From b008ec0aaa6a6ba956819596d6d6ae76f0aa9f0e Mon Sep 17 00:00:00 2001
From: evalsocket
Date: Thu, 10 Sep 2020 10:19:36 -0700
Subject: [PATCH] added job trigger if needed

---
 charts/kyverno/crds/crds.yaml | 184 ++++++++++++++++++++++++-------
 cmd/kyverno/main.go | 2 +-
 definitions/install.yaml | 184 ++++++++++++++++++++++++-------
 definitions/install_debug.yaml | 184 ++++++++++++++++++++++++-------
 go.mod | 25 ++++-
 pkg/config/config.go | 2 +-
 pkg/jobs/controller.go | 29 +++--
 pkg/kyverno/report/common.go | 11 +-
 pkg/kyverno/report/namespace.go | 7 +-
 pkg/policyreport/generator.go | 46 +++++---
 pkg/policyviolation/generator.go | 2 +-
 11 files changed, 508 insertions(+), 168 deletions(-)

diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml
index 12ef242ea4..2982531acd 100644
--- a/charts/kyverno/crds/crds.yaml
+++ b/charts/kyverno/crds/crds.yaml
@@ -316,20 +316,26 @@ spec: subresources: {} validation: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy or rule + description: PolicyReportResult provides the result for an individual + policy or rule properties: data: additionalProperties: 
@@ -337,19 +343,31 @@ spec: description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the policy + rule type: string policy: description: Policy is the name of the policy type: string resource: - description: Resource is an optional reference to the resource check bu the policy rule + description: Resource is an optional reference to the resource check + bu the policy rule properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' 
type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -361,28 +379,41 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object resourceSelector: - description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + description: ResourceSelector is an optional selector for multiple + resources (e.g. Pods). Either one of, or none of, but not both of, + Resource or ResourceSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -394,7 +425,11 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object rule: 
@@ -417,13 +452,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -435,28 +480,37 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string type: array @@ -468,7 +522,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: 
@@ -947,17 +1004,22 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy or rule + description: PolicyReportResult provides the result for an individual + policy or rule properties: data: additionalProperties: 
@@ -965,19 +1027,31 @@ spec: description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the policy + rule type: string policy: description: Policy is the name of the policy type: string resource: - description: Resource is an optional reference to the resource check bu the policy rule + description: Resource is an optional reference to the resource check + bu the policy rule properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' 
type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -989,28 +1063,41 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object resourceSelector: - description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + description: ResourceSelector is an optional selector for multiple + resources (e.g. Pods). Either one of, or none of, but not both of, + Resource or ResourceSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1022,7 +1109,11 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object rule: 
@@ -1045,13 +1136,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1063,7 +1164,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index d8f7e7168f..0e44c5cbc6 100755
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -353,7 +353,7 @@ func main() {
 	go statusSync.Run(1, stopCh)
 	go pCacheController.Run(1, stopCh)
 	go auditHandler.Run(10, stopCh)
-	go jobController.Run(1, stopCh)
+	go jobController.Run(3, stopCh)
 	openAPISync.Run(1, stopCh)
 
 	// verifies if the admission control is enabled and active
diff --git a/definitions/install.yaml b/definitions/install.yaml
index c487d50864..9234deddaa 100755
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
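Review bot: The worker count passed to `jobController.Run` goes from 1 to 3, so the job controller's handler now executes in parallel, and nothing in this hunk shows that its create-if-absent logic or any shared state is safe under concurrent invocation; with a single worker that was serialized for free, with three it is only safe if the handler is idempotent or the queue guarantees per-key exclusivity. The diffstat lists a change to `pkg/jobs/controller.go` that may add such a guard, but it is not visible here, so I would confirm the handler tolerates concurrent runs (no duplicate Job creation on a burst of triggers) before merging. The bare literal would also read better as a named constant beside the other worker counts, e.g. `const jobControllerWorkers = 3` and `go jobController.Run(jobControllerWorkers, stopCh)`. The body of `main` starts and ends outside the hunk.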
@@ -321,20 +321,26 @@ spec: subresources: {} validation: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy or rule + description: PolicyReportResult provides the result for an individual + policy or rule properties: data: additionalProperties: 
@@ -342,19 +348,31 @@ spec: description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the policy + rule type: string policy: description: Policy is the name of the policy type: string resource: - description: Resource is an optional reference to the resource check bu the policy rule + description: Resource is an optional reference to the resource check + bu the policy rule properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' 
type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -366,28 +384,41 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object resourceSelector: - description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + description: ResourceSelector is an optional selector for multiple + resources (e.g. Pods). Either one of, or none of, but not both of, + Resource or ResourceSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -399,7 +430,11 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object rule: 
@@ -422,13 +457,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -440,28 +485,37 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string type: array @@ -473,7 +527,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: 
@@ -952,17 +1009,22 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy or rule + description: PolicyReportResult provides the result for an individual + policy or rule properties: data: additionalProperties: 
@@ -970,19 +1032,31 @@ spec: description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the policy + rule type: string policy: description: Policy is the name of the policy type: string resource: - description: Resource is an optional reference to the resource check bu the policy rule + description: Resource is an optional reference to the resource check + bu the policy rule properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' 
type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -994,28 +1068,41 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object resourceSelector: - description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + description: ResourceSelector is an optional selector for multiple + resources (e.g. Pods). Either one of, or none of, but not both of, + Resource or ResourceSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1027,7 +1114,11 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object rule: 
@@ -1050,13 +1141,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1068,7 +1169,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 29865ba38b..869c6383fb 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml 
@@ -321,20 +321,26 @@ spec: subresources: {} validation: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy or rule + description: PolicyReportResult provides the result for an individual + policy or rule properties: data: additionalProperties: 
@@ -342,19 +348,31 @@ spec: description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the policy + rule type: string policy: description: Policy is the name of the policy type: string resource: - description: Resource is an optional reference to the resource check bu the policy rule + description: Resource is an optional reference to the resource check + bu the policy rule properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' 
type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -366,28 +384,41 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object resourceSelector: - description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + description: ResourceSelector is an optional selector for multiple + resources (e.g. Pods). Either one of, or none of, but not both of, + Resource or ResourceSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -399,7 +430,11 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object rule: 
@@ -422,13 +457,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -440,28 +485,37 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set + of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. items: type: string type: array @@ -473,7 +527,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: 
@@ -952,17 +1009,22 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy or rule + description: PolicyReportResult provides the result for an individual + policy or rule properties: data: additionalProperties: 
@@ -970,19 +1032,31 @@ spec: description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the policy + rule type: string policy: description: Policy is the name of the policy type: string resource: - description: Resource is an optional reference to the resource check bu the policy rule + description: Resource is an optional reference to the resource check + bu the policy rule properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' 
type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -994,28 +1068,41 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object resourceSelector: - description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + description: ResourceSelector is an optional selector for multiple + resources (e.g. Pods). Either one of, or none of, but not both of, + Resource or ResourceSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1027,7 +1114,11 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object rule: 
@@ -1050,13 +1141,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1068,7 +1169,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' diff --git a/go.mod b/go.mod index b60cb98935..8ec79bd519 100644 --- a/go.mod +++ b/go.mod @@ -3,13 +3,22 @@ module github.com/nirmata/kyverno go 1.13 require ( + cloud.google.com/go v0.52.0 // indirect + github.com/Azure/azure-sdk-for-go v38.2.0+incompatible // indirect + github.com/Azure/go-autorest/autorest v0.9.4 // indirect + github.com/Azure/go-autorest/autorest/adal v0.8.1 // indirect + github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect + github.com/aws/aws-sdk-go v1.28.9 // indirect github.com/cenkalti/backoff v2.2.1+incompatible github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b // indirect github.com/docker/distribution v2.7.1+incompatible // indirect github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0 github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect + github.com/evanphx/json-patch v4.5.0+incompatible github.com/evanphx/json-patch/v5 v5.0.0 // indirect + github.com/fatih/color v1.9.0 // indirect + github.com/fatih/structtag v1.2.0 // indirect github.com/gardener/controller-manager-library v0.2.0 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 github.com/go-logr/logr v0.1.0 
@@ -17,28 +26,36 @@ require (
 github.com/go-openapi/strfmt v0.19.5
 github.com/go-openapi/validate v0.19.8
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
- github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 // indirect
+ github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
 github.com/googleapis/gnostic v0.3.1
- github.com/hashicorp/golang-lru v0.5.3 // indirect
+ github.com/graymeta/stow v0.2.4 // indirect
+ github.com/hashicorp/golang-lru v0.5.4 // indirect
 github.com/imdario/mergo v0.3.8 // indirect
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af
 github.com/json-iterator/go v1.1.9 // indirect
 github.com/julienschmidt/httprouter v1.3.0
+ github.com/lyft/flytestdlib v0.2.31
 github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a
+ github.com/mattn/go-isatty v0.0.12 // indirect
 github.com/minio/minio v0.0.0-20200114012931-30922148fbb5
 github.com/morikuni/aec v1.0.0 // indirect
 github.com/onsi/ginkgo v1.11.0
 github.com/onsi/gomega v1.8.1
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.0.1 // indirect
+ github.com/pelletier/go-toml v1.6.0 // indirect
 github.com/pkg/errors v0.9.1
+ github.com/prometheus/client_golang v1.3.0 // indirect
+ github.com/prometheus/common v0.9.1 // indirect
+ github.com/spf13/cast v1.3.1 // indirect
 github.com/spf13/cobra v1.0.0
+ github.com/spf13/viper v1.6.2 // indirect
 github.com/stretchr/testify v1.4.0
 github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5
- golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
 golang.org/x/tools v0.0.0-20200823205832-c024452afbcd // indirect
- google.golang.org/appengine v1.6.5 // indirect
+ google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150 // indirect
+ gopkg.in/ini.v1 v1.51.1 // indirect
 gopkg.in/yaml.v2 v2.3.0
 gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71
 gotest.tools
v2.2.0+incompatible
diff --git a/pkg/config/config.go b/pkg/config/config.go
index f1a23e0a2b..53b3ca72c3 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -59,7 +59,7 @@ var (
 // KubePolicyDeploymentName define the default deployment namespace
 KubePolicyDeploymentName = "kyverno"
 // Kyverno CLI Image
- KyvernoCliImage = "evalsocket/kyverno-cli:latest"
+ KyvernoCliImage = "nirmata/kyverno-cli:latest"
 //WebhookServiceName default kyverno webhook service name
 WebhookServiceName = getWebhookServiceName()
diff --git a/pkg/jobs/controller.go b/pkg/jobs/controller.go
index dfa05c134d..1d21f1b9fc 100644
--- a/pkg/jobs/controller.go
+++ b/pkg/jobs/controller.go
@@ -2,6 +2,7 @@ package jobs
 import (
 "fmt"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 "strings"
 "sync"
 "time"
@@ -205,27 +206,27 @@ func (j *Job) syncHandler(info JobInfo) error {
 defer func() { j.mux.Unlock() }()
+ j.log.V(2).Info("Configmap sync at ", "policy", info)
 j.mux.Lock()
+ var wg sync.WaitGroup
 if info.JobType == "POLICYSYNC" {
- var wg sync.WaitGroup
 wg.Add(3)
 go j.syncKyverno(&wg, "Helm", "SYNC",info.JobData)
 go j.syncKyverno(&wg, "Namespace", "SYNC",info.JobData)
 go j.syncKyverno(&wg, "Cluster", "SYNC",info.JobData)
- wg.Wait()
- return nil
+ }else if info.JobType == "CONFIGMAP" {
+ if info.JobData != "" {
+ str := strings.Split(info.JobData,",")
+ wg.Add(len(str))
+ for _,scope := range str {
+ go j.syncKyverno(&wg, scope, "CONFIGMAP","")
+ }
+ }
 }
- var wg sync.WaitGroup
- wg.Add(3)
- go j.syncKyverno(&wg, "Helm", "CONFIGMAP","")
- go j.syncKyverno(&wg, "Namespace", "CONFIGMAP","")
- go j.syncKyverno(&wg, "Cluster", "CONFIGMAP","")
- wg.Wait()
 return nil
 }
 func (j *Job) syncKyverno(wg *sync.WaitGroup, jobType, scope,data string) {
- var args []string
 var mode string
 if scope == "SYNC" || scope == "POLICYSYNC" {
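Review bot: `github.com/lyft/flytestdlib v0.2.31` is added as a direct requirement, and the indirect block added in hunk @@ -3 above (cloud.google.com, Azure, AWS SDKs, stow, viper, prometheus) looks like its transitive closure, yet no Go hunk in this diff imports it. If it is unused, `go mod tidy` will drop it together with that SDK surface; if it is used, the import belongs in the change set so the dependency can be reviewed next to its caller. `github.com/evanphx/json-patch v4.5.0+incompatible` also becomes a direct requirement while `json-patch/v5` stays indirect, so both major versions now ship in the binary.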
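Review bot: The new line still references the CLI image by the mutable `latest` tag, so the code that the scan Jobs run (presumably the image `CreateJob` in pkg/jobs/controller.go uses) can change underneath a deployed controller without any change in this repository, and cannot be audited or rolled back by tag. Pin it to the release tag or digest the controller is built against, `KyvernoCliImage = "nirmata/kyverno-cli:<release-tag>"` (placeholder), and bump it together with releases.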
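Review bot: The new `apierrors` import is placed inside the standard-library group between `"fmt"` and `"strings"`; goimports keeps third-party modules in a separate blank-line-separated group after the stdlib block, and this file's import list continues outside the hunk and presumably already has such a group.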
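Review bot: `syncHandler` now returns, and so releases `j.mux` through the deferred unlock, as soon as the `syncKyverno` goroutines are launched, because the `wg.Wait()` that followed the `go` calls is removed; the `wg.Wait()` moved into each `syncKyverno` goroutine (hunk @@ -262 below) blocks only that goroutine, so the mutex no longer serializes one sync against the next and back-to-back POLICYSYNC/CONFIGMAP events can create overlapping Jobs. Keep the handler as the waiter: add `wg.Wait()` before the final `return nil` and drop the one in `syncKyverno`. The hunk also deletes `var args []string` from `syncKyverno` while `args = append(args, ...)` remains in the next hunk, so a declaration must survive elsewhere in that function, which continues outside the hunk. The new lines are not gofmt-clean (`}else if`, missing spaces after commas).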
@@ -262,6 +263,7 @@ func (j *Job) syncKyverno(wg *sync.WaitGroup, jobType, scope,data string) {
 args = append(args,fmt.Sprintf("-p=%s", data))
 }
 go j.CreateJob(args, jobType, scope, wg)
+ wg.Wait()
 }
 // CreateJob will create Job template for background scan
@@ -298,16 +300,23 @@ func (j *Job) CreateJob(args []string, jobType, scope string, wg *sync.WaitGroup
 }
 deadline := time.Now().Add(30 * time.Second)
 for {
+ time.Sleep(20*time.Second)
 resource, err := j.dclient.GetResource("", "Job", config.KubePolicyNamespace, job.GetName())
 if err != nil {
+ if apierrors.IsNotFound(err) {
+ j.log.Error(err,"job is already deleted","job_name",job.GetName())
+ break
+ }
 continue
 }
 job := v1.Job{}
 if err := runtime.DefaultUnstructuredConverter.FromUnstructured(resource.UnstructuredContent(), &job); err != nil {
+ j.log.Error(err,"Error in converting job Default Unstructured Converter","job_name",job.GetName())
 continue
 }
 if time.Now().After(deadline) {
 if err := j.dclient.DeleteResource("", "Job", config.KubePolicyNamespace, job.GetName(), false); err != nil {
+ j.log.Error(err,"Error in deleting jobs","job_name",job.GetName())
 continue
 }
 break
diff --git a/pkg/kyverno/report/common.go b/pkg/kyverno/report/common.go
index bedadb9b4a..077ad14473 100644
--- a/pkg/kyverno/report/common.go
+++ b/pkg/kyverno/report/common.go
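Review bot: The deadline in `CreateJob` is checked only after a successful `GetResource` and conversion, so the `continue` on a persistent non-NotFound error and the `continue` on a conversion failure loop forever, now sleeping 20 s per iteration; move the `if time.Now().After(deadline)` block to the top of the loop body, ahead of `GetResource`, so every path observes it. The new conversion-error log reads `job.GetName()` from the inner `job := v1.Job{}` that the failed conversion left empty, so `job_name` is always `""` there; log the name the `GetResource` call used instead (for instance `resource.GetName()` if `GetResource` returns an `*unstructured.Unstructured`). With a 20 s sleep before the first poll and a 30 s deadline the Job is observed about twice (≈20 s and ≈40 s) before it is deleted, which is tighter than the deadline suggests. The loop body continues outside the hunk.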
@@ -100,19 +100,18 @@ func backgroundScan(n, scope,policychange string, wg *sync.WaitGroup, restConfig log.Log.WithName("ConfigData"), ) var cpolicies []*kyvernov1.ClusterPolicy - var removePolicy []string + removePolicy := []string{} policySelector := strings.Split(policychange,",") - if len(policySelector) > 0 { + if len(policySelector) > 0 && policychange != "" { for _,v := range policySelector { cpolicy, err := cpi.Lister().Get(v); if err != nil { if apierrors.IsNotFound(err){ - removePolicy = append(removePolicy,cpolicy.GetName()) + removePolicy = append(removePolicy,v) } }else{ cpolicies = append(cpolicies, cpolicy) } - for _,v := range policySelector { policies, err := pi.Lister().List(labels.Everything()) if err == nil { @@ -144,7 +143,6 @@ func backgroundScan(n, scope,policychange string, wg *sync.WaitGroup, restConfig } - // key uid resourceMap := map[string]unstructured.Unstructured{} var engineResponses []response.EngineResponse @@ -299,7 +297,7 @@ func backgroundScan(n, scope,policychange string, wg *sync.WaitGroup, restConfig } } - + os.Exit(0) // Create Policy Report } @@ -441,6 +439,7 @@ func configmapScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config) } } + os.Exit(0) } func mergeReport(pr *policyreportv1alpha1.PolicyReport, results []policyreportv1alpha1.PolicyReportResult,removePolicy []string) (*policyreportv1alpha1.PolicyReport, string) { diff --git a/pkg/kyverno/report/namespace.go b/pkg/kyverno/report/namespace.go index 8ca54924d5..8bc6be10c5 100644 --- a/pkg/kyverno/report/namespace.go +++ b/pkg/kyverno/report/namespace.go 
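Review bot: `strings.Split` never returns an empty slice (`Split("", ",")` yields `[""]`), so in the new condition `len(policySelector) > 0` is always true and the effective guard is just `policychange != ""`; write `if policychange != "" {`. Appending `v` instead of `cpolicy.GetName()` on the not-found path removes a nil dereference. The hunk also deletes the inner `for _,v := range policySelector {` line without a visible matching `}` removal; `backgroundScan` continues outside the hunk, so presumably the braces balance there, but it is worth confirming the file still compiles as shown.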
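Review bot: `os.Exit(0)` at the end of `backgroundScan` terminates the whole process from inside a goroutine: `NamespaceCommand` (pkg/kyverno/report/namespace.go in this diff) starts one `backgroundScan` per namespace under a `sync.WaitGroup`, so the first scan to finish exits the binary while the others are still running, whatever they have not yet written is lost, deferred cleanup is skipped, and the caller's `wg.Wait()` never returns. The `os.Exit(0)` added to `configmapScan` in hunk @@ -441 has the same shape. Let both functions return normally and leave process exit to the command; the `// Create Policy Report` comment now sits behind the exit and is unreachable. Both functions continue outside their hunks.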
@@ -58,24 +58,21 @@ func NamespaceCommand() *cobra.Command {
 log.Log.Error(err, "Failed to create kubernetes client")
 os.Exit(1)
 }
+ var wg sync.WaitGroup
 if mode == "cli" {
 ns, err := nLister.List(labels.Everything())
 if err != nil {
 os.Exit(1)
 }
- var wg sync.WaitGroup
 wg.Add(len(ns))
 for _, n := range ns {
 go backgroundScan(n.GetName(), "Namespace",policy, &wg, restConfig)
 }
- wg.Wait()
 } else {
- var wg sync.WaitGroup
 wg.Add(1)
 go configmapScan("", "Namespace", &wg, restConfig)
- wg.Wait()
- return nil
 }
+ wg.Wait()
 <-stopCh
 return nil
 },
diff --git a/pkg/policyreport/generator.go b/pkg/policyreport/generator.go
index d31cf59a1b..f2c51c631f 100755
--- a/pkg/policyreport/generator.go
+++ b/pkg/policyreport/generator.go
@@ -146,18 +146,7 @@ func NewPRGenerator(client *policyreportclient.Clientset,
 },
 job: job,
 }
- go func() {
- for k := range time.Tick(60 * time.Second) {
- gen.log.V(2).Info("Configmap sync at ", "time", k.String())
- err := gen.createConfigmap()
- gen.job.Add(jobs.JobInfo{
- JobType: "CONFIGMAP",
- })
- if err != nil {
- gen.log.Error(err, "configmap error")
- }
- }
- }()
+
 return &gen
 }
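Review bot: After the shared `wg.Wait()` both modes now fall through to `<-stopCh`, so once the scans complete the command blocks until a signal arrives; the `return nil` the old `else` branch had after its wait is what this hunk removes. As written, the command only finishes because the scan goroutines in pkg/kyverno/report/common.go call `os.Exit(0)` themselves. Return after the wait instead, `wg.Wait()` followed by `return nil`, and drop `<-stopCh` unless something outside the hunk still needs the process kept alive; the enclosing command closure starts outside the hunk.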
@@ -192,6 +181,34 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
 for i := 0; i < workers; i++ {
 go wait.Until(gen.runWorker, constant.PolicyViolationControllerResync, stopCh)
 }
+ go func() {
+ for k := range time.Tick(60 * time.Second) {
+ gen.log.V(2).Info("Configmap sync at ", "time", k.String())
+ err := gen.createConfigmap()
+ scops := []string{}
+ if len(gen.inMemoryConfigMap.Namespace) > 0 {
+ scops = append(scops,"Namespace")
+ }
+ if len(gen.inMemoryConfigMap.Helm) > 0 {
+ scops = append(scops,"Helm")
+ }
+ if len(gen.inMemoryConfigMap.Cluster["cluster"]) > 0 {
+ scops = append(scops,"Cluster")
+ }
+ gen.job.Add(jobs.JobInfo{
+ JobType: "CONFIGMAP",
+ JobData: strings.Join(scops,","),
+ })
+ if err != nil {
+ gen.log.Error(err, "configmap error")
+ }
+ gen.inMemoryConfigMap = &PVEvent{
+ Helm: make(map[string][]Info),
+ Namespace: make(map[string][]Info),
+ Cluster: make(map[string][]Info),
+ }
+ }
+ }()
 <-stopCh
 }
@@ -286,11 +303,6 @@ func (gen *Generator) createConfigmap() error {
 if err != nil {
 return err
 }
- gen.inMemoryConfigMap = &PVEvent{
- Helm: make(map[string][]Info),
- Namespace: make(map[string][]Info),
- Cluster: make(map[string][]Info),
- }
 return nil
 }
diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index 4e6e608b96..c2b360b44b 100755
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -144,7 +144,7 @@ func NewPVGenerator(client *kyvernoclient.Clientset,
 log,
 stopChna,
 )
- go gen.prgen.Run(4, stopChna)
+ go gen.prgen.Run(3, stopChna)
 }
 return &gen
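Review bot: The in-memory event buffer is now reset on every tick regardless of whether `createConfigmap()` succeeded, whereas before this change (hunk @@ -286 below) the reset sat after `return err` and only ran on success, so a failed ConfigMap write now silently discards every violation recorded since the previous tick. The goroutine also reads `gen.inMemoryConfigMap` in the `len(...)` checks and then replaces it while the `runWorker` goroutines started just above presumably write into the same struct; nothing in the hunk shows a lock on either side, so this needs confirming against the rest of the type, and its fix is whatever mutex the workers use, not shown here. `time.Tick` is never stopped and the loop ignores `stopCh`, so the goroutine outlives `Run`. The rewrite below keeps the events on failure, skips the job trigger when the ConfigMap was not written (move `gen.job.Add` back above the error check if scanning the stale map is intended), and exits on `stopCh`; the `scops` computation is unchanged.
```go
	go func() {
		ticker := time.NewTicker(60 * time.Second)
		defer ticker.Stop()
		for {
			var k time.Time
			select {
			case <-stopCh:
				return
			case k = <-ticker.C:
			}
			gen.log.V(2).Info("Configmap sync at ", "time", k.String())
			if err := gen.createConfigmap(); err != nil {
				// Keep the buffered events; the next tick retries them.
				gen.log.Error(err, "configmap error")
				continue
			}
			// … unchanged: scops computation and gen.job.Add(...) …
			gen.inMemoryConfigMap = &PVEvent{
				Helm:      make(map[string][]Info),
				Namespace: make(map[string][]Info),
				Cluster:   make(map[string][]Info),
			}
		}
	}()
```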