Pratik Shah
caab013a86
Fixed issue-4530: Added separate attestor type for secrets and KMS ( #4733 )
...
Signed-off-by: Pratik Shah <pratik@infracloud.io>
Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>
2022-10-14 09:40:46 +00:00
Charles-Edouard Brétéché
064980bd9a
fix: admission reports printer ( #4950 )
...
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-14 08:22:00 +00:00
Pratik Shah
8a0083105d
Added support to specify key signature algorithm in verifyImages ( #4855 )
...
Signed-off-by: Pratik Shah <pratik@infracloud.io>
Signed-off-by: Pratik Shah <pratik@infracloud.io>
2022-10-14 05:39:57 +00:00
Charles-Edouard Brétéché
4aed9359cb
refactor: manage webhooks with webhook controller ( #4846 )
...
* refactor: add config support to webhook controller
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* refactor: add client config to webhook controller
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* migrate verify webhook
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* v1
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* refactor: move policy webhooks management in webhook controller
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* policy validating webhook config
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* watch policies
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* refactor: migrate resource webhook management in webhook controller
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* mutating webhook
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* auto update
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* cleanup
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* auto update and wildcard policies
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* policy readiness
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix: can't use v1 admission
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* reduce reconcile
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* watchdog
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* cleanup
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* health check
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* runtime utils
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* runtime utils
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* cleanup
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* watchdog check
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* remove delete from mutating webhook
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* cleanup
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-10-12 06:52:42 +00:00
shuting
4d90b7b561
Update PSa images dsecription ( #4840 )
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-10-07 08:09:31 +00:00
ShutingZhao
614c30788e
Fix PSa the control name validation
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-10-06 03:50:39 +08:00
Charles-Edouard Brétéché
51b07b7bf3
fix: validationFailureAction default value ( #4822 )
...
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-05 18:09:21 +00:00
yinka
688b4fb8e3
add package logger in files ( #4766 )
...
* add package logger in files
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
* add package logger to initContainer and other files
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
* helm docs
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* helm default values
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* release notes
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-02 19:45:03 +00:00
shuting
1d83e86c12
Add PSa policy validations ( #4735 )
...
* Validate PSa control names
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add validation checks for the PSa rule
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-29 12:03:13 +08:00
Prateek Pandey
38c252952d
feat: add matchlabel selector support with multiple clone ( #4713 )
...
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-28 17:44:38 +02:00
Charles-Edouard Brétéché
e0ab72bb9a
feat: reports v2 implementation ( #4608 )
...
This PR refactors the reports generation code.
It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds.
The new reports system is based on 4 controllers:
Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation
Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes
Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace)
Resources controller is responsible for watching reports that need background scan reports
I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong.
I also added a flag to split reports in chunks to avoid creating too large resources.
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-28 17:15:16 +05:30
shuting
34c6920129
Support PSa integration by controlName only ( #4710 )
...
* Remove "restrictedField" and "values" from podSecurity.exclude
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Remove commented code
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add unit tests for restricted_runAsNonRoot
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add baseline unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add unit tests for restricted controls
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Removes PSa tests at the engine level
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - Update API docs; - Add unit tests for wildcard images
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Remove autogen conversion for PSa policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* copy pod with DeepCopy()
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-28 10:03:53 +00:00
Pradeep Lakshmi Narasimha
e305aea95c
fix: namespaced policy targets namespace validation and scoping them to the policy's namespace ( #4671 )
...
Signed-off-by: praddy26 <pradeep.vaishnav4@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-09-26 14:54:13 +00:00
Charles-Edouard Brétéché
fe8c5bbdf2
refactor: split policyreport api files ( #4641 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-19 10:28:51 +00:00
Charles-Edouard Brétéché
47b3704848
fix: missing elements in v2beta1 api ( #4654 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-19 09:55:04 +00:00
Charles-Edouard Brétéché
42a2df56c1
refactor: add a couple of constants in api ( #4640 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-19 09:11:12 +00:00
Charles-Edouard Brétéché
634dff5639
feat: introduce RCR interface ( #4642 )
...
* feat: introduce RCR interface
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix codegen
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-19 08:42:11 +00:00
Charles-Edouard Brétéché
530a584f76
fix: background printer column ( #4617 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-14 06:54:56 +00:00
Charles-Edouard Brétéché
dfb566a458
fix: typo ( #4582 )
...
* fix: typo
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: typo
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-10 16:11:38 +00:00
Vyankatesh Kudtarkar
aa6abd99f2
Support V2beta1 Version ( #4514 )
...
introduce new version V2beta1 which remove deprecated CRD
types from version v1.
Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>
2022-09-08 11:19:16 +00:00
Prateek Pandey
1cacd0173d
feat: allow cloning multiple resource from a namespace ( #4384 )
2022-09-08 04:47:09 +00:00
Abhishek Kumar
5681a2a2dc
Improve printer column name for validationFailureAction ( #4488 )
...
Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com>
Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-02 05:33:33 +00:00
shuting
c1b1cbb7da
Add PodSecurity description ( #4475 )
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-09-01 09:03:41 +00:00
Charles-Edouard Brétéché
599a68e896
feat: enable autogen from makefile ( #4467 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-01 14:14:56 +08:00
ToLToL
1b9a2fca21
Extend Pod Security Admission ( #4364 )
...
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 09:16:31 +00:00
Riko Kudo
5f5cda9fee
Yaml signing and verification ( #4235 )
...
* enable YAML verification using k8s-manifest-sigstore
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
comment out role and rolebinding for dryrun
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix log message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
change default value of dryrun option
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
support gpg signature
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* upgrade manifest sigstore version and support multi sigs
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix validate.manifest rule
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd and add small fix
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
set cosign experimental env when keyless verification
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* improve default ignoreFields
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* add unit-test for k8smanifest
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update install yaml
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version and support one or more signatures
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
add unit-test for k8smanifest multi-signature
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix manifest verify policy and move dryrun rbac to dryrun dir
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version and resolve conflict
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
enable YAML verification using k8s-manifest-sigstore
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
comment out role and rolebinding for dryrun
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
upgrade manifest sigstore version and support multi sigs
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix validate.manifest rule
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd and add small fix
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version and support one or more signatures
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy and move dryrun rbac to dryrun dir
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
add small fix
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* remove generic name
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix sonatype-lift issue and unit-test error
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix gofumpt error
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* update manifest rule to use attestor
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* remove unused value
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* resolve conflict
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix install.yaml
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix to set COSIGN_EXPERIMENTAL env variable when keyless verification
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix misspell
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* enable kyverno cli in validate.manifests rule (#3 )
* enable kyverno cli in validate.manifests rule
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version and improve error handling for better result output
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update crds and deepcopy
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update unit test
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* change to use spec.rules.exclude.subjects instead of skipUsers (#4 )
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix yaml signing sigstore (#5 )
* update k8s-manifest-sigstore version
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* add a comment for dryrun option field
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* enable to include ClusterPolicy/Policy in match resource
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix log style and env variable settings
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* simplify manifest verify func
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix func name
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix sonatype warning
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix default ignoreFields
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix yaml signing sigstore rbac (#6 )
* fix dryrun rbac to have minimal permissions
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix lint error
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix unit-test error
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix gofumpt error
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix log style
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* updated CRD documentation
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* resolve go.mod conflicts
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* updated helm stuff
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-08-30 10:14:54 -07:00
Charles-Edouard Brétéché
fc1a4601a7
refactor: introduce wildcard utils package ( #4406 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-25 05:23:01 +00:00
Charles-Edouard Brétéché
91373e1329
fix: goimports check not working in ci job ( #4387 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-08-24 13:38:49 +00:00
Charles-Edouard Brétéché
144985ee5a
chore: fix golangcilint timeout ( #4388 )
...
* chore: fix golangcilint timeout
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix commit sha
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* add .gitattributes
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-24 21:08:24 +08:00
George
648511383c
Update wgpolicyk8s.io CRDs ( #4355 )
...
* Update policyreport api
Signed-off-by: George Sedky <george@devopzilla.com>
* Run codegen to generate CRDs
Signed-off-by: George Sedky <george@devopzilla.com>
Signed-off-by: George Sedky <george@devopzilla.com>
Co-authored-by: George Sedky <george@devopzilla.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-08-22 07:18:33 +00:00
Jim Bugwadia
943c3a1929
use failurePolicy to block or allow requests, on policy errors ( #4183 )
...
* use failurePolicy to block or allow requests, on policy errors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add warnings
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* codegen
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add unit tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle network errors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix title conversion
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix path in generated file
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix fake metrics
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add check for klog flag initialization
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* check for flag reinitialization
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* check for flag reinitialization
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix spelling
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix flag init
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-08-02 20:24:02 +05:30
Jim Bugwadia
4aa0767728
add applyRules to control whether one or all rules are applied ( #4196 )
...
* add ruleSelector
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix selector logic for skipped rules
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* change names
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix generated paths
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add image variable to context when rule processing starts
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix messages
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update generate rules
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-07-29 15:02:26 +08:00
Anutosh Bhat
dafa27e928
Corrected description for UpdateRequest struct ( #4215 )
...
* Corrected description for UpdateRequest struct
Signed-off-by: anutosh491 <andersonbhat491@gmail.com>
* Added changes for docs
Signed-off-by: anutosh491 <andersonbhat491@gmail.com>
* Added diff shown in verify generate tests
Signed-off-by: anutosh491 <andersonbhat491@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-07-19 12:16:50 +00:00
Charles-Edouard Brétéché
210a709bb3
feat: policy status for autogen rules ( #4173 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-07-03 15:09:18 -07:00
Jim Bugwadia
bc1b051b90
fix imageVerify validation checks and conversion logic ( #4038 )
...
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-06-15 17:13:36 -07:00
Charles-Edouard Brétéché
1786cb8bc8
fix: bool fields in image verification types ( #4053 )
...
* refactor: add policy event listener in ur controller (#4012 )
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
(cherry picked from commit cd1fa030ee
2022-06-02 12:05:23 -07:00
Charles-Edouard Brétéché
dae3dad027
refactor: used typed admission request in ur ( #4022 )
...
* refactor: add policy event listener in ur controller (#4012 )
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
(cherry picked from commit cd1fa030ee
2022-05-29 07:27:14 +00:00
Charles-Edouard Brétéché
1712dfa947
refactor: move label helper utils from policy package to background package ( #3996 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-24 13:11:12 +05:30
Charles-Edouard Brétéché
5aaf2d8770
chore: make kyverno api import aliases consistent ( #3939 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 13:12:43 +02:00
Charles-Edouard Brétéché
0099ef54ad
chore: enable gofmt and gofumpt linters ( #3931 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 06:19:03 +00:00
Charles-Edouard Brétéché
70954b9995
refactor: policy cache ( #3919 )
...
* refactor: simplify policy cache
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: policy cache
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* remove update and add policies map
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: review comments
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-05-16 07:56:16 +00:00
Prateek Pandey
4d4f805d68
fix: undo length validation check for generate rule resource name ( #3865 )
...
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-05-11 05:08:27 +00:00
Prateek Pandey
8b6d3d1f6a
feat: trigger generate on existing matched resource ( #3819 )
...
* feat: trigger generate on existing matched resource
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* refactor the triggers and fix review comments
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* add trigger for other matching kinds
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* implement match exclude using dynamic client
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* refactor generate trigger
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* increase sleep timeout
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* optimize unstructured list
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* fix review comments
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* log refactor and clean debug comments
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-05-09 07:13:11 +00:00
shuting
b4f2b63f53
Load mutate.targets via dclient ( #3797 )
...
* Load mutate.targets via dclient
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Do not fail on namespace cleanup for e2e generate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Fix wildcard name listing for a certain namespace
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Rename onPolicyUpdate to mutateExistingOnPolicyUpdate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Enable "mutateExistingOnPolicyUpdate" on policy events
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-05-06 05:46:36 +00:00
Jim Bugwadia
db3502656d
Cert attestor ( #3809 )
...
* add certificates attestor
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle duplicate images; use container name as key
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* use OldObject for modify requests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* use unique image names
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* merge main
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* create a single annotation patch across rules and images
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt and change annotation key name
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* split certs from keys
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add Rekor and fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-05-05 21:57:20 -07:00
Charles-Edouard Brétéché
5d2e2faf72
fix: autogen rules in status ( #3728 )
...
* refactor: autogen package logger
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: add rules to status only when necessary
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-05-05 15:11:26 +00:00
Vyankatesh Kudtarkar
13d8a96f92
Policy Validation check for onPolicyUpdate flag ( #3814 )
...
* policy validation check for OnPolicyUpdate flag
* add validation check for onupdatepolicy flag
2022-05-05 21:04:49 +08:00
shuting
8a9a98d8b5
Add handler to UR.status ( #3791 )
...
* - Add "handler" to "ur.status"
- Mark / Unmark handler upon UR reconciliation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add field onPolicyUpdate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Update API docs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add delay in generate e2e tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Remove duplicate logic for cleaning up the cloned resource
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-05-05 16:26:27 +05:30
Charles-Edouard Brétéché
f70ef051dc
refactor: move ImageExtractorConfigs in api package ( #3781 )
2022-05-03 08:45:08 +00:00
shuting
a4815f77c4
Convert GenerateRequest to UpdateRequest for backward compatibility ( #3730 )
...
- Remove GenerateRequest Informer
- Rename GenerateRequest to UpdateRequest in logs and vars
- Fix initContainer leader election
- Convert GenerateRequest to UpdateRequest in initContainer
- Remove unused methods
- Add printer column ruleType to UR
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-04-29 16:35:49 +05:30
Charles-Edouard Brétéché
24ed931f42
refactor: remove some api unnecessary pointers (4) ( #3713 )
...
* refactor: remove some api unnecessary pointers
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: remove some api unnecessary pointers (2)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: remove some api unnecessary pointers (3)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: remove some api unnecessary pointers (4)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-04-29 09:12:01 +02:00
shuting
e248308cb3
Create UR for both mutate and generate policies ( #3717 )
...
* remove mutateExisting field
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update policy controller to create UR for generate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove debug log
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - Update api docs
- Ignore e2e tests cleanup failure
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add back index to helm template
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-04-29 11:01:02 +05:30
Charles-Edouard Brétéché
7fca026678
fix: remove supported from autogen status ( #3714 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-28 16:14:48 -07:00
Charles-Edouard Brétéché
d0ada5529c
fix: generated api reference docs ( #3711 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-28 12:51:44 +00:00
Charles-Edouard Brétéché
b7f42a0d1f
refactor: remove some api unnecessary pointers (3) ( #3707 )
...
* refactor: remove some api unnecessary pointers
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: remove some api unnecessary pointers (2)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: remove some api unnecessary pointers (3)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-28 12:30:23 +00:00
shuting
d3eec03a79
Optimize UR listing on policy events ( #3712 )
...
* Optimize UR listing on policy events
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix new UR creation for multiple policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-04-28 10:29:48 +00:00
Charles-Edouard Brétéché
68c35b2f2e
refactor: remove some api unnecessary pointers (2) ( #3705 )
...
* refactor: remove some api unnecessary pointers
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: remove some api unnecessary pointers (2)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-28 17:11:14 +08:00
Charles-Edouard Brétéché
75e300799a
fix: remove unused type TargetMutation ( #3706 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-04-28 06:05:13 +00:00
Charles-Edouard Brétéché
cf86887d55
refactor: remove some api unnecessary pointers ( #3704 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-28 12:41:10 +08:00
Jim Bugwadia
ab5171cee5
Verify digest ( #3679 )
...
* add verifyDigest to check all tags are converted to digests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add required to check for image verification annotation
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* generate CRD
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* adding imageverify true/false patch
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* patch addition logic
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* image verify CLI tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fixes and unit tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix digest mutate
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make codegen
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix policy cache
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: anushkamittal20 <anumittal4641@gmail.com>
2022-04-27 15:09:52 +00:00
Charles-Edouard Brétéché
b689f1f15c
fix: kind wash in mutate policy helper ( #3698 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-27 19:38:31 +05:30
Charles-Edouard Brétéché
f34a542587
refactor: client gen code ( #3695 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-27 12:30:43 +00:00
shuting
d5f6167e56
Fix flaky e2e tests for generate policies ( #3681 )
...
* fix flaky generate e2e tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* enable validate, verifyimage e2e tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* set policy names different within a single test
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* do not delete cloned resource when sync generate policy is deleted
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* replace grLister by urLister
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* re-queue pending URs only to fix clone policy deletion
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove duplicate import
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-26 19:18:24 +00:00
shuting
2a656f6de0
feat: mutate existing resources ( #3669 )
...
* feat: mutate existing, replace GR by UR in webhook server (#3601 )
* add attributes for post mutation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add UR informer to webhook server
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - replace gr with ur in the webhook server; - create ur for mutateExsiting policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* replace gr by ur across entire packages
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add YAMLs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update api docs & fix unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add UR deletion handler
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add api docs for v1beta1
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix clientset method
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix v1beta1 client registration
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* feat: mutate existing - generates UR for admission requests (#3623 )
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* replace with UR in policy controller generate rules (#3635 )
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* - enable mutate engine to process mutateExisting rules; - add unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* implemented ur background reconciliation for mutateExisting policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix webhook update error
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* temporary comment out new unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* feat: mutate existing, replace GR by UR in webhook server (#3601 )
* add attributes for post mutation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add UR informer to webhook server
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - replace gr with ur in the webhook server; - create ur for mutateExsiting policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* replace gr by ur across entire packages
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix missing policy.kyverno.io/policy-name label (#3599 )
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* refactor cli code from pkg to cmd (#3591 )
* refactor cli code from pkg to cmd
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixes in imports
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixes tests
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixed conflicts
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* moved non-commands to utils
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* add YAMLs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update api docs & fix unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add UR deletion handler
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add api docs for v1beta1
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix clientset method
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add-kms-libraries for cosign (#3603 )
* add-kms-libraries
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* Shifted providers to cosign package
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add support for custom image extractors (#3596 )
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
* Update vulnerable dependencies (#3577 )
Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix v1beta1 client registration
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* feat: mutate existing - generates UR for admission requests (#3623 )
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* updating version in Chart.yaml (#3618 )
* updatimg version in Chart.yaml
Signed-off-by: Prateeknandle <prateeknandle@gmail.com>
* changes from, make gen-helm
Signed-off-by: Prateeknandle <prateeknandle@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Allow kyverno-policies to have preconditions defined (#3606 )
* Allow kyverno-policies to have preconditions defined
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix docs
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* replace with UR in policy controller generate rules (#3635 )
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - enable mutate engine to process mutateExisting rules; - add unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* implemented ur background reconciliation for mutateExisting policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix webhook update error
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* temporary comment out new unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Image verify attestors (#3614 )
* fix logs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix logs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* support multiple attestors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* rm CLI tests (not currently supported)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* apply attestor repo
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix entryError assignment
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add intermediary certs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Allow defining imagePullSecrets (#3633 )
* Allow defining imagePullSecrets
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use dict for imagePullSecrets
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Simplify how imagePullSecrets is defined
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Fix race condition in pCache (#3632 )
* fix race condition in pCache
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* refact: remove unused Run function from generate (#3638 )
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* Remove helm mode setting (#3628 )
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* refactor: image utils (#3630 )
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* -resolve lift comments; -fix informer sync issue
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* refact the update request cleanup controller
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* - fix delete request for mutateExisting; - fix context variable substitution; - improve logging
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - enable events; - add last applied annotation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* enable mutate existing on policy creation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update autogen code
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* merge main
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address list comments
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update api docs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix "Implicit memory aliasing in for loop"
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove unused definitions
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update api docs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Shubham Gupta <shubham.gupta2956@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Prateek Nandle <56027872+Prateeknandle@users.noreply.github.com>
Co-authored-by: treydock <tdockendorf@osc.edu>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-25 12:20:40 +00:00
Sambhav Kothari
44b5bf0b57
Allow definition of inline variables in context ( #3658 )
...
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
2022-04-25 19:06:07 +08:00
Prateek Pandey
c2107a2946
fix: add char length validation for generate rule resource name ( #3640 )
...
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-04-25 17:23:16 +08:00
Naman Lakhwani
9f3fc941ef
[imageVerify]: adding digestMutate to simplify tag-to-digest mutation ( #3531 )
...
* added digestMutate
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* rebase
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* setting always to true
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* small nit
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* make codegen
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* crds & failing rule if mutation fails
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* adding new func to fetch digest and changing naming to mutateDigest
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* small nits
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* generating crds
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* minor nit
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* correcting error format
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-04-22 01:08:49 -07:00
Jim Bugwadia
9fde4fd6a1
Multiple keys ( #3636 )
...
* fix autogen check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* allow multiple keys and fix root/intermediate certs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make issuer/subject optional
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* enable CTLog options
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix split
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make codegen
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* rename CTLog -> Rekor
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* api/kyverno/v1/image_verification_test.go
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-04-22 07:10:02 +00:00
Charles-Edouard Brétéché
2e1a87d149
refactor: image utils ( #3630 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-20 15:01:02 +00:00
Jim Bugwadia
3b1a1acd9a
Image verify attestors ( #3614 )
...
* fix logs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix logs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* support multiple attestors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* rm CLI tests (not currently supported)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* apply attestor repo
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix entryError assignment
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add intermediary certs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-04-19 08:35:12 -07:00
Sambhav Kothari
ec4e4ba452
Add support for custom image extractors ( #3596 )
...
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
2022-04-14 09:08:30 -07:00
shuting
2b432490b5
Feat - add the new CR UpdateRequest for post mutation ( #3592 )
...
* add new CR UpdateRequest
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add clienset for updaterequests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-04-12 22:37:28 +05:30
Jim Bugwadia
f11cec73a8
fix imageVerify rule conversion ( #3583 )
2022-04-12 10:03:34 +08:00
Jim Bugwadia
0f186afb3e
update imageVerify schema ( #3574 )
...
* update imageVerify schema
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add optional
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* codegen
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* codegen
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* codegen
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* change nested/recursive types to apiextv1.JSON
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make codegen
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-04-11 16:47:27 +01:00
Charles-Edouard Brétéché
06c2b2bb79
refactor: switch to admission v1 ( #3526 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-04-06 20:43:07 +00:00
Charles-Edouard Brétéché
98598e33cf
refactor: metrics package ( #3549 )
...
* refactor: use BackgroundProcessingEnabled method
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: webhooks metrics reporting
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: metrics package
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-07 02:14:13 +08:00
Charles-Edouard Brétéché
594a04db01
refactor: simplify autogen package ( #3532 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-04-05 15:12:22 +00:00
Charles-Edouard Brétéché
2f81c77850
refactor: use GetFailurePolicy method ( #3545 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-05 04:49:30 +08:00
Charles-Edouard Brétéché
a93ac45586
refactor: move some helpers in utils package ( #3539 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-04-04 18:58:22 +00:00
Charles-Edouard Brétéché
cb6f55cdcd
refactor: use GetValidationFailureAction method ( #3546 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-04-04 16:33:12 +00:00
Charles-Edouard Brétéché
1cee8894e0
fix: disallow all in autogen annotation ( #3537 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-04-04 16:10:57 +00:00
Charles-Edouard Brétéché
04740c52fa
refactor: use more policy interface ( #3510 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-31 12:14:00 +05:30
Charles-Edouard Brétéché
c59affb248
refactor: factorize policy interface ( #3496 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-29 15:52:45 +00:00
Charles-Edouard Brétéché
69dcd9ee4c
chore: simplify validation with named return ( #3493 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-29 09:53:10 +00:00
Charles-Edouard Brétéché
20069c13c3
feat: stop mutating rules ( #3410 )
...
* feat: stop adding autogen annotation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* feat: stop mutating rules
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* feat: stop mutating rules
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: use toggle
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: review comments
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-28 22:01:27 +08:00
Charles-Edouard Brétéché
4efcabffb5
refactor: use abstract policy interface in webhookconfig ( #3466 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-25 14:43:47 +00:00
shuting
d1bf3d4742
clean up dependencies ( #3469 )
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-03-25 08:40:25 +00:00
Charles-Edouard Brétéché
3cf83bc77f
refactor: match and exclude conflict validation ( #3454 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-23 17:04:17 +05:30
Charles-Edouard Brétéché
f34d3c342d
refactor: add ValidationFailureAction to the api ( #3451 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-03-23 08:59:41 +00:00
Charles-Edouard Brétéché
06fc472f52
refactor: add IsNamespaced() method to API policy types ( #3450 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-23 13:03:15 +05:30
Abhi Kapoor
1b10f18086
Drop v1alpha1 PolicyReport CRD ( #3437 )
...
* Drop v1alpha1 PolicyReport CRD
Signed-off-by: abhi-kapoor <43758739+abhi-kapoor@users.noreply.github.com>
* Drop v1alpha1 kyverno package
Signed-off-by: abhi-kapoor <43758739+abhi-kapoor@users.noreply.github.com>
* Update Makefile to remove references for v1alpha1
Signed-off-by: abhi-kapoor <43758739+abhi-kapoor@users.noreply.github.com>
* Update helm manifests
Signed-off-by: abhi-kapoor <43758739+abhi-kapoor@users.noreply.github.com>
2022-03-22 17:08:25 +00:00
Charles-Edouard Brétéché
d129b7a4c7
refactor: ExcludeResources validation ( #3445 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-03-22 15:21:44 +00:00
Charles-Edouard Brétéché
11bbb4f83e
refactor: replace ExcludeResources by MatchResources ( #3444 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-22 14:24:40 +00:00
Charles-Edouard Brétéché
51254b2d5a
refactor: ResourceDescription validation ( #3446 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-22 21:17:51 +08:00
Charles-Edouard Brétéché
c8c631d4a7
refactor: MatchResources validation ( #3422 )
...
* refactor: ValidationFailureActionOverrides validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: MatchResources validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-21 19:51:12 +08:00
Charles-Edouard Brétéché
bdcecf9882
refactor: ValidationFailureActionOverrides validation ( #3421 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-21 16:53:12 +08:00
Charles-Edouard Brétéché
0c8e8c1212
feat: move GetRules() at the policy level ( #3420 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-18 15:18:32 +00:00
Charles-Edouard Brétéché
30261b5235
feat: add conditions support ( #3378 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-18 22:00:01 +08:00
Charles-Edouard Brétéché
4ce5c972ee
refactor: Policy name validation ( #3409 )
...
* refactor: UserInfo validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: Rule type validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: Rule names validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: Policy name validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-18 01:02:35 +08:00
Christian Kotzbauer
860253d6aa
[ImageVerify] Verify additional certificate-extensions ( #3404 )
...
* feat: add additionalExtensions to keyless imageVerify
Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
* feat: regenerate code
Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
2022-03-17 08:42:12 +00:00
