mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
sibling of 4b820557fc
This commit is contained in:
dependabot[bot]
GitHub
parent
b475861663
commit
cf8be6611e
170 changed files with 1191 additions and 3440 deletions
|
|
@ -1,4 +1,4 @@
|
|||
FROM ubuntu:24.04@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab
|
||||
FROM ubuntu:24.04@sha256:dfc10878be8d8fc9c61cbff33166cb1d1fe44391539243703c72766894fa834a
|
||||
|
||||
RUN apt-get update && apt-get install -y sudo git curl apt-transport-https ca-certificates gnupg-agent software-properties-common
|
||||
ARG USERNAME=root
|
||||
|
|
|
|||
23
.github/ISSUE_TEMPLATE/bug-cli.yaml
vendored
23
.github/ISSUE_TEMPLATE/bug-cli.yaml
vendored
|
|
@ -11,8 +11,28 @@ body:
|
|||
id: kyverno-version
|
||||
attributes:
|
||||
label: Kyverno CLI Version
|
||||
description: What version of Kyverno are you running? For prior unsupported versions, please add the version in the description.
|
||||
description: >-
|
||||
What version of the Kyverno CLI are you running (`kyverno version`)?
|
||||
options:
|
||||
- 1.8.0
|
||||
- 1.8.1
|
||||
- 1.8.2
|
||||
- 1.8.3
|
||||
- 1.8.4
|
||||
- 1.8.5
|
||||
- 1.9.0
|
||||
- 1.9.1
|
||||
- 1.9.2
|
||||
- 1.9.3
|
||||
- 1.9.4
|
||||
- 1.9.5
|
||||
- 1.10.0
|
||||
- 1.10.1
|
||||
- 1.10.2
|
||||
- 1.10.3
|
||||
- 1.10.4
|
||||
- 1.10.5
|
||||
- 1.10.6
|
||||
- 1.11.0
|
||||
- 1.11.1
|
||||
- 1.11.2
|
||||
|
|
@ -25,7 +45,6 @@ body:
|
|||
- 1.12.3
|
||||
- 1.12.4
|
||||
- 1.12.5
|
||||
- 1.13.0
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
|
|
|
|||
22
.github/ISSUE_TEMPLATE/bug-other.yaml
vendored
22
.github/ISSUE_TEMPLATE/bug-other.yaml
vendored
|
|
@ -11,8 +11,27 @@ body:
|
|||
id: kyverno-version
|
||||
attributes:
|
||||
label: Kyverno Version
|
||||
description: What version of Kyverno are you running? For prior unsupported versions, please add the version in the description.
|
||||
description: What version of Kyverno are you running?
|
||||
options:
|
||||
- 1.8.0
|
||||
- 1.8.1
|
||||
- 1.8.2
|
||||
- 1.8.3
|
||||
- 1.8.4
|
||||
- 1.8.5
|
||||
- 1.9.0
|
||||
- 1.9.1
|
||||
- 1.9.2
|
||||
- 1.9.3
|
||||
- 1.9.4
|
||||
- 1.9.5
|
||||
- 1.10.0
|
||||
- 1.10.1
|
||||
- 1.10.2
|
||||
- 1.10.3
|
||||
- 1.10.4
|
||||
- 1.10.5
|
||||
- 1.10.6
|
||||
- 1.11.0
|
||||
- 1.11.1
|
||||
- 1.11.2
|
||||
|
|
@ -25,7 +44,6 @@ body:
|
|||
- 1.12.3
|
||||
- 1.12.4
|
||||
- 1.12.5
|
||||
- 1.13.0
|
||||
validations:
|
||||
required: true
|
||||
- type: textarea
|
||||
|
|
|
|||
10
.github/ISSUE_TEMPLATE/bug-webhook.yaml
vendored
10
.github/ISSUE_TEMPLATE/bug-webhook.yaml
vendored
|
|
@ -11,13 +11,11 @@ body:
|
|||
id: kyverno-version
|
||||
attributes:
|
||||
label: Kyverno Version
|
||||
description: What version of Kyverno are you running? For prior unsupported versions, please add the version in the description.
|
||||
description: What version of Kyverno are you running?
|
||||
options:
|
||||
- 1.11.0
|
||||
- 1.11.1
|
||||
- 1.11.2
|
||||
- 1.11.3
|
||||
- 1.11.4
|
||||
- 1.8.5
|
||||
- 1.9.5
|
||||
- 1.10.6
|
||||
- 1.11.5
|
||||
- 1.12.0
|
||||
- 1.12.1
|
||||
|
|
|
|||
2
.github/actions/publish-image/action.yaml
vendored
2
.github/actions/publish-image/action.yaml
vendored
|
|
@ -59,7 +59,7 @@ runs:
|
|||
with:
|
||||
version: v1
|
||||
args: app -licenses -json -output ${{ inputs.sbom-name }}-bom.cdx.json -main ${{ inputs.main-path }}
|
||||
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||
with:
|
||||
name: ${{ inputs.sbom-name }}-bom-cdx
|
||||
path: ${{ inputs.sbom-name }}-bom.cdx.json
|
||||
|
|
|
|||
138
.github/actions/run-tests/action.yaml
vendored
138
.github/actions/run-tests/action.yaml
vendored
|
|
@ -28,9 +28,6 @@ inputs:
|
|||
shard-count:
|
||||
description: Shard count
|
||||
default: '0'
|
||||
upgrade-scenario:
|
||||
description: Determines which version to upgrade from
|
||||
required: true
|
||||
runs:
|
||||
using: composite
|
||||
steps:
|
||||
|
|
@ -39,9 +36,9 @@ runs:
|
|||
id: helm
|
||||
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
|
||||
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
|
||||
- name: Install chainsaw
|
||||
uses: kyverno/action-install-chainsaw@f2b47b97dc889c12702113753d713f01ec268de5 # v0.2.12
|
||||
uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11
|
||||
with:
|
||||
verify: true
|
||||
# create cluster
|
||||
|
|
@ -61,123 +58,12 @@ runs:
|
|||
run: |
|
||||
set -e
|
||||
kind load image-archive kyverno.tar --name kind
|
||||
- name: Determine Previous Version
|
||||
id: determine-prev-version
|
||||
- name: Install kyverno
|
||||
shell: bash
|
||||
run: |
|
||||
set -ex
|
||||
export HELM=${{ steps.helm.outputs.helm-path }}
|
||||
|
||||
$HELM repo add kyverno https://kyverno.github.io/kyverno
|
||||
$HELM repo update
|
||||
|
||||
case "${{ inputs.upgrade-scenario }}" in
|
||||
"patch")
|
||||
export INSTALL_VERSION=$($HELM search repo kyverno/kyverno --devel --versions | awk -F' +' '{print $2}' | awk '{$1=$1};1' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+(\.[0-9]+)?)?$' | awk -F. '!seen[$1"."$2"."$3]++' | head -2 | tail -1)
|
||||
;;
|
||||
"minor")
|
||||
export INSTALL_VERSION=$($HELM search repo kyverno/kyverno --devel --versions | awk -F' +' '{print $2}' | awk '{$1=$1};1' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+(\.[0-9]+)?)?$' | awk -F. '!seen[$1"."$2]++' | head -2 | tail -1)
|
||||
;;
|
||||
"latest")
|
||||
export INSTALL_VERSION=$($HELM search repo kyverno/kyverno --devel -o json | jq -r '.[0].version')
|
||||
;;
|
||||
*)
|
||||
export INSTALL_VERSION=none
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "::set-output name=prev_version::$INSTALL_VERSION"
|
||||
- name: Checkout Previous Version
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
if: ${{ steps.determine-prev-version.outputs.prev_version != 'none' }}
|
||||
with:
|
||||
repository: kyverno/kyverno
|
||||
ref: kyverno-chart-${{ steps.determine-prev-version.outputs.prev_version }}
|
||||
path: prev-version
|
||||
- name: Install Kyverno from prev-version
|
||||
if: ${{ steps.determine-prev-version.outputs.prev_version != 'none' }}
|
||||
shell: bash
|
||||
run: |
|
||||
set -ex
|
||||
set -e
|
||||
export HELM=${{ steps.helm.outputs.helm-path }}
|
||||
export USE_CONFIG=${{ inputs.kyverno-configs }}
|
||||
|
||||
cd prev-version
|
||||
|
||||
IFS=',' read -ra CONFIGS <<< "$USE_CONFIG"
|
||||
for config in "${CONFIGS[@]}"; do
|
||||
if [ ! -f ./scripts/config/$config/kyverno.yaml ]; then
|
||||
echo "Skipping installation of Kyverno from prev-version for config: $config"
|
||||
exit 0
|
||||
fi
|
||||
done
|
||||
|
||||
export INSTALL_VERSION=${{ steps.determine-prev-version.outputs.prev_version }}
|
||||
echo "Installing Kyverno using Helm with Chart version $INSTALL_VERSION"
|
||||
make -C .. kind-install-kyverno-from-repo
|
||||
- name: Determine Next Version
|
||||
id: determine-next-version
|
||||
shell: bash
|
||||
run: |
|
||||
set -ex
|
||||
export HELM=${{ steps.helm.outputs.helm-path }}
|
||||
|
||||
$HELM repo add kyverno https://kyverno.github.io/kyverno
|
||||
$HELM repo update
|
||||
|
||||
case "${{ inputs.upgrade-scenario }}" in
|
||||
"patch")
|
||||
export INSTALL_VERSION=$($HELM search repo kyverno/kyverno --devel --versions | awk -F' +' '{print $2}' | awk '{$1=$1};1' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+(\.[0-9]+)?)?$' | awk -F. '!seen[$1"."$2"."$3]++' | head -1)
|
||||
;;
|
||||
"minor")
|
||||
export INSTALL_VERSION=$($HELM search repo kyverno/kyverno --devel --versions | awk -F' +' '{print $2}' | awk '{$1=$1};1' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+(\.[0-9]+)?)?$' | awk -F. '!seen[$1"."$2]++' | head -1)
|
||||
;;
|
||||
"latest")
|
||||
export INSTALL_VERSION=main
|
||||
;;
|
||||
*)
|
||||
export INSTALL_VERSION=main
|
||||
;;
|
||||
esac
|
||||
|
||||
echo "::set-output name=next_version::$INSTALL_VERSION"
|
||||
- name: Checkout Next Version
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
if: ${{ steps.determine-next-version.outputs.next_version != 'main' }}
|
||||
with:
|
||||
repository: kyverno/kyverno
|
||||
ref: kyverno-chart-${{ steps.determine-next-version.outputs.next_version }}
|
||||
path: next-version
|
||||
- name: Install Kyverno from next-version
|
||||
if: ${{ steps.determine-next-version.outputs.next_version != 'main' }}
|
||||
shell: bash
|
||||
run: |
|
||||
set -ex
|
||||
export HELM=${{ steps.helm.outputs.helm-path }}
|
||||
export USE_CONFIG=${{ inputs.kyverno-configs }}
|
||||
|
||||
cd next-version
|
||||
|
||||
IFS=',' read -ra CONFIGS <<< "$USE_CONFIG"
|
||||
for config in "${CONFIGS[@]}"; do
|
||||
if [ ! -f ./scripts/config/$config/kyverno.yaml ]; then
|
||||
echo "Skipping installation of Kyverno from prev-version for config: $config"
|
||||
exit 0
|
||||
fi
|
||||
done
|
||||
|
||||
export INSTALL_VERSION=${{ steps.determine-next-version.outputs.next_version }}
|
||||
echo "Installing Kyverno using Helm with Chart version $INSTALL_VERSION"
|
||||
make -C .. kind-install-kyverno-from-repo
|
||||
- name: Install Kyverno from main
|
||||
if: ${{ steps.determine-next-version.outputs.next_version == 'main' }}
|
||||
shell: bash
|
||||
run: |
|
||||
set -ex
|
||||
export HELM=${{ steps.helm.outputs.helm-path }}
|
||||
export USE_CONFIG=${{ inputs.kyverno-configs }}
|
||||
|
||||
echo "Installing Kyverno from main"
|
||||
make kind-install-kyverno
|
||||
- name: Wait for kyverno ready
|
||||
uses: ./.github/actions/kyverno-wait-ready
|
||||
|
|
@ -192,20 +78,6 @@ runs:
|
|||
echo "${GOBIN}" >> "${GITHUB_PATH}"
|
||||
# run tests
|
||||
- name: Test with Chainsaw
|
||||
if: ${{ steps.determine-next-version.outputs.next_version != 'main' }}
|
||||
shell: bash
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ inputs.token }}
|
||||
run: |
|
||||
set -e
|
||||
cd ./next-version/test/conformance/chainsaw
|
||||
chainsaw test ${{ inputs.tests-path }} \
|
||||
--config ../${{ inputs.chainsaw-config }} \
|
||||
--include-test-regex '^chainsaw$/${{ inputs.chainsaw-tests }}' \
|
||||
--shard-index ${{ inputs.shard-index }} \
|
||||
--shard-count ${{ inputs.shard-count }}
|
||||
- name: Test with Chainsaw
|
||||
if: ${{ steps.determine-next-version.outputs.next_version == 'main' }}
|
||||
shell: bash
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ inputs.token }}
|
||||
|
|
@ -220,4 +92,4 @@ runs:
|
|||
# debug
|
||||
- name: Debug failure
|
||||
if: failure()
|
||||
uses: ./.github/actions/kyverno-logs
|
||||
uses: ./.github/actions/kyverno-logs
|
||||
2
.github/actions/setup-build-env/action.yaml
vendored
2
.github/actions/setup-build-env/action.yaml
vendored
|
|
@ -27,7 +27,7 @@ runs:
|
|||
if: ${{ inputs.unshallow == 'true' }}
|
||||
run: |
|
||||
git fetch --prune --unshallow
|
||||
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
|
||||
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
|
||||
with:
|
||||
go-version: ~1.23.1
|
||||
- shell: bash
|
||||
|
|
|
|||
6
.github/actions/setup-caches/action.yaml
vendored
6
.github/actions/setup-caches/action.yaml
vendored
|
|
@ -9,15 +9,15 @@ inputs:
|
|||
runs:
|
||||
using: composite
|
||||
steps:
|
||||
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
|
||||
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
|
||||
with:
|
||||
path: ~/go/pkg/mod
|
||||
key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
|
||||
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
|
||||
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
|
||||
with:
|
||||
path: ~/.cache/kyverno/tools
|
||||
key: ${{ runner.os }}-cache-kyverno-tools-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
|
||||
- uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
|
||||
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
|
||||
if: ${{ inputs.build-cache-key }}
|
||||
with:
|
||||
path: ~/.cache/go-build
|
||||
|
|
|
|||
4
.github/workflows/check-actions.yaml
vendored
4
.github/workflows/check-actions.yaml
vendored
|
|
@ -15,9 +15,9 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Ensure SHA pinned actions
|
||||
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@5d6ac37a4cef8b8df67f482a8e384987766f0213 # v3.0.17
|
||||
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@0901cf7b71c7ea6261ec69a3dc2bd3f9264f893e # v3.0.12
|
||||
with:
|
||||
# slsa-github-generator requires using a semver tag for reusable workflows.
|
||||
# See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
|
||||
|
|
|
|||
2
.github/workflows/clean-stale-branches.yaml
vendored
2
.github/workflows/clean-stale-branches.yaml
vendored
|
|
@ -10,7 +10,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Cleanup Stale Branches
|
||||
uses: cbrgm/cleanup-stale-branches-action@7e6763a2d1cc33eaf2df502f5c44a91950d22478 # v1.1.24
|
||||
uses: cbrgm/cleanup-stale-branches-action@07d311426eed2eff32c70ca5f8b47297ce7469e9 # v1.1.21
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
repository: ${{ github.repository }}
|
||||
|
|
|
|||
4
.github/workflows/cli.yaml
vendored
4
.github/workflows/cli.yaml
vendored
|
|
@ -19,7 +19,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -52,7 +52,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
|
|||
8
.github/workflows/codecov.yaml
vendored
8
.github/workflows/codecov.yaml
vendored
|
|
@ -19,7 +19,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -34,7 +34,7 @@ jobs:
|
|||
- name: Generate Code Coverage Report
|
||||
run: make code-cov-report
|
||||
- name: Upload coverage
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||
with:
|
||||
name: coverage.out
|
||||
path: coverage.out
|
||||
|
|
@ -47,13 +47,13 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Download coverage
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
with:
|
||||
name: coverage.out
|
||||
- name: Upload Report to Codecov
|
||||
uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
|
||||
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
|
||||
with:
|
||||
files: ./coverage.out
|
||||
fail_ci_if_error: true
|
||||
|
|
|
|||
211
.github/workflows/conformance.yaml
vendored
211
.github/workflows/conformance.yaml
vendored
|
|
@ -9,34 +9,17 @@ on:
|
|||
branches:
|
||||
- "main"
|
||||
- "release*"
|
||||
schedule:
|
||||
- cron: "43 0 * * 0"
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
define-matrix:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
upgrades: ${{ steps.upgrades.outputs.upgrades }}
|
||||
steps:
|
||||
- name: Set Upgarde Scenarios
|
||||
id: upgrades
|
||||
run: |
|
||||
set -e
|
||||
if [[ ${{ github.event_name }} == 'schedule' ]]; then
|
||||
echo 'upgrades=["latest","minor","patch"]' >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo 'upgrades=["none"]' >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
prepare-images:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -54,7 +37,7 @@ jobs:
|
|||
set -e
|
||||
VERSION=${{ github.ref_name }} make docker-save-image-all
|
||||
- name: upload images archive
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||
with:
|
||||
name: kyverno.tar
|
||||
path: kyverno.tar
|
||||
|
|
@ -65,7 +48,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -76,14 +59,14 @@ jobs:
|
|||
uses: ./.github/actions/setup-build-env
|
||||
timeout-minutes: 10
|
||||
with:
|
||||
free-disk-space: false
|
||||
free-disk-space: true
|
||||
- name: Build CLI
|
||||
shell: bash
|
||||
run: |
|
||||
set -e
|
||||
VERSION=${{ github.ref_name }} make build-cli
|
||||
- name: upload images archive
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||
with:
|
||||
name: kubectl-kyverno
|
||||
path: cmd/cli/kubectl-kyverno/kubectl-kyverno
|
||||
|
|
@ -98,17 +81,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: assert
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
autogen:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -118,17 +99,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: autogen
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
background-only:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -138,17 +117,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: background-only
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
cleanup:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -158,17 +135,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: cleanup
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
deferred:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -178,17 +153,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: deferred
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
events:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -198,17 +171,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: events
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
exceptions:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -218,11 +189,10 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
shard-index: [0,1]
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -231,7 +201,6 @@ jobs:
|
|||
tests-path: exceptions
|
||||
shard-index: ${{ matrix.shard-index }}
|
||||
shard-count: 2
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
filter:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -241,17 +210,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: filter
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
force-failure-policy-ignore:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -261,17 +228,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard,force-failure-policy-ignore
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: force-failure-policy-ignore
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
generate:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -281,11 +246,10 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
shard-index: [0,1,2,3,4,5,6,7]
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -294,7 +258,6 @@ jobs:
|
|||
tests-path: generate
|
||||
shard-index: ${{ matrix.shard-index }}
|
||||
shard-count: 8
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
generate-validating-admission-policy:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -304,10 +267,9 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -315,7 +277,6 @@ jobs:
|
|||
kyverno-configs: standard,generate-validating-admission-policy
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: generate-validating-admission-policy
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
globalcontext:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -325,17 +286,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: globalcontext
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
lease:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -345,17 +304,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: lease
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
mutate:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -365,11 +322,10 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
shard-index: [0,1,2]
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -378,7 +334,6 @@ jobs:
|
|||
tests-path: mutate
|
||||
shard-index: ${{ matrix.shard-index }}
|
||||
shard-count: 3
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
policy-validation:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -388,17 +343,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: policy-validation
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
rangeoperators:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -408,17 +361,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: rangeoperators
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
rbac:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -429,17 +380,15 @@ jobs:
|
|||
matrix:
|
||||
kyverno-configs: [ standard, default, 'standard,force-failure-policy-ignore' ]
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: ${{ matrix.kyverno-configs }}
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: rbac
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
reports:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -449,11 +398,10 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
shard-index: [0,1]
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -462,7 +410,6 @@ jobs:
|
|||
tests-path: reports
|
||||
shard-index: ${{ matrix.shard-index }}
|
||||
shard-count: 2
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
ttl:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -472,17 +419,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard,ttl
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: ttl
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
validate:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -492,11 +437,10 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
shard-index: [0,1,2,3,4,5]
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -505,7 +449,6 @@ jobs:
|
|||
tests-path: validate
|
||||
shard-index: ${{ matrix.shard-index }}
|
||||
shard-count: 6
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
validating-admission-policy-reports:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -515,10 +458,9 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -526,7 +468,6 @@ jobs:
|
|||
kyverno-configs: standard,validating-admission-policy-reports
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: validating-admission-policy-reports
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
verify-manifests:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -536,17 +477,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: verify-manifests
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
verifyImages:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -556,11 +495,10 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
shard-index: [0,1]
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -569,7 +507,6 @@ jobs:
|
|||
tests-path: verifyImages
|
||||
shard-index: ${{ matrix.shard-index }}
|
||||
shard-count: 2
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
webhook-configurations:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -579,10 +516,9 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -590,7 +526,6 @@ jobs:
|
|||
kyverno-configs: standard,generate-validating-admission-policy
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: webhook-configurations
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
webhooks:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -600,17 +535,15 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
kyverno-configs: standard
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: webhooks
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
sigstore-custom-tuf:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -620,10 +553,9 @@ jobs:
|
|||
fail-fast: false
|
||||
matrix:
|
||||
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
|
||||
upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }}
|
||||
needs: [ define-matrix, prepare-images ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- uses: ./.github/actions/run-tests
|
||||
with:
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -631,7 +563,6 @@ jobs:
|
|||
kyverno-configs: standard,sigstore-custom-tuf
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
tests-path: sigstore-custom-tuf
|
||||
upgrade-scenario: ${{ matrix.upgrade }}
|
||||
|
||||
custom-sigstore:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -649,7 +580,7 @@ jobs:
|
|||
needs: prepare-images
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
# install tools
|
||||
- name: Install helm
|
||||
id: helm
|
||||
|
|
@ -657,14 +588,14 @@ jobs:
|
|||
- name: Install crane
|
||||
uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
|
||||
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
|
||||
- name: Install chainsaw
|
||||
uses: kyverno/action-install-chainsaw@f2b47b97dc889c12702113753d713f01ec268de5 # v0.2.12
|
||||
uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11
|
||||
with:
|
||||
verify: true
|
||||
# create cluster
|
||||
- name: Create kind cluster and setup Sigstore Scaffolding
|
||||
uses: sigstore/scaffolding/actions/setup@0fb6c1e4d34c1d40f58a00da8380b7d5fa65a04c # v0.7.17
|
||||
uses: sigstore/scaffolding/actions/setup@3c79cb2714d1c724551ae859bcbde1a3204ff8ac # v0.7.11
|
||||
with:
|
||||
version: main
|
||||
k8s-version: ${{ matrix.k8s-version }}
|
||||
|
|
@ -733,9 +664,9 @@ jobs:
|
|||
- prepare-cli
|
||||
steps:
|
||||
- name: Checkout kyverno/kyverno
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Checkout kyverno/policies
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
with:
|
||||
repository: kyverno/policies
|
||||
path: policies
|
||||
|
|
@ -744,9 +675,9 @@ jobs:
|
|||
id: helm
|
||||
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
|
||||
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
|
||||
- name: Install chainsaw
|
||||
uses: kyverno/action-install-chainsaw@f2b47b97dc889c12702113753d713f01ec268de5 # v0.2.12
|
||||
uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11
|
||||
with:
|
||||
verify: true
|
||||
- name: Download kyverno CLI archive
|
||||
|
|
@ -812,7 +743,7 @@ jobs:
|
|||
needs: prepare-images
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -869,16 +800,16 @@ jobs:
|
|||
- prepare-cli
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
# install tools
|
||||
- name: Download kyverno CLI archive
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
with:
|
||||
name: kubectl-kyverno
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
|
||||
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
|
||||
- name: Install chainsaw
|
||||
uses: kyverno/action-install-chainsaw@f2b47b97dc889c12702113753d713f01ec268de5 # v0.2.12
|
||||
uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11
|
||||
with:
|
||||
verify: true
|
||||
# create cluster
|
||||
|
|
@ -928,7 +859,7 @@ jobs:
|
|||
name: ${{ matrix.k8s-version.name }} - kyverno uninstall
|
||||
steps:
|
||||
- name: Checkout kyverno/kyverno
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Install helm
|
||||
id: helm
|
||||
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
|
||||
|
|
@ -995,7 +926,7 @@ jobs:
|
|||
kyverno-version: [ '3.2' ]
|
||||
needs: [ prepare-images ]
|
||||
steps:
|
||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Install helm
|
||||
id: helm
|
||||
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
|
||||
|
|
|
|||
4
.github/workflows/devcontainer-build.yaml
vendored
4
.github/workflows/devcontainer-build.yaml
vendored
|
|
@ -19,11 +19,11 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Build devcontainer image
|
||||
run: docker build .devcontainer
|
||||
- name: Trivy Scan Image
|
||||
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
|
||||
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
|
|
|
|||
2
.github/workflows/fossa.yml
vendored
2
.github/workflows/fossa.yml
vendored
|
|
@ -18,7 +18,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Check secret
|
||||
id: checksecret
|
||||
uses: ./.github/actions/is-defined
|
||||
|
|
|
|||
10
.github/workflows/helm-release.yaml
vendored
10
.github/workflows/helm-release.yaml
vendored
|
|
@ -17,7 +17,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -25,7 +25,7 @@ jobs:
|
|||
- name: Setup build env
|
||||
uses: ./.github/actions/setup-build-env
|
||||
timeout-minutes: 10
|
||||
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
|
||||
- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
|
||||
with:
|
||||
python-version: 3.7
|
||||
- name: Set up chart-testing
|
||||
|
|
@ -40,7 +40,7 @@ jobs:
|
|||
options: --user root
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Run ah lint
|
||||
working-directory: ./charts/
|
||||
run: ah lint
|
||||
|
|
@ -55,7 +55,7 @@ jobs:
|
|||
pages: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -70,7 +70,7 @@ jobs:
|
|||
version: v3.10.3
|
||||
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
|
||||
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
|
||||
|
||||
- name: Set version
|
||||
run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
|
||||
|
|
|
|||
8
.github/workflows/helm-test.yaml
vendored
8
.github/workflows/helm-test.yaml
vendored
|
|
@ -22,7 +22,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -33,9 +33,9 @@ jobs:
|
|||
uses: ./.github/actions/setup-build-env
|
||||
timeout-minutes: 10
|
||||
- name: Setup python
|
||||
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
|
||||
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
|
||||
with:
|
||||
python-version: 3.8.13
|
||||
python-version: 3.7
|
||||
- name: Set up chart-testing
|
||||
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
|
||||
- name: Run chart-testing (lint)
|
||||
|
|
@ -59,7 +59,7 @@ jobs:
|
|||
options: --user root
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Run ah lint
|
||||
working-directory: ./charts/
|
||||
run: ah lint
|
||||
|
|
|
|||
4
.github/workflows/images-build.yaml
vendored
4
.github/workflows/images-build.yaml
vendored
|
|
@ -19,7 +19,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -32,7 +32,7 @@ jobs:
|
|||
- name: ko build
|
||||
run: VERSION=${{ github.ref_name }} make ko-build-all
|
||||
- name: Trivy Scan Image
|
||||
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
|
||||
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
|
|
|
|||
6
.github/workflows/images-publish.yaml
vendored
6
.github/workflows/images-publish.yaml
vendored
|
|
@ -29,7 +29,7 @@ jobs:
|
|||
reports-controller-digest: ${{ steps.publish-reports-controller.outputs.digest }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -40,7 +40,7 @@ jobs:
|
|||
uses: ./.github/actions/setup-build-env
|
||||
timeout-minutes: 30
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
|
||||
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
|
|
@ -52,7 +52,7 @@ jobs:
|
|||
# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
|
||||
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
|
||||
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
|
||||
- name: Publish kyverno
|
||||
id: publish-kyverno
|
||||
uses: ./.github/actions/publish-image
|
||||
|
|
|
|||
4
.github/workflows/lint.yaml
vendored
4
.github/workflows/lint.yaml
vendored
|
|
@ -19,7 +19,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -30,7 +30,7 @@ jobs:
|
|||
uses: ./.github/actions/setup-build-env
|
||||
timeout-minutes: 10
|
||||
- name: golangci-lint
|
||||
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
|
||||
uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
|
||||
with:
|
||||
version: v1.60
|
||||
skip-cache: true
|
||||
|
|
|
|||
22
.github/workflows/load-testing.yml
vendored
22
.github/workflows/load-testing.yml
vendored
|
|
@ -23,7 +23,7 @@ jobs:
|
|||
tests: ${{ steps.set-tests.outputs.tests }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||
- name: Set Tests
|
||||
id: set-tests
|
||||
run: echo "tests=$(jq -c . < ./test/load/k6/${{ github.event_name }}-matrix.json)" >> $GITHUB_OUTPUT
|
||||
|
|
@ -32,7 +32,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -50,7 +50,7 @@ jobs:
|
|||
set -e
|
||||
VERSION=${{ github.ref_name }} make docker-save-image-all
|
||||
- name: upload images archive
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||
with:
|
||||
name: kyverno.tar
|
||||
path: kyverno.tar
|
||||
|
|
@ -72,9 +72,9 @@ jobs:
|
|||
k8s-version: [v1.31.0]
|
||||
steps:
|
||||
- name: Checkout kyverno/kyverno
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Checkout kyverno/load-testing
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
with:
|
||||
repository: kyverno/load-testing
|
||||
path: load-testing
|
||||
|
|
@ -153,9 +153,9 @@ jobs:
|
|||
k8s-version: [v1.31.0]
|
||||
steps:
|
||||
- name: Checkout kyverno/kyverno
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||
- name: Checkout kyverno/load-testing
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||
with:
|
||||
repository: kyverno/load-testing
|
||||
path: load-testing
|
||||
|
|
@ -219,7 +219,7 @@ jobs:
|
|||
exit 1
|
||||
fi
|
||||
- name: Archive Report
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||
with:
|
||||
name: load-test-report.html
|
||||
path: report
|
||||
|
|
@ -242,9 +242,9 @@ jobs:
|
|||
test: ${{ fromJson(needs.define-matrix.outputs.tests) }}
|
||||
steps:
|
||||
- name: Checkout kyverno/kyverno
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||
- name: Checkout kyverno/load-testing
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
|
||||
with:
|
||||
repository: kyverno/load-testing
|
||||
path: load-testing
|
||||
|
|
@ -317,7 +317,7 @@ jobs:
|
|||
sleep 60
|
||||
./test/load/k6/reports-size-in-etcd.sh > report/reports-size-in-etcd.txt
|
||||
- name: Archive Report
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||
with:
|
||||
name: report-${{ matrix.k8s-version }}-${{ matrix.test.name }}-${{ matrix.test.scenario }}-${{ matrix.test.replicas }}-${{ matrix.test.cpu_request }}-${{ matrix.test.memory_request }}-${{ matrix.test.memory_limit }}-${{ matrix.test.concurrent_connections }}
|
||||
path: report
|
||||
|
|
|
|||
6
.github/workflows/nancy.yaml
vendored
6
.github/workflows/nancy.yaml
vendored
|
|
@ -18,7 +18,7 @@ jobs:
|
|||
name: nancy-scan
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -44,7 +44,7 @@ jobs:
|
|||
echo "results=nothing" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
- name: Upload vulnerability scan report
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||
if: steps.parse-results.outputs.results == 'found'
|
||||
with:
|
||||
name: nancy-results.json
|
||||
|
|
@ -59,7 +59,7 @@ jobs:
|
|||
issues: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Download scan results
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
with:
|
||||
|
|
|
|||
2
.github/workflows/pr-update.yaml
vendored
2
.github/workflows/pr-update.yaml
vendored
|
|
@ -15,7 +15,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Check secret
|
||||
id: checksecret
|
||||
uses: ./.github/actions/is-defined
|
||||
|
|
|
|||
22
.github/workflows/release.yaml
vendored
22
.github/workflows/release.yaml
vendored
|
|
@ -24,7 +24,7 @@ jobs:
|
|||
reports-controller-digest: ${{ steps.release-reports-controller.outputs.digest }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -35,7 +35,7 @@ jobs:
|
|||
uses: ./.github/actions/setup-build-env
|
||||
timeout-minutes: 30
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
|
||||
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
|
|
@ -47,7 +47,7 @@ jobs:
|
|||
# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
|
||||
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
|
||||
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
|
||||
- name: Publish kyverno
|
||||
id: release-kyverno
|
||||
uses: ./.github/actions/publish-image
|
||||
|
|
@ -237,7 +237,7 @@ jobs:
|
|||
id-token: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -247,7 +247,7 @@ jobs:
|
|||
timeout-minutes: 30
|
||||
- uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
|
||||
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
|
||||
- name: Make Release
|
||||
env:
|
||||
VERSION: ${{ github.ref_name }}
|
||||
|
|
@ -257,7 +257,7 @@ jobs:
|
|||
make release-notes > release/release-notes.out
|
||||
cat release/release-notes.out
|
||||
- name: Run GoReleaser
|
||||
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
|
||||
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
|
||||
with:
|
||||
distribution: goreleaser
|
||||
version: latest
|
||||
|
|
@ -274,7 +274,7 @@ jobs:
|
|||
packages: write # needed for ghcr access
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -283,11 +283,11 @@ jobs:
|
|||
uses: ./.github/actions/setup-build-env
|
||||
timeout-minutes: 10
|
||||
- name: Setup Flux CLI
|
||||
uses: fluxcd/flux2/action@5350425cdcd5fa015337e09fa502153c0275bd4b # v2.4.0
|
||||
uses: fluxcd/flux2/action@896e0fa46d5107a05e953dd0a5261d78a145ec8c # v2.3.0
|
||||
with:
|
||||
version: 0.35.0
|
||||
- name: Install Cosign
|
||||
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
|
||||
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
|
||||
- name: Build yaml manifest
|
||||
run: VERSION=${{ github.ref_name }} make codegen-manifest-release
|
||||
- name: Upload install manifest
|
||||
|
|
@ -331,7 +331,7 @@ jobs:
|
|||
needs: create-release
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
@ -347,4 +347,4 @@ jobs:
|
|||
fi
|
||||
- name: Update new version in krew-index
|
||||
if: steps.check-tag.outputs.match == 'true'
|
||||
uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47
|
||||
uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46
|
||||
|
|
|
|||
10
.github/workflows/report-on-vulnerabilities.yaml
vendored
10
.github/workflows/report-on-vulnerabilities.yaml
vendored
|
|
@ -30,7 +30,7 @@ jobs:
|
|||
echo "releasebranch2=$releasebranch2" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Scan for vulnerabilities in latest image
|
||||
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
|
||||
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
|
||||
with:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
|
||||
format: json
|
||||
|
|
@ -42,7 +42,7 @@ jobs:
|
|||
# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
|
||||
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
|
||||
- name: Scan for vulnerabilities in latest-1 image
|
||||
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
|
||||
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
|
||||
with:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch1 }}
|
||||
format: json
|
||||
|
|
@ -54,7 +54,7 @@ jobs:
|
|||
# See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
|
||||
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
|
||||
- name: Scan for vulnerabilities in latest-2 image
|
||||
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
|
||||
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
|
||||
with:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch2 }}
|
||||
format: json
|
||||
|
|
@ -86,7 +86,7 @@ jobs:
|
|||
fi
|
||||
|
||||
- name: Upload vulnerability scan report
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||
if: steps.parse-results.outputs.results == 'found'
|
||||
with:
|
||||
name: scan.json
|
||||
|
|
@ -101,7 +101,7 @@ jobs:
|
|||
issues: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Download scan
|
||||
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
|
||||
with:
|
||||
|
|
|
|||
6
.github/workflows/scorecard.yaml
vendored
6
.github/workflows/scorecard.yaml
vendored
|
|
@ -23,7 +23,7 @@ jobs:
|
|||
id-token: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
with:
|
||||
persist-credentials: false
|
||||
- name: Run analysis
|
||||
|
|
@ -34,12 +34,12 @@ jobs:
|
|||
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
|
||||
publish_results: true
|
||||
- name: Upload artifact
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
retention-days: 5
|
||||
- name: Upload to code-scanning
|
||||
uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
|
||||
uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
|
|
|||
4
.github/workflows/sonarcloud.yaml
vendored
4
.github/workflows/sonarcloud.yaml
vendored
|
|
@ -19,7 +19,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Check secret
|
||||
id: checksecret
|
||||
uses: ./.github/actions/is-defined
|
||||
|
|
@ -37,7 +37,7 @@ jobs:
|
|||
free-disk-space: false
|
||||
- name: SonarCloud Scan
|
||||
if: steps.checksecret.outputs.result == 'true'
|
||||
uses: sonarsource/sonarcloud-github-action@02ef91109b2d589e757aefcfb2854c2783fd7b19 # v4.0.0
|
||||
uses: sonarsource/sonarcloud-github-action@eb211723266fe8e83102bac7361f0a05c3ac1d1b # v3.0.0
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
|
||||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
|
||||
|
|
|
|||
2
.github/workflows/tests.yaml
vendored
2
.github/workflows/tests.yaml
vendored
|
|
@ -19,7 +19,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
|
|||
2
.github/workflows/verify-codegen.yaml
vendored
2
.github/workflows/verify-codegen.yaml
vendored
|
|
@ -19,7 +19,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
- name: Setup caches
|
||||
uses: ./.github/actions/setup-caches
|
||||
timeout-minutes: 5
|
||||
|
|
|
|||
|
|
@ -44,8 +44,6 @@ The list of organizations that have publicly shared the usage of Kyverno:
|
|||
| [Coinone](https://coinone.co.kr) | Use Kyverno to enforce security hardening and best practices, and mutate pod specs related to graceful shutdown handling, such as tGPS<sup>terminationGracePeriodSeconds</sup> and custom preStop script. |
|
||||
| [Davidson consulting](https://www.davidson.group) | We are using Kyverno mutation policies in our pre-production environment to add default NetworkPolicy and to add labels to OKD resources. |
|
||||
| [InfraCloud Technologies](https://www.infracloud.io/) | We have successfully implemented Kyverno as a crucial component of our SOC2 compliance, alongside other essential security hardening measures & best practices. Kyverno's policies offer a significantly streamlined implementation process, far exceeding the complexities associated with cloud services. |
|
||||
| [North IT](https://www.northit.co.uk/) | North IT use Kyverno to help deploy Kubernetes for our pen-testing and SOC platform. |
|
||||
| [Corestream](https://corp.corestream.com/) | At our organization, we've leveraged Kyverno to significantly enhance our Kubernetes-based DevOps practices. We use Kyverno's policy-as-code approach to automate and enforce best practices across our clusters. Our policies cover a wide range of scenarios, from managing Azure Key Vault integrations and secret protections to enforcing image registry restrictions and implementing multi-region deployment strategies. Kyverno allows us to automatically inject configuration, create role-based access controls, and ensure consistent labeling across our resources. This automation not only improves our security posture by preventing misconfigurations and unauthorized changes but also streamlines our deployment processes. By using Kyverno, we've been able to standardize our environments, reduce manual errors, and maintain compliance with our organization's policies. |
|
||||
<!-- append the line below to the table
|
||||
| [name](URL) | brief description of how you are using Kyverno |
|
||||
-->
|
||||
|
|
|
|||
|
|
@ -1,3 +1,18 @@
|
|||
## Contributors
|
||||
|
||||
The list of contributors for [Kyverno and its sub-projects](https://github.com/kyverno#projects) is managed at: https://github.com/kyverno/community/blob/main/CONTRIBUTORS.md.
|
||||
Contributors are those who have made enough contributions to the project as defined in the [Contributing guide](https://kyverno.io/community/#contributing). In order to add yourself as a contributor, open a PR with your information added to the table.
|
||||
|
||||
| Maintainer | GitHub ID |
|
||||
|--------------------------|--------------------------------------------------------|
|
||||
| Ved Ratan | [@VedRatan](https://github.com/VedRatan) |
|
||||
| Chandan DK | [@Chandan-DK](https://github.com/Chandan-DK) |
|
||||
| Swastik Gour | [@swastik959](https://github.com/swastik959) |
|
||||
| Amit Kumar | [@hackeramitkumar](https://github.com/hackeramitkumar) |
|
||||
| Khaled Emara | [@KhaledEmaraDev](https://github.com/KhaledEmaraDev) |
|
||||
| Anushka Mittal | [@anushkamittal2001](https://github.com/anushkamittal2001)|
|
||||
| Sanskar Gurdasani | [@Sanskarzz](https://github.com/Sanskarzz) |
|
||||
| D N Siva Sathyaseelan | [@sivasathyaseeelan](https://github.com/sivasathyaseeelan)|
|
||||
| Mohamed Asif S | [@mohamedasifs123](https://github.com/mohamedasifs123)|
|
||||
| Suruchi Kumari | [@coder12git](https://github.com/coder12git)|
|
||||
| Shubham Singh | [@1shubham7](https://github.com/1shubham7) |
|
||||
| Pradeep Narasimha | [@praddy26](https://github.com/praddy26) |
|
||||
|
|
|
|||
|
|
@ -1,4 +1,24 @@
|
|||
## Maintainers
|
||||
|
||||
The list of maintainers for [Kyverno and its sub-projects](https://github.com/kyverno#projects) is managed at: https://github.com/kyverno/community/blob/main/MAINTAINERS.md.
|
||||
Maintainers are approvers who have shown good technical judgement in guiding feature design & development, have displayed overall knowledge of the project and features in the project, and are nurturing and receptive to everyone in the community.
|
||||
|
||||
| Maintainer | GitHub ID | Affiliation |
|
||||
|--------------------------|--------------------------------------------------------|---------------------------|
|
||||
| Jim Bugwadia | [@JimBugwadia](https://github.com/JimBugwadia) | Nirmata |
|
||||
| Shuting Zhao | [@realshuting](https://github.com/realshuting) | Nirmata |
|
||||
| Charles-Edouard Brétéché | [@eddycharly](https://github.com/eddycharly) | Nirmata |
|
||||
| Vishal Choudhary | [@vishal-chdhry](https://github.com/vishal-chdhry) | Nirmata |
|
||||
| Mariam Fahmy | [@MariamFahmy98](https://github.com/MariamFahmy98) | Nirmata |
|
||||
|
||||
**Note**: Please refer to the [Project Governance](https://kyverno.io/community/#project-governance) for more information on the responsibilities and privileges of a maintainer in Kyverno.
|
||||
|
||||
## Maintainers Emeritus
|
||||
|
||||
| Maintainer | GitHub ID | Affiliation |
|
||||
|--------------------------|--------------------------------------------------------|---------------------------|
|
||||
| Vyankatesh Kudtarkar | [@vyankyGH](https://github.com/vyankyGH) | |
|
||||
| Prateek Pandey | [@prateekpandey14](https://github.com/prateekpandey14) | |
|
||||
| Sambhav Kothari | [@samj1912](https://github.com/samj1912) | Bloomberg |
|
||||
| Trey Dockendorf | [@treydock](https://github.com/treydock) | Ohio Supercomputer Center |
|
||||
| Marcel Müller | [@MarcelMue](https://github.com/MarcelMue) | Giant Swarm GmbH |
|
||||
| Chip Zoller | [@chipzoller](https://github.com/chipzoller) | Stackwatch (Kubecost) |
|
||||
|
|
|
|||
|
|
@ -9,12 +9,11 @@ const (
|
|||
LabelCleanupTtl = "cleanup.kyverno.io/ttl"
|
||||
LabelWebhookManagedBy = "webhook.kyverno.io/managed-by"
|
||||
// Well known annotations
|
||||
AnnotationAutogenControllers = "pod-policies.kyverno.io/autogen-controllers"
|
||||
AnnotationImageVerify = "kyverno.io/verify-images"
|
||||
AnnotationPolicyCategory = "policies.kyverno.io/category"
|
||||
AnnotationPolicyScored = "policies.kyverno.io/scored"
|
||||
AnnotationPolicySeverity = "policies.kyverno.io/severity"
|
||||
AnnotationCleanupPropagationPolicy = "cleanup.kyverno.io/propagation-policy"
|
||||
AnnotationAutogenControllers = "pod-policies.kyverno.io/autogen-controllers"
|
||||
AnnotationImageVerify = "kyverno.io/verify-images"
|
||||
AnnotationPolicyCategory = "policies.kyverno.io/category"
|
||||
AnnotationPolicyScored = "policies.kyverno.io/scored"
|
||||
AnnotationPolicySeverity = "policies.kyverno.io/severity"
|
||||
// Well known values
|
||||
ValueKyvernoApp = "kyverno"
|
||||
ValueTtlDateTimeLayout = "2006-01-02T150405Z"
|
||||
|
|
|
|||
|
|
@ -389,12 +389,12 @@ type Mutation struct {
|
|||
|
||||
// PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
// See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
// and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
// and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
// +optional
|
||||
RawPatchStrategicMerge *apiextv1.JSON `json:"patchStrategicMerge,omitempty"`
|
||||
|
||||
// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
// See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
// See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
// +optional
|
||||
PatchesJSON6902 string `json:"patchesJson6902,omitempty"`
|
||||
|
||||
|
|
@ -435,14 +435,14 @@ type ForEachMutation struct {
|
|||
|
||||
// PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
// See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
// and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
// and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
// +optional
|
||||
// +kubebuilder:validation:Schemaless
|
||||
// +kubebuilder:pruning:PreserveUnknownFields
|
||||
RawPatchStrategicMerge *kyverno.Any `json:"patchStrategicMerge,omitempty"`
|
||||
|
||||
// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
// See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
// See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
// +optional
|
||||
PatchesJSON6902 string `json:"patchesJson6902,omitempty"`
|
||||
|
||||
|
|
|
|||
|
|
@ -224,11 +224,6 @@ type CleanupPolicySpec struct {
|
|||
// Conditions defines the conditions used to select the resources which will be cleaned up.
|
||||
// +optional
|
||||
Conditions *AnyAllConditions `json:"conditions,omitempty"`
|
||||
|
||||
// DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).
|
||||
// +optional
|
||||
// +kubebuilder:validation:Enum=Foreground;Background;Orphan
|
||||
DeletionPropagationPolicy *metav1.DeletionPropagation `json:"deletionPropagationPolicy,omitempty"`
|
||||
}
|
||||
|
||||
// CleanupPolicyStatus stores the status of the policy.
|
||||
|
|
@ -293,7 +288,6 @@ func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (e
|
|||
}
|
||||
return errs
|
||||
}
|
||||
// If the ExcludeResources is empty, no need to validate further
|
||||
if datautils.DeepEqual(spec.ExcludeResources, &MatchResources{}) {
|
||||
return errs
|
||||
}
|
||||
|
|
|
|||
|
|
@ -162,11 +162,6 @@ func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) {
|
|||
*out = new(AnyAllConditions)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.DeletionPropagationPolicy != nil {
|
||||
in, out := &in.DeletionPropagationPolicy, &out.DeletionPropagationPolicy
|
||||
*out = new(metav1.DeletionPropagation)
|
||||
**out = **in
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -224,11 +224,6 @@ type CleanupPolicySpec struct {
|
|||
// Conditions defines the conditions used to select the resources which will be cleaned up.
|
||||
// +optional
|
||||
Conditions *AnyAllConditions `json:"conditions,omitempty"`
|
||||
|
||||
// DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).
|
||||
// +optional
|
||||
// +kubebuilder:validation:Enum=Foreground;Background;Orphan
|
||||
DeletionPropagationPolicy *metav1.DeletionPropagation `json:"deletionPropagationPolicy,omitempty"`
|
||||
}
|
||||
|
||||
// CleanupPolicyStatus stores the status of the policy.
|
||||
|
|
|
|||
|
|
@ -140,11 +140,6 @@ func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) {
|
|||
*out = new(AnyAllConditions)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.DeletionPropagationPolicy != nil {
|
||||
in, out := &in.DeletionPropagationPolicy, &out.DeletionPropagationPolicy
|
||||
*out = new(metav1.DeletionPropagation)
|
||||
**out = **in
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
apiVersion: v2
|
||||
type: application
|
||||
name: kyverno-policies
|
||||
version: v0.0.0
|
||||
appVersion: latest
|
||||
version: 3.3.2
|
||||
appVersion: v1.13.2
|
||||
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
|
||||
description: Kubernetes Pod Security Standards implemented as Kyverno policies
|
||||
keywords:
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
Kubernetes Pod Security Standards implemented as Kyverno policies
|
||||
|
||||
  
|
||||
  
|
||||
|
||||
## About
|
||||
|
||||
|
|
@ -93,7 +93,6 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| background | bool | `true` | Policies background mode |
|
||||
| skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller |
|
||||
| kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment |
|
||||
| kubeVersionOverride | string | `nil` | Kubernetes version override Override default value of kubeVersion set by release team taken from Chart.yaml with custom value. Ideally range of versions no more than two prior (ex., 1.28-1.31), must be enclosed in quotes. |
|
||||
|
||||
## Source Code
|
||||
|
||||
|
|
|
|||
|
|
@ -14,9 +14,9 @@ metadata:
|
|||
{{- if .Values.podSecuritySeverity }}
|
||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Adding capabilities beyond those listed in the policy must be disallowed.
|
||||
|
|
|
|||
|
|
@ -13,8 +13,8 @@ metadata:
|
|||
{{- if .Values.podSecuritySeverity }}
|
||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod,Volume
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
HostPath volumes let Pods use host directories and volumes in containers.
|
||||
Using host resources can be used to access shared data or escalate privileges
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
Access to host ports allows potential snooping of network traffic and should not be
|
||||
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
Windows pods offer the ability to run HostProcess containers which enables privileged
|
||||
access to the Windows node. Privileged access to the host is disallowed in the baseline
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
Privileged mode disables most security mechanisms and must not be allowed. This policy
|
||||
ensures Pods do not call for privileged mode.
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
The default /proc masks are set up to reduce attack surface and should be required. This policy
|
||||
ensures nothing but the default procMount can be specified. Note that in order for users
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
SELinux options can be used to escalate privileges and should not be allowed. This policy
|
||||
ensures that the `seLinuxOptions` field is undefined.
|
||||
|
|
|
|||
|
|
@ -15,8 +15,8 @@ metadata:
|
|||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod, Annotation
|
||||
policies.kyverno.io/minversion: 1.3.0
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
|
||||
The default policy should prevent overriding or disabling the policy, or restrict
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
The seccomp profile must not be explicitly set to Unconfined. This policy,
|
||||
requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
Sysctls can disable security mechanisms or affect all containers on a
|
||||
host, and should be disallowed except for an allowed "safe" subset. A
|
||||
|
|
|
|||
|
|
@ -13,8 +13,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/minversion: 1.3.6
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Containers should be forbidden from running with a root primary or supplementary GID.
|
||||
|
|
|
|||
|
|
@ -15,8 +15,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
|
||||
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
Containers must be required to run as non-root users. This policy ensures
|
||||
`runAsUser` is either unset or set to a number greater than zero.
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
Containers must be required to run as non-root users. This policy ensures
|
||||
`runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
|
||||
|
|
|
|||
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
policies.kyverno.io/description: >-
|
||||
The seccomp profile in the Restricted group must not be explicitly set to Unconfined
|
||||
but additionally must also not allow an unset value. This policy,
|
||||
|
|
|
|||
|
|
@ -16,8 +16,8 @@ metadata:
|
|||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod,Volume
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
policies.kyverno.io/description: >-
|
||||
In addition to restricting HostPath volumes, the restricted pod security profile
|
||||
limits usage of non-core volume types to those defined through PersistentVolumes.
|
||||
|
|
|
|||
|
|
@ -118,7 +118,3 @@ skipBackgroundRequests: ~
|
|||
# -- Kyverno version
|
||||
# The default of "autodetect" will try to determine the currently installed version from the deployment
|
||||
kyvernoVersion: autodetect
|
||||
|
||||
# -- Kubernetes version override
|
||||
# Override default value of kubeVersion set by release team taken from Chart.yaml with custom value. Ideally range of versions no more than two prior (ex., 1.28-1.31), must be enclosed in quotes.
|
||||
kubeVersionOverride:
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
apiVersion: v2
|
||||
type: application
|
||||
name: kyverno
|
||||
version: v0.0.0
|
||||
appVersion: latest
|
||||
version: 3.3.4
|
||||
appVersion: v1.13.2
|
||||
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
|
||||
description: Kubernetes Native Policy Management
|
||||
keywords:
|
||||
|
|
@ -39,8 +39,8 @@ annotations:
|
|||
description: fixed global image registry config by introducing *.image.defaultRegistry.
|
||||
dependencies:
|
||||
- name: grafana
|
||||
version: v0.0.0
|
||||
version: 3.3.4
|
||||
condition: grafana.enabled
|
||||
- name: crds
|
||||
version: v0.0.0
|
||||
version: 3.3.4
|
||||
condition: crds.install
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
Kubernetes Native Policy Management
|
||||
|
||||
  
|
||||
  
|
||||
|
||||
## About
|
||||
|
||||
|
|
@ -849,8 +849,8 @@ Kubernetes: `>=1.25.0-0`
|
|||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| | crds | v0.0.0 |
|
||||
| | grafana | v0.0.0 |
|
||||
| | crds | 3.3.4 |
|
||||
| | grafana | 3.3.4 |
|
||||
|
||||
## Maintainers
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
apiVersion: v2
|
||||
name: crds
|
||||
version: v0.0.0
|
||||
version: 3.3.4
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# crds
|
||||
|
||||
|
||||
|
||||
|
||||
## Values
|
||||
|
||||
|
|
|
|||
|
|
@ -364,14 +364,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
@ -1657,14 +1649,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
|
|||
|
|
@ -364,14 +364,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
@ -1657,14 +1649,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
|
|||
|
|
@ -2546,12 +2546,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -2669,12 +2669,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -7647,12 +7647,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -7773,12 +7773,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
@ -12406,12 +12406,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -12529,12 +12529,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -17641,12 +17641,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -17767,12 +17767,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
|
|||
|
|
@ -2547,12 +2547,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -2670,12 +2670,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -7649,12 +7649,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -7775,12 +7775,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
@ -12409,12 +12409,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -12532,12 +12532,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -17644,12 +17644,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -17770,12 +17770,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
apiVersion: v2
|
||||
name: grafana
|
||||
version: v0.0.0
|
||||
version: 3.3.4
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# grafana
|
||||
|
||||
|
||||
|
||||
|
||||
## Values
|
||||
|
||||
|
|
|
|||
|
|
@ -213,7 +213,7 @@ func (c *ApplyCommandConfig) applyCommandHelper(out io.Writer) (*processor.Resul
|
|||
if !c.Stdin && !c.PolicyReport && !c.GenerateExceptions {
|
||||
var policyRulesCount int
|
||||
for _, policy := range policies {
|
||||
policyRulesCount += len(autogen.Default.ComputeRules(policy, ""))
|
||||
policyRulesCount += len(autogen.ComputeRules(policy, ""))
|
||||
}
|
||||
policyRulesCount += len(vaps)
|
||||
if len(exceptions) > 0 {
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@ import (
|
|||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/create/exception"
|
||||
metricsconfig "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/create/metrics-config"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/create/role"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/create/test"
|
||||
userinfo "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/create/user-info"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/create/values"
|
||||
|
|
@ -29,7 +28,6 @@ func Command() *cobra.Command {
|
|||
test.Command(),
|
||||
userinfo.Command(),
|
||||
values.Command(),
|
||||
role.Command(),
|
||||
)
|
||||
return cmd
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,102 +0,0 @@
|
|||
package role
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
"text/template"
|
||||
|
||||
"github.com/Masterminds/sprig/v3"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/commands/create/templates"
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
type options struct {
|
||||
Verbs []string
|
||||
Controllers []string
|
||||
ApiGroup string
|
||||
ResourceTypes []string
|
||||
Name string
|
||||
}
|
||||
|
||||
func Command() *cobra.Command {
|
||||
var verbs []string
|
||||
var path string
|
||||
var opts options
|
||||
|
||||
cmd := &cobra.Command{
|
||||
Use: "cluster-role [name] ",
|
||||
Short: "Create an aggregated role for given resource types",
|
||||
Long: `This command generates a Kubernetes ClusterRole for specified resource types.
|
||||
The output is printed to stdout by default or saved to a specified file.
|
||||
Required flags include 'api-groups', 'verbs', and 'resources'.`,
|
||||
Args: cobra.ExactArgs(1),
|
||||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
// Validate input arguments
|
||||
if args[0] == "" {
|
||||
return fmt.Errorf("name argument is required")
|
||||
}
|
||||
opts.Name = args[0]
|
||||
|
||||
if opts.ApiGroup == "" {
|
||||
return fmt.Errorf("required flag(s) \"api-groups\" not set")
|
||||
}
|
||||
if len(opts.ResourceTypes) == 0 {
|
||||
return fmt.Errorf("required flag(s) \"resources\" not set")
|
||||
}
|
||||
if len(verbs) == 0 {
|
||||
return fmt.Errorf("required flag(s) \"verbs\" not set")
|
||||
}
|
||||
|
||||
if len(opts.Controllers) == 0 || (len(opts.Controllers) == 1 && opts.Controllers[0] == "") {
|
||||
return fmt.Errorf("invalid controller provided")
|
||||
}
|
||||
|
||||
// Handle 'all' verb
|
||||
if verbs[0] == "all" {
|
||||
verbs = []string{"create", "get", "update", "delete", "list", "watch"}
|
||||
}
|
||||
opts.Verbs = verbs
|
||||
|
||||
// Parse the role template
|
||||
tmpl, err := template.New("aggregatedRole").Funcs(sprig.HermeticTxtFuncMap()).Parse(templates.AggregatedRoleTemplate)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to parse template: %w", err)
|
||||
}
|
||||
|
||||
// Set output: file or stdout
|
||||
output := cmd.OutOrStdout()
|
||||
if path != "" {
|
||||
file, err := os.Create(path)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create file: %w", err)
|
||||
}
|
||||
defer file.Close()
|
||||
output = file
|
||||
}
|
||||
|
||||
// Execute template with name and options
|
||||
return tmpl.Execute(output, opts)
|
||||
},
|
||||
}
|
||||
|
||||
// Define flags
|
||||
cmd.Flags().StringArrayVar(&opts.Controllers, "controllers", []string{"background-controller"}, "List of controllers for the ClusterRole (default = background-controller)")
|
||||
cmd.Flags().StringVarP(&path, "output", "o", "", "Output file path (prints to console if not set)")
|
||||
cmd.Flags().StringVarP(&opts.ApiGroup, "api-groups", "g", "", "API group for the resource (required)")
|
||||
cmd.Flags().StringArrayVar(&verbs, "verbs", nil, "A comma separated list of verbs or 'all' for all verbs")
|
||||
cmd.Flags().StringArrayVar(&opts.ResourceTypes, "resources", nil, "A comma separated list of resources (required)")
|
||||
|
||||
// Mark required flags
|
||||
if err := cmd.MarkFlagRequired("api-groups"); err != nil {
|
||||
log.Println("WARNING", err)
|
||||
}
|
||||
if err := cmd.MarkFlagRequired("verbs"); err != nil {
|
||||
log.Println("WARNING", err)
|
||||
}
|
||||
if err := cmd.MarkFlagRequired("resources"); err != nil {
|
||||
log.Println("WARNING", err)
|
||||
}
|
||||
|
||||
return cmd
|
||||
}
|
||||
|
|
@ -1,171 +0,0 @@
|
|||
package role
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestCommand(t *testing.T) {
|
||||
tempDir := t.TempDir()
|
||||
templateFile := filepath.Join(tempDir, "templates", "aggregated-role.yaml")
|
||||
|
||||
// Sample template content for testing
|
||||
templateContent := `
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno-{{.Name}}-permission
|
||||
labels:
|
||||
{{- range .Controllers }}
|
||||
rbac.kyverno.io/aggregate-to-{{ . }}: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["{{.ApiGroup}}"]
|
||||
resources: ["{{.ResourceTypes | join \",\"}}"]
|
||||
verbs: [{{range .Verbs}}"{{.}}",{{end}}]
|
||||
`
|
||||
|
||||
// Write the template file to the temporary directory
|
||||
err := os.MkdirAll(filepath.Dir(templateFile), os.ModePerm)
|
||||
assert.NoError(t, err)
|
||||
err = os.WriteFile(templateFile, []byte(templateContent), 0644)
|
||||
assert.NoError(t, err)
|
||||
|
||||
// Define test cases
|
||||
tests := []struct {
|
||||
name string
|
||||
args []string
|
||||
expectedFile string
|
||||
errorMsg string
|
||||
}{
|
||||
{
|
||||
name: "ValidCommandWithMultipleControllers",
|
||||
args: []string{"name1", "--resources=crontabs", "--api-groups=stable.example.com", "--verbs=get,list", "--controllers=controller1", "--controllers=controller2"},
|
||||
expectedFile: "stdout",
|
||||
},
|
||||
{
|
||||
name: "ValidCommandWithDefaultController",
|
||||
args: []string{"name2", "--resources=pods", "--api-groups=core", "--verbs=get,list"},
|
||||
expectedFile: "stdout",
|
||||
},
|
||||
{
|
||||
name: "MissingResources",
|
||||
args: []string{"name3", "--api-groups=stable.example.com", "--verbs=get,list"},
|
||||
errorMsg: "required flag(s) \"resources\" not set",
|
||||
},
|
||||
{
|
||||
name: "MissingApiGroup",
|
||||
args: []string{"name4", "--resources=crontabs", "--verbs=get,list"},
|
||||
errorMsg: "required flag(s) \"api-groups\" not set",
|
||||
},
|
||||
{
|
||||
name: "MissingVerbs",
|
||||
args: []string{"name5", "--resources=crontabs", "--api-groups=stable.example.com"},
|
||||
errorMsg: "required flag(s) \"verbs\" not set",
|
||||
},
|
||||
{
|
||||
name: "AllVerbExpands",
|
||||
args: []string{"name6", "--resources=pods", "--api-groups=core", "--verbs=all"},
|
||||
expectedFile: "stdout",
|
||||
},
|
||||
{
|
||||
name: "OutputToFile",
|
||||
args: []string{"name7", "--resources=pods", "--api-groups=core", "--verbs=get,list", "--output=" + filepath.Join(tempDir, "test-output.yaml")},
|
||||
expectedFile: "test-output.yaml",
|
||||
},
|
||||
{
|
||||
name: "NoFlags",
|
||||
args: []string{"name10"},
|
||||
errorMsg: "required flag(s) \"api-groups\", \"resources\", \"verbs\" not set",
|
||||
},
|
||||
{
|
||||
name: "InvalidController",
|
||||
args: []string{"name8", "--resources=pods", "--api-groups=core", "--verbs=get,list", "--controllers="},
|
||||
errorMsg: "invalid controller provided",
|
||||
},
|
||||
{
|
||||
name: "MultipleResources",
|
||||
args: []string{"name11", "--resources=pods,services", "--api-groups=core", "--verbs=get,list"},
|
||||
expectedFile: "stdout",
|
||||
},
|
||||
{
|
||||
name: "SingleVerb",
|
||||
args: []string{"name12", "--resources=pods", "--api-groups=core", "--verbs=get"},
|
||||
expectedFile: "stdout",
|
||||
},
|
||||
{
|
||||
name: "NoApiGroup",
|
||||
args: []string{"name13", "--resources=pods", "--verbs=get"},
|
||||
errorMsg: "required flag(s) \"api-groups\" not set",
|
||||
},
|
||||
{
|
||||
name: "EmptyName",
|
||||
args: []string{"", "--resources=pods", "--api-groups=stable.example.com", "--verbs=get,list"},
|
||||
errorMsg: "name argument is required",
|
||||
},
|
||||
{
|
||||
name: "DifferentVerbCombinations",
|
||||
args: []string{"name14", "--resources=pods", "--api-groups=core", "--verbs=create,delete"},
|
||||
expectedFile: "stdout",
|
||||
},
|
||||
{
|
||||
name: "ValidCommandWithMixedControllers",
|
||||
args: []string{"name15", "--resources=pods", "--api-groups=core", "--verbs=get,list", "--controllers=controller1,controller2"},
|
||||
expectedFile: "stdout",
|
||||
},
|
||||
|
||||
{
|
||||
name: "AllFlagsWithComplexInput",
|
||||
args: []string{"nameComplex", "--resources=pods,services", "--api-groups=core", "--verbs=get,list"},
|
||||
expectedFile: "stdout",
|
||||
},
|
||||
{
|
||||
name: "OutputFileCreationFailure",
|
||||
args: []string{"nameOutputFail", "--resources=pods", "--api-groups=core", "--verbs=get,list", "--output=/invalid/path/test-output.yaml"},
|
||||
errorMsg: "failed to create file: ",
|
||||
},
|
||||
{
|
||||
name: "SpecialCharacterName",
|
||||
args: []string{"name@#%", "--resources=pods", "--api-groups=core", "--verbs=get"},
|
||||
expectedFile: "stdout",
|
||||
},
|
||||
}
|
||||
|
||||
// Iterate over the test cases
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
cmd := Command()
|
||||
cmd.SetArgs(tc.args)
|
||||
|
||||
// Prepare a buffer to capture stdout
|
||||
var stdoutBuffer bytes.Buffer
|
||||
cmd.SetOut(&stdoutBuffer)
|
||||
|
||||
// Execute the command and handle errors
|
||||
err = cmd.Execute()
|
||||
if tc.errorMsg != "" {
|
||||
assert.ErrorContains(t, err, tc.errorMsg)
|
||||
return
|
||||
}
|
||||
assert.NoError(t, err)
|
||||
|
||||
// Check the output based on expected result
|
||||
if tc.expectedFile == "stdout" {
|
||||
output := stdoutBuffer.String()
|
||||
assert.Contains(t, output, fmt.Sprintf("name: kyverno-%s-permission", tc.args[0]))
|
||||
} else {
|
||||
expectedFilePath := filepath.Join(tempDir, tc.expectedFile)
|
||||
_, err := os.Stat(expectedFilePath)
|
||||
assert.NoError(t, err)
|
||||
|
||||
// Clean up the created file
|
||||
_ = os.Remove(expectedFilePath)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno-{{.Name}}-permission
|
||||
labels:
|
||||
{{- range .Controllers }}
|
||||
rbac.kyverno.io/aggregate-to-{{ . }}: "true"
|
||||
{{- end }}
|
||||
rules:
|
||||
- apiGroups: ["{{.ApiGroup}}"]
|
||||
resources: ["{{.ResourceTypes | join ","}}"]
|
||||
verbs: [{{- range $index, $verb := .Verbs}}{{if $index}}, {{end}}"{{$verb}}"{{end}}]
|
||||
|
|
@ -18,6 +18,3 @@ var ExceptionTemplate string
|
|||
|
||||
//go:embed metrics-config.yaml
|
||||
var MetricsConfigTemplate string
|
||||
|
||||
//go:embed aggregated-role.yaml
|
||||
var AggregatedRoleTemplate string
|
||||
|
|
|
|||
|
|
@ -109,7 +109,7 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool) ([]engi
|
|||
// TODO document the code below
|
||||
ruleToCloneSourceResource := map[string]string{}
|
||||
for _, policy := range results.Policies {
|
||||
for _, rule := range autogen.Default.ComputeRules(policy, "") {
|
||||
for _, rule := range autogen.ComputeRules(policy, "") {
|
||||
for _, res := range testCase.Test.Results {
|
||||
if res.IsValidatingAdmissionPolicy {
|
||||
continue
|
||||
|
|
|
|||
|
|
@ -2540,12 +2540,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -2663,12 +2663,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -7641,12 +7641,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -7767,12 +7767,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
@ -12400,12 +12400,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -12523,12 +12523,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -17635,12 +17635,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -17761,12 +17761,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
|
|||
|
|
@ -2541,12 +2541,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -2664,12 +2664,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -7643,12 +7643,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -7769,12 +7769,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
@ -12403,12 +12403,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -12526,12 +12526,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -17638,12 +17638,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -17764,12 +17764,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
|
|||
|
|
@ -47,7 +47,7 @@ func handleGeneratePolicy(out io.Writer, store *store.Store, generateResponse *e
|
|||
listKinds := map[schema.GroupVersionResource]string{}
|
||||
|
||||
// Collect items in a potential cloneList to provide list kinds to the fake dynamic client.
|
||||
for _, rule := range autogen.Default.ComputeRules(policyContext.Policy(), "") {
|
||||
for _, rule := range autogen.ComputeRules(policyContext.Policy(), "") {
|
||||
if !rule.HasGenerate() || len(rule.Generation.CloneList.Kinds) == 0 {
|
||||
continue
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ func (rc *ResultCounts) addEngineResponse(auditWarn bool, response engineapi.Eng
|
|||
}
|
||||
policy := genericPolicy.AsKyvernoPolicy()
|
||||
scored := annotations.Scored(policy.GetAnnotations())
|
||||
for _, rule := range autogen.Default.ComputeRules(policy, "") {
|
||||
for _, rule := range autogen.ComputeRules(policy, "") {
|
||||
if rule.HasValidate() || rule.HasVerifyImageChecks() || rule.HasVerifyImages() {
|
||||
for _, valResponseRule := range response.PolicyResponse.Rules {
|
||||
if rule.Name == valResponseRule.Name() {
|
||||
|
|
@ -69,7 +69,7 @@ func (rc *ResultCounts) addGenerateResponse(response engineapi.EngineResponse) {
|
|||
return
|
||||
}
|
||||
policy := genericPolicy.AsKyvernoPolicy()
|
||||
for _, policyRule := range autogen.Default.ComputeRules(policy, "") {
|
||||
for _, policyRule := range autogen.ComputeRules(policy, "") {
|
||||
for _, ruleResponse := range response.PolicyResponse.Rules {
|
||||
if policyRule.Name == ruleResponse.Name() {
|
||||
if ruleResponse.Status() == engineapi.RuleStatusPass {
|
||||
|
|
@ -90,7 +90,7 @@ func (rc *ResultCounts) addMutateResponse(response engineapi.EngineResponse) boo
|
|||
}
|
||||
policy := genericPolicy.AsKyvernoPolicy()
|
||||
var policyHasMutate bool
|
||||
for _, rule := range autogen.Default.ComputeRules(policy, "") {
|
||||
for _, rule := range autogen.ComputeRules(policy, "") {
|
||||
if rule.HasMutate() {
|
||||
policyHasMutate = true
|
||||
}
|
||||
|
|
@ -99,7 +99,7 @@ func (rc *ResultCounts) addMutateResponse(response engineapi.EngineResponse) boo
|
|||
return false
|
||||
}
|
||||
printMutatedRes := false
|
||||
for _, policyRule := range autogen.Default.ComputeRules(policy, "") {
|
||||
for _, policyRule := range autogen.ComputeRules(policy, "") {
|
||||
for _, mutateResponseRule := range response.PolicyResponse.Rules {
|
||||
if policyRule.Name == mutateResponseRule.Name() {
|
||||
if mutateResponseRule.Status() == engineapi.RuleStatusPass {
|
||||
|
|
|
|||
|
|
@ -89,7 +89,7 @@ func GetResourceAccordingToResourcePath(
|
|||
|
||||
func GetKindsFromPolicy(out io.Writer, policy kyvernov1.PolicyInterface, subresources []v1alpha1.Subresource, dClient dclient.Interface) sets.Set[string] {
|
||||
knownkinds := sets.New[string]()
|
||||
for _, rule := range autogen.Default.ComputeRules(policy, "") {
|
||||
for _, rule := range autogen.ComputeRules(policy, "") {
|
||||
for _, kind := range rule.MatchResources.ResourceDescription.Kinds {
|
||||
k, err := getKind(kind, subresources, dClient)
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -130,7 +130,7 @@ func GetResourcesWithTest(out io.Writer, fs billy.Filesystem, policies []kyverno
|
|||
resources := make([]*unstructured.Unstructured, 0)
|
||||
resourceTypesMap := make(map[string]bool)
|
||||
for _, policy := range policies {
|
||||
for _, rule := range autogen.Default.ComputeRules(policy, "") {
|
||||
for _, rule := range autogen.ComputeRules(policy, "") {
|
||||
for _, kind := range rule.MatchResources.Kinds {
|
||||
resourceTypesMap[kind] = true
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ func (r *KyvernoResources) FetchResourcesFromPolicy(out io.Writer, resourcePaths
|
|||
var subresourceMap map[schema.GroupVersionKind]v1alpha1.Subresource
|
||||
|
||||
for _, policy := range r.policies {
|
||||
for _, rule := range autogen.Default.ComputeRules(policy, "") {
|
||||
for _, rule := range autogen.ComputeRules(policy, "") {
|
||||
var resourceTypesInRule map[schema.GroupVersionKind]bool
|
||||
resourceTypesInRule, subresourceMap = GetKindsFromRule(rule, dClient)
|
||||
for resourceKind := range resourceTypesInRule {
|
||||
|
|
|
|||
|
|
@ -358,14 +358,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
@ -1651,14 +1643,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
|
|||
|
|
@ -358,14 +358,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
@ -1651,14 +1643,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
|
|||
|
|
@ -2540,12 +2540,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -2663,12 +2663,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -7641,12 +7641,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -7767,12 +7767,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
@ -12400,12 +12400,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -12523,12 +12523,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -17635,12 +17635,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -17761,12 +17761,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
|
|||
|
|
@ -2541,12 +2541,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -2664,12 +2664,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -7643,12 +7643,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -7769,12 +7769,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
@ -12403,12 +12403,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -12526,12 +12526,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -17638,12 +17638,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -17764,12 +17764,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
|
|||
|
|
@ -201,8 +201,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: cleanuppolicies.kyverno.io
|
||||
|
|
@ -559,14 +559,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
@ -1852,14 +1844,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
@ -2813,8 +2797,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: clustercleanuppolicies.kyverno.io
|
||||
|
|
@ -3171,14 +3155,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
@ -4464,14 +4440,6 @@ spec:
|
|||
- name
|
||||
type: object
|
||||
type: array
|
||||
deletionPropagationPolicy:
|
||||
description: DeletionPropagationPolicy defines how resources will
|
||||
be deleted (Foreground, Background, Orphan).
|
||||
enum:
|
||||
- Foreground
|
||||
- Background
|
||||
- Orphan
|
||||
type: string
|
||||
exclude:
|
||||
description: |-
|
||||
ExcludeResources defines when cleanuppolicy should not be applied. The exclude
|
||||
|
|
@ -5425,8 +5393,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: clusterpolicies.kyverno.io
|
||||
|
|
@ -7965,12 +7933,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -8088,12 +8056,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -13066,12 +13034,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -13192,12 +13160,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
@ -17825,12 +17793,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -17948,12 +17916,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -23060,12 +23028,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -23186,12 +23154,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
@ -25718,8 +25686,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: globalcontextentries.kyverno.io
|
||||
|
|
@ -25983,8 +25951,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: policies.kyverno.io
|
||||
|
|
@ -28524,12 +28492,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -28647,12 +28615,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -33626,12 +33594,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -33752,12 +33720,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
@ -38386,12 +38354,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -38509,12 +38477,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to be
|
||||
|
|
@ -43621,12 +43589,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
preconditions:
|
||||
description: |-
|
||||
|
|
@ -43747,12 +43715,12 @@ spec:
|
|||
description: |-
|
||||
PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: |-
|
||||
PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
targets:
|
||||
description: Targets defines the target resources to
|
||||
|
|
@ -46279,8 +46247,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: policyexceptions.kyverno.io
|
||||
|
|
@ -47587,8 +47555,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: updaterequests.kyverno.io
|
||||
|
|
@ -48420,8 +48388,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: clusterephemeralreports.reports.kyverno.io
|
||||
|
|
@ -48762,8 +48730,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: ephemeralreports.reports.kyverno.io
|
||||
|
|
@ -49104,8 +49072,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: clusterpolicyreports.wgpolicyk8s.io
|
||||
|
|
@ -49472,8 +49440,8 @@ metadata:
|
|||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/part-of: kyverno-crds
|
||||
app.kubernetes.io/version: v0.0.0
|
||||
helm.sh/chart: crds-v0.0.0
|
||||
app.kubernetes.io/version: 3.3.4
|
||||
helm.sh/chart: crds-3.3.4
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.16.1
|
||||
name: policyreports.wgpolicyk8s.io
|
||||
|
|
|
|||
|
|
@ -1364,7 +1364,7 @@ Kubernetes apiextensions/v1.JSON
|
|||
<em>(Optional)</em>
|
||||
<p>PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See <a href="https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/">https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/</a>
|
||||
and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/">https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/</a>.</p>
|
||||
and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/</a>.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
@ -1377,7 +1377,7 @@ string
|
|||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rfc6902</a> and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/">https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/</a>.</p>
|
||||
See <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rfc6902</a> and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/</a>.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
|
@ -2460,7 +2460,7 @@ Kubernetes apiextensions/v1.JSON
|
|||
<em>(Optional)</em>
|
||||
<p>PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See <a href="https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/">https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/</a>
|
||||
and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/">https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/</a>.</p>
|
||||
and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/</a>.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
@ -2473,7 +2473,7 @@ string
|
|||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rfc6902</a> and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/">https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/</a>.</p>
|
||||
See <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rfc6902</a> and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/</a>.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ Attributes cannot be deleted in a version. They should be marked for deprecation
|
|||
|
||||
## Modifying an attribute
|
||||
|
||||
Attributes cannot be modified in a version. The existing attribute should be marked for deprecation and a new attribute should be added following version compatibility guidelines.
|
||||
Attributes cannot be modified in a version. The existing attribute should be marked for deprecation and a new attribute should be added following version compatibity guidelines.
|
||||
|
||||
|
||||
## Stable References
|
||||
|
|
|
|||
|
|
@ -69,7 +69,7 @@ The policy controller processes all adds, deletes, and updates to all installed
|
|||
|
||||
### Reports Controller
|
||||
|
||||
The report controller is responsible for creation of policy reports from both admission requests and background scans and requires leader election. It tracks resources that need to be processed in the background and generates background scan reports (when policy/resource change). It also aggregates these and the intermediary admission reports into the final policy report resources `PolicyReport` and `ClusterPolicyReport`.
|
||||
The report controller is responsible for creation of policy reports from both admission requests and background scans and requires leader election. It track resources that need to be processed in the background and generates background scan reports (when policy/resource change). It also aggregates these and the intermediary admission reports into the final policy report resources `PolicyReport` and `ClusterPolicyReport`.
|
||||
|
||||
#### Background Scan Controller
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ There are several ways to enable/disable features in Golang:
|
|||
2. Container arguments
|
||||
|
||||
## Feature Flags
|
||||
The `toggle` package exists in pkg/toggle can be used to define and manage a feature toggle for a new feature in Kyverno. Let's say we need to introduce a new feature toggle to enable/disable deferred loading. We can do it as follows:
|
||||
The `toggle` package exists in pkg/toggle can be used to define and manage a feature toggle for a new feature in Kyverno. Lets say we need to introduce a new feature toggle to enable/disable deferred loading. We can do it as follows:
|
||||
1. Define a flag name, description, environment variable and a default value for this new feature in the `toggle` package:
|
||||
```
|
||||
EnableDeferredLoadingFlagName = "enableDeferredLoading"
|
||||
|
|
@ -46,7 +46,7 @@ The `toggle` package exists in pkg/toggle can be used to define and manage a fea
|
|||
environment variable `FLAG_ENABLE_DEFERRED_LOADING=0`
|
||||
|
||||
## Container Arguments
|
||||
Container arguments can be used directly in the controller. Let's say we want to add a new container flag `--enable-feature`, we can do it as follows:
|
||||
Container arguments can be used directly in the controller. Lets say we want to add a new container flag `--enable-feature`, we can do it as follows:
|
||||
1. Create a variable for this new flag:
|
||||
```
|
||||
var(
|
||||
|
|
|
|||
|
|
@ -94,7 +94,7 @@ To reduce the computation power needed, especially when resources change frequen
|
|||
- When the worker gets the namespace from the queue it lists all admission reports and background scan reports for that particular namespace, aggregates them together and reconciles the existing policy reports
|
||||
|
||||
This process can have a significant impact on the number of API calls and the memory footprint, especially when we have large reports.
|
||||
To mitigate this, we use LIST api calls with pagination and reports are aggregated before loading the next page.
|
||||
To mitigate this we use LIST api calls with pagination and reports are aggregated before loading the next page.
|
||||
|
||||
|
||||
```mermaid
|
||||
|
|
@ -164,7 +164,7 @@ For policy reports it's different, the number of policy reports will depend on t
|
|||
- one report per policy for clustered resources (10 policies -> 10 reports)
|
||||
|
||||
Policy reports and cluster policy reports are usually much larger, depending on the number of resources in the cluster/namespace.
|
||||
Sometimes they are too big to be stored in etcd and we split them into multiple reports containing a configurable number of entries (`1000` by default).
|
||||
Sometimes they are too big to be stored in etcd and we split them into multiple reports containing a configurable number entries (`1000` by default).
|
||||
|
||||
### Reports deletion
|
||||
|
||||
|
|
@ -457,13 +457,13 @@ If you have 1000 pods in a cluster, it gives:
|
|||
|
||||
With autogen you have to account for `Deployment`, `StatefulSet`, `Job`, `CronJob`, `ReplicaSet` too (reports for them will be approximately the same size).
|
||||
|
||||
And of course, ephemeral admission reports consume space too, even if they should be cleaned up quickly.
|
||||
And of course ephemeral admission reports consume space too, even if they should be cleaned up quickly.
|
||||
|
||||
Finally, you need to take policy reports into account too.
|
||||
Basically, they should consume approximately the same disk space as background scan reports (approximately because if some policies don't run in the background, results will come from aggregated admission reports).
|
||||
Finally you need to take policy reports into account too.
|
||||
Basically they should consume approximately the same disk space as background scan reports (approximately because if some policies don't run in the background, results will come from aggregated admission reports).
|
||||
|
||||
The number of policy reports is usually inferior to the number of other reports, but they are bigger in size.
|
||||
The number of policy reports is usually inferior to the number of other reports but they are bigger in size.
|
||||
|
||||
In the end, to use PSS policies (with `restricted` profile) on a 1000 pods cluster, you should budget around 25MB of etcd storage, spread across ~2000 reports.
|
||||
|
||||
In comparison, an average `Pod` is around 5KB (at least for a pod with a single container). The storage for 1000 pods is around 5MB. We can see that reports has a significant storage impact. Fortunately, ETCD stores data on disk and associated cost should be negligible.
|
||||
In comparison, an average `Pod` is around 5KB (at least for a pod with a single container). The storage for 1000 pods is around 5MB. We can see that reports has a significant storage impact. Fortunately ETCD stores data on disk and associated cost should be negligible.
|
||||
|
|
@ -4,9 +4,9 @@ This document contains scripts to help troubleshooting reports issues.
|
|||
|
||||
## Getting reports detailed information
|
||||
|
||||
When querying reports, you can add `-o wide` to get a more detailed output.
|
||||
When querying reports you can add `-o wide` to get a more detailed output.
|
||||
|
||||
This will show information about the resource associated with the report.
|
||||
This will show infos about the resource associated with the report.
|
||||
|
||||
It can be useful to determine if a particular resource kind is responsible for creating too many reports.
|
||||
|
||||
|
|
@ -99,7 +99,7 @@ Listing existing reports can take a long time when there is a high number of rep
|
|||
|
||||
With `--watch-only` you only get an output for reports that are created, updated or deleted.
|
||||
|
||||
This is useful to determine if a particular resource kind is responsible for creating too many reports.
|
||||
This is useful to determine if particular resource kind is reponsible for creating too many reports.
|
||||
|
||||
```console
|
||||
# watch changing cluster admission reports
|
||||
|
|
|
|||
|
|
@ -53,7 +53,6 @@ kyverno create [flags]
|
|||
### SEE ALSO
|
||||
|
||||
* [kyverno](kyverno.md) - Kubernetes Native Policy Management.
|
||||
* [kyverno create cluster-role](kyverno_create_cluster-role.md) - Create an aggregated role for given resource types
|
||||
* [kyverno create exception](kyverno_create_exception.md) - Create a Kyverno policy exception file.
|
||||
* [kyverno create metrics-config](kyverno_create_metrics-config.md) - Create a Kyverno metrics-config file.
|
||||
* [kyverno create test](kyverno_create_test.md) - Create a Kyverno test file.
|
||||
|
|
|
|||
|
|
@ -1,47 +0,0 @@
|
|||
## kyverno create cluster-role
|
||||
|
||||
Create an aggregated role for given resource types
|
||||
|
||||
### Synopsis
|
||||
|
||||
This command generates a Kubernetes ClusterRole for specified resource types.
|
||||
The output is printed to stdout by default or saved to a specified file.
|
||||
Required flags include 'api-groups', 'verbs', and 'resources'.
|
||||
|
||||
```
|
||||
kyverno create cluster-role [name] [flags]
|
||||
```
|
||||
|
||||
### Options
|
||||
|
||||
```
|
||||
-g, --api-groups string API group for the resource (required)
|
||||
--controllers stringArray List of controllers for the ClusterRole (default = background-controller) (default [background-controller])
|
||||
-h, --help help for cluster-role
|
||||
-o, --output string Output file path (prints to console if not set)
|
||||
--resources stringArray A comma separated list of resources (required)
|
||||
--verbs stringArray A comma separated list of verbs or 'all' for all verbs
|
||||
```
|
||||
|
||||
### Options inherited from parent commands
|
||||
|
||||
```
|
||||
--add_dir_header If true, adds the file directory to the header of the log messages
|
||||
--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true)
|
||||
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
|
||||
--log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true)
|
||||
--log_file string If non-empty, use this log file (no effect when -logtostderr=true)
|
||||
--log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
|
||||
--logtostderr log to standard error instead of files (default true)
|
||||
--one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
|
||||
--skip_headers If true, avoid header prefixes in the log messages
|
||||
--skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true)
|
||||
--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2)
|
||||
-v, --v Level number for the log level verbosity
|
||||
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
|
||||
```
|
||||
|
||||
### SEE ALSO
|
||||
|
||||
* [kyverno create](kyverno_create.md) - Helps with the creation of various Kyverno resources.
|
||||
|
||||
|
|
@ -1870,7 +1870,7 @@ github.com/kyverno/kyverno/api/kyverno.Any
|
|||
<em>(Optional)</em>
|
||||
<p>PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See <a href="https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/">https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/</a>
|
||||
and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/">https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/</a>.</p>
|
||||
and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/</a>.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
@ -1883,7 +1883,7 @@ string
|
|||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rfc6902</a> and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/">https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/</a>.</p>
|
||||
See <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rfc6902</a> and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/</a>.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
@ -3231,7 +3231,7 @@ Kubernetes apiextensions/v1.JSON
|
|||
<em>(Optional)</em>
|
||||
<p>PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See <a href="https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/">https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/</a>
|
||||
and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/">https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/</a>.</p>
|
||||
and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/</a>.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
@ -3244,7 +3244,7 @@ string
|
|||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rfc6902</a> and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/">https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/</a>.</p>
|
||||
See <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rfc6902</a> and <a href="https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/">https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/</a>.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
@ -5898,20 +5898,6 @@ AnyAllConditions
|
|||
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>deletionPropagationPolicy</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#deletionpropagation-v1-meta">
|
||||
Kubernetes meta/v1.DeletionPropagation
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
|
|
@ -6061,20 +6047,6 @@ AnyAllConditions
|
|||
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>deletionPropagationPolicy</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#deletionpropagation-v1-meta">
|
||||
Kubernetes meta/v1.DeletionPropagation
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
|
|
@ -6602,20 +6574,6 @@ AnyAllConditions
|
|||
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>deletionPropagationPolicy</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#deletionpropagation-v1-meta">
|
||||
Kubernetes meta/v1.DeletionPropagation
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
|
|
@ -7750,20 +7708,6 @@ AnyAllConditions
|
|||
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>deletionPropagationPolicy</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#deletionpropagation-v1-meta">
|
||||
Kubernetes meta/v1.DeletionPropagation
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
|
|
@ -7913,20 +7857,6 @@ AnyAllConditions
|
|||
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>deletionPropagationPolicy</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#deletionpropagation-v1-meta">
|
||||
Kubernetes meta/v1.DeletionPropagation
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
|
|
@ -8773,20 +8703,6 @@ AnyAllConditions
|
|||
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>deletionPropagationPolicy</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#deletionpropagation-v1-meta">
|
||||
Kubernetes meta/v1.DeletionPropagation
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
|
|
|
|||
|
|
@ -3849,7 +3849,7 @@ See: https://kyverno.io/docs/writing-policies/preconditions/</p>
|
|||
|
||||
<p>PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.</p>
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.</p>
|
||||
|
||||
|
||||
|
||||
|
|
@ -3877,7 +3877,7 @@ and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patche
|
|||
|
||||
|
||||
<p>PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.</p>
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.</p>
|
||||
|
||||
|
||||
|
||||
|
|
@ -6563,7 +6563,7 @@ Please specify under "any" or "all" instead.</p>
|
|||
|
||||
<p>PatchStrategicMerge is a strategic merge patch used to modify resources.
|
||||
See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesstrategicmerge/.</p>
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.</p>
|
||||
|
||||
|
||||
|
||||
|
|
@ -6591,7 +6591,7 @@ and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patche
|
|||
|
||||
|
||||
<p>PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patchesjson6902/.</p>
|
||||
See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.</p>
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -283,33 +283,6 @@ and admission review request information like the name or role.</p>
|
|||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>deletionPropagationPolicy</code>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
||||
|
||||
<span style="font-family: monospace">meta/v1.DeletionPropagation</span>
|
||||
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
||||
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
|
@ -603,33 +576,6 @@ and admission review request information like the name or role.</p>
|
|||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>deletionPropagationPolicy</code>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
||||
|
||||
<span style="font-family: monospace">meta/v1.DeletionPropagation</span>
|
||||
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
||||
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
|
@ -1701,33 +1647,6 @@ and admission review request information like the name or role.</p>
|
|||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>deletionPropagationPolicy</code>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
||||
|
||||
<span style="font-family: monospace">meta/v1.DeletionPropagation</span>
|
||||
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
||||
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
|
|
|||
|
|
@ -289,33 +289,6 @@ and admission review request information like the name or role.</p>
|
|||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>deletionPropagationPolicy</code>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
||||
|
||||
<span style="font-family: monospace">meta/v1.DeletionPropagation</span>
|
||||
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
||||
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
|
@ -613,33 +586,6 @@ and admission review request information like the name or role.</p>
|
|||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>deletionPropagationPolicy</code>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
||||
|
||||
<span style="font-family: monospace">meta/v1.DeletionPropagation</span>
|
||||
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
||||
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
|
@ -2414,33 +2360,6 @@ and admission review request information like the name or role.</p>
|
|||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>deletionPropagationPolicy</code>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
||||
|
||||
<span style="font-family: monospace">meta/v1.DeletionPropagation</span>
|
||||
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
||||
|
||||
<p>DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue