5005,6 +5048,7 @@ spec:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:
@ -6062,7 +6106,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -6195,6 +6239,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -6258,6 +6303,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -6346,6 +6392,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -6389,6 +6436,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -6422,7 +6470,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
@ -6556,6 +6604,7 @@ spec:
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
@ -6619,6 +6668,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule execution
@ -6707,6 +6757,7 @@ spec:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
x-kubernetes-map-type: atomic
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
@ -6750,6 +6801,7 @@ spec:
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
summary:
description: PolicyReportSummary provides a summary of results
properties:
@ -6783,7 +6835,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.8.0
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno

262
go.mod

@ -1,6 +1,6 @@
module github.com/kyverno/kyverno
go 1.17
go 1.18
require (
github.com/aquilax/truncate v1.0.0
@ -18,12 +18,12 @@ require (
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
github.com/go-git/go-billy/v5 v5.0.0
github.com/go-git/go-git/v5 v5.2.0
github.com/go-logr/logr v1.2.2
github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839
github.com/go-logr/logr v1.2.3
github.com/google/go-containerregistry v0.11.0
github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20220301182634-bfe2ffc6b6bd
github.com/googleapis/gnostic v0.5.5
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf
github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add
github.com/jmespath/go-jmespath v0.4.0
github.com/julienschmidt/httprouter v1.3.0
github.com/kataras/tablewriter v0.0.0-20180708051242-e063d29b7c23
@ -31,20 +31,20 @@ require (
github.com/lensesio/tableprinter v0.0.0-20201125135848-89e81fc956e7
github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a
github.com/onsi/ginkgo v1.16.5
github.com/onsi/gomega v1.18.1
github.com/onsi/gomega v1.19.0
github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
github.com/patrickmn/go-cache v2.1.0+incompatible
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.12.1
github.com/prometheus/client_golang v1.13.0
github.com/robfig/cron/v3 v3.0.1
github.com/sigstore/cosign v1.9.0
github.com/sigstore/sigstore v1.2.1-0.20220424143412-3d41663116d5
github.com/spf13/cobra v1.4.0
github.com/stretchr/testify v1.7.1
github.com/sigstore/cosign v1.12.1
github.com/sigstore/sigstore v1.4.1
github.com/spf13/cobra v1.5.0
github.com/stretchr/testify v1.8.0
github.com/xanzy/ssh-agent v0.3.0 // indirect
gopkg.in/inf.v0 v0.9.1
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.0
gopkg.in/yaml.v3 v3.0.1
gotest.tools v2.2.0+incompatible
k8s.io/api v0.23.5
k8s.io/apiextensions-apiserver v0.23.4
@ -60,16 +60,16 @@ require (
)
require (
bitbucket.org/creachadair/shell v0.0.6 // indirect
cloud.google.com/go v0.100.2 // indirect
cloud.google.com/go/compute v1.6.1 // indirect
bitbucket.org/creachadair/shell v0.0.7 // indirect
cloud.google.com/go v0.103.0 // indirect
cloud.google.com/go/compute v1.7.0 // indirect
cloud.google.com/go/iam v0.3.0 // indirect
cloud.google.com/go/kms v1.4.0 // indirect
cloud.google.com/go/storage v1.22.1 // indirect
github.com/Azure/azure-sdk-for-go v63.3.0+incompatible // indirect
github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
github.com/Azure/azure-sdk-for-go v66.0.0+incompatible // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.11.27 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
github.com/Azure/go-autorest/autorest v0.11.28 // indirect
github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
@ -80,128 +80,139 @@ require (
github.com/IGLOU-EU/go-wildcard v1.0.3 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
github.com/Microsoft/go-winio v0.5.2 // indirect
github.com/PaesslerAG/gval v1.0.0 // indirect
github.com/PaesslerAG/jsonpath v0.1.1 // indirect
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect
github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
github.com/alibabacloud-go/darabonba-openapi v0.1.18 // indirect
github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68 // indirect
github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
github.com/alibabacloud-go/openapi-util v0.0.11 // indirect
github.com/alibabacloud-go/tea v1.1.18 // indirect
github.com/alibabacloud-go/tea-utils v1.4.4 // indirect
github.com/alibabacloud-go/tea-xml v1.1.2 // indirect
github.com/aliyun/credentials-go v1.2.3 // indirect
github.com/armon/go-metrics v0.4.0 // indirect
github.com/armon/go-radix v1.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
github.com/aws/aws-sdk-go v1.43.45 // indirect
github.com/aws/aws-sdk-go-v2 v1.16.4 // indirect
github.com/aws/aws-sdk-go-v2/config v1.14.0 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.9.0 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.11.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.5 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.3.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.6 // indirect
github.com/aws/aws-sdk-go-v2 v1.16.14 // indirect
github.com/aws/aws-sdk-go-v2/config v1.17.5 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.12.18 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.15 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.21 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.15 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.22 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 // indirect
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.8.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.10.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.15.0 // indirect
github.com/aws/smithy-go v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.15 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.18.9 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.11.21 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.3 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.16.17 // indirect
github.com/aws/smithy-go v1.13.2 // indirect
github.com/benbjohnson/clock v1.1.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/speakeasy v0.1.0 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/cenkalti/backoff/v3 v3.2.2 // indirect
github.com/cenkalti/backoff/v4 v4.1.3 // indirect
github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/clbanning/mxj/v2 v2.5.6 // indirect
github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect
github.com/coreos/go-oidc/v3 v3.1.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
github.com/coreos/go-oidc/v3 v3.4.0 // indirect
github.com/coreos/go-semver v0.3.0 // indirect
github.com/coreos/go-systemd/v22 v22.3.2 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/dimchansky/utfbom v1.1.1 // indirect
github.com/docker/cli v20.10.12+incompatible // indirect
github.com/docker/distribution v2.8.0+incompatible // indirect
github.com/docker/docker v20.10.12+incompatible // indirect
github.com/docker/cli v20.10.17+incompatible // indirect
github.com/docker/distribution v2.8.1+incompatible // indirect
github.com/docker/docker v20.10.17+incompatible // indirect
github.com/docker/docker-credential-helpers v0.6.4 // indirect
github.com/dustin/go-humanize v1.0.0 // indirect
github.com/emirpasic/gods v1.12.0 // indirect
github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 // indirect
github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect
github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
github.com/fsnotify/fsnotify v1.5.4 // indirect
github.com/fullstorydev/grpcurl v1.8.2 // indirect
github.com/fullstorydev/grpcurl v1.8.7 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-errors/errors v1.0.1 // indirect
github.com/go-git/gcfg v1.5.0 // indirect
github.com/go-openapi/analysis v0.21.2 // indirect
github.com/go-openapi/errors v0.20.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.21.4 // indirect
github.com/go-openapi/errors v0.20.3 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.19.6 // indirect
github.com/go-openapi/loads v0.21.1 // indirect
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/loads v0.21.2 // indirect
github.com/go-openapi/runtime v0.24.1 // indirect
github.com/go-openapi/spec v0.20.4 // indirect
github.com/go-openapi/strfmt v0.21.2 // indirect
github.com/go-openapi/swag v0.21.1 // indirect
github.com/go-openapi/validate v0.21.0 // indirect
github.com/go-openapi/spec v0.20.7 // indirect
github.com/go-openapi/strfmt v0.21.3 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/go-openapi/validate v0.22.0 // indirect
github.com/go-playground/locales v0.14.0 // indirect
github.com/go-playground/universal-translator v0.18.0 // indirect
github.com/go-playground/validator/v10 v10.10.0 // indirect
github.com/go-stack/stack v1.8.1 // indirect
github.com/go-playground/validator/v10 v10.11.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.3.0 // indirect
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
github.com/golang/glog v1.0.0 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/mock v1.6.0 // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/btree v1.0.1 // indirect
github.com/google/certificate-transparency-go v1.1.2 // indirect
github.com/google/go-cmp v0.5.8 // indirect
github.com/google/go-github/v42 v42.0.0 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/certificate-transparency-go v1.1.3 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/go-github/v45 v45.2.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/google/trillian v1.4.0 // indirect
github.com/google/trillian v1.5.0 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
github.com/googleapis/gax-go/v2 v2.4.0 // indirect
github.com/googleapis/go-type-adapters v1.0.0 // indirect
github.com/gorilla/websocket v1.4.2 // indirect
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-hclog v1.2.0 // indirect
github.com/hashicorp/go-hclog v1.2.2 // indirect
github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-plugin v1.4.4 // indirect
github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.5 // indirect
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 // indirect
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
github.com/hashicorp/go-sockaddr v1.0.2 // indirect
github.com/hashicorp/go-uuid v1.0.3 // indirect
github.com/hashicorp/go-version v1.5.0 // indirect
github.com/hashicorp/go-version v1.6.0 // indirect
github.com/hashicorp/golang-lru v0.5.4 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hashicorp/vault/api v1.5.0 // indirect
github.com/hashicorp/vault/sdk v0.5.0 // indirect
github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect
github.com/hashicorp/vault/api v1.7.2 // indirect
github.com/hashicorp/vault/sdk v0.5.3 // indirect
github.com/hashicorp/yamux v0.1.0 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect
github.com/jhump/protoreflect v1.9.0 // indirect
github.com/jonboulle/clockwork v0.2.2 // indirect
github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
github.com/jellydator/ttlcache/v2 v2.11.1 // indirect
github.com/jhump/protoreflect v1.12.0 // indirect
github.com/jonboulle/clockwork v0.3.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd // indirect
github.com/klauspost/compress v1.14.2 // indirect
github.com/klauspost/compress v1.15.8 // indirect
github.com/leodido/go-urn v1.2.1 // indirect
github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e // indirect
github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/magiconair/properties v1.8.6 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
@ -218,6 +229,7 @@ require (
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
github.com/nxadm/tail v1.4.8 // indirect
github.com/oklog/run v1.1.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
@ -226,13 +238,13 @@ require (
github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pelletier/go-toml/v2 v2.0.1 // indirect
github.com/pelletier/go-toml/v2 v2.0.5 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pierrec/lz4 v2.6.1+incompatible // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
github.com/prometheus/common v0.37.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/rogpeppe/go-internal v1.8.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
@ -242,83 +254,81 @@ require (
github.com/segmentio/ksuid v1.0.4 // indirect
github.com/sergi/go-diff v1.2.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 // indirect
github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 // indirect
github.com/sirupsen/logrus v1.8.1 // indirect
github.com/sigstore/fulcio v0.5.3 // indirect
github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
github.com/soheilhy/cmux v0.1.5 // indirect
github.com/spf13/afero v1.8.2 // indirect
github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/viper v1.12.0 // indirect
github.com/subosito/gotenv v1.3.0 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
github.com/spf13/viper v1.13.0 // indirect
github.com/subosito/gotenv v1.4.1 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
github.com/thales-e-security/pool v0.0.2 // indirect
github.com/theupdateframework/go-tuf v0.3.0 // indirect
github.com/theupdateframework/go-tuf v0.5.0 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/tjfoc/gmsm v1.3.2 // indirect
github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
github.com/transparency-dev/merkle v0.0.1 // indirect
github.com/urfave/cli v1.22.5 // indirect
github.com/urfave/cli v1.22.7 // indirect
github.com/vbatts/tar-split v0.11.2 // indirect
github.com/xanzy/go-gitlab v0.68.0 // indirect
github.com/xanzy/go-gitlab v0.73.1 // indirect
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
go.etcd.io/bbolt v1.3.6 // indirect
go.etcd.io/etcd/api/v3 v3.5.4 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.4 // indirect
go.etcd.io/etcd/client/v2 v2.305.4 // indirect
go.etcd.io/etcd/client/v3 v3.5.4 // indirect
go.etcd.io/etcd/etcdctl/v3 v3.5.0 // indirect
go.etcd.io/etcd/etcdutl/v3 v3.5.0 // indirect
go.etcd.io/etcd/pkg/v3 v3.5.0 // indirect
go.etcd.io/etcd/raft/v3 v3.5.0 // indirect
go.etcd.io/etcd/server/v3 v3.5.0 // indirect
go.etcd.io/etcd/tests/v3 v3.5.0 // indirect
go.etcd.io/etcd/v3 v3.5.0 // indirect
go.mongodb.org/mongo-driver v1.8.3 // indirect
go.etcd.io/etcd/api/v3 v3.6.0-alpha.0 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.6.0-alpha.0 // indirect
go.etcd.io/etcd/client/v2 v2.306.0-alpha.0 // indirect
go.etcd.io/etcd/client/v3 v3.6.0-alpha.0 // indirect
go.etcd.io/etcd/etcdctl/v3 v3.6.0-alpha.0 // indirect
go.etcd.io/etcd/etcdutl/v3 v3.6.0-alpha.0 // indirect
go.etcd.io/etcd/pkg/v3 v3.6.0-alpha.0 // indirect
go.etcd.io/etcd/raft/v3 v3.6.0-alpha.0 // indirect
go.etcd.io/etcd/server/v3 v3.6.0-alpha.0 // indirect
go.etcd.io/etcd/tests/v3 v3.6.0-alpha.0 // indirect
go.etcd.io/etcd/v3 v3.6.0-alpha.0 // indirect
go.mongodb.org/mongo-driver v1.10.0 // indirect
go.opencensus.io v0.23.0 // indirect
go.opentelemetry.io/contrib v1.3.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0 // indirect
go.opentelemetry.io/otel v0.20.0 // indirect
go.opentelemetry.io/otel/exporters/otlp v0.20.0 // indirect
go.opentelemetry.io/otel/metric v0.20.0 // indirect
go.opentelemetry.io/otel/sdk v0.20.0 // indirect
go.opentelemetry.io/otel/sdk/export/metric v0.20.0 // indirect
go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect
go.opentelemetry.io/otel/trace v0.20.0 // indirect
go.opentelemetry.io/proto/otlp v0.12.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0 // indirect
go.opentelemetry.io/otel v1.7.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.7.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.7.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.7.0 // indirect
go.opentelemetry.io/otel/sdk v1.7.0 // indirect
go.opentelemetry.io/otel/trace v1.7.0 // indirect
go.opentelemetry.io/proto/otlp v0.16.0 // indirect
go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.7.0 // indirect
go.uber.org/zap v1.21.0 // indirect
golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 // indirect
golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 // indirect
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
golang.org/x/tools v0.1.10 // indirect
golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df // indirect
google.golang.org/api v0.81.0 // indirect
go.uber.org/atomic v1.10.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
go.uber.org/zap v1.23.0 // indirect
golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 // indirect
golang.org/x/exp v0.0.0-20220823124025-807a23277127 // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
golang.org/x/net v0.0.0-20220909164309-bea034e7d591 // indirect
golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 // indirect
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
golang.org/x/sys v0.0.0-20220907062415-87db552b00fd // indirect
golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect
golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
golang.org/x/tools v0.1.12 // indirect
google.golang.org/api v0.96.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd // indirect
google.golang.org/grpc v1.46.2 // indirect
google.golang.org/protobuf v1.28.0 // indirect
google.golang.org/genproto v0.0.0-20220805133916-01dd62135a58 // indirect
google.golang.org/grpc v1.49.0 // indirect
google.golang.org/protobuf v1.28.1 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/ini.v1 v1.66.4 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
knative.dev/pkg v0.0.0-20220325200448-1f7514acd0c2 // indirect
sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
sigs.k8s.io/release-utils v0.6.0 // indirect
sigs.k8s.io/release-utils v0.7.3 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
)

1336
go.sum

File diff suppressed because it is too large Load diff


@ -85,11 +85,7 @@ func verifySignature(opts Options) (*Response, error) {
return nil, err
}
if err := matchSubjectAndIssuer(signatures, opts.Subject, opts.Issuer); err != nil {
return nil, err
}
if err := matchExtensions(signatures, opts.AdditionalExtensions); err != nil {
if err := matchCertificate(signatures, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil {
return nil, err
}
@ -182,7 +178,11 @@ func buildCosignOptions(opts Options) (*cosign.CheckOpts, error) {
} else {
// if key, cert, and roots are not provided, default to Fulcio roots
if cosignOpts.RootCerts == nil {
cosignOpts.RootCerts = fulcio.GetRoots()
cosignOpts.RootCerts, err = fulcio.GetRoots()
if err != nil {
return nil, errors.Wrapf(err, "failed to initialize roots")
}
if cosignOpts.RootCerts == nil {
return nil, fmt.Errorf("failed to initialize roots")
}
@ -417,37 +417,8 @@ func extractDigest(imgRef string, payload []payload.SimpleContainerImage) (strin
return "", fmt.Errorf("digest not found for " + imgRef)
}
func matchSubjectAndIssuer(signatures []oci.Signature, subject, issuer string) error {
if subject == "" && issuer == "" {
return nil
}
var s string
for _, sig := range signatures {
cert, err := sig.Cert()
if err != nil {
return errors.Wrap(err, "failed to read certificate")
}
if cert == nil {
return errors.Wrap(err, "certificate not found")
}
s = sigs.CertSubject(cert)
i := sigs.CertIssuerExtension(cert)
if subject == "" || wildcard.Match(subject, s) {
if issuer == "" || (issuer == i) {
return nil
} else {
return fmt.Errorf("issuer mismatch: expected %s, got %s", i, issuer)
}
}
}
return fmt.Errorf("subject mismatch: expected %s, got %s", s, subject)
}
func matchExtensions(signatures []oci.Signature, requiredExtensions map[string]string) error {
if len(requiredExtensions) == 0 {
func matchCertificate(signatures []oci.Signature, subject, issuer string, extensions map[string]string) error {
if subject == "" && issuer == "" && len(extensions) == 0 {
return nil
}
@ -458,36 +429,67 @@ func matchExtensions(signatures []oci.Signature, requiredExtensions map[string]s
}
if cert == nil {
return errors.Wrap(err, "certificate not found")
return errors.Errorf("certificate not found")
}
// This will return a map which consists of readable extension-names as keys
// or the raw extensionIDs as fallback and its values.
certExtensions := sigs.CertExtensions(cert)
for requiredKey, requiredValue := range requiredExtensions {
certValue, ok := certExtensions[requiredKey]
if !ok {
// "requiredKey" seems to be an extensionID, try to resolve its human readable name
readableName, ok := sigs.CertExtensionMap[requiredKey]
if !ok {
return fmt.Errorf("key %s not present", requiredKey)
}
certValue, ok = certExtensions[readableName]
if !ok {
return fmt.Errorf("key %s (%s) not present", requiredKey, readableName)
}
if subject != "" {
s := sigs.CertSubject(cert)
if !wildcard.Match(subject, s) {
return fmt.Errorf("subject mismatch: expected %s, received %s", subject, s)
}
}
if requiredValue != "" && !wildcard.Match(requiredValue, certValue) {
return fmt.Errorf("extension mismatch: expected %s for key %s, got %s", requiredValue, requiredKey, certValue)
}
if err := matchExtensions(cert, issuer, extensions); err != nil {
return err
}
}
return nil
}
func matchExtensions(cert *x509.Certificate, issuer string, extensions map[string]string) error {
ce := cosign.CertExtensions{Cert: cert}
if issuer != "" {
val := ce.GetIssuer()
if !wildcard.Match(issuer, val) {
return fmt.Errorf("issuer mismatch: expected %s, received %s", issuer, val)
}
}
for requiredKey, requiredValue := range extensions {
val, err := extractCertExtensionValue(requiredKey, ce)
if err != nil {
return err
}
if !wildcard.Match(requiredValue, val) {
return fmt.Errorf("extension mismatch: expected %s for key %s, received %s", requiredValue, requiredKey, val)
}
}
return nil
}
func extractCertExtensionValue(key string, ce cosign.CertExtensions) (string, error) {
switch key {
case cosign.CertExtensionOIDCIssuer, cosign.CertExtensionMap[cosign.CertExtensionOIDCIssuer]:
return ce.GetIssuer(), nil
case cosign.CertExtensionGithubWorkflowTrigger, cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowTrigger]:
return ce.GetCertExtensionGithubWorkflowTrigger(), nil
case cosign.CertExtensionGithubWorkflowSha, cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowSha]:
return ce.GetExtensionGithubWorkflowSha(), nil
case cosign.CertExtensionGithubWorkflowName, cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowName]:
return ce.GetCertExtensionGithubWorkflowName(), nil
case cosign.CertExtensionGithubWorkflowRepository, cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowRepository]:
return ce.GetCertExtensionGithubWorkflowRepository(), nil
case cosign.CertExtensionGithubWorkflowRef, cosign.CertExtensionMap[cosign.CertExtensionGithubWorkflowRef]:
return ce.GetCertExtensionGithubWorkflowRef(), nil
default:
return "", errors.Errorf("invalid certificate extension %s", key)
}
}
func checkAnnotations(payload []payload.SimpleContainerImage, annotations map[string]string) error {
for _, p := range payload {
for key, val := range annotations {
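Review bot: The new `matchExtensions` no longer tells an absent extension apart from an empty one. The removed version returned `key %s not present` when the certificate lacked the required key and skipped the comparison only when `requiredValue` was empty, whereas the new loop hands whatever `extractCertExtensionValue` returns straight to `wildcard.Match(requiredValue, val)`. If the `cosign.CertExtensions` getters yield an empty string for a missing extension (their bodies are not visible here), a policy value of `*` would accept a certificate that does not carry the extension at all, and an empty policy value stops meaning "any value, but present". I would add `if val == "" { return fmt.Errorf("extension %s not present", requiredKey) }` after the lookup and keep the old `requiredValue != ""` guard in front of the match. Separately, `matchCertificate` returns on the first signature whose subject differs, while the removed `matchSubjectAndIssuer` accepted the image as soon as any signature matched; that change for multiply-signed images deserves a comment and a test.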


@ -71,11 +71,11 @@ func TestCosignKeyless(t *testing.T) {
}
_, err := verifySignature(opts)
assert.Error(t, err, "subject mismatch: expected jim@nirmata.com, got jim")
assert.Error(t, err, "subject mismatch: expected jim, received jim@nirmata.com")
opts.Subject = "jim@nirmata.com"
_, err = verifySignature(opts)
assert.Error(t, err, "issuer mismatch: expected https://github.com/login/oauth, got https://github.com/")
assert.Error(t, err, "issuer mismatch: expected https://github.com/, received https://github.com/login/oauth")
opts.Issuer = "https://github.com/login/oauth"
_, err = verifySignature(opts)


@ -316,7 +316,7 @@ var testSampleResource = `{
}`
var testVerifyImageKey = `-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END PUBLIC KEY-----\n`
var testOtherKey = `-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyBg8yod24/wIcc5QqlVLtCfL+6Te+nwdPdTvMb1AiZn24zBToHJVZvQdYLgRWAbh0Jd+6JhEwsDmnXRrlV7rfw==\n-----END PUBLIC KEY-----\n`
var testOtherKey = `-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpNlOGZ323zMlhs4bcKSpAKQvbcWi5ZLRmijm6SqXDy0Fp0z0Eal+BekFnLzs8rUXUaXlhZ3hNudlgFJH+nFNMw==\n-----END PUBLIC KEY-----\n`
func Test_SignatureGoodSigned(t *testing.T) {
policyContext := buildContext(t, testSampleSingleKeyPolicy, testSampleResource, "")