diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index f6c04525cb..de216be85c 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: kyverno
-version: 1.2.1
-appVersion: v1.2.1
+version: v1.3.0-rc1
+appVersion: v1.3.0-rc1
 icon: https://github.com/kyverno/kyverno/blob/master/documentation/images/Kyverno_Horizontal.png
 description: Kubernetes Native Policy Management
 keywords:
diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml
index ed31bb8100..f8f2ce64be 100644
--- a/charts/kyverno/crds/crds.yaml
+++ b/charts/kyverno/crds/crds.yaml
@@ -3,6 +3,17 @@ kind: CustomResourceDefinition
 metadata:
 name: clusterpolicies.kyverno.io
 spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.background
+ description: Background controls if rules are applied to existing resources during
+ a background scan.
+ name: Background
+ type: string
+ - JSONPath: .spec.validationFailureAction
+ description: ValidationFailureAction controls if a policy failure should disallow
+ (enforce) or allow and report (audit) the admission review request.
+ name: Validation Failure Action
+ type: string
 group: kyverno.io
 names:
 kind: ClusterPolicy
@@ -1010,6 +1021,17 @@ kind: CustomResourceDefinition
 metadata:
 name: policies.kyverno.io
 spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.background
+ description: Background controls if rules are applied to existing resources during
+ a background scan.
+ name: Background
+ type: string
+ - JSONPath: .spec.validationFailureAction
+ description: ValidationFailureAction controls if a policy failure should disallow
+ (enforce) or allow and report (audit) the admission review request.
+ name: Validation Failure Action
+ type: string
 group: kyverno.io
 names:
 kind: Policy
@@ -1927,4 +1949,4 @@ status:
 kind: ""
 plural: ""
 conditions: []
- storedVersions: []
+ storedVersions: []
\ No newline at end of file
diff --git a/definitions/crds/crds.yaml b/definitions/crds/crds.yaml
index a7e795c1f4..da947f8b35 100755
--- a/definitions/crds/crds.yaml
+++ b/definitions/crds/crds.yaml
@@ -3,6 +3,15 @@ kind: CustomResourceDefinition
 metadata:
 name: clusterpolicies.kyverno.io
 spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.background
+ description: Background controls if rules are applied to existing resources during a background scan.
+ name: Background
+ type: string
+ - JSONPath: .spec.validationFailureAction
+ description: ValidationFailureAction controls if a policy failure should disallow (enforce) or allow and report (audit) the admission review request.
+ name: Validation Failure Action
+ type: string
 group: kyverno.io
 versions:
 - name: v1
@@ -277,6 +286,15 @@ kind: CustomResourceDefinition
 metadata:
 name: policies.kyverno.io
 spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.background
+ description: Background controls if rules are applied to existing resources during a background scan.
+ name: Background
+ type: string
+ - JSONPath: .spec.validationFailureAction
+ description: ValidationFailureAction controls if a policy failure should disallow (enforce) or allow and report (audit) the admission review request.
+ name: Validation Failure Action
+ type: string
 group: kyverno.io
 versions:
 - name: v1
diff --git a/definitions/install.yaml b/definitions/install.yaml
index f977be9ebc..e4a0571b42 100755
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -8,6 +8,17 @@ kind: CustomResourceDefinition
 metadata:
 name: clusterpolicies.kyverno.io
 spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.background
+ description: Background controls if rules are applied to existing resources during
+ a background scan.
+ name: Background
+ type: string
+ - JSONPath: .spec.validationFailureAction
+ description: ValidationFailureAction controls if a policy failure should disallow
+ (enforce) or allow and report (audit) the admission review request.
+ name: Validation Failure Action
+ type: string
 group: kyverno.io
 names:
 kind: ClusterPolicy
@@ -1015,6 +1026,17 @@ kind: CustomResourceDefinition
 metadata:
 name: policies.kyverno.io
 spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.background
+ description: Background controls if rules are applied to existing resources during
+ a background scan.
+ name: Background
+ type: string
+ - JSONPath: .spec.validationFailureAction
+ description: ValidationFailureAction controls if a policy failure should disallow
+ (enforce) or allow and report (audit) the admission review request.
+ name: Validation Failure Action
+ type: string
 group: kyverno.io
 names:
 kind: Policy
@@ -2376,7 +2398,7 @@ spec:
 fieldPath: metadata.namespace
 - name: KYVERNO_SVC
 value: kyverno-svc
- image: nirmata/kyverno:v1.2.1
+ image: nirmata/kyverno:v1.3.0-rc1
 imagePullPolicy: Always
 livenessProbe:
 failureThreshold: 4
@@ -2419,7 +2441,7 @@ spec:
 runAsNonRoot: true
 runAsUser: 1000
 initContainers:
- - image: nirmata/kyvernopre:v1.2.1
+ - image: nirmata/kyvernopre:v1.3.0-rc1
 imagePullPolicy: Always
 name: kyverno-pre
 securityContext:
@@ -2433,4 +2455,4 @@ spec:
 runAsUser: 1000
 securityContext:
 runAsNonRoot: true
- serviceAccountName: kyverno-service-account
+ serviceAccountName: kyverno-service-account
\ No newline at end of file
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 4085774493..de102ec3e8 100755
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -8,6 +8,17 @@ kind: CustomResourceDefinition
 metadata:
 name: clusterpolicies.kyverno.io
 spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.background
+ description: Background controls if rules are applied to existing resources during
+ a background scan.
+ name: Background
+ type: string
+ - JSONPath: .spec.validationFailureAction
+ description: ValidationFailureAction controls if a policy failure should disallow
+ (enforce) or allow and report (audit) the admission review request.
+ name: Validation Failure Action
+ type: string
 group: kyverno.io
 names:
 kind: ClusterPolicy
@@ -1015,6 +1026,17 @@ kind: CustomResourceDefinition
 metadata:
 name: policies.kyverno.io
 spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.background
+ description: Background controls if rules are applied to existing resources during
+ a background scan.
+ name: Background
+ type: string
+ - JSONPath: .spec.validationFailureAction
+ description: ValidationFailureAction controls if a policy failure should disallow
+ (enforce) or allow and report (audit) the admission review request.
+ name: Validation Failure Action
+ type: string
 group: kyverno.io
 names:
 kind: Policy
@@ -2344,4 +2366,4 @@ spec:
 - port: 443
 targetPort: https
 selector:
- app: kyverno
+ app: kyverno
\ No newline at end of file
diff --git a/definitions/kustomization.yaml b/definitions/kustomization.yaml
index 8bf51cf2d2..406e1f0363 100755
--- a/definitions/kustomization.yaml
+++ b/definitions/kustomization.yaml
@@ -8,7 +8,7 @@ resources:
 images:
 - name: nirmata/kyverno
 newName: nirmata/kyverno
- newTag: v1.2.1
+ newTag: v1.3.0-rc1
 - name: nirmata/kyvernopre
 newName: nirmata/kyvernopre
- newTag: v1.2.1
+ newTag: v1.3.0-rc1
diff --git a/definitions/release/install.yaml b/definitions/release/install.yaml
index 602893f8d7..dbac53487a 100755
--- a/definitions/release/install.yaml
+++ b/definitions/release/install.yaml
@@ -8,6 +8,17 @@ kind: CustomResourceDefinition
 metadata:
 name: clusterpolicies.kyverno.io
 spec:
+ additionalPrinterColumns:
+ - JSONPath: .spec.background
+ description: Background controls if rules are applied to existing resources during
+ a background scan.
+ name: Background
+ type: string
+ - JSONPath: .spec.validationFailureAction
+ description: ValidationFailureAction controls if a policy failure should disallow
+ (enforce) or allow and report (audit) the admission review request.
+ name: Validation Failure Action
+ type: string
 group: kyverno.io
 names:
 kind: ClusterPolicy
@@ -279,74 +290,670 @@ spec: apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: clusterpolicyviolations.kyverno.io + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: clusterpolicyreports.policy.k8s.io spec: additionalPrinterColumns: - - JSONPath: .spec.policy - description: The policy that resulted in the violation - name: Policy + - JSONPath: .scope.kind + name: Kind + priority: 1 type: string - - JSONPath: .spec.resource.kind - description: The resource kind that cause the violation - name: ResourceKind + - JSONPath: .scope.name + name: Name + priority: 1 type: string - - JSONPath: .spec.resource.name - description: The resource name that caused the violation - name: ResourceName + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.k8s.io + names: + kind: ClusterPolicyReport + listKind: ClusterPolicyReportList + plural: clusterpolicyreports + shortNames: + - cpolr + singular: clusterpolicyreport + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: clusterreportchangerequests.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: - kind: ClusterPolicyViolation - plural: clusterpolicyviolations - shortNames: - - cpolv - singular: clusterpolicyviolation - scope: Cluster - subresources: - status: {} + kind: ClusterReportChangeRequest + listKind: ClusterReportChangeRequestList + plural: clusterreportchangerequests + singular: clusterreportchangerequest + scope: Namespaced + 
subresources: {} validation: openAPIV3Schema: + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests + API properties: - spec: - properties: - policy: - type: string - resource: - properties: - kind: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: type: string - name: - type: string - required: - - kind - - name - type: object - rules: - items: + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. 
properties: - message: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. 
In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. 
For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. 
type: string - name: - type: string - type: + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array required: - - name - - type - - message + - key + - operator type: object type: array - required: - - policy - - resource - - rules + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + version: v1alpha1 versions: - - name: v1 + - name: v1alpha1 served: true storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition 
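Review bot: `clusterpolicyreports.policy.k8s.io` is declared with `scope: Namespaced`, and so is `clusterreportchangerequests.kyverno.io` where the CRD it replaces (`clusterpolicyviolations`) had `scope: Cluster`; that contradicts the `Cluster` prefix of both kinds and the `cpolr` short name, so either the line should read `scope: Cluster` or the CRD needs a comment explaining why a cluster-wide report is stored in a namespace. The `policy.k8s.io` API group also deserves a second look: if I remember the Kubernetes API conventions correctly, `*.k8s.io` groups are reserved for project-owned APIs, and shipping third-party CRDs under one risks a collision with a future in-tree group, whereas a vendor-owned group does not. Both the scope and the group are carried over unchanged for `policyreports.policy.k8s.io` in the following hunk. Replacing `subresources: status: {}` with `subresources: {}` while `results` and `summary` sit at the top level means a single `update` on a report object rewrites its findings along with everything else, so the RBAC that grants write access to these kinds should be limited to the reporting controller.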
@@ -419,6 +1026,17 @@ kind: CustomResourceDefinition metadata: name: policies.kyverno.io spec: + additionalPrinterColumns: + - JSONPath: .spec.background + description: Background controls if rules are applied to existing resources during + a background scan. + name: Background + type: string + - JSONPath: .spec.validationFailureAction + description: ValidationFailureAction controls if a policy failure should disallow + (enforce) or allow and report (audit) the admission review request. + name: Validation Failure Action + type: string group: kyverno.io names: kind: Policy 
@@ -674,74 +1292,669 @@ spec: apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: - name: policyviolations.kyverno.io + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: policyreports.policy.k8s.io spec: additionalPrinterColumns: - - JSONPath: .spec.policy - description: The policy that resulted in the violation - name: Policy + - JSONPath: .scope.kind + name: Kind + priority: 1 type: string - - JSONPath: .spec.resource.kind - description: The resource kind that cause the violation - name: ResourceKind + - JSONPath: .scope.name + name: Name + priority: 1 type: string - - JSONPath: .spec.resource.name - description: The resource name that caused the violation - name: ResourceName + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.k8s.io + names: + kind: PolicyReport + listKind: PolicyReportList + plural: policyreports + shortNames: + - polr + singular: policyreport + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: reportchangerequests.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer - JSONPath: .metadata.creationTimestamp name: Age type: date group: kyverno.io names: - kind: PolicyViolation - plural: policyviolations - shortNames: - - polv - singular: policyviolation + kind: ReportChangeRequest + listKind: ReportChangeRequestList + plural: reportchangerequests + singular: reportchangerequest scope: Namespaced - subresources: - status: {} + subresources: {} validation: openAPIV3Schema: + description: ReportChangeRequest is 
the Schema for the ReportChangeRequests + API properties: - spec: - properties: - policy: - type: string - resource: - properties: - kind: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: type: string - name: - type: string - required: - - kind - - name - type: object - rules: - items: + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. properties: - message: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. 
Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - high + - low + - medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - pass + - fail + - warn + - error + - skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. 
TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. type: string - name: - type: string - type: + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. 
This + array is replaced during a strategic merge patch. + items: + type: string + type: array required: - - name - - type - - message + - key + - operator type: object type: array - required: - - policy - - resource - - rules + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + type: object + type: object + version: v1alpha1 versions: - - name: v1 + - name: v1alpha1 served: true storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- apiVersion: v1 kind: ServiceAccount @@ -761,12 +1974,20 @@ rules: - policies/status - clusterpolicies - clusterpolicies/status + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status - clusterpolicyviolations - clusterpolicyviolations/status - policyviolations - policyviolations/status - generaterequests - generaterequests/status + - reportchangerequests + - reportchangerequests/status + - clusterreportchangerequests + - clusterreportchangerequests/status verbs: - create - delete 
@@ -775,6 +1996,12 @@ rules: - patch - update - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -897,6 +2124,39 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:admin-policyreport +rules: +- apiGroups: + - policy.k8s.io/v1alpha1 + resources: + - policyreport + - clusterpolicyreport + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: kyverno:edit-policies-policyreport +rules: +- apiGroups: + - policy.k8s.io/v1alpha1 + resources: + - policyreport + - clusterpolicyreport + - policies + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -906,7 +2166,6 @@ rules: - kyverno.io resources: - policyviolations - - policies verbs: - get - list @@ -914,6 +2173,23 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole +metadata: + name: kyverno:policyreport +rules: +- apiGroups: + - '*' + resources: + - policyreports + - clusterpolicyreports + - pods + verbs: + - get + - list + - watch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole metadata: name: kyverno:policyviolations rules: 
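Review bot: The new rule at the top of this hunk gives the kyverno service account `delete` on every `customresourcedefinitions` object in the cluster, with no `resourceNames` restriction. Deleting a CRD removes all of its custom resources, so this is a destructive, cluster-wide grant that a compromised or misbehaving controller could exercise against unrelated CRDs. If the intent is only to retire the superseded violation CRDs that this diff removes from the install (e.g. `policyviolations.kyverno.io`), scope the rule with `resourceNames:` listing exactly those names, and add a comment stating why the controller needs the verb at all.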
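Review bot: The `kyverno:admin-policyreport` and `kyverno:edit-policies-policyreport` ClusterRoles in this hunk use `policy.k8s.io/v1alpha1` as an apiGroup and the singular `policyreport`/`clusterpolicyreport` as resources; RBAC apiGroups are unversioned group names and resources are the CRD plurals, so as written these rules match nothing and the aggregated admin/edit roles gain no access to reports. The fix is `- policy.k8s.io` for the group and `- policyreports` / `- clusterpolicyreports` for the resources, matching the `plural:` declared in the CRD earlier in this diff. `policies` lives in `kyverno.io`, so it needs its own `apiGroups` entry in the edit role; since the `@@ -906` hunk below also drops `- policies` from the existing kyverno.io edit role, edit-bound users currently lose get/list/watch on policies altogether. The same group/plural mistake repeats in `kyverno:view-clusterpolicyreport` and `kyverno:view-policyreport` in the `@@ -928` and `@@ -959` hunks.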
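Review bot: The `kyverno:policyreport` ClusterRole at the top of this hunk uses `apiGroups: ['*']` and grants `delete` on `pods` cluster-wide, and the binding in the `@@ -1000` hunk attaches it to the kyverno service account. The wildcard is broader than needed: `- apiGroups: ["", policy.k8s.io]` covers pods and the report types named here (the report resources are also already covered by the main controller role in the `@@ -761` hunk). Whether the report controller actually needs to delete pods is not visible from the diff; if it only watches them, drop `delete` for that resource by splitting pods into its own rule with get/list/watch.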
@@ -928,6 +2204,22 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:view-clusterpolicyreport +rules: +- apiGroups: + - policy.k8s.io/v1alpha1 + resources: + - clusterpolicyreport + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -959,6 +2251,22 @@ rules: - list - watch --- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: kyverno:view-policyreport +rules: +- apiGroups: + - policy.k8s.io/v1alpha1 + resources: + - policyreport + verbs: + - get + - list + - watch +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -1000,6 +2308,19 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + name: kyverno:policyreport +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policyreport +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: name: kyverno:userinfo roleRef: 
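Review bot: `kyverno:view-clusterpolicyreport` in this hunk is labelled `rbac.authorization.k8s.io/aggregate-to-admin`, whereas its namespaced sibling `kyverno:view-policyreport` in the `@@ -959` hunk uses `aggregate-to-view`. If the `view-` prefix reflects the intent, the label here should be `rbac.authorization.k8s.io/aggregate-to-view: "true"`; otherwise the name is misleading and users holding only the view role cannot read cluster-scoped reports. Either way the rule's `policy.k8s.io/v1alpha1` group and singular resource name need the same correction as the other report roles.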
@@ -1027,7 +2348,7 @@ subjects: apiVersion: v1 data: excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler - resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' + resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]' kind: ConfigMap metadata: name: init-config @@ -1066,7 +2387,7 @@ spec: spec: containers: - args: - - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*] + - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*] - -v=2 env: - name: INIT_CONFIG @@ -1077,7 +2398,7 @@ spec: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc - image: nirmata/kyverno:v1.2.1 + image: nirmata/kyverno:v1.3.0-rc1 imagePullPolicy: Always livenessProbe: failureThreshold: 4 @@ -1120,7 +2441,7 @@ spec: runAsNonRoot: true runAsUser: 1000 initContainers: - - image: nirmata/kyvernopre:v1.2.1 + - image: nirmata/kyvernopre:v1.3.0-rc1 imagePullPolicy: Always name: kyverno-pre securityContext: diff --git a/go.sum b/go.sum index 19c51821e4..19bc9c52f4 100644 --- a/go.sum +++ b/go.sum 
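Review bot: The `resourceFilters` value in the `init-config` ConfigMap and the `--filterK8Resources` container argument in the `@@ -1066` hunk carry the same filter list, and this change had to extend both by hand. Two copies will drift; a comment next to one of them, `# keep in sync with --filterK8Resources in the kyverno Deployment below`, makes the coupling visible, and longer term the argument could go if the ConfigMap is authoritative. The new entries exclude the report kinds from policy evaluation, presumably so policies cannot act on their own reports — worth stating in the same comment.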
@@ -349,7 +349,6 @@ github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSN github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= @@ -433,7 +432,6 @@ github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ= github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf/go.mod h1:hyb9oH7vZsitZCiBt0ZvifOrB+qc8PS5IiilCIb87rg= -github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/jcmturner/gofork v0.0.0-20190328161633-dc7c13fece03/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go index 002d0ad161..ff3e893d4b 100755 --- a/pkg/api/kyverno/v1/types.go +++ b/pkg/api/kyverno/v1/types.go 
@@ -148,10 +148,11 @@ type Policy struct { type Spec struct { // Rules contains the list of rules to be applied to resources Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"` - // ValidationFailureAction provides choice to enforce rules to resources during policy violations. + // ValidationFailureAction controls if a policy failure should not disallow + // an admission review request (enforce), or allow (audit) and report an error. // Default value is "audit". ValidationFailureAction string `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` - // Background provides choice for applying rules to existing resources. + // Background controls if rules are applied to existing resources during a background scan. // Default value is "true". Background *bool `json:"background,omitempty" yaml:"background,omitempty"` } diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index d8d974192b..8fa6e8c521 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -232,7 +232,7 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k } // creating final error - var errorMessage = "rule not matched:" + var errorMessage = fmt.Sprintf("rule %s not matched:", ruleRef.Name) for i, reasonForFailure := range reasonsForFailure { if reasonForFailure != nil { errorMessage += "\n " + fmt.Sprint(i+1) + ". " + reasonForFailure.Error() diff --git a/pkg/engine/validate/common.go b/pkg/engine/validate/common.go index e9185f742c..3009fc3fb7 100644 --- a/pkg/engine/validate/common.go +++ b/pkg/engine/validate/common.go @@ -20,6 +20,8 @@ func convertNumberToString(value interface{}) (string, error) { return strconv.FormatInt(typed, 10), nil case int: return strconv.Itoa(typed), nil + case nil: + return "", fmt.Errorf("got empty string, expect %v", value) default: return "", fmt.Errorf("could not convert %v to string", typed) } 
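Review bot: The new doc comment on `ValidationFailureAction` in `Spec` contradicts itself: it pairs "should not disallow an admission review request" with enforce while pairing "allow" with audit, so a reader is told that both settings allow the request. Suggest `// ValidationFailureAction controls if a policy failure should disallow (enforce) or allow and report (audit) the admission review request.` The struct does not constrain the field to those two strings, so if only "enforce" and "audit" are meaningful, saying so in the comment would also help.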
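Review bot: The new `case nil` branch in `convertNumberToString` returns `fmt.Errorf("got empty string, expect %v", value)`, but `value` is nil in that branch, so the message renders as "expect <nil>" and the "empty string" wording does not describe a nil value either. Something like `return "", fmt.Errorf("got nil value, expected a number")` states what actually happened; the expected pattern is not available inside this function, so the message should not pretend to report it. The function's opening line is outside the hunk.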
diff --git a/pkg/engine/validate/pattern.go b/pkg/engine/validate/pattern.go index 7190ebff62..47012b57c7 100644 --- a/pkg/engine/validate/pattern.go +++ b/pkg/engine/validate/pattern.go @@ -205,7 +205,7 @@ func validateString(log logr.Logger, value interface{}, pattern string, operator ok = false } if !ok { - log.Info("unexpected type : ", "type", fmt.Sprintf("%T", value), "value", value) + log.V(4).Info("unexpected type", "got", value, "expect", pattern) return false } diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 58a018ffe9..7ab0a4b0f8 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -274,6 +274,7 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr if path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern); err != nil { // validation failed + logger.V(5).Info(err.Error()) resp.Success = false resp.Message = fmt.Sprintf("Validation error: %s; Validation rule %s failed at path %s", rule.Validation.Message, rule.Name, path) diff --git a/pkg/event/controller.go b/pkg/event/controller.go index e3c0957be4..c06b8ea6ca 100644 --- a/pkg/event/controller.go +++ b/pkg/event/controller.go @@ -2,13 +2,13 @@ package event import ( "github.com/go-logr/logr" - "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme" kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1" kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" "github.com/kyverno/kyverno/pkg/constant" client "github.com/kyverno/kyverno/pkg/dclient" v1 "k8s.io/api/core/v1" + errors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" 
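Review bot: The rewritten log line in `validateString` keeps the message "unexpected type" but drops the `%T` of `value`, so the one fact the message refers to is no longer recorded. Suggest `log.V(4).Info("unexpected type", "type", fmt.Sprintf("%T", value), "got", value, "expect", pattern)`. Logging the raw value can include resource field contents, which is acceptable at V(4) but should stay at that verbosity. `validateString` starts outside the hunk.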
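Review bot: `logger.V(5).Info(err.Error())` in `validatePatterns` uses a dynamic error string as the structured-log message, which defeats message-based filtering and leaves out the `path` that the same branch already has in hand. Prefer a constant message with the details as key/value pairs: `logger.V(5).Info("pattern validation failed", "path", path, "error", err.Error())`. `validatePatterns` starts and ends outside the hunk.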
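Review bot: Importing `k8s.io/apimachinery/pkg/api/errors` under the alias `errors` takes the standard-library `errors` name in package event, so any later `errors.Is`/`errors.As` call in this file would silently resolve to the apimachinery package. The conventional alias avoids that: `apierrors "k8s.io/apimachinery/pkg/api/errors"`, with the new callers written as `apierrors.IsNotFound(err)`.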
@@ -138,7 +138,9 @@ func (gen *Generator) handleErr(err error, key interface{}) { } gen.queue.Forget(key) - logger.Error(err, "failed to generate event", "key", key) + if !errors.IsNotFound(err) { + logger.Error(err, "failed to generate event", "key", key) + } } func (gen *Generator) processNextWorkItem() bool { @@ -184,7 +186,9 @@ func (gen *Generator) syncHandler(key Info) error { default: robj, err = gen.client.GetResource("", key.Kind, key.Namespace, key.Name) if err != nil { - logger.Error(err, "failed to get resource", "kind", key.Kind, "name", key.Name, "namespace", key.Namespace) + if !errors.IsNotFound(err) { + logger.Error(err, "failed to get resource", "kind", key.Kind, "name", key.Name, "namespace", key.Namespace) + } return err } } diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go index 5217a122cf..91f6d0fda5 100644 --- a/pkg/kyverno/apply/command.go +++ b/pkg/kyverno/apply/command.go @@ -10,12 +10,12 @@ import ( "reflect" "strings" "time" - "github.com/kyverno/kyverno/pkg/engine/response" - yaml1 "sigs.k8s.io/yaml" + v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1" client "github.com/kyverno/kyverno/pkg/dclient" "github.com/kyverno/kyverno/pkg/engine" "github.com/kyverno/kyverno/pkg/engine/context" + "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/kyverno/common" "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError" "github.com/kyverno/kyverno/pkg/openapi" @@ -27,6 +27,7 @@ import ( "k8s.io/apimachinery/pkg/util/yaml" "k8s.io/cli-runtime/pkg/genericclioptions" log "sigs.k8s.io/controller-runtime/pkg/log" + yaml1 "sigs.k8s.io/yaml" ) type resultCounts struct { 
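Review bot: In `handleErr` the NotFound case now logs nothing at all, so a key that is forgotten because its resource vanished leaves no trace even at high verbosity. An `else` branch such as `logger.V(4).Info("dropping event for missing resource", "key", key)` keeps the drop diagnosable without the error noise. The retry logic above `gen.queue.Forget(key)` is outside the hunk, so whether NotFound keys are still requeued before reaching this point cannot be seen from the change.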
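Review bot: In `syncHandler` the NotFound error is no longer logged but is still returned, so if `handleErr` requeues on any non-nil error (its requeue branch is outside the hunk) a deleted resource is retried until the retry budget is spent before being forgotten. Returning nil for that case drops the key immediately: `if errors.IsNotFound(err) { logger.V(4).Info("resource no longer exists, dropping event", "kind", key.Kind, "name", key.Name, "namespace", key.Namespace); return nil }`, followed by the existing `logger.Error(...)` and `return err` for every other error. `syncHandler`'s body continues outside the hunk.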
@@ -129,6 +130,15 @@ func Command() *cobra.Command { resources, err := getResourceAccordingToResourcePath(resourcePaths, cluster, policies, dClient, namespace) if err != nil { if !sanitizedError.IsErrorSanitized(err) { + yamlBytes := []byte(resourceStr) + resources, err = common.GetResource(yamlBytes) + if err != nil { + return sanitizedError.NewWithError("failed to extract the resources", err) + } + } + } else { + resources, err = common.GetResources(policies, resourcePaths, dClient) + if err != nil { return sanitizedError.NewWithError("failed to load resources", err) } return err diff --git a/pkg/kyverno/apply/report.go b/pkg/kyverno/apply/report.go index a0e3d1e4bf..c0b24012c7 100644 --- a/pkg/kyverno/apply/report.go +++ b/pkg/kyverno/apply/report.go @@ -155,7 +155,7 @@ func calculateSummary(results []*report.PolicyReportResult) (summary report.Poli for _, res := range results { switch string(res.Status) { case report.StatusPass: - summary.Pass ++ + summary.Pass++ case report.StatusFail: summary.Fail++ case "warn": diff --git a/pkg/kyverno/common/fetch.go b/pkg/kyverno/common/fetch.go index 0877777017..d593b87730 100644 --- a/pkg/kyverno/common/fetch.go +++ b/pkg/kyverno/common/fetch.go @@ -186,6 +186,5 @@ func convertResourceToUnstructured(resourceYaml []byte) (*unstructured.Unstructu if resource.GetNamespace() == "" { resource.SetNamespace("default") } - return resource, nil } diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go index cfdb259e97..6510af37d9 100644 --- a/pkg/webhookconfig/registration.go +++ b/pkg/webhookconfig/registration.go 
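Review bot: The new `else` branch in the `Command` closure leaves the pre-existing `return err` inside it, so after `common.GetResources` succeeds the closure returns nil immediately and, as far as the brace sequence in the hunk shows, never reaches whatever follows. The sanitized-error path has the opposite problem: when `getResourceAccordingToResourcePath` returns a sanitized error the code now falls through with `err` set and `resources` from the failed call instead of returning as it did before. Indentation is lost in this rendering and the closure continues past the hunk, so this should be confirmed against the file, but the brace structure admits no other reading. A guard-clause form keeps both paths explicit:
```go
resources, err := getResourceAccordingToResourcePath(resourcePaths, cluster, policies, dClient, namespace)
if err != nil {
	if sanitizedError.IsErrorSanitized(err) {
		return err
	}
	// Path lookup failed for another reason: fall back to the inline resource YAML.
	resources, err = common.GetResource([]byte(resourceStr))
	if err != nil {
		return sanitizedError.NewWithError("failed to extract the resources", err)
	}
} else {
	resources, err = common.GetResources(policies, resourcePaths, dClient)
	if err != nil {
		return sanitizedError.NewWithError("failed to load resources", err)
	}
}
// … unchanged: rest of the closure body …
```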
@@ -93,7 +93,8 @@ func (wrc *WebhookRegistrationClient) RemoveWebhookConfigurations(cleanUp chan<- // used to forward request to kyverno webhooks to apply policeis // Mutationg webhook is be used for Mutating purpose func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration() error { - logger := wrc.log + logger := wrc.log.WithValues("kind", MutatingWebhookConfigurationKind) + var caData []byte var config *admregapi.MutatingWebhookConfiguration @@ -121,6 +122,8 @@ func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration logger.Error(err, "failed to create resource mutating webhook configuration", "name", config.Name) return err } + + logger.V(2).Info("created mutating webhook", "name", config.Name) return nil } @@ -152,6 +155,8 @@ func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfigurati logger.Error(err, "failed to create resource") return err } + + logger.V(2).Info("created validating webhook", "name", config.Name) return nil } diff --git a/pkg/webhookconfig/rwebhookregister.go b/pkg/webhookconfig/rwebhookregister.go index d8e93feb71..217792c1c2 100644 --- a/pkg/webhookconfig/rwebhookregister.go +++ b/pkg/webhookconfig/rwebhookregister.go @@ -78,8 +78,6 @@ func (rww *ResourceWebhookRegister) createMutatingWebhook() { rww.RegisterResourceWebhook() return } - - rww.log.V(2).Info("created mutating webhook", "name", mutatingConfigName) } } @@ -103,8 +101,6 @@ func (rww *ResourceWebhookRegister) createValidateWebhook() { rww.RegisterResourceWebhook() return } - - rww.log.V(2).Info("created validating webhook", "name", validatingConfigName) } }
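Review bot: The success log added to `CreateResourceValidatingWebhookConfiguration` writes through a `logger` that, unlike the mutating counterpart in the first hunk, is not shown receiving a `WithValues("kind", …)` entry, so the two "created … webhook" lines will carry different context even though their wording is now symmetric. If a validating-side counterpart of `MutatingWebhookConfigurationKind` exists, mirror the first hunk at the top of that function; otherwise put the kind on the line itself, e.g. `logger.V(2).Info("created validating webhook", "kind", "ValidatingWebhookConfiguration", "name", config.Name)`. Both functions start outside their hunks, so how the validating logger is constructed cannot be seen here.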