Yashvardhan Kukreja
6b0334f776
fix: consider policy's namespace as well while report rule results to policyreports (#1897)
...
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-05-07 16:28:32 -07:00
Vyankatesh Kudtarkar
299547f376
Matched list to configure the matched resources (#1844)
...
* Fix Dev setup
* initial commit
* add testcases for matchlist
* fix e2e issue
* fix comment
* fix issue
* fix lock issue
* revert changes
* fix cache issue
* Fix cache test
* fix policy object
* fix comments
* fix public methods issue
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-05-06 12:02:06 -07:00
Thoro
e80d18e692
Add function label_match, to use matchLabel in JMESPath, usage: label_match(labels_from_network_policy, labels_from pod) bool, Remove validation for JMESPath (#1862)
...
Signed-off-by: Thomas Rosenstein <thomas@thoro.at>
2021-05-04 09:28:30 -07:00
Vyankatesh Kudtarkar
f921bf47d2
Bug fix -1855 : Errors updating cluster policy (#1863)
...
* Fix Dev setup
* Bug fix -1855 : Errors updating cluster policy
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-05-03 14:58:57 -07:00
shuting
618a69961e
Disable auto-gen when a rule has mixed of kinds: pod & pod controllers (#1847)
...
* disable auto-gen when a rule has mixed of kinds: pod & pod controllers
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* Bugfix : Make match.resources.kinds required (#1843)
* Fix Dev setup
* make kind required in MatchResources
* add test cases
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
* address PR comments
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update background canAutoGen unit tests
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 14:59:37 -07:00
Vyankatesh Kudtarkar
34af7a930c
Bugfix : Make match.resources.kinds required (#1852)
...
* Fix Dev setup
* Bugfix : Make match.resources.kinds required
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 11:14:55 -07:00
Vyankatesh Kudtarkar
caa6a90b27
Bug 1799: Fix mutate policy defaults and Fix endless loop of auto-gen rules. (#1839)
...
* Fix Dev setup
* Mutate policy defaults (1799)
* fix look for exclude ResourceDescription
* fix condition
* reuse code
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-29 09:51:23 -07:00
Shuting Zhao
e9c2d899c9
fix the unit test
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-04-28 14:52:26 -07:00
Shuting Zhao
85dde7e960
Enable image substitution in the background mode
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-04-28 14:21:11 -07:00
Max Goncharenko
8050c4e77b
moved variable substitution to higher level to avoid unhandled cases (#1785)
...
Signed-off-by: Max Goncharenko <kacejot@fex.net>
2021-04-13 11:44:43 -07:00
shuting
f3ca1d78f1
Fix log message (#1779)
...
* update log message
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update printer column - validation failure action
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-04-08 12:10:30 -07:00
Vyankatesh Kudtarkar
e2cd04c91f
Fix #1446 :Failed to mutate policy (#1767)
...
* Fix failed to mutate policy
Signed-off-by: vyankatesh <vyankatesh@neualto.com>
* fix autogen rule issue
Signed-off-by: vyankatesh <vyankatesh@neualto.com>
* fix issue
Signed-off-by: vyankatesh <vyankatesh@neualto.com>
* fix issue
Signed-off-by: vyankatesh <vyankatesh@neualto.com>
* addPolicy and AddNsPolicy changes
* fix code indentation
* change kind -> policy
Signed-off-by: vyankatesh <vyankatesh@neualto.com>
* fix kind for policy
* fix comments
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-07 16:34:45 -07:00
Max Goncharenko
01004e1db0
Fix #1754 Invalid variable validation (#1770)
...
Signed-off-by: Max Goncharenko <kacejot@fex.net>
2021-04-06 10:56:06 -07:00
Jim Bugwadia
fb368ba24b
Merge pull request #1755 from realshuting/1749_fix_concurrent_read_write
...
Fix concurrent read/write when loading configmap data
2021-04-01 13:39:27 -07:00
shuting
72fd921cb6
fix exclude logic (#1756)
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-31 22:02:36 -07:00
Shuting Zhao
b0cee60100
change the order for variable validation: add allowed vars first
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-31 14:29:46 -07:00
Jim Bugwadia
8d03f8c59e
merge main
...
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-03-25 18:00:02 -07:00
Jim Bugwadia
6dff9e0ab9
merge and resolve conflicts
...
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-03-25 16:43:12 -07:00
shuting
fd9acf21a7
Auto-recover policy report (#1730)
...
* auto-recover policy report
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add flag background-scan to tune this interval
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* cleanup webhook configurations when Kyverno deployment is deleted
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* reconcile policy reports if Kyverno Configmap changes
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-25 12:28:03 -07:00
Jim Bugwadia
4d70013e22
Merge pull request #1724 from MarcelMue/fix-apipath-validation
...
Make validateAPICall work with special characters in variables
2021-03-24 22:28:09 -07:00
Marcel Mueller
c10a994045
Rename variable to kyvernoapicallvariable
...
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
2021-03-23 18:24:17 +01:00
Pooja Singh
4128410207
Enhancement/existence anchor - should loop all the items in the array (#1719)
...
* updated validating policy code
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* changed existence logic to loop all the items in array
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* updated comments and error messages
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-03-19 15:18:26 -07:00
Marcel Mueller
4f96232e62
Make validateAPICall work with special characters in variables
...
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
2021-03-19 20:29:55 +01:00
Max Goncharenko
24c4f06ecd
Fix #1506; Resolve path reference in entire rule instead of just pattern/overlay
...
Signed-off-by: Max Goncharenko <kacejot@fex.net>
2021-03-16 13:45:40 +02:00
Vyankatesh Kudtarkar
9e831ec959
Bug Fix: Extends match / exclude to use apiGroup and apiVersion (#1218) (#1656)
...
* Extends match / exclude to use apiGroup and apiVersion
Signed-off-by: vyankatesh <vyankatesh@neualto.com>
* fix gvk issue
Signed-off-by: vyankatesh <vyankatesh@neualto.com>
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-03-04 16:45:52 -08:00
Yashvardhan Kukreja
10c714d5ba
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604)
...
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-03-01 20:31:06 -08:00
Pooja Singh
070f13783f
added namespace label in context (#1644)
...
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-02-25 20:52:53 -08:00
Jim Bugwadia
0d1f0b5897
Merge pull request #1636 from realshuting/1621_fix_configmap_variables
...
Substitute variables in context.configMap
2021-02-25 19:53:11 -08:00
Shuting Zhao
c4ebef7b0d
- support AllowMissingPathOnRemove and EnsurePathExistsOnAdd in patchesJSON6902
...
- upgrade to evanphx/json-patch/v5
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-25 15:25:07 -08:00
Shuting Zhao
edc89c7b50
fix unit test
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 17:22:34 -08:00
Shuting Zhao
d770d6680b
add request.namespace in the background process
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 17:22:23 -08:00
Shuting Zhao
17c72c1578
substitute variables in context.configMap
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 16:27:20 -08:00
shuting
267be0815f
Bug fixes - policy validation, auto-generated rules, apiCall support in mutate and generate (#1629)
...
* Fix invalid policy reports generated for blocked resource
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix 1464 - copy context and preconditions to auto-gen rules
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix 1628 - add policy validations
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix 1593 - support apiCall in mutate and generate
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix test
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-22 12:08:26 -08:00
shuting
6fc349716c
Switch to use annotations to store resource info in cluster/reportChangeRequest (#1625)
...
* skip sending API request for filtered resource
* fix PR comment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixes https://github.com/kyverno/kyverno/issues/1490
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix bug - namespace is not returned properly
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* reduce throttling - list resource using lister
* refactor resource cache
* fix test
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix label selector
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix build failure
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixes #1480
* store resource name and kind in (c)rcr's annotation
2021-02-19 09:09:41 -08:00
Yashvardhan Kukreja
478f32b8b4
fix: allowed templatised values to be exempted from validation checks (#1599)
...
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-16 13:06:07 -08:00
Pooja Singh
32522e7827
namespace selector (#1532)
...
* updated crd with namespace selector
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added logic for validate
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added condition in utils for namespace labels
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added function for extracting namespace label using lister
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added logic for generate
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added lister in generate
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* commented generate controller changes
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns lister
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label in apply.go
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label in generation.go
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label in mutation.go
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label for validation
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* using dynamic informer
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-02-03 13:09:42 -08:00
Yashvardhan Kukreja
03c77e4145
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510)
...
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-02-01 13:27:16 -08:00
Jim Bugwadia
e8e3b93a5f
api server lookups (#1514)
...
* initial commit for api server lookups
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* initial commit for API server lookups
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images (#1495)
* Dockerfile refactored
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Adding non-root commands to docker images and enhanced the dockerfiles
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing base image to scratch
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Minor typo fix
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing dockerfiles to use /etc/passwd to use non-root user'
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert cli image name (#1507)
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Refactor resourceCache; Reduce throttling requests (background controller) (#1500)
* skip sending API request for filtered resource
* fix PR comment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixes https://github.com/kyverno/kyverno/issues/1490
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix bug - namespace is not returned properly
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* reduce throttling - list resource using lister
* refactor resource cache
* fix test
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix label selector
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix build failure
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix merge issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix unit test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add nil check for API client
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Raj Babu Das <mail.rajdas@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
2021-02-01 12:59:13 -08:00
shuting
c692263177
Refactor resourceCache; Reduce throttling requests (background controller) (#1500)
...
* skip sending API request for filtered resource
* fix PR comment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixes https://github.com/kyverno/kyverno/issues/1490
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix bug - namespace is not returned properly
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* reduce throttling - list resource using lister
* refactor resource cache
* fix test
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix label selector
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix build failure
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-01-29 17:38:23 -08:00
shuting
e54776ee7e
Bug fix - namespace is not returned properly (#1491)
...
* skip sending API request for filtered resource
* fix PR comment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixes https://github.com/kyverno/kyverno/issues/1490
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix bug - namespace is not returned properly
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-01-22 17:56:41 -08:00
shuting
62a4a3a7da
Reduce throttling - skip sending API request for filtered resources (#1489)
...
* skip sending API request for filtered resource
* fix PR comment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixes https://github.com/kyverno/kyverno/issues/1490
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-01-21 18:58:53 -08:00
lengrongfu
fab777cdd5
add logging for policy creation and deletion events (#1445)
...
* add logging for policy creation and deletion events
* update log message
* update log message kind type
Co-authored-by: lengrongfu <lengrongfu@baidu.com>
2021-01-06 20:34:01 -08:00
shuting
52d091c5a3
Improve / clean up code (#1444)
...
* Remove lock embedded in CRD controller, use concurrent map to store schemas
* delete rcr info from data store
* skip policy validation on status update
* - remove status check in policy mutation; - fix test
* Remove fqdncn flag
* add flag profiling port
* skip policy mutation & validation on status update
* sync policy status every minute
* update log messages
2021-01-06 16:32:02 -08:00
NoSkillGirl
b4f473ec23
added crypto package
2021-01-04 19:10:36 +05:30
NoSkillGirl
e67747260b
generate refactorings
2021-01-04 15:19:06 +05:30
NoSkillGirl
887fa10049
added source label logic to validate policy
2020-12-30 12:10:41 +05:30
NoSkillGirl
c66e2a7058
adding label to clone source
2020-12-29 18:04:20 +05:30
NoSkillGirl
c98240d5dc
making sure older labels are not removed
2020-12-29 16:36:43 +05:30
Jim Bugwadia
58feb4f0ae
Merge pull request #1417 from kyverno/1337_match_old_resource
...
update validation logic
2020-12-23 19:01:15 -08:00
shuting
2fc3b3b998
Fixes 1410 strategic merge patch (#1414)
...
* fixes #1410
* fix unit test
* re-initialize worker immediately on failure
2020-12-23 17:48:00 -08:00