1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
Commit graph

19 commits

Author SHA1 Message Date
Charles-Edouard Brétéché
6a43ec4bcf
chore: fix policies (#8449)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-09-19 10:28:58 +00:00
Dhananjay Kumar Sharma
04bc4ed7c6
Migrated scenario based tests to CLI (#8055)
* migrated scenarios to cli and resolved conflicts

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Modified Makefile

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update Makefile

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Create patchedresource.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update kyverno-test.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Delete test/cli/scenarios_to_cli/other /scenario_mutate_validate_qos directory

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update kyverno-test.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Create patchedresource.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update policy.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* Update policy.yaml

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Dhananjay Kumar Sharma <dhananjaykumarsharma3339@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-23 15:55:39 +00:00
shuting
34c6920129
Support PSa integration by controlName only (#4710)
* Remove "restrictedField" and "values" from podSecurity.exclude

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Remove commented code

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add unit tests for restricted_runAsNonRoot

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add baseline unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add unit tests for restricted controls

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Removes PSa tests at the engine level

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - Update API docs; - Add unit tests for wildcard images

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Remove autogen conversion for PSa policies

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* copy pod with DeepCopy()

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-28 10:03:53 +00:00
ToLToL
1b9a2fca21
Extend Pod Security Admission (#4364)
* init commit for pss

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add test for Volume Type control

* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()

* remove unused code, still a JMESPATH problem with app armor ExemptProfile()

* test for Host Process / Host Namespaces controls

* test for Privileged containers controls

* test for HostPathVolume control

* test for HostPorts control

* test for HostPorts control

* test for SELinux control

* test for Proc mount type control

* Set to baseline

* test for Seccomp control

* test for Sysctl control

* test for Privilege escalation control

* test for Run as non root control

* test for Restricted Seccomp control

* Add problems to address

* add solutions to problems

* Add validate rule for PSA

* api.Version --> string. latest by default

* Exclude all values for a restrictedField

* add tests for kyverno engine

* code to be used to match kyverno rule's namespace

* Refacto pkg/pss

* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:

* EvaluatePod

* Use EvaluatePod in kyverno engine

* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add

* Check if PSSCheckResult matched at least one exclude value

* add tests for engine

* fix engine validation test

* config

* update go.mod and go.sum

* crds

* Check validate value: add PodSecurity

* exclude all restrictedFields when we only specify the controlName

* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path

* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)

* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go

* add all controls with containers in restrictedFields as comments

* add tests for capabilities and privileged containers and fix some errors

* add tests for host ports control

* add tests for proc mount control

* add tests for privilege escalation control

* add tests for capabilities control

* remove comments

* new algo

* refacto algo, working. Add test for hostProcess control

* remove unused code

* fix getPodWithNotMatchingContainers(), add tests for host namespaces control

* refacto ExemptProfile()

* get values for a specific container. add test for SELinuxOptions control

* fix allowedValues for SELinuxOptions

* add tests for seccompProfile_baseline control

* refacto checkContainers(), add test for seccomp control

* add test for running as non root control

* add some tests for runAsUser control, have to update current PSA version

* add sysctls control

* add allowed values for restrictedVolumes control

* add some tests for appArmor, volume types controls

* add tests for volume types control

* add tests for hostPath volume control

* finish merge conflicts and add tests for runAsUser

* update charts and crds

* exclude.images optional

* change volume types control exclude values

* add appAmor control

* fix: did not match any exclude value for pod-level restrictedFields

* create autogen for validate.PodSecurity

* clean code, remove logs

* fix sonatype lift errors

* fix sonatype lift errors: duplication

* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests

* beginning of autogen implement for validate.exclude

* Autogen for validation.PodSecurity

* working autogen with simple tests

* change validate.PodSecurity failure response format

* make codegen

* fix lint errors, remove debug prints

* fix tags

* fix tags

* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request

* Changes requested

* Changes requested 2

* Changes requested 3

* Changes requested 4

* Changes requested and make codegen

* fix host namespaces control

* fix lint

* fix codegen error

* update docs/crd/v1/index.html

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix path

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update crd schema

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update charts/kyverno/templates/crds.yaml

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 09:16:31 +00:00
Tathagata Paul
b91ff5a7f2
Bug fix: negation of string kernel version caused Cluster Policy to fail (#3229)
* fixed bug where negation of kernel version caused cpolr to fail

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* small fix in function validateString

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* Added necessary tests

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

Added one more test

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* Add more tests and added a policy to the test folder

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* added policy for test cli

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-02-17 09:33:30 +05:30
Vyankatesh Kudtarkar
c2de92d8c6
Support mutation of variables in validate.deny (#2947)
* Support mutation of variables in validate.deny

* remove comment

* fix e2e test
2022-01-18 10:53:30 +00:00
Sambhav Kothari
0c11af2d9a
Fix autogen issue with cronjob generator and foreach pod generator (#2989)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-01-15 12:28:28 -08:00
Jim Bugwadia
a9fef256c7
updates for foreach and mutate (#2891)
* updates for foreach and mutate

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* allow tests to pass on Windows

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter check

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add elementIndex variable

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix jsonResult usage

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add mutate validation and fix error in validate.foreach

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update message

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* do not skip validation for all array entries when one is skipped

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add foreach tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix format errors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove unused declarations

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* revert namespaceWithLabelYaml

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix mutate of element list

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update CRDs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Update api/kyverno/v1/policy_types.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/forceMutate.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/forceMutate.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/forceMutate.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/mutation.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/mutation.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/mutation.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/validate/validate.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/validate/validate.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update test/cli/test/custom-functions/policy.yaml

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update test/cli/test/foreach/policies.yaml

Co-authored-by: Steven E. Harris <seh@panix.com>

* accept review comments and format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add comments to strategicMergePatch buffer

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* load context and evaluate preconditions foreach element

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add test for foreach mutate context and precondition

* precondition testcase

* address review comments

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update message

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Steven E. Harris <seh@panix.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-05 09:36:33 +08:00
Shuting Zhao
e985ee4031 correct misspelled words 2020-11-17 12:01:01 -08:00
Jim Bugwadia
838d02c475
Bugfix/659 support wildcards for namespaces (#871)
* - support wildcards for namespaces

* do not annotate resource, unless policy is an autogen policy

* close HTTP body

* improve messages

* remove policy store

Policy store was not fully implemented and simply provided a way
to list all polices and get a policy by name, which can be done via
standard client-go interfaces.

We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.

* handle wildcard namespaces in background processing

* fix unit tests 1) remove platform dependent path usage 2) remove policy store

* add test case for mutate with wildcard namespaces
2020-05-26 10:36:56 -07:00
Shivkumar Dudhani
8c1d79ab28
linter suggestions (#655)
* cleanup phase 1

* linter fixes phase 2
2020-01-24 12:05:53 -08:00
Shivkumar Dudhani
af824f28b0
add annotation to ns (#621) 2020-01-13 17:43:13 -08:00
Shivkumar Dudhani
dabe592d46
fix the bugs and add pre-condition checks (#606)
* fix the bugs and add pre-condition checks

* add precondition documentation
2020-01-13 11:21:14 -08:00
shivkumar dudhani
eb34437f30 add annotation to variable 2020-01-11 11:14:47 -08:00
Shivkumar Dudhani
3cf9141f4d
593 feature (#594)
* initial commit

* background policy validation

* correct message

* skip non-background policy process for add/update

* add Generate Request CR

* generate Request Generator Initial

* test generate request CR generation

* initial commit gr generator

* generate controller initial framework

* add crd for generate request

* gr cleanup controller initial commit

* cleanup controller initial

* generate mid-commit

* generate rule processing

* create PV on generate error

* embed resource type

* testing phase 1- generate resources with variable substitution

* fix tests

* comment broken test #586

* add printer column for state

* return if existing resource for clone

* set resync time to 2 mins & remove resource version check in update handler for gr

* generate events for reporting

* fix logs

* initial commit

* fix trailing quote in patch

* remove comments

* initial condition (equal & notequal)

* initial support for conditions

* initial support fo conditions in generate

* support precondition checks

* cleanup

* re-evaluate GR on namespace update using dynamic informers

* add status for generated resources

* display loaded variable SA

* support delete cleanup of generate request main resources

* fix log

* remove namespace from SA username

* support multiple variables per statement for scalar values

* fix fail variables

* add check for userInfo

* validation checks for conditions

* update policy

* refactor logs

* code review

* add openapispec for clusterpolicy preconditions

* Update documentation

* CR fixes

* documentation

* CR fixes

* update variable

* fix logs

* update policy

* pre-defined variables (serviceAccountName & serviceAccountNamespace)

* update test
2020-01-07 15:13:57 -08:00
Shivkumar Dudhani
ffd2179b03
538 (#587)
* initial commit

* background policy validation

* correct message

* skip non-background policy process for add/update

* add Generate Request CR

* generate Request Generator Initial

* test generate request CR generation

* initial commit gr generator

* generate controller initial framework

* add crd for generate request

* gr cleanup controller initial commit

* cleanup controller initial

* generate mid-commit

* generate rule processing

* create PV on generate error

* embed resource type

* testing phase 1- generate resources with variable substitution

* fix tests

* comment broken test #586

* add printer column for state

* return if existing resource for clone

* set resync time to 2 mins & remove resource version check in update handler for gr

* generate events for reporting

* fix logs

* cleanup

* CR fixes

* fix logs
2020-01-07 10:33:28 -08:00
Shuting Zhao
051eba058f update api in samples/ 2019-11-13 13:56:20 -08:00
shivkumar dudhani
a191bd67f4 update message string 2019-11-01 15:21:23 -07:00
shivkumar dudhani
4e5f551fa7 clean up 2019-10-14 14:10:34 -07:00