* fix validation check on UPDATE
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* prevent policy bypass using preconditions
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* separate replace
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add error handling
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fixed bug where negation of kernel version caused cpolr to fail
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* small fix in function validateString
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Added necessary tests
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Added one more test
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Add more tests and added a policy to the test folder
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* added policy for test cli
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* allow root cert for keyless attestations checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add logs and improve var names
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle err in sig loading
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Adds e2e test for JSON patch mutate policy
Signed-off-by: afzal442 <afzal442@gmail.com>
* modifies the config to use the optimal version of that policy
Signed-off-by: afzal442 <afzal442@gmail.com>
* Fixes the lint issuue
Signed-off-by: afzal442 <afzal442@gmail.com>
* modifies test to pass
Signed-off-by: afzal442 <afzal442@gmail.com>
* adds changes to resources
Signed-off-by: afzal442 <afzal442@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* Update kyverno-policies chart with latest pod-security policies
Fixes#3063Fixes#2277
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README to have better example
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use chart testing during e2e to test against ci values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix e2e tests for Helm chart
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix Kyverno chart testing to actually test values, and fix networkpolicy template
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README for exclusion
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Allow adding 'other' policies via Helm
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update Chart.yaml for kyverno-policies
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Bump minimum Kubernetes version in charts
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update kyverno-policies chart readme
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases (part 2)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use same logic to get git tag by using Makefile target for updating Helm values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
* - update dev images tag; - update chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update to use dev tag when setting up e2e tests infra
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* default chart test image tag for busybox to latest
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* set image tag to latest for chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* correct tag
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove test tag in e2e.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add Sam as a maintainer
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update maintainers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* address comments
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fixed link
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
As part of tighten and clarify Kyverno roles and
permissions, PR #2799 we missed to update the charts
templates events clusterroles.
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* Fix variable substitution when inline jmespath objects are defined
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add additional test cases which use brackets
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Removes the need to specify an image pull secret to make use of cloud
provider credentials. As I understand it, this should be fine outside of
cloud provider contexts.
As part of this, I've switched to using authn/kubernetes, which I believe
is preferable to k8schain.
Signed-off-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* add nodeAffinity for kyverno helm chart
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* quite better and more open solution for affinity in helm chart. it assist all kinds of other affinitys
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* fix typo in parameter
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* make affinity selection easier - return to antiAffinity for less change
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* return to antiAffinity to make change easier
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* add documentation for new values and helm functions
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* simplified again the use of new affinities. Dont need to extra enable if
you insert affinities
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* fix "if" of the affinity block
Co-authored-by: treydock <treydock@gmail.com>
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* Now finaly renamed values to avoid braking change; adjust readme for the
parameter names
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* alphabetic order readme
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
Co-authored-by: Kevin Welter <kevin.welter@digital-nx.com>
Co-authored-by: treydock <treydock@gmail.com>
* update cosign to 1.5.0 and add checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix subject and issuer checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Enable cloud provider registry keychains
It's desirable that Kyverno supports using workload identity and other
cloud provider metadata services for registry credentials.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Always initialize registry keychain
This supports using docker configuration on disk and credentials from
cloud providers without having to specify image pull secrets.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Get pull secrets from kyverno service account
It was previously using 'default'. I think it makes more sense to use
the service account that Kyverno actually runs with.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't split empty pull secrets list
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Add KYVERNO_SVC_ACCOUNT to config manifests
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't retrieve secrets from service account
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Reduce scope of keychain changes
Just enable cloud provider keychains.
Signed-off-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
