mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-10 09:56:55 +00:00
Code Activity
3794 commits 18 branches 550 tags 293 MiB
Commit graph

133 commits

Author SHA1 Message Date
Jose Armesto
831a9826d1
Restructure project to follow standards (#2632) 
Signed-off-by: Jose Armesto <github@armesto.net>
 2021-10-29 18:13:20 +02:00
Marcus Noble
1966c82c6d
Fix various go lint issues (#2639) 
* Fix various go lint issues

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>

* Fix if mistake

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>

* Simplified returns

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
 2021-10-29 17:06:03 +02:00
Marcus Noble
a923dce631
Cleanup imports (#2635) 
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
 2021-10-29 12:24:26 +02:00
Bricktop
ab8822963b
Add exclusions to make gosec happy (#2540) 
* Add exclusions to make gosec happy

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Add forgotten file

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
 2021-10-13 15:05:13 -07:00
Sachin
a42e944c22
fix Potential file inclusion via variable (#2523) 
Signed-off-by: slayer321 <sachin.maurya7666@gmail.com>
 2021-10-13 10:48:45 -07:00
Jim Bugwadia
fa1816d605 fix tests 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-10-06 21:50:26 -07:00
shuting
b10947b975
Dynamic webhooks (#2425) 
* support k8s 1.22, update admissionregistration.k8s.io/v1beta1  to admissionregistration.k8s.io/v1

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* - add failurePolicy to policy spec; - fix typo

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* - add schema validation for failurePolicy; - add a printer column

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* set default failure policy to fail if not defined

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* resolve conflicts

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* fix missing type for printerColumn

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* refactor policy controller

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* add webhook config manager

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* - build webhook objects per policy update; - add fail webhook to default webhook configurations

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* fix panic on policy update

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* - set default webhook configs rule to empty; - handle policy deletion

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* reset webhook config if policies with a specific failurePolicy are cleaned up

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* handle wildcard pocliy

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* update default webhook timeout to 10s

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* cleanups

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* added webhook informer to re-create it immediately if missing

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* update tag webhookTimeoutSeconds description

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* fix e2e tests

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* fix linter issue

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* correct metric endpoint

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* add pol.generate.kind to webhooks

Signed-off-by: ShutingZhao <shutting06@gmail.com>
 2021-10-05 00:15:09 -07:00
Jim Bugwadia
5b5a85c16a change RuleStatus values to lowercase 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-09-30 00:04:13 -07:00
Jim Bugwadia
3957a1400e fix deny check and fmt 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-09-27 23:40:05 -07:00
Jim Bugwadia
67660647d9 update tests 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-09-26 18:30:53 -07:00
Jim Bugwadia
39061d91c4 implement validate.foreach 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-09-26 02:12:31 -07:00
Valentin Velkov
63f4c9a884
Configurable success events on policies & resources. Generating failure events on policies by default. (#1939) 
* Remove unused event.Reason const

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Generate failure events on policies

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Generate success events on policy

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Introduce 'generateSuccessEvents' flag

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Unit tests & chart fix

Signed-off-by: Velkov <valentin.velkov@sap.com>
 2021-06-29 14:43:11 -07:00
Vyankatesh Kudtarkar
04dc3ddfe3
Remove sample Dir and Remove testcases from test_runner (#1686) 
* remove sample Dir and remove testcases form test_runner

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

* change git URL for test

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

* fix fmt issue

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

* remove unused policy and test yamls

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

* fix yaml path issue

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
 2021-03-16 14:35:32 -07:00
shuting
2f2d6c2e38
Upgrade client libraries to 0.20.2 (#1547) 
* upgrade clients to 0.20.2

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* remove debug log

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix unit tests

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix e2e test

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-02-07 20:26:56 -08:00
Jim Bugwadia
0be7903c47 fix tests 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-02-02 00:20:03 -08:00
Jim Bugwadia
e8e3b93a5f
api server lookups (#1514) 
* initial commit for api server lookups

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* initial commit for API server lookups

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images (#1495)

* Dockerfile refactored

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* Adding non-root commands to docker images and enhanced the dockerfiles

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* changing base image to scratch

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* Minor typo fix

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* changing dockerfiles to use /etc/passwd to use non-root user'

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* minor typo

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* minor typo

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* revert cli image name (#1507)

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Refactor resourceCache; Reduce throttling requests (background controller) (#1500)

* skip sending API request for filtered resource

* fix PR comment

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixes https://github.com/kyverno/kyverno/issues/1490

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix bug - namespace is not returned properly

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* reduce throttling - list resource using lister

* refactor resource cache

* fix test

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix label selector

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix build failure

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix merge issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix unit test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add nil check for API client

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Raj Babu Das <mail.rajdas@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
 2021-02-01 12:59:13 -08:00
Jim Bugwadia
e2f10c6f83 update validation logic 2020-12-23 15:10:07 -08:00
Jim Bugwadia
c77944ddef
filter resources excluded in config (#1404) 2020-12-16 12:29:16 -08:00
Shuting Zhao
2152d354a9 migrate repo 2020-10-07 15:09:52 -07:00
Shuting Zhao
cdc5190c56 update nirmata/kyverno to kyverno/kyverno 2020-10-07 11:12:31 -07:00
shuting
d6062fdd47
Add go fmt (#1055) 
* remove empty flag

* format code

* revert change in install.yaml
 2020-08-14 12:21:06 -07:00
Yuvraj
73840e3c5f
configrable rules added (#1017) 
* configrable rules added

* fix exclude group logic from code

* flag added in yaml

* exclude username added

* exclude username added

* config interface implimented

* configure exclude username

* get role ref

* test case fixed

* panic fix

* move from interface to slice

* exclude added in mutate

* trim strings

* configmap changes added

* kustomize changes for configmap

* k8s resources added
 2020-08-07 17:09:24 -07:00
Mohan B E
a14828246d
Feature/api version 852 (#1028) 
* apiVersion support for generate

* added apiVersion to crds
 2020-08-07 09:47:33 +05:30
Yuvraj
bad0dab175
ci migrated (#1015) 
* ci migrated

* remove travis ci

* typo fix

* delete size labeler

* fix test issues

* test ci added

* rename build workflow
 2020-08-05 09:02:45 -07:00
shuting
87fa77fbcc
965 add validate audit handler (#967) 
* store policy names cache to reduce lookup time

* add validate audit handler

* fix #958, remove auto-gen annotation on Pod

* formatting code

* update processTime to readable format

* #586, add back unit test

* update logging info

* remove unused interface

* handle generate policy in a single thread in weboook

* resolve pr comments
 2020-07-09 11:48:34 -07:00
Jim Bugwadia
838d02c475
Bugfix/659 support wildcards for namespaces (#871) 
* - support wildcards for namespaces

* do not annotate resource, unless policy is an autogen policy

* close HTTP body

* improve messages

* remove policy store

Policy store was not fully implemented and simply provided a way
to list all polices and get a policy by name, which can be done via
standard client-go interfaces.

We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.

* handle wildcard namespaces in background processing

* fix unit tests 1) remove platform dependent path usage 2) remove policy store

* add test case for mutate with wildcard namespaces
 2020-05-26 10:36:56 -07:00
Yuvraj
4fa5a056f3 Fix conflict 
Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
 2020-03-27 14:10:21 +05:30
Yuvraj
801c7513cb golanfci-lint changes 
Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
 2020-03-24 00:35:05 +05:30
shivkumar dudhani
d327309d72 refactor logging 2020-03-17 16:25:34 -07:00
Shivkumar Dudhani
8c1d79ab28
linter suggestions (#655) 
* cleanup phase 1

* linter fixes phase 2
 2020-01-24 12:05:53 -08:00
Shivkumar Dudhani
1171ac691b
cleanup phase 1 (#653) 2020-01-24 09:37:12 -08:00
Shivkumar Dudhani
ffd2179b03
538 (#587) 
* initial commit

* background policy validation

* correct message

* skip non-background policy process for add/update

* add Generate Request CR

* generate Request Generator Initial

* test generate request CR generation

* initial commit gr generator

* generate controller initial framework

* add crd for generate request

* gr cleanup controller initial commit

* cleanup controller initial

* generate mid-commit

* generate rule processing

* create PV on generate error

* embed resource type

* testing phase 1- generate resources with variable substitution

* fix tests

* comment broken test #586

* add printer column for state

* return if existing resource for clone

* set resync time to 2 mins & remove resource version check in update handler for gr

* generate events for reporting

* fix logs

* cleanup

* CR fixes

* fix logs
 2020-01-07 10:33:28 -08:00
Shivkumar Dudhani
5b8ab3842b
Support variable substitution (#549) 
* initial commit

* variable substitution

* update tests

* update test

* refactor engine packages for validate & generate

* update vendor

* update toml

* support variable substitution in overlay mutation

* missing update

* fix indentation in logs

* store context values as single JSON document using merge patches.

* remove duplicate functions

* fix message string

* Handle processing of policies in background (#569)

* remove condition check while generating mutation patch as conditions are verified in the first iteration

* initial commit

* background policy validation

* correct message

* skip non-background policy process for add/update

* fix order to correct policy registration

* update comment

Co-authored-by: shuting <shutting06@gmail.com>

* refactor

Co-authored-by: shuting <shutting06@gmail.com>
 2019-12-30 17:08:50 -08:00
shivkumar dudhani
10fc1b47ba Merge branch 'master' into v1.1.0 2019-12-12 16:54:42 -08:00
Shivkumar Dudhani
ffe3bdb677
remove newline from engine response strings (#537) 
* remove newline from engine response strings

* add scenario file updates

* cr: remove . in trailing msg string
 2019-12-04 18:04:42 -08:00
Shuting Zhao
261560eafb mutate rule: do not ignore empty key in resource if overlay has nested anchor 2019-11-27 16:07:15 -08:00
shivkumar dudhani
f97406698d remove namespace from resource spec 2019-11-15 12:03:58 -08:00
Shivkumar Dudhani
3ab0790342
use PolicyContext with engine.Generate (#483) 2019-11-13 15:46:43 -08:00
shuting
ded0183aa2
Merge pull request #478 from nirmata/472_update_apiversion 
472 update apiversion
 2019-11-13 15:19:27 -08:00
Shuting Zhao
b67577994a update apiversion to v1 in code 2019-11-13 13:41:08 -08:00
Shivkumar Dudhani
7a12e12cb5
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00
Shuting Zhao
45dc0bd358 Merge commit 'da5c03f89df3007088b27fc84b08827170e16eda' into 345_support_usergroup_info 
# Conflicts:
#	test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
 2019-11-13 00:31:07 -08:00
Shuting Zhao
5a3ed62b13 Merge branch 'master' into 345_support_usergroup_info 
# Conflicts:
#	pkg/engine/validation_test.go
#	pkg/webhooks/annotations.go
#	pkg/webhooks/annotations_test.go
#	pkg/webhooks/mutation.go
#	pkg/webhooks/server.go
#	pkg/webhooks/validation.go
 2019-11-11 19:19:08 -08:00
Jim Bugwadia
8348c5761c fix tests 2019-11-11 18:51:21 -08:00
Jim Bugwadia
87be5ca4b8 update policies and test cases 2019-11-11 17:55:54 -08:00
Jim Bugwadia
3ffb0cfa39 add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00
Jim Bugwadia
05503e4fd1 update other policies 2019-11-11 14:09:07 -08:00
Jim Bugwadia
dd4d091c23 update restrict_automount_sa_token 2019-11-10 21:57:20 -08:00
Jim Bugwadia
5e8b6c4183 update add_networkPolicy 2019-11-10 21:27:50 -08:00
Jim Bugwadia
244909ebb3 update require_probes 2019-11-10 21:18:17 -08:00