mirror of https://github.com/kyverno/kyverno.git synced 2025-03-15 12:17:56 +00:00

added job trigger if needed

evalsocket 2020-09-10 10:19:36 -07:00
parent 37f96c5722
commit b008ec0aaa
11 changed files with 508 additions and 168 deletions


@ -316,20 +316,26 @@ spec:
subresources: {} subresources: {}
validation: validation:
openAPIV3Schema: openAPIV3Schema:
description: ClusterPolicyReport is the Schema for the clusterpolicyreports API description: ClusterPolicyReport is the Schema for the clusterpolicyreports
API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
type: object type: object
results: results:
description: PolicyReportResult provides result details description: PolicyReportResult provides result details
items: items:
description: PolicyReportResult provides the result for an individual policy or rule description: PolicyReportResult provides the result for an individual
policy or rule
properties: properties:
data: data:
additionalProperties: additionalProperties:
@ -337,19 +343,31 @@ spec:
description: Data provides additional information for the policy rule description: Data provides additional information for the policy rule
type: object type: object
message: message:
description: Message is a short user friendly description of the policy rule description: Message is a short user friendly description of the policy
rule
type: string type: string
policy: policy:
description: Policy is the name of the policy description: Policy is the name of the policy
type: string type: string
resource: resource:
description: Resource is an optional reference to the resource check bu the policy rule description: Resource is an optional reference to the resource check
bu the policy rule
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -361,28 +379,41 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string type: string
type: object type: object
resourceSelector: resourceSelector:
description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties: properties:
key: key:
description: key is the label key that the selector applies to. description: key is the label key that the selector applies
to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items: items:
type: string type: string
type: array type: array
@ -394,7 +425,11 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object type: object
type: object type: object
rule: rule:
@ -417,13 +452,23 @@ spec:
type: object type: object
type: array type: array
scope: scope:
description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like: "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -435,28 +480,37 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference is made,
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string type: string
type: object type: object
scopeSelector: scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies to. description: key is the label key that the selector applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items: items:
type: string type: string
type: array type: array
@ -468,7 +522,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object type: object
type: object type: object
summary: summary:
@ -947,17 +1004,22 @@ spec:
description: PolicyReport is the Schema for the policyreports API description: PolicyReport is the Schema for the policyreports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
type: object type: object
results: results:
description: PolicyReportResult provides result details description: PolicyReportResult provides result details
items: items:
description: PolicyReportResult provides the result for an individual policy or rule description: PolicyReportResult provides the result for an individual
policy or rule
properties: properties:
data: data:
additionalProperties: additionalProperties:
@ -965,19 +1027,31 @@ spec:
description: Data provides additional information for the policy rule description: Data provides additional information for the policy rule
type: object type: object
message: message:
description: Message is a short user friendly description of the policy rule description: Message is a short user friendly description of the policy
rule
type: string type: string
policy: policy:
description: Policy is the name of the policy description: Policy is the name of the policy
type: string type: string
resource: resource:
description: Resource is an optional reference to the resource check bu the policy rule description: Resource is an optional reference to the resource check
bu the policy rule
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -989,28 +1063,41 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string type: string
type: object type: object
resourceSelector: resourceSelector:
description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties: properties:
key: key:
description: key is the label key that the selector applies to. description: key is the label key that the selector applies
to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items: items:
type: string type: string
type: array type: array
@ -1022,7 +1109,11 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object type: object
type: object type: object
rule: rule:
@ -1045,13 +1136,23 @@ spec:
type: object type: object
type: array type: array
scope: scope:
description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like: "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -1063,7 +1164,8 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference is made,
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'


@ -353,7 +353,7 @@ func main() {
go statusSync.Run(1, stopCh) go statusSync.Run(1, stopCh)
go pCacheController.Run(1, stopCh) go pCacheController.Run(1, stopCh)
go auditHandler.Run(10, stopCh) go auditHandler.Run(10, stopCh)
go jobController.Run(1, stopCh) go jobController.Run(3, stopCh)
openAPISync.Run(1, stopCh) openAPISync.Run(1, stopCh)
// verifies if the admission control is enabled and active // verifies if the admission control is enabled and active
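Review bot: The new `go jobController.Run(3, stopCh)` hard-codes 3 as a bare literal, with no comment or named constant saying why this controller needs more workers than `statusSync` or `pCacheController`. If the first argument is the number of concurrent workers, as the sibling calls suggest, this is the first time the job sync path runs in parallel, so its handler has to tolerate concurrent invocations. That handler is outside this hunk, so please confirm that job creation is idempotent (an existing job for the same policy or report is detected before a new one is created), otherwise parallel workers could launch duplicate report jobs. I would lift the value into a named constant or add a comment on that line, for example `// 3 workers: job sync is keyed and safe to run concurrently`. main's body starts and ends outside the hunk.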


@ -321,20 +321,26 @@ spec:
subresources: {} subresources: {}
validation: validation:
openAPIV3Schema: openAPIV3Schema:
description: ClusterPolicyReport is the Schema for the clusterpolicyreports API description: ClusterPolicyReport is the Schema for the clusterpolicyreports
API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
type: object type: object
results: results:
description: PolicyReportResult provides result details description: PolicyReportResult provides result details
items: items:
description: PolicyReportResult provides the result for an individual policy or rule description: PolicyReportResult provides the result for an individual
policy or rule
properties: properties:
data: data:
additionalProperties: additionalProperties:
@ -342,19 +348,31 @@ spec:
description: Data provides additional information for the policy rule description: Data provides additional information for the policy rule
type: object type: object
message: message:
description: Message is a short user friendly description of the policy rule description: Message is a short user friendly description of the policy
rule
type: string type: string
policy: policy:
description: Policy is the name of the policy description: Policy is the name of the policy
type: string type: string
resource: resource:
description: Resource is an optional reference to the resource check bu the policy rule description: Resource is an optional reference to the resource check
bu the policy rule
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -366,28 +384,41 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string type: string
type: object type: object
resourceSelector: resourceSelector:
description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties: properties:
key: key:
description: key is the label key that the selector applies to. description: key is the label key that the selector applies
to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items: items:
type: string type: string
type: array type: array
@ -399,7 +430,11 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object type: object
type: object type: object
rule: rule:
@ -422,13 +457,23 @@ spec:
type: object type: object
type: array type: array
scope: scope:
description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like: "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -440,28 +485,37 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference is made,
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string type: string
type: object type: object
scopeSelector: scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies to. description: key is the label key that the selector applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items: items:
type: string type: string
type: array type: array
@ -473,7 +527,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object type: object
type: object type: object
summary: summary:
@ -952,17 +1009,22 @@ spec:
description: PolicyReport is the Schema for the policyreports API description: PolicyReport is the Schema for the policyreports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
type: object type: object
results: results:
description: PolicyReportResult provides result details description: PolicyReportResult provides result details
items: items:
description: PolicyReportResult provides the result for an individual policy or rule description: PolicyReportResult provides the result for an individual
policy or rule
properties: properties:
data: data:
additionalProperties: additionalProperties:
@ -970,19 +1032,31 @@ spec:
description: Data provides additional information for the policy rule description: Data provides additional information for the policy rule
type: object type: object
message: message:
description: Message is a short user friendly description of the policy rule description: Message is a short user friendly description of the policy
rule
type: string type: string
policy: policy:
description: Policy is the name of the policy description: Policy is the name of the policy
type: string type: string
resource: resource:
description: Resource is an optional reference to the resource check bu the policy rule description: Resource is an optional reference to the resource check
bu the policy rule
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -994,28 +1068,41 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string type: string
type: object type: object
resourceSelector: resourceSelector:
description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties: properties:
key: key:
description: key is the label key that the selector applies to. description: key is the label key that the selector applies
to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items: items:
type: string type: string
type: array type: array
@ -1027,7 +1114,11 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object type: object
type: object type: object
rule: rule:
@ -1050,13 +1141,23 @@ spec:
type: object type: object
type: array type: array
scope: scope:
description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like: "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -1068,7 +1169,8 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference is made,
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'


@ -321,20 +321,26 @@ spec:
subresources: {} subresources: {}
validation: validation:
openAPIV3Schema: openAPIV3Schema:
description: ClusterPolicyReport is the Schema for the clusterpolicyreports API description: ClusterPolicyReport is the Schema for the clusterpolicyreports
API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
type: object type: object
results: results:
description: PolicyReportResult provides result details description: PolicyReportResult provides result details
items: items:
description: PolicyReportResult provides the result for an individual policy or rule description: PolicyReportResult provides the result for an individual
policy or rule
properties: properties:
data: data:
additionalProperties: additionalProperties:
@ -342,19 +348,31 @@ spec:
description: Data provides additional information for the policy rule description: Data provides additional information for the policy rule
type: object type: object
message: message:
description: Message is a short user friendly description of the policy rule description: Message is a short user friendly description of the policy
rule
type: string type: string
policy: policy:
description: Policy is the name of the policy description: Policy is the name of the policy
type: string type: string
resource: resource:
description: Resource is an optional reference to the resource check bu the policy rule description: Resource is an optional reference to the resource check
bu the policy rule
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -366,28 +384,41 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string type: string
type: object type: object
resourceSelector: resourceSelector:
description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties: properties:
key: key:
description: key is the label key that the selector applies to. description: key is the label key that the selector applies
to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items: items:
type: string type: string
type: array type: array
@ -399,7 +430,11 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object type: object
type: object type: object
rule: rule:
@ -422,13 +457,23 @@ spec:
type: object type: object
type: array type: array
scope: scope:
description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like: "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -440,28 +485,37 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference is made,
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string type: string
type: object type: object
scopeSelector: scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties: properties:
key: key:
description: key is the label key that the selector applies to. description: key is the label key that the selector applies to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items: items:
type: string type: string
type: array type: array
@ -473,7 +527,10 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object type: object
type: object type: object
summary: summary:
@ -952,17 +1009,22 @@ spec:
description: PolicyReport is the Schema for the policyreports API description: PolicyReport is the Schema for the policyreports API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string type: string
kind: kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string type: string
metadata: metadata:
type: object type: object
results: results:
description: PolicyReportResult provides result details description: PolicyReportResult provides result details
items: items:
description: PolicyReportResult provides the result for an individual policy or rule description: PolicyReportResult provides the result for an individual
policy or rule
properties: properties:
data: data:
additionalProperties: additionalProperties:
@ -970,19 +1032,31 @@ spec:
description: Data provides additional information for the policy rule description: Data provides additional information for the policy rule
type: object type: object
message: message:
description: Message is a short user friendly description of the policy rule description: Message is a short user friendly description of the policy
rule
type: string type: string
policy: policy:
description: Policy is the name of the policy description: Policy is the name of the policy
type: string type: string
resource: resource:
description: Resource is an optional reference to the resource check bu the policy rule description: Resource is an optional reference to the resource check
bu the policy rule
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -994,28 +1068,41 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string type: string
type: object type: object
resourceSelector: resourceSelector:
description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
properties: properties:
matchExpressions: matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed. description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items: items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties: properties:
key: key:
description: key is the label key that the selector applies to. description: key is the label key that the selector applies
to.
type: string type: string
operator: operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string type: string
values: values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items: items:
type: string type: string
type: array type: array
@ -1027,7 +1114,11 @@ spec:
matchLabels: matchLabels:
additionalProperties: additionalProperties:
type: string type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object type: object
type: object type: object
rule: rule:
@ -1050,13 +1141,23 @@ spec:
type: object type: object
type: array type: array
scope: scope:
description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties: properties:
apiVersion: apiVersion:
description: API version of the referent. description: API version of the referent.
type: string type: string
fieldPath: fieldPath:
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like: "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string type: string
kind: kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
@ -1068,7 +1169,8 @@ spec:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string type: string
resourceVersion: resourceVersion:
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' description: 'Specific resourceVersion to which this reference is made,
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string type: string
uid: uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'

25
go.mod

@ -3,13 +3,22 @@ module github.com/nirmata/kyverno
go 1.13 go 1.13
require ( require (
cloud.google.com/go v0.52.0 // indirect
github.com/Azure/azure-sdk-for-go v38.2.0+incompatible // indirect
github.com/Azure/go-autorest/autorest v0.9.4 // indirect
github.com/Azure/go-autorest/autorest/adal v0.8.1 // indirect
github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
github.com/aws/aws-sdk-go v1.28.9 // indirect
github.com/cenkalti/backoff v2.2.1+incompatible github.com/cenkalti/backoff v2.2.1+incompatible
github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b // indirect github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b // indirect
github.com/docker/distribution v2.7.1+incompatible // indirect github.com/docker/distribution v2.7.1+incompatible // indirect
github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0 github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0
github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-connections v0.4.0 // indirect
github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/go-metrics v0.0.1 // indirect
github.com/evanphx/json-patch v4.5.0+incompatible
github.com/evanphx/json-patch/v5 v5.0.0 // indirect github.com/evanphx/json-patch/v5 v5.0.0 // indirect
github.com/fatih/color v1.9.0 // indirect
github.com/fatih/structtag v1.2.0 // indirect
github.com/gardener/controller-manager-library v0.2.0 github.com/gardener/controller-manager-library v0.2.0
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
github.com/go-logr/logr v0.1.0 github.com/go-logr/logr v0.1.0
@ -17,28 +26,36 @@ require (
github.com/go-openapi/strfmt v0.19.5 github.com/go-openapi/strfmt v0.19.5
github.com/go-openapi/validate v0.19.8 github.com/go-openapi/validate v0.19.8
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 // indirect github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
github.com/googleapis/gnostic v0.3.1 github.com/googleapis/gnostic v0.3.1
github.com/hashicorp/golang-lru v0.5.3 // indirect github.com/graymeta/stow v0.2.4 // indirect
github.com/hashicorp/golang-lru v0.5.4 // indirect
github.com/imdario/mergo v0.3.8 // indirect github.com/imdario/mergo v0.3.8 // indirect
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af
github.com/json-iterator/go v1.1.9 // indirect github.com/json-iterator/go v1.1.9 // indirect
github.com/julienschmidt/httprouter v1.3.0 github.com/julienschmidt/httprouter v1.3.0
github.com/lyft/flytestdlib v0.2.31
github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a
github.com/mattn/go-isatty v0.0.12 // indirect
github.com/minio/minio v0.0.0-20200114012931-30922148fbb5 github.com/minio/minio v0.0.0-20200114012931-30922148fbb5
github.com/morikuni/aec v1.0.0 // indirect github.com/morikuni/aec v1.0.0 // indirect
github.com/onsi/ginkgo v1.11.0 github.com/onsi/ginkgo v1.11.0
github.com/onsi/gomega v1.8.1 github.com/onsi/gomega v1.8.1
github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.0.1 // indirect github.com/opencontainers/image-spec v1.0.1 // indirect
github.com/pelletier/go-toml v1.6.0 // indirect
github.com/pkg/errors v0.9.1 github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.3.0 // indirect
github.com/prometheus/common v0.9.1 // indirect
github.com/spf13/cast v1.3.1 // indirect
github.com/spf13/cobra v1.0.0 github.com/spf13/cobra v1.0.0
github.com/spf13/viper v1.6.2 // indirect
github.com/stretchr/testify v1.4.0 github.com/stretchr/testify v1.4.0
github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5 github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
golang.org/x/tools v0.0.0-20200823205832-c024452afbcd // indirect golang.org/x/tools v0.0.0-20200823205832-c024452afbcd // indirect
google.golang.org/appengine v1.6.5 // indirect google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150 // indirect
gopkg.in/ini.v1 v1.51.1 // indirect
gopkg.in/yaml.v2 v2.3.0 gopkg.in/yaml.v2 v2.3.0
gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71 gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71
gotest.tools v2.2.0+incompatible gotest.tools v2.2.0+incompatible


@ -59,7 +59,7 @@ var (
// KubePolicyDeploymentName define the default deployment namespace // KubePolicyDeploymentName define the default deployment namespace
KubePolicyDeploymentName = "kyverno" KubePolicyDeploymentName = "kyverno"
// Kyverno CLI Image // Kyverno CLI Image
KyvernoCliImage = "evalsocket/kyverno-cli:latest" KyvernoCliImage = "nirmata/kyverno-cli:latest"
//WebhookServiceName default kyverno webhook service name //WebhookServiceName default kyverno webhook service name
WebhookServiceName = getWebhookServiceName() WebhookServiceName = getWebhookServiceName()
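Review bot: `KyvernoCliImage` still uses the mutable `:latest` tag after the move to the `nirmata` repository, so the image behind this constant can change without any change to this code, and two pulls at different times can run different builds. Pin it to a release tag or, better, an image digest, for example `KyvernoCliImage = "nirmata/kyverno-cli:<release-tag>"` (placeholder), and bump it with each release. If this constant feeds the job template (not visible in this hunk), the pin also fixes which code runs with the job's service account. The comment above `KubePolicyDeploymentName` says "namespace" where the value names the deployment.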


@ -2,6 +2,7 @@ package jobs
import ( import (
"fmt" "fmt"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"strings" "strings"
"sync" "sync"
"time" "time"
@ -205,27 +206,27 @@ func (j *Job) syncHandler(info JobInfo) error {
defer func() { defer func() {
j.mux.Unlock() j.mux.Unlock()
}() }()
j.log.V(2).Info("Configmap sync at ", "policy", info)
j.mux.Lock() j.mux.Lock()
var wg sync.WaitGroup
if info.JobType == "POLICYSYNC" { if info.JobType == "POLICYSYNC" {
var wg sync.WaitGroup
wg.Add(3) wg.Add(3)
go j.syncKyverno(&wg, "Helm", "SYNC",info.JobData) go j.syncKyverno(&wg, "Helm", "SYNC",info.JobData)
go j.syncKyverno(&wg, "Namespace", "SYNC",info.JobData) go j.syncKyverno(&wg, "Namespace", "SYNC",info.JobData)
go j.syncKyverno(&wg, "Cluster", "SYNC",info.JobData) go j.syncKyverno(&wg, "Cluster", "SYNC",info.JobData)
wg.Wait() }else if info.JobType == "CONFIGMAP" {
return nil if info.JobData != "" {
str := strings.Split(info.JobData,",")
wg.Add(len(str))
for _,scope := range str {
go j.syncKyverno(&wg, scope, "CONFIGMAP","")
}
}
} }
var wg sync.WaitGroup
wg.Add(3)
go j.syncKyverno(&wg, "Helm", "CONFIGMAP","")
go j.syncKyverno(&wg, "Namespace", "CONFIGMAP","")
go j.syncKyverno(&wg, "Cluster", "CONFIGMAP","")
wg.Wait()
return nil return nil
} }
func (j *Job) syncKyverno(wg *sync.WaitGroup, jobType, scope,data string) { func (j *Job) syncKyverno(wg *sync.WaitGroup, jobType, scope,data string) {
var args []string var args []string
var mode string var mode string
if scope == "SYNC" || scope == "POLICYSYNC" { if scope == "SYNC" || scope == "POLICYSYNC" {
@ -262,6 +263,7 @@ func (j *Job) syncKyverno(wg *sync.WaitGroup, jobType, scope,data string) {
args = append(args,fmt.Sprintf("-p=%s", data)) args = append(args,fmt.Sprintf("-p=%s", data))
} }
go j.CreateJob(args, jobType, scope, wg) go j.CreateJob(args, jobType, scope, wg)
wg.Wait()
} }
// CreateJob will create Job template for background scan // CreateJob will create Job template for background scan
@ -298,16 +300,23 @@ func (j *Job) CreateJob(args []string, jobType, scope string, wg *sync.WaitGroup
} }
deadline := time.Now().Add(30 * time.Second) deadline := time.Now().Add(30 * time.Second)
for { for {
time.Sleep(20*time.Second)
resource, err := j.dclient.GetResource("", "Job", config.KubePolicyNamespace, job.GetName()) resource, err := j.dclient.GetResource("", "Job", config.KubePolicyNamespace, job.GetName())
if err != nil { if err != nil {
if apierrors.IsNotFound(err) {
j.log.Error(err,"job is already deleted","job_name",job.GetName())
break
}
continue continue
} }
job := v1.Job{} job := v1.Job{}
if err := runtime.DefaultUnstructuredConverter.FromUnstructured(resource.UnstructuredContent(), &job); err != nil { if err := runtime.DefaultUnstructuredConverter.FromUnstructured(resource.UnstructuredContent(), &job); err != nil {
j.log.Error(err,"Error in converting job Default Unstructured Converter","job_name",job.GetName())
continue continue
} }
if time.Now().After(deadline) { if time.Now().After(deadline) {
if err := j.dclient.DeleteResource("", "Job", config.KubePolicyNamespace, job.GetName(), false); err != nil { if err := j.dclient.DeleteResource("", "Job", config.KubePolicyNamespace, job.GetName(), false); err != nil {
j.log.Error(err,"Error in deleting jobs","job_name",job.GetName())
continue continue
} }
break break
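Review bot: In the CreateJob polling loop, every failure path except the new `apierrors.IsNotFound` break reaches `continue` before the `time.Now().After(deadline)` check, so a persistent GetResource, conversion or DeleteResource error keeps the goroutine looping with no upper bound (now sleeping 20 seconds per pass), and whatever waits on the WaitGroup waits with it. Evaluate the deadline at the top of each pass and give up after a bounded number of failed attempts instead of retrying forever. The added conversion-error log reads `job.GetName()` from the inner `job := v1.Job{}`, which shadows the created job, so it most likely logs an empty name; rename the inner variable (for example `current := v1.Job{}`) and log the outer job's name. With a 20-second sleep and a 30-second deadline the loop observes the job only twice before deleting it, which deserves a comment if intended. The function begins and ends outside this hunk.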


@ -100,19 +100,18 @@ func backgroundScan(n, scope,policychange string, wg *sync.WaitGroup, restConfig
log.Log.WithName("ConfigData"), log.Log.WithName("ConfigData"),
) )
var cpolicies []*kyvernov1.ClusterPolicy var cpolicies []*kyvernov1.ClusterPolicy
var removePolicy []string removePolicy := []string{}
policySelector := strings.Split(policychange,",") policySelector := strings.Split(policychange,",")
if len(policySelector) > 0 { if len(policySelector) > 0 && policychange != "" {
for _,v := range policySelector { for _,v := range policySelector {
cpolicy, err := cpi.Lister().Get(v); cpolicy, err := cpi.Lister().Get(v);
if err != nil { if err != nil {
if apierrors.IsNotFound(err){ if apierrors.IsNotFound(err){
removePolicy = append(removePolicy,cpolicy.GetName()) removePolicy = append(removePolicy,v)
} }
}else{ }else{
cpolicies = append(cpolicies, cpolicy) cpolicies = append(cpolicies, cpolicy)
} }
for _,v := range policySelector { for _,v := range policySelector {
policies, err := pi.Lister().List(labels.Everything()) policies, err := pi.Lister().List(labels.Everything())
if err == nil { if err == nil {
@ -144,7 +143,6 @@ func backgroundScan(n, scope,policychange string, wg *sync.WaitGroup, restConfig
} }
// key uid // key uid
resourceMap := map[string]unstructured.Unstructured{} resourceMap := map[string]unstructured.Unstructured{}
var engineResponses []response.EngineResponse var engineResponses []response.EngineResponse
@ -299,7 +297,7 @@ func backgroundScan(n, scope,policychange string, wg *sync.WaitGroup, restConfig
} }
} }
os.Exit(0)
// Create Policy Report // Create Policy Report
} }
@ -441,6 +439,7 @@ func configmapScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config)
} }
} }
os.Exit(0)
} }
func mergeReport(pr *policyreportv1alpha1.PolicyReport, results []policyreportv1alpha1.PolicyReportResult,removePolicy []string) (*policyreportv1alpha1.PolicyReport, string) { func mergeReport(pr *policyreportv1alpha1.PolicyReport, results []policyreportv1alpha1.PolicyReportResult,removePolicy []string) (*policyreportv1alpha1.PolicyReport, string) {
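Review bot: The `os.Exit(0)` added at the end of configmapScan (and the one shown at the end of backgroundScan) terminates the whole process from inside a function that the namespace command starts once per namespace with `go backgroundScan(...)`. The first scan to finish would therefore stop the remaining scans before they complete, and it bypasses deferred cleanup and the caller's `wg.Wait()`. Remove the exit from the scan functions and let the command return once `wg.Wait()` has completed. In the policy lookup, an error from `cpi.Lister().Get(v)` that is not NotFound is dropped silently; log it so a skipped policy is visible in the job output. Both functions start outside these hunks.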


@ -58,24 +58,21 @@ func NamespaceCommand() *cobra.Command {
log.Log.Error(err, "Failed to create kubernetes client") log.Log.Error(err, "Failed to create kubernetes client")
os.Exit(1) os.Exit(1)
} }
var wg sync.WaitGroup
if mode == "cli" { if mode == "cli" {
ns, err := nLister.List(labels.Everything()) ns, err := nLister.List(labels.Everything())
if err != nil { if err != nil {
os.Exit(1) os.Exit(1)
} }
var wg sync.WaitGroup
wg.Add(len(ns)) wg.Add(len(ns))
for _, n := range ns { for _, n := range ns {
go backgroundScan(n.GetName(), "Namespace",policy, &wg, restConfig) go backgroundScan(n.GetName(), "Namespace",policy, &wg, restConfig)
} }
wg.Wait()
} else { } else {
var wg sync.WaitGroup
wg.Add(1) wg.Add(1)
go configmapScan("", "Namespace", &wg, restConfig) go configmapScan("", "Namespace", &wg, restConfig)
wg.Wait()
return nil
} }
wg.Wait()
<-stopCh <-stopCh
return nil return nil
}, },
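Review bot: After the hoisted `wg.Wait()` the command still blocks on `<-stopCh`, so a run whose scans have all finished does not return until a stop signal arrives (assuming `stopCh` is the signal channel created outside the hunk); the old else branch returned right after its own wait. If the job is meant to end when scanning ends, return directly after the wait, i.e. `wg.Wait()` followed by `return nil`. The `nLister.List` error path also exits with status 1 without logging `err`, which makes a failed job hard to diagnose; add `log.Log.Error(err, "Failed to list namespaces")` before that `os.Exit(1)`. The enclosing function starts outside the hunk.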


@ -146,18 +146,7 @@ func NewPRGenerator(client *policyreportclient.Clientset,
}, },
job: job, job: job,
} }
go func() {
for k := range time.Tick(60 * time.Second) {
gen.log.V(2).Info("Configmap sync at ", "time", k.String())
err := gen.createConfigmap()
gen.job.Add(jobs.JobInfo{
JobType: "CONFIGMAP",
})
if err != nil {
gen.log.Error(err, "configmap error")
}
}
}()
return &gen return &gen
} }
@ -192,6 +181,34 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
for i := 0; i < workers; i++ { for i := 0; i < workers; i++ {
go wait.Until(gen.runWorker, constant.PolicyViolationControllerResync, stopCh) go wait.Until(gen.runWorker, constant.PolicyViolationControllerResync, stopCh)
} }
go func() {
for k := range time.Tick(60 * time.Second) {
gen.log.V(2).Info("Configmap sync at ", "time", k.String())
err := gen.createConfigmap()
scops := []string{}
if len(gen.inMemoryConfigMap.Namespace) > 0 {
scops = append(scops,"Namespace")
}
if len(gen.inMemoryConfigMap.Helm) > 0 {
scops = append(scops,"Helm")
}
if len(gen.inMemoryConfigMap.Cluster["cluster"]) > 0 {
scops = append(scops,"Cluster")
}
gen.job.Add(jobs.JobInfo{
JobType: "CONFIGMAP",
JobData: strings.Join(scops,","),
})
if err != nil {
gen.log.Error(err, "configmap error")
}
gen.inMemoryConfigMap = &PVEvent{
Helm: make(map[string][]Info),
Namespace: make(map[string][]Info),
Cluster: make(map[string][]Info),
}
}
}()
<-stopCh <-stopCh
} }
@ -286,11 +303,6 @@ func (gen *Generator) createConfigmap() error {
if err != nil { if err != nil {
return err return err
} }
gen.inMemoryConfigMap = &PVEvent{
Helm: make(map[string][]Info),
Namespace: make(map[string][]Info),
Cluster: make(map[string][]Info),
}
return nil return nil
} }
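Review bot: In the ticker goroutine moved into Run, the `err` from `gen.createConfigmap()` is only logged after the CONFIGMAP job has been queued, and `gen.inMemoryConfigMap` is then reset unconditionally. When the ConfigMap write fails, the pending entries are discarded and a job is started against data that was never stored; before this change the reset sat inside createConfigmap after the error check. Handle the error first: `if err != nil { gen.log.Error(err, "configmap error"); continue }`. The loop ranges over `time.Tick` and never looks at `stopCh`, so it keeps running after Run returns; a `time.NewTicker` with a `select` on `stopCh` would end it. The goroutine also reads and replaces `gen.inMemoryConfigMap` with no lock visible in the hunk, so it needs the same guard the workers use if they write to that map concurrently.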


@ -144,7 +144,7 @@ func NewPVGenerator(client *kyvernoclient.Clientset,
log, log,
stopChna, stopChna,
) )
go gen.prgen.Run(4, stopChna) go gen.prgen.Run(3, stopChna)
} }
return &gen return &gen