Merge commit

charts/kyverno/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: kyverno
-version: 1.2.1
-appVersion: v1.2.1
+version: v1.3.0-rc1
+appVersion: v1.3.0-rc1
 icon: https://github.com/kyverno/kyverno/blob/master/documentation/images/Kyverno_Horizontal.png
 description: Kubernetes Native Policy Management
 keywords:

charts/kyverno/crds/crds.yaml

@@ -3,6 +3,17 @@ kind: CustomResourceDefinition
 metadata:
   name: clusterpolicies.kyverno.io
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.background
+    description: Background controls if rules are applied to existing resources during
+      a background scan.
+    name: Background
+    type: string
+  - JSONPath: .spec.validationFailureAction
+    description: ValidationFailureAction controls if a policy failure should disallow
+      (enforce) or allow and report (audit) the admission review request.
+    name: Validation Failure Action
+    type: string
   group: kyverno.io
   names:
     kind: ClusterPolicy
@@ -1010,6 +1021,17 @@ kind: CustomResourceDefinition
 metadata:
   name: policies.kyverno.io
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.background
+    description: Background controls if rules are applied to existing resources during
+      a background scan.
+    name: Background
+    type: string
+  - JSONPath: .spec.validationFailureAction
+    description: ValidationFailureAction controls if a policy failure should disallow
+      (enforce) or allow and report (audit) the admission review request.
+    name: Validation Failure Action
+    type: string
   group: kyverno.io
   names:
     kind: Policy
@@ -1927,4 +1949,4 @@ status:
     kind: ""
     plural: ""
   conditions: []
-  storedVersions: []
+  storedVersions: []

definitions/crds/crds.yaml

@@ -3,6 +3,15 @@ kind: CustomResourceDefinition
 metadata:
   name: clusterpolicies.kyverno.io
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.background
+    description: Background controls if rules are applied to existing resources during a background scan.
+    name: Background
+    type: string
+  - JSONPath: .spec.validationFailureAction
+    description: ValidationFailureAction controls if a policy failure should disallow (enforce) or allow and report (audit) the admission review request.
+    name: Validation Failure Action
+    type: string
   group: kyverno.io
   versions:
     - name: v1
@@ -277,6 +286,15 @@ kind: CustomResourceDefinition
 metadata:
   name: policies.kyverno.io
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.background
+    description: Background controls if rules are applied to existing resources during a background scan.
+    name: Background
+    type: string
+  - JSONPath: .spec.validationFailureAction
+    description: ValidationFailureAction controls if a policy failure should disallow (enforce) or allow and report (audit) the admission review request.
+    name: Validation Failure Action
+    type: string
   group: kyverno.io
   versions:
     - name: v1

definitions/install.yaml

@@ -8,6 +8,17 @@ kind: CustomResourceDefinition
 metadata:
   name: clusterpolicies.kyverno.io
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.background
+    description: Background controls if rules are applied to existing resources during
+      a background scan.
+    name: Background
+    type: string
+  - JSONPath: .spec.validationFailureAction
+    description: ValidationFailureAction controls if a policy failure should disallow
+      (enforce) or allow and report (audit) the admission review request.
+    name: Validation Failure Action
+    type: string
   group: kyverno.io
   names:
     kind: ClusterPolicy
@@ -1015,6 +1026,17 @@ kind: CustomResourceDefinition
 metadata:
   name: policies.kyverno.io
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.background
+    description: Background controls if rules are applied to existing resources during
+      a background scan.
+    name: Background
+    type: string
+  - JSONPath: .spec.validationFailureAction
+    description: ValidationFailureAction controls if a policy failure should disallow
+      (enforce) or allow and report (audit) the admission review request.
+    name: Validation Failure Action
+    type: string
   group: kyverno.io
   names:
     kind: Policy
@@ -2376,7 +2398,7 @@ spec:
               fieldPath: metadata.namespace
         - name: KYVERNO_SVC
           value: kyverno-svc
-        image: nirmata/kyverno:v1.2.1
+        image: nirmata/kyverno:v1.3.0-rc1
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 4
@@ -2419,7 +2441,7 @@ spec:
           runAsNonRoot: true
           runAsUser: 1000
       initContainers:
-      - image: nirmata/kyvernopre:v1.2.1
+      - image: nirmata/kyvernopre:v1.3.0-rc1
         imagePullPolicy: Always
         name: kyverno-pre
         securityContext:
@@ -2433,4 +2455,4 @@ spec:
           runAsUser: 1000
       securityContext:
         runAsNonRoot: true
-      serviceAccountName: kyverno-service-account
+      serviceAccountName: kyverno-service-account

definitions/install_debug.yaml

@@ -8,6 +8,17 @@ kind: CustomResourceDefinition
 metadata:
   name: clusterpolicies.kyverno.io
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.background
+    description: Background controls if rules are applied to existing resources during
+      a background scan.
+    name: Background
+    type: string
+  - JSONPath: .spec.validationFailureAction
+    description: ValidationFailureAction controls if a policy failure should disallow
+      (enforce) or allow and report (audit) the admission review request.
+    name: Validation Failure Action
+    type: string
   group: kyverno.io
   names:
     kind: ClusterPolicy
@@ -1015,6 +1026,17 @@ kind: CustomResourceDefinition
 metadata:
   name: policies.kyverno.io
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.background
+    description: Background controls if rules are applied to existing resources during
+      a background scan.
+    name: Background
+    type: string
+  - JSONPath: .spec.validationFailureAction
+    description: ValidationFailureAction controls if a policy failure should disallow
+      (enforce) or allow and report (audit) the admission review request.
+    name: Validation Failure Action
+    type: string
   group: kyverno.io
   names:
     kind: Policy
@@ -2344,4 +2366,4 @@ spec:
   - port: 443
     targetPort: https
   selector:
-    app: kyverno
+    app: kyverno

definitions/kustomization.yaml

@@ -8,7 +8,7 @@ resources:
 images:
 - name: nirmata/kyverno
   newName: nirmata/kyverno
-  newTag: v1.2.1
+  newTag: v1.3.0-rc1
 - name: nirmata/kyvernopre
   newName: nirmata/kyvernopre
-  newTag: v1.2.1
+  newTag: v1.3.0-rc1

go.sum

@@ -349,7 +349,6 @@ github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSN
 github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@@ -433,7 +432,6 @@ github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf/go.mod h1:hyb9oH7vZsitZCiBt0ZvifOrB+qc8PS5IiilCIb87rg=
-github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jcmturner/gofork v0.0.0-20190328161633-dc7c13fece03/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=

pkg/api/kyverno/v1/types.go

@@ -148,10 +148,11 @@ type Policy struct {
 type Spec struct {
 	// Rules contains the list of rules to be applied to resources
 	Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`
-	// ValidationFailureAction provides choice to enforce rules to resources during policy violations.
+	// ValidationFailureAction controls if a policy failure should not disallow
+	// an admission review request (enforce), or allow (audit) and report an error.
 	// Default value is "audit".
 	ValidationFailureAction string `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
-	// Background provides choice for applying rules to existing resources.
+	// Background controls if rules are applied to existing resources during a background scan.
 	// Default value is "true".
 	Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
 }

pkg/engine/utils.go

@@ -232,7 +232,7 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k
 	}
 
 	// creating final error
-	var errorMessage = "rule not matched:"
+	var errorMessage = fmt.Sprintf("rule %s not matched:", ruleRef.Name)
 	for i, reasonForFailure := range reasonsForFailure {
 		if reasonForFailure != nil {
 			errorMessage += "\n " + fmt.Sprint(i+1) + ". " + reasonForFailure.Error()

pkg/engine/validate/common.go

@@ -20,6 +20,8 @@ func convertNumberToString(value interface{}) (string, error) {
 		return strconv.FormatInt(typed, 10), nil
 	case int:
 		return strconv.Itoa(typed), nil
+	case nil:
+		return "", fmt.Errorf("got empty string, expect %v", value)
 	default:
 		return "", fmt.Errorf("could not convert %v to string", typed)
 	}

pkg/engine/validate/pattern.go

@@ -205,7 +205,7 @@ func validateString(log logr.Logger, value interface{}, pattern string, operator
 			ok = false
 		}
 		if !ok {
-			log.Info("unexpected type : ", "type", fmt.Sprintf("%T", value), "value", value)
+			log.V(4).Info("unexpected type", "got", value, "expect", pattern)
 			return false
 		}
 

pkg/engine/validation.go

@@ -274,6 +274,7 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 
 		if path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern); err != nil {
 			// validation failed
+			logger.V(5).Info(err.Error())
 			resp.Success = false
 			resp.Message = fmt.Sprintf("Validation error: %s; Validation rule %s failed at path %s",
 				rule.Validation.Message, rule.Name, path)

pkg/event/controller.go

@@ -2,13 +2,13 @@ package event
 
 import (
 	"github.com/go-logr/logr"
-
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
 	kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
 	kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/constant"
 	client "github.com/kyverno/kyverno/pkg/dclient"
 	v1 "k8s.io/api/core/v1"
+	errors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -138,7 +138,9 @@ func (gen *Generator) handleErr(err error, key interface{}) {
 	}
 
 	gen.queue.Forget(key)
-	logger.Error(err, "failed to generate event", "key", key)
+	if !errors.IsNotFound(err) {
+		logger.Error(err, "failed to generate event", "key", key)
+	}
 }
 
 func (gen *Generator) processNextWorkItem() bool {
@@ -184,7 +186,9 @@ func (gen *Generator) syncHandler(key Info) error {
 	default:
 		robj, err = gen.client.GetResource("", key.Kind, key.Namespace, key.Name)
 		if err != nil {
-			logger.Error(err, "failed to get resource", "kind", key.Kind, "name", key.Name, "namespace", key.Namespace)
+			if !errors.IsNotFound(err) {
+				logger.Error(err, "failed to get resource", "kind", key.Kind, "name", key.Name, "namespace", key.Namespace)
+			}
 			return err
 		}
 	}

pkg/kyverno/apply/command.go

@@ -10,12 +10,12 @@ import (
 	"reflect"
 	"strings"
 	"time"
-	"github.com/kyverno/kyverno/pkg/engine/response"
-	yaml1 "sigs.k8s.io/yaml"
+
 	v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
 	client "github.com/kyverno/kyverno/pkg/dclient"
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/kyverno/common"
 	"github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
 	"github.com/kyverno/kyverno/pkg/openapi"
@@ -27,6 +27,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	log "sigs.k8s.io/controller-runtime/pkg/log"
+	yaml1 "sigs.k8s.io/yaml"
 )
 
 type resultCounts struct {
@@ -129,6 +130,15 @@ func Command() *cobra.Command {
 			resources, err := getResourceAccordingToResourcePath(resourcePaths, cluster, policies, dClient, namespace)
 			if err != nil {
 				if !sanitizedError.IsErrorSanitized(err) {
+					yamlBytes := []byte(resourceStr)
+					resources, err = common.GetResource(yamlBytes)
+					if err != nil {
+						return sanitizedError.NewWithError("failed to extract the resources", err)
+					}
+				}
+			} else {
+				resources, err = common.GetResources(policies, resourcePaths, dClient)
+				if err != nil {
 					return sanitizedError.NewWithError("failed to load resources", err)
 				}
 				return err

pkg/kyverno/apply/report.go

@@ -155,7 +155,7 @@ func calculateSummary(results []*report.PolicyReportResult) (summary report.Poli
 	for _, res := range results {
 		switch string(res.Status) {
 		case report.StatusPass:
-			summary.Pass ++
+			summary.Pass++
 		case report.StatusFail:
 			summary.Fail++
 		case "warn":

pkg/kyverno/common/fetch.go

@@ -186,6 +186,5 @@ func convertResourceToUnstructured(resourceYaml []byte) (*unstructured.Unstructu
 	if resource.GetNamespace() == "" {
 		resource.SetNamespace("default")
 	}
-
 	return resource, nil
 }

pkg/webhookconfig/registration.go

@@ -93,7 +93,8 @@ func (wrc *WebhookRegistrationClient) RemoveWebhookConfigurations(cleanUp chan<-
 // used to forward request to kyverno webhooks to apply policeis
 // Mutationg webhook is be used for Mutating purpose
 func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration() error {
-	logger := wrc.log
+	logger := wrc.log.WithValues("kind", MutatingWebhookConfigurationKind)
+
 	var caData []byte
 	var config *admregapi.MutatingWebhookConfiguration
 
@@ -121,6 +122,8 @@ func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration
 		logger.Error(err, "failed to create resource mutating webhook configuration", "name", config.Name)
 		return err
 	}
+
+	logger.V(2).Info("created mutating webhook", "name", config.Name)
 	return nil
 }
 
@@ -152,6 +155,8 @@ func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfigurati
 		logger.Error(err, "failed to create resource")
 		return err
 	}
+
+	logger.V(2).Info("created validating webhook", "name", config.Name)
 	return nil
 }
 

pkg/webhookconfig/rwebhookregister.go

@@ -78,8 +78,6 @@ func (rww *ResourceWebhookRegister) createMutatingWebhook() {
 			rww.RegisterResourceWebhook()
 			return
 		}
-
-		rww.log.V(2).Info("created mutating webhook", "name", mutatingConfigName)
 	}
 }
 
@@ -103,8 +101,6 @@ func (rww *ResourceWebhookRegister) createValidateWebhook() {
 			rww.RegisterResourceWebhook()
 			return
 		}
-
-		rww.log.V(2).Info("created validating webhook", "name", validatingConfigName)
 	}
 }