1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Commit graph

307 commits

Author SHA1 Message Date
Charles-Edouard Brétéché
39b72eefb9
feat: add http clients tracing (#5630)
* feat: add http clients tracing

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* check we are in a span before creating one and and context to metrics recording calls

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-12-09 09:09:11 +00:00
dependabot[bot]
a88db42743
chore(deps): bump k8s.io/cli-runtime from 0.25.4 to 0.25.5 (#5635)
Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.25.4 to 0.25.5.
- [Release notes](https://github.com/kubernetes/cli-runtime/releases)
- [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.25.4...v0.25.5)

---
updated-dependencies:
- dependency-name: k8s.io/cli-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-12-09 08:56:21 +01:00
dependabot[bot]
2b2bd42c55
chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#5618)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/golang/crypto/releases)
- [Commits](https://github.com/golang/crypto/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-12-08 15:45:31 +08:00
Charles-Edouard Brétéché
6cdc3f44cf
chore: bump a couple of deps (#5611)
* chore: bump a couple of deps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: bump a couple of deps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chore: bump a couple of deps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-12-07 13:37:30 +00:00
Charles-Edouard Brétéché
a459aab26b
chore: bump a couple of deps (#5610)
* chore: bump a couple of deps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* a couple more

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-12-07 11:33:33 +00:00
Charles-Edouard Brétéché
3e44569fe2
chore: bump a couple of deps (#5593)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-12-07 06:39:27 +00:00
Charles-Edouard Brétéché
d19e870c17
refactor: update otlp packages (#5367)
* fix: panic when disable metrics is true

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: update otlp packages

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* update bunch of deps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* target infos

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
2022-12-06 15:41:00 +00:00
dependabot[bot]
3dce3fc7c7
chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#5559)
Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) from 1.7.0 to 1.11.1.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.7.0...v1.11.1)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-12-05 19:23:07 +00:00
dependabot[bot]
205ef8f6a8
chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#5574)
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-12-05 15:57:54 +00:00
dependabot[bot]
3a8affab16
chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 (#5560)
Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uber-go/zap/compare/v1.23.0...v1.24.0)

---
updated-dependencies:
- dependency-name: go.uber.org/zap
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-12-05 12:09:49 +00:00
Charles-Edouard Brétéché
6fe8d773ee
chore: bump a few deps (#5512)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-30 12:54:04 +00:00
Charles-Edouard Brétéché
c6faee2559
chore: bump a couple of deps (#5503)
* chore: bump a couple of deps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* sigstore

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-29 13:09:14 +00:00
Charles-Edouard Brétéché
900002fcf9
chore: bump a bunch of deps (#5440)
* chore: bump a bunch of deps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-23 14:03:16 +08:00
Charles-Edouard Brétéché
4b11292835
chore: bump sigstore deps (#5376)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-11-21 21:48:34 +00:00
Nikhil Sharma
d44dc97990
feat: add cleanupPolicy validation code (#5279)
* validate the cleanupPolicy

Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com>

* add validation for DELETE permission for cleanupPolicy

Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com>

* add separate binary for cleanupPolicy

Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com>

* fix linter issues

Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com>

Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-11-14 10:43:32 +01:00
Charles-Edouard Brétéché
6091af6fba
fix: wrong logger used (#5311)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-11 12:16:27 +05:30
Batuhan Apaydın
cbbd8488c8
feat: oci pull/push support for policie(s) (#5026)
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-24 18:47:20 +00:00
shuting
5279958943
Remove old version of golang.org/x/sys (#5125)
Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-10-24 09:11:19 +00:00
Charles-Edouard Brétéché
7ceea1a08f
chore: bump a few deps (#4943)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-10-14 07:13:19 +00:00
Charles-Edouard Brétéché
cd5e0cfa74
chore: bump a couple of deps (#4925)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-13 11:04:23 +02:00
Charles-Edouard Brétéché
ecb0ad32ec
chore: bump a couple of deps (#4842)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-07 15:37:12 +05:30
Charles-Edouard Brétéché
7849fbbc8a
refactor: leader controllers management (#4832)
* refactor: leader controllers management

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* rename

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix start

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix deps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* remove dead code

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-07 07:38:38 +00:00
yinka
266f2d397f
upgrade controller-runtime dependency (#4829)
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-06 11:07:37 +00:00
ShutingZhao
d3a18d0c83 Bump k8s libraries to v0.25.2
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-10-06 03:50:39 +08:00
Charles-Edouard Brétéché
f7dde0ab96
chore: use concurrent map v2 (generics) (#4803)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-06 00:35:09 +08:00
Charles-Edouard Brétéché
83bd8bdbb5
chore: bump a couple of deps (#4802)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-04 12:21:47 +05:30
Charles-Edouard Brétéché
5fef84afd1
chore: bump a few deps (#4790)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-10-03 13:18:23 +00:00
Jim Bugwadia
081330d564
update cosign and k8s-manifest-sigstore (#4781)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-10-03 14:46:20 +08:00
yinka
bb2e193d44
feat: allow users enable JSON logging with a --loggingFormat=json flag (#4661)
* feat: add feature flag to disable background scan (#4638)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* allow users configure JSON logging with a --logging-format=json flag

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* Clean up changes

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* added kubeconfig and context flag to kyverno apply (#4524)

Signed-off-by: Sandesh More <sandesh.more@infracloud.io>

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* chore: publish sbom result to a different repositry from an image (#4665)

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* Fix issue for wildcard versions (#4670)

* Fix wildcard issue

Co-Authored-By: vyankd <51167361+vyankd@users.noreply.github.com>

* Delete res.yaml

Co-Authored-By: vyankd <51167361+vyankd@users.noreply.github.com>

Co-authored-by: vyankd <51167361+vyankd@users.noreply.github.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* chore: bump minimum go version (#4677)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix: namespaced policy not validated in engine (#4653)

* fix: namespaced policy not validated in engine

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix test

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix: handle auth permission for cloneList validation (#4684)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix: bump net standard lib (#4685)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* small fixes

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* add json logger

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix import

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix go mod

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix go mod

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* chore: simplify go mod (#4692)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix: jmespath random error handling (#4697)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* refactor: replace signal package by signal.NotifyContext (#4691)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671)

Signed-off-by: praddy26 <pradeep.vaishnav4@gmail.com>

Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix: shutdown controllers workers gracefully (#4681)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix: split webhook handlers per failure policy (#4650)

* fix: split webhook handlers per failure policy

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix handlers

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* rolling update

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* better error message

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* refactor: use pod name as leader id (#4680)

* refactor: use pod name as leader id

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix manifests

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* makefile

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* leader client

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* fix: missing client wrapper (#4703)

* fix: missing client wrapper

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* v1beta1

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* v1alpha2

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* policy report

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* chore: refactor manifests related makefile targets (#4706)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* deps

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Co-authored-by: Sandesh More <34198712+sandeshlmore@users.noreply.github.com>
Co-authored-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: vyankd <51167361+vyankd@users.noreply.github.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Pradeep Lakshmi Narasimha <pradeep.vaishnav4@gmail.com>
2022-09-29 07:49:29 +00:00
Prateek Pandey
01dbf7389d
fix: containerd dependency vulnerability (#4629)
upgrade the containerd indirect deps to
fixed version

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-09-29 05:40:55 +00:00
Charles-Edouard Brétéché
e0ab72bb9a
feat: reports v2 implementation (#4608)
This PR refactors the reports generation code.
It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds.

The new reports system is based on 4 controllers:

Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation
Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes
Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace)
Resources controller is responsible for watching reports that need background scan reports
I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong.

I also added a flag to split reports in chunks to avoid creating too large resources.

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-28 17:15:16 +05:30
Charles-Edouard Brétéché
7209445cd3
chore: simplify go mod (#4692)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-26 18:25:03 +05:30
Charles-Edouard Brétéché
9e872305a2
fix: bump net standard lib (#4685)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-09-26 08:22:29 +00:00
Prateek Pandey
1807bd9a6f
chore: bump cosign 1.12.0 to fix vulnerabilities (#4631)
bump the cosign version to fix vulnerabilities with
blob verification, CVE-2022-36056

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-16 07:48:22 -07:00
Charles-Edouard Brétéché
bc4bf5ee27
chore: switch to github.com/IGLOU-EU/go-wildcard (#4563)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-09-10 17:30:13 +00:00
Anurag
560cec329e
add random filter (#4527)
* add random filter

Signed-off-by: Anurag <contact.anurag7@gmail.com>

* update go.mod file

Signed-off-by: Anurag <contact.anurag7@gmail.com>

* update go.sum

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* linter fix

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: Anurag <contact.anurag7@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-09-07 16:22:30 +00:00
Charles-Edouard Brétéché
fffd6aa9a0
chore: upgrade golang to 1.18 (#4505)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-05 09:32:45 +05:30
ToLToL
1b9a2fca21
Extend Pod Security Admission (#4364)
* init commit for pss

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add test for Volume Type control

* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()

* remove unused code, still a JMESPATH problem with app armor ExemptProfile()

* test for Host Process / Host Namespaces controls

* test for Privileged containers controls

* test for HostPathVolume control

* test for HostPorts control

* test for HostPorts control

* test for SELinux control

* test for Proc mount type control

* Set to baseline

* test for Seccomp control

* test for Sysctl control

* test for Privilege escalation control

* test for Run as non root control

* test for Restricted Seccomp control

* Add problems to address

* add solutions to problems

* Add validate rule for PSA

* api.Version --> string. latest by default

* Exclude all values for a restrictedField

* add tests for kyverno engine

* code to be used to match kyverno rule's namespace

* Refacto pkg/pss

* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:

* EvaluatePod

* Use EvaluatePod in kyverno engine

* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add

* Check if PSSCheckResult matched at least one exclude value

* add tests for engine

* fix engine validation test

* config

* update go.mod and go.sum

* crds

* Check validate value: add PodSecurity

* exclude all restrictedFields when we only specify the controlName

* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path

* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)

* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go

* add all controls with containers in restrictedFields as comments

* add tests for capabilities and privileged containers and fix some errors

* add tests for host ports control

* add tests for proc mount control

* add tests for privilege escalation control

* add tests for capabilities control

* remove comments

* new algo

* refacto algo, working. Add test for hostProcess control

* remove unused code

* fix getPodWithNotMatchingContainers(), add tests for host namespaces control

* refacto ExemptProfile()

* get values for a specific container. add test for SELinuxOptions control

* fix allowedValues for SELinuxOptions

* add tests for seccompProfile_baseline control

* refacto checkContainers(), add test for seccomp control

* add test for running as non root control

* add some tests for runAsUser control, have to update current PSA version

* add sysctls control

* add allowed values for restrictedVolumes control

* add some tests for appArmor, volume types controls

* add tests for volume types control

* add tests for hostPath volume control

* finish merge conflicts and add tests for runAsUser

* update charts and crds

* exclude.images optional

* change volume types control exclude values

* add appAmor control

* fix: did not match any exclude value for pod-level restrictedFields

* create autogen for validate.PodSecurity

* clean code, remove logs

* fix sonatype lift errors

* fix sonatype lift errors: duplication

* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests

* beginning of autogen implement for validate.exclude

* Autogen for validation.PodSecurity

* working autogen with simple tests

* change validate.PodSecurity failure response format

* make codegen

* fix lint errors, remove debug prints

* fix tags

* fix tags

* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request

* Changes requested

* Changes requested 2

* Changes requested 3

* Changes requested 4

* Changes requested and make codegen

* fix host namespaces control

* fix lint

* fix codegen error

* update docs/crd/v1/index.html

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix path

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update crd schema

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update charts/kyverno/templates/crds.yaml

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 09:16:31 +00:00
Riko Kudo
5f5cda9fee
Yaml signing and verification (#4235)
* enable YAML verification using k8s-manifest-sigstore

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

comment out role and rolebinding for dryrun

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix log message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

change default value of dryrun option

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

support gpg signature

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* upgrade manifest sigstore version and support multi sigs

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix validate.manifest rule

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd and add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

set cosign experimental env when keyless verification

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* improve default ignoreFields

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* add unit-test for k8smanifest

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update install yaml

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version and support one or more signatures

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

add unit-test for k8smanifest multi-signature

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix manifest verify policy and move dryrun rbac to dryrun dir

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version and resolve conflict

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

enable YAML verification using k8s-manifest-sigstore

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

comment out role and rolebinding for dryrun

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

upgrade manifest sigstore version and support multi sigs

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix validate.manifest rule

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd and add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version and support one or more signatures

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy and move dryrun rbac to dryrun dir

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* remove generic name

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix sonatype-lift issue and unit-test error

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix gofumpt error

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update manifest rule to use attestor

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* remove unused value

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* resolve conflict

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix install.yaml

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix to set COSIGN_EXPERIMENTAL env variable when keyless verification

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix misspell

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* enable kyverno cli in validate.manifests rule (#3)

* enable kyverno cli in validate.manifests rule

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version and improve error handling for better result output

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update crds and deepcopy

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update unit test

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* change to use spec.rules.exclude.subjects instead of skipUsers (#4)

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix yaml signing sigstore (#5)

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* add a comment for dryrun option field

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* enable to include ClusterPolicy/Policy in match resource

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix log style and env variable settings

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* simplify manifest verify func

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix func name

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix sonatype warning

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix default ignoreFields

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix yaml signing sigstore rbac (#6)

* fix dryrun rbac to have minimal permissions

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix lint error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix unit-test error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix gofumpt error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix log style

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* updated CRD documentation

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* resolve go.mod conflicts

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* updated helm stuff

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-08-30 10:14:54 -07:00
Charles-Edouard Brétéché
888689df54
fix: update go-wildcard to v1.5.0 (#4444)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-29 17:10:01 +00:00
Prateek Pandey
34fe6c9058
bump cosign deps version to 1.11.1 (#4408)
* bump cosign deps version to 1.11.1

to accommodate latest attestation verification fixes

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* bump github action go version to 1.18

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-08-25 08:24:49 +00:00
dependabot[bot]
0bb575442d
chore(deps): bump github.com/sigstore/cosign from 1.10.0 to 1.10.1 (#4328)
Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign) from 1.10.0 to 1.10.1.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/cosign/compare/v1.10.0...v1.10.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-11 12:38:27 +08:00
Jim Bugwadia
943c3a1929
use failurePolicy to block or allow requests, on policy errors (#4183)
* use failurePolicy to block or allow requests, on policy errors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add warnings

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add unit tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* handle network errors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix title conversion

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix path in generated file

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix fake metrics

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add check for klog flag initialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* check for flag reinitialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* check for flag reinitialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix spelling

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix flag init

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-08-02 20:24:02 +05:30
Guilhem Lettron
b03e461f25
feat: auto optimize GOMAXPROCS (#4277)
Signed-off-by: Guilhem Lettron <guilhem@barpilot.io>
2022-07-29 23:59:47 +08:00
Tathagata Paul
3e2894b6fa
feat: Opentelemetry support for metrics and traces (#3910)
* integrating opentelemetry

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* fix multiple imports

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* fixed cli help statement

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* added init file for metrics

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
2022-07-11 17:49:47 +00:00
Furkan Türkal
af3da5e19a
bump cosign to 1.9.1 to fix fulcio panic (#4117)
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>

Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-06-16 16:03:22 +00:00
Vyankatesh Kudtarkar
7245c92dcf
fix vulnerable (#4027) 2022-05-26 04:19:00 +00:00
Vyankatesh Kudtarkar
bea0b794d5
add validation check to ensure the annotations quoted (#3976) 2022-05-24 12:45:23 +00:00
Prateek Pandey
c79dc82eaa
fix: cleanup old dependencies from go.sum and go.mod (#3806)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-05-05 08:56:22 +00:00
Prateek Pandey
3e2c9b25c9
Bump cosign and sigstore version (#3771)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-05-02 20:20:08 +01:00
Shubham Gupta
3cbb8db72e
Update vulnerable dependencies (#3577)
Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-04-14 20:39:55 +00:00
Anushka Mittal
1714a328b6
add-kms-libraries for cosign (#3603)
* add-kms-libraries

Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>

* Shifted providers to cosign package

Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
2022-04-14 15:24:34 +00:00
Anushka Mittal
746d8efde9
Update to cosign 1.7.1 (#3587)
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
2022-04-12 09:29:26 -07:00
shuting
d1bf3d4742
clean up dependencies (#3469)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-03-25 08:40:25 +00:00
Charles-Edouard Brétéché
9ac35f9698
chore: add more codegen target and verifications (#3393)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
2022-03-16 15:01:35 +05:30
Christian Kotzbauer
851a81845c
Update cosign to v1.6.0 (#3341)
Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

fix ecr-helper creation

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-03-11 11:25:10 -08:00
Prateek Pandey
66969d35ea
validate and block policy based on the matched kind cache (#3283)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-02-23 22:27:18 +05:30
Jim Bugwadia
14111aaa05
update dependencies (#3221)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-02-13 11:20:24 +00:00
Rob Best
851ebe3e65
Add cloud provider keychains to DefaultKeychain (#3116)
Removes the need to specify an image pull secret to make use of cloud
provider credentials. As I understand it, this should be fine outside of
cloud provider contexts.

As part of this, I've switched to using authn/kubernetes, which I believe
is preferable to k8schain.

Signed-off-by: Rob Best <robertbest89@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-01-28 11:33:27 -08:00
Jim Bugwadia
7cf1dd2b15
update cosign to 1.5.0 and fix issuer and subject for keyless (#3089)
* update cosign to 1.5.0 and add checks

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix subject and issuer checks

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-01-27 21:13:23 -08:00
Sambhav Kothari
2eb8f5f285
Fix memory leak when updating ggcr keychain (#3088)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-01-26 12:45:05 -08:00
Jim Bugwadia
bb06901119
fix mutate preprocessing for anchors (#3052)
* fix mutate preprocessing for anchors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: shuting <shutting06@gmail.com>
2022-01-23 13:54:22 +00:00
Mritunjay Kumar Sharma
cdedf11a1c
bumps k8s libraries for k8s v1.23 upgrade for kyverno (#3043)
* bumps k8s libraries for k8s v1.23 upgrade for kyverno

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* fixes kustomize version

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* updates golang to v1.17 to test fails

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* updates logr package to 1.2.2

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* Fixed tests for `pkg/cosign` and `pkg/webhooks/generation`

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

* fix go-logr deps version issue

Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>

* fix kube-openapi commit hash

Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>

Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: prateekpandey14 <prateekpandey14@gmail.com>
2022-01-22 20:26:53 +08:00
Naman Lakhwani
898520b7cf
add semver_compare JMESPath function (#2846)
* add semver_compare JMESPath function

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* adding tests for semver_compare

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* enabling version compaision via regular operators

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* adding tests for version compaision via regular operators

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* removing unnecessary switch cases

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2021-12-21 08:12:35 -08:00
Danny Kulchinsky
f6982760fc
truncate custom jmespath function (#2836)
* [feature] custom jmespath truncate function

Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>

* formatting

Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>

* simplify naming a bit

Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>

Co-authored-by: shuting <shutting06@gmail.com>
2021-12-17 15:52:52 +08:00
Naman Lakhwani
edafffd2bd
added issuer check (#2804)
* added issuer check

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* switch to using SimpleContainerImage

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* added subject check and required test cases

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* small nits

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* correcting tests

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2021-12-10 19:46:22 +00:00
Kumar Mallikarjuna
a667a69812
JMESPath arithmetic function units (#2753)
* MAS arithmetic functions

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Adding Divide() and Modulo()

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Added tests

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Tidy go.mod

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Fix lift issues

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Set division scale to maximum of operands

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Precision for Add()/Subtract()

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Set duration precision

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Added comment for duration diff calculation

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

Co-authored-by: Bricktop <marcel.mueller1@rwth-aachen.de>
2021-12-07 15:44:46 +00:00
Shubham Palriwala
ea3529f2d0
Trivy now scans local images (#2744)
* fix: trivy now scans entire container

Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>

* update github.com/docker/cli package for vulnerabilities

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix go.mod vulnerabilities

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2021-11-22 20:57:51 +08:00
Jim Bugwadia
189c6f8cda
fix dependabot issue and remove stale entries in go.mod (#2741)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-19 16:11:38 +08:00
shuting
0f0c070072
Fix memory issue - RCR conversion (#2678) 2021-11-08 15:53:21 -08:00
Jim Bugwadia
50cb1859c3
add keyless verification (#2677)
* add keyless verification

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* run make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter warning

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* wrap error with details

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-04 23:26:22 -07:00
Batuhan Apaydın
4eab46fb7d
feat: support other key methods (#2607)
* feat: support other key methods

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com>
Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com>

* feat: support fetch attestations from repository

Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
Signed-off-by: Furkan <furkan.turkal@trendyol.com>

* fix: parameter type

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>

* fix error check

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com>
Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 00:45:35 -07:00
Jose Armesto
831a9826d1
Restructure project to follow standards (#2632)
Signed-off-by: Jose Armesto <github@armesto.net>
2021-10-29 18:13:20 +02:00
Jim Bugwadia
ef9e9ec9ac add variable substitutoion for imageVerify and allow PEM in ConfigMaps
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-26 10:41:27 -07:00
Jim Bugwadia
e0b1f08a28
fix check for CREATE request (#2551)
* fix check for CREATE request

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add unit test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-18 09:34:07 -07:00
Jim Bugwadia
0dbe7ea675 start attestation support
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-01 11:10:36 -07:00
Shubham Palriwala
5b01dd53a7
remove minio/minio and update minio/pkg (#2440)
Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
2021-09-28 12:19:26 -07:00
Bricktop
4b71a031ab
Openapi validation should not fail if patchesJson6902 appends to list (#2340)
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
2021-09-16 12:40:56 -07:00
Max Goncharenko
a0ff8bbd0b
Implement global anchor (#2311)
* implement global anchor for patch strategic merge

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* fixed unit tests for mutation global anchor

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* added global anchor in validation

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* fix some global anchor issues found during testing

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* run go tidy

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fixed tests

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fixed some tests

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* finish implementing global anchor

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* WIP: lower global anchor strictness

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* Revert "WIP: lower global anchor strictness"

This reverts commit 08e176a042.

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* global anchor for mutation

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
2021-09-13 08:59:28 -07:00
Yashvardhan Kukreja
5fcd9b83d9
added: support for metrics configuration, periodic metrics cleanup and selective namespace whitelisting and blacklisting for metrics (#2288)
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-09-10 14:39:12 -07:00
Max Goncharenko
7e258bf54b
add new test; remove unnecessary anchors (#2217)
* add new test; remove unnecessary anchors

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* added several test to e2e

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* remove unused variable

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* added comment to expected result

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
2021-09-09 08:55:20 -07:00
Jim Bugwadia
511db4372b
update cosign (#2369)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-09-07 21:29:20 -07:00
Jim Bugwadia
8af814c7af
update cosign to v1.0.0 (#2221)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-08-02 13:51:36 -07:00
Jim Bugwadia
13caaed8b7
Feature/cosign (#2078)
* add image verification

* inline policy list

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* cosign version and dependencies updates

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add registry initialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add build tag to exclude k8schain for cloud providers

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add build tag to exclude k8schain for cloud providers

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* generate deep copy and other fixtures

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix deep copy issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* mutate images to add digest

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add certificates to Kyverno container for HTTPS lookups

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* align flag syntax

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update docs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update dependencies

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update dependencies

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* patch image with digest and fix checks

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* hardcode image for demos

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add default registry (docker.io) before calling reference.Parse

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix definition

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* increase webhook timeout

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix args

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* run gofmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* rename for clarity

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix HasImageVerify check

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* align make test commands

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* align make test commands

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* align make test commands

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter error

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* handle API conflict and retry

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix reviewdog issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix make for unit tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* improve error message

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix durations

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* handle errors in tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* print policy name

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add retries and duration to error log

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix time check in tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* round creation times in test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix retry loop

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove timing check for policy creation

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix e2e error - policy not found

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update string comparison method

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix test Generate_Namespace_Label_Actions

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add debug info for e2e tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix error

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix generate bug

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add check for update operations

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* increase time for deleteing a resource

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix check

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Shuting Zhao <shutting06@gmail.com>
2021-07-09 18:01:46 -07:00
Max Goncharenko
6d0ad5598e
Jmespath notfound error (#1907)
* return err, if variable path could not be resolved

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* fixed {{@}} behavior

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* fix json merge logic

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* add e2e tests for Flux use case

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
2021-07-01 22:56:50 -07:00
Pooja Singh
cd9e596e7e
[Improvement] Kyverno should not delete downstream resources when a generate policy using the clone behavior has synchronize: true (#1880)
* debuging issue

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* issue fixed

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* remove policy name in source resource

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* fixed deletion of GR on source updation

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added function in common

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* removing comments

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added generated resource list to the log

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* small improvement

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-06-30 12:00:02 -07:00
Valentin Velkov
63f4c9a884
Configurable success events on policies & resources. Generating failure events on policies by default. (#1939)
* Remove unused event.Reason const

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Generate failure events on policies

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Generate success events on policy

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Introduce 'generateSuccessEvents' flag

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Unit tests & chart fix

Signed-off-by: Velkov <valentin.velkov@sap.com>
2021-06-29 14:43:11 -07:00
NoSkillGirl
09b1592f11 added loop for namespace
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-06-15 18:14:51 +05:30
shuting
6f07ea407f
Customize namespaceSelector of Webhookconfigurations (#2003)
* customize namespaceSelector of webhook configurations from configMap

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update webhook configurations base on UPDATEs of Kyverno ConfigMap

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* register webhook configurations with the namespaceSelector from ConfigMap

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address golint comment

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* validate webhooks config format

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix NotDefined scenario

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-06-14 13:01:40 -07:00
Arsh Sharma
7e9be24d90
updating minio verison (#1956) 2021-06-09 19:16:26 -07:00
shuting
e9a972a362
feat: HA (#1931)
* Fix Dev setup

* webhook monitor - start webhook monitor in main process

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leaderelection

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* - add isLeader; - update to use configmap lock

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* - add initialization method - add methods to get attributes

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* remove newContext in runLeaderElection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to GenerateController

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* skip processing for non-leaders

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* skip processing for non-leaders

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add leader election to generate cleanup controller

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Gracefully drain request

* HA - Webhook Register / Webhook Monitor / Certificate Renewer (#1920)

* enable leader election for webhook register

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* extract certManager to its own process

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* leader election for cert manager

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* certManager - init certs by the leader

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to webhook monitor

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update log message

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to policy controller

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to policy report controller

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* rebuild leader election config

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* start informers in leaderelection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* start policy informers in main

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* enable leader election in main

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* move eventHandler to the leader election start method

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address reviewdog comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add clusterrole leaderelection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixed generate flow (#1936)

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* - init separate kubeclient for leaderelection - fix webhook monitor

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address reviewdog comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* cleanup Kyverno managed resources on stopLeading

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* tag v1.4.0-beta1

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix cleanup process on Kyverno stops

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* bump kind to 0.11.0, k8s v1.21 (#1980)

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
Co-authored-by: vyankatesh <vyankateshkd@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Pooja Singh <36136335+NoSkillGirl@users.noreply.github.com>
2021-06-08 12:37:19 -07:00
Yashvardhan Kukreja
bb80e1b641
added: initial prometheus client setup
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-05-16 13:06:14 +05:30
Pooja Singh
4296e69225
updating synchronize lable in generated resource (#1860)
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-05-06 13:11:10 -07:00
NoSkillGirl
4cfc21779c added policy validation according to api server
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-04-21 10:28:11 +05:30
Max Goncharenko
6a0305674a
JMESPath custom functions (#1772)
* JMESPath: Support regex expressions

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* JMESPath: Add string functions

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* Removed {{$}} variable handling logic

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* Name all functions in snake case; Update error message; Fix {{@}} behavior

Signed-off-by: Max Goncharenko <kacejot@fex.net>
2021-04-16 16:17:00 -07:00
shuting
c08843ef77
Add Images info to variables context (#1725)
* - remove supportMutateValidate; - refactor new context in the webhook

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add ImageInfo to variables context

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* revert unexpected changes

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-23 10:34:03 -07:00
Raj Babu Das
08643773c3
removing go.sum from github workflow and adding unused pkg check (#1698)
Signed-off-by: rajdas98 <mail.rajdas@gmail.com>
2021-03-11 10:14:46 -08:00
Shuting Zhao
c4ebef7b0d - support AllowMissingPathOnRemove and EnsurePathExistsOnAdd in patchesJSON6902
- upgrade to evanphx/json-patch/v5

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-25 15:25:07 -08:00
shuting
2f2d6c2e38
Upgrade client libraries to 0.20.2 (#1547)
* upgrade clients to 0.20.2

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* remove debug log

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix unit tests

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix e2e test

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-07 20:26:56 -08:00
shuting
bd44dbff41
Reduce RCR Throttling (#1545)
* buffer report change requests

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix clusterReportChangeRequest

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* further reduce RCRs in background scan

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-07 19:46:50 -08:00
Shuting Zhao
f95771a3b8 add dependency to go.sum 2021-01-08 18:47:28 -08:00
Shuting Zhao
3adfdc24af fix release failure 2021-01-08 18:25:38 -08:00
shuting
35aa3149c8
Remove lock embedded in CRD controller, use concurrent map to store shcemas (#1441) 2021-01-04 23:17:17 -08:00
NoSkillGirl
c66e2a7058 adding label to clone source 2020-12-29 18:04:20 +05:30
shuting
2fc3b3b998
Fixes 1410 strategic merge patch (#1414)
* fixes #1410

* fix unit test

* re-initialize worker immediately on failure
2020-12-23 17:48:00 -08:00
Jim Bugwadia
6afd2e6f3a
ignore non-policy files in CLI and improve validation messages (#1362)
* improve validation message

* improve error behaviors

* fix tests

* fix tests
2020-12-07 11:26:04 -08:00
Jim Bugwadia
f3b644f624 handle anchors in keys 2020-12-04 15:59:15 -08:00
Jim Bugwadia
2aeb5aa982 validate conditiona.operator as enum 2020-11-29 00:37:36 -08:00
Jim Bugwadia
54f816c246 trim variable for context lookups 2020-11-24 17:48:54 -08:00
shuting
e868dbfeb9
Fix 1287 - failed to update annotation through mutate policy (#1289)
* fix 1287

* update mutate log
2020-11-24 10:11:05 -08:00
Shuting Zhao
168bb21093 add optional tag to gr.status 2020-11-18 15:07:12 -08:00
NoSkillGirl
9a9cd55b7b SanitizedError fix 2020-11-18 15:02:14 +05:30
NoSkillGirl
5794889752 Merge branch 'main' into policyreport_cli 2020-11-18 14:43:30 +05:30
Shuting Zhao
b9fb926ddb fixes for golint ./... 2020-11-17 13:07:30 -08:00
Shuting Zhao
e985ee4031 correct misspelled words 2020-11-17 12:01:01 -08:00
Jim Bugwadia
74b656768e
1251 fix generate panic (#1252)
* improve error message

* fix panic and add error logs

* update log levels and messages

* fix tests
2020-11-12 16:44:57 -08:00
NoSkillGirl
7fbe422ef6 corrected merge code 2020-11-10 16:31:39 +05:30
NoSkillGirl
acc34fbf0a Merge commit 2020-11-10 10:49:29 +05:30
shuting
5e07ecc5f3
Add Policy Report (#1229)
* add report in cli

* policy report crd added

* policy report added

* configmap added

* added jobs

* added jobs

* bug fixed

* added logic for cli

* common function added

* sub command added for policy report

* subcommand added for report

* common package changed

* configmap added

* added logic for kyverno cli

* added logic for jobs

* added logic for jobs

* added logic for jobs

* added logic for cli

* buf fix

* cli changes

* count bug fix

* docs added for command

* go fmt

* refactor codebase

* remove policy controller for policyreport

* policy report removed

* bug fixes

* bug fixes

* added job trigger if needed

* job deletation logic added

* build failed fix

* fixed e2e test

* remove hard coded variables

* packages adde

* improvment added in jobs sheduler

* policy report yaml added

* cronjob added

* small fixes

* remove background sync

* documentation added for report command

* remove extra log

* small improvement

* tested policy report

* revert hardcoded changes

* changes for demo

* demo changes

* resource aggrigation added

* More changes

* More changes

* - resolve PR comments; - refactor jobs controller

* set rbac for jobs

* add clean up in job controller

* add short names

* remove application scope for policyreport

* move job controller to policyreport

* add report logic in command apply

* - update policy report types;  - upgrade k8s library; - update code gen

* temporarily comment out code to pass CI build

* generate / update policyreport to cluster

* add unit test for CLI report

* add test for apply - generate policy report

* fix unit test

* - remove job controller; - remove in-memory configmap; - clean up kustomize manifest

* remove dependency

* add reportRequest / clusterReportRequest

* clean up policy report

* generate report request

* update crd clusterReportRequest

* - update json tag of report summary; - update definition manifests; -  fix dclient creation

* aggregate reportRequest into policy report

* fix unit tests

* - update report summary to optional; - generate clusterPolicyReport; - remove reportRequests after merged to report

* remove

* generate reportRequest in kyverno namespace

* update resource filter in helm chart

* - rename reportRequest to reportChangeRequest; -rename clusterReportRequest to clusterReportChangeRequest

* generate policy report in background scan

* skip generating report change request if there's entry results

* fix results entry removal when policy / rule gets deleted

* rename apiversion from policy.kubernetes.io to policy.k8s.io

* update summary.* to lower case

* move reportChangeRequest to kyverno.io/v1alpha1

* remove policy report flag

* fix report update

* clean up policy violation CRD

* remove violation CRD from manifest

* clean up policy violation code - remove pvGenerator

* change severity fields to lower case

* update import library

* set report category

Co-authored-by: Yuvraj <yuvraj.yad001@gmail.com>
Co-authored-by: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-11-09 11:26:12 -08:00
NoSkillGirl
e11efa4e7a added policy report example 2020-11-04 14:03:40 +05:30
NoSkillGirl
f2c01d7f76 fixed no-kind-pod error 2020-11-04 14:03:38 +05:30
NoSkillGirl
80aa6eb9f5 added policyreport to cli 2020-11-04 14:03:38 +05:30
Shuting Zhao
85c6c3d36f clean up policy violation CRD 2020-11-02 16:59:16 -08:00
Shuting Zhao
63a8d89c8d - update report summary to optional; - generate clusterPolicyReport; - remove reportRequests after merged to report 2020-10-27 18:28:30 -07:00
Shuting Zhao
c906baa1a7 - update policy report types; - upgrade k8s library; - update code gen 2020-10-15 17:54:58 -07:00
Shuting Zhao
6b5e935e49 Merge branch 'feature/reports-cli' of https://github.com/evalsocket/kyverno into policyreport
# Conflicts:
#	Makefile
#	cmd/kyverno/main.go
#	go.mod
#	go.sum
#	pkg/client/clientset/versioned/clientset.go
#	pkg/client/clientset/versioned/fake/clientset_generated.go
#	pkg/client/clientset/versioned/fake/register.go
#	pkg/client/clientset/versioned/scheme/register.go
#	pkg/client/informers/externalversions/factory.go
#	pkg/client/informers/externalversions/generic.go
#	pkg/client/listers/kyverno/v1/expansion_generated.go
#	pkg/policy/common.go
#	pkg/policy/controller.go
#	pkg/policy/existing.go
#	pkg/policyviolation/builder.go
#	pkg/policyviolation/generator.go
#	pkg/webhooks/server.go
#	pkg/webhooks/validate_audit.go
#	pkg/webhooks/validation.go
2020-10-12 18:30:37 -07:00
Mohan B E
51ac382c6c
Feature/configmaps var 724 (#1118)
* added configmap data substitution for foreground mutate and validate

* added configmap data substitution for foreground mutate and validate fmt

* added configmap lookup for background

* added comments to resource cache

* added configmap data lookup in preConditions

* added parse strings in In operator and configmap lookup docs

* added configmap lookup docs

* modified configmap lookup docs
2020-09-22 14:11:49 -07:00
evalsocket
573496f318 policy report yaml added 2020-09-15 08:07:01 -07:00
shuting
931d7cd47c
Set mutating webhhok reinvocationPolicy to IfNeeded (#1097)
* add watch policy to clusterrole kyverno:customresources

* fix build

* fix nil pointer

* skip json patches if the mutation is re-invoked

* set resource mutating webhook invocation policy to IfNeeded
2020-09-03 08:54:37 -07:00
Mohan B E
3690bf5fff
conditional anchor preprocessing for patch strategic merge (#1090)
* conditional anchor preprocessing for patch strategic merge

* modified sequence pre processing and added unit test

* merged master

* go fmt

* corrected mistake and added error handling to policy validate
2020-09-01 09:12:05 -07:00
Mohan B E
f60deecdce
Feature/namespaced policy 280 (#1058)
* namespaced policy crd and cache

* modified main.go

* removed kyverno

* implemented policy violation generator for namespaced policy on audit

* modified cache

* added validation for cluster resource types

* install.yaml

* install.yaml

* removed namespaces from crd and refactored code

* modified NamespacePolicy to Policy

* added ClusterRole aggregate for policies

* modified clusterrole
2020-08-19 09:07:23 -07:00
Jim Bugwadia
fc6da9c9e6 improve CLI validation reports 2020-08-18 21:03:00 -07:00
Pooja Singh
5a68653749
Supporting annotations in match/exclude (#1045)
* Supporting annotations in match/exclude filters

* updated readme

* small fix
2020-08-17 17:12:27 -07:00
Mohan B E
a14828246d
Feature/api version 852 (#1028)
* apiVersion support for generate

* added apiVersion to crds
2020-08-07 09:47:33 +05:30
shuting
39de46fe39
983 kustomize support (#1026)
* prototype - strategic merge patch

* add end to end test

* add engine strategic merge patch support

* set webhook reinvocationPolicy to IfNeeded

* refactor engine mutate code

* support JMESPath in strategic merge patch

* implement patchesJson6902

* update doc

* resolve pr comments
2020-08-05 09:11:23 -07:00
Mohan BE
3e1cef790a added field type specification to types 2020-07-21 11:33:51 +05:30
Mohan BE
9451f79ee5 added api docs generator 2020-07-20 20:05:06 +05:30
NoSkillGirl
f0fab9499e temp 2020-07-11 17:56:14 +05:30
shuting
87fa77fbcc
965 add validate audit handler (#967)
* store policy names cache to reduce lookup time

* add validate audit handler

* fix #958, remove auto-gen annotation on Pod

* formatting code

* update processTime to readable format

* #586, add back unit test

* update logging info

* remove unused interface

* handle generate policy in a single thread in weboook

* resolve pr comments
2020-07-09 11:48:34 -07:00
NoSkillGirl
2fde3146e8 added more validation for policies 2020-07-07 17:08:57 +05:30
Jim Bugwadia
65193feccb
update logging, naming, and event retry (#959)
* update logging and naming

* check per policy patch count
2020-06-30 11:53:27 -07:00
NoSkillGirl
b589169b5e Added in-notin operator 2020-06-26 12:48:45 +05:30
Yuvraj
c0326ce3f1 conflict resolve 2020-06-25 12:05:42 -07:00
Yuvraj
ab328b59d3 go mod updated 2020-06-25 12:00:35 -07:00
Shuting Zhao
a1d7816c10 fix violation updates when there's no change 2020-06-01 19:37:48 -07:00
Jim Bugwadia
838d02c475
Bugfix/659 support wildcards for namespaces (#871)
* - support wildcards for namespaces

* do not annotate resource, unless policy is an autogen policy

* close HTTP body

* improve messages

* remove policy store

Policy store was not fully implemented and simply provided a way
to list all polices and get a policy by name, which can be done via
standard client-go interfaces.

We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.

* handle wildcard namespaces in background processing

* fix unit tests 1) remove platform dependent path usage 2) remove policy store

* add test case for mutate with wildcard namespaces
2020-05-26 10:36:56 -07:00
Jim Bugwadia
304c75403e - skip resource schema validation when no mutate rules are applied
- cleanup webhook registration logic and logs
2020-05-17 14:37:05 -07:00
shravan
0932e9a147 664 tested prototype 2020-04-27 18:38:03 +05:30
shravan
793321e410 754 missing changes for prev commit 2020-03-28 16:50:56 +05:30
shravan
9ce0102db9 754 missing changes from previous commit 2020-03-28 16:47:42 +05:30
shravan
91223deae2 754 resolved merge conflicts 2020-03-28 16:43:19 +05:30
shravan
b5af456f64 Revert "754 merge conflicts"
This reverts commit 39f75db435.
2020-03-28 16:36:19 +05:30
shravan
39f75db435 754 merge conflicts 2020-03-28 16:30:18 +05:30
shravan
5cb134214b 536 importing go acc before ci/cd 2020-01-29 14:23:59 +05:30
shravan
a4e06a6ba1 536 fixing compilation issues 2020-01-26 19:42:09 +05:30
shravan
5a63b85368 536 conforming to plugin author guidelines 2020-01-26 19:21:58 +05:30
shravan
4bd678e301 added go modules and removed vendor file 2020-01-14 10:07:21 +05:30