914 commits

Author	SHA1	Message	Date
Pratik Shah	caab013a86	Fixed issue-4530: Added separate attestor type for secrets and KMS (#4733) ... Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>	2022-10-14 09:40:46 +00:00
Pratik Shah	8a0083105d	Added support to specify key signature algorithm in verifyImages (#4855) ... Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Pratik Shah <pratik@infracloud.io>	2022-10-14 05:39:57 +00:00
Charles-Edouard Brétéché	56d90888e0	fix: consider generateName when matching resources (#4945) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-13 16:02:01 +00:00
Charles-Edouard Brétéché	9e933e8d21	fix: set operation in context when necessary (#4940) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-13 19:33:49 +05:30
Charles-Edouard Brétéché	ed88e9f8d2	fix: panic when bad variable substitution (#4928) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-10-13 10:16:47 +00:00
Jim Bugwadia	106880c8d0	fix extension checks (#4836) ... * fix extension checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-10-06 13:08:34 -07:00
Vishal Choudhary	44763cf61b	Fix: Typo in x509_decode JMESPath function's note (#4773) ... * changed 'json' to 'an object' * changed 'json' to 'an object' sign: Vishal Choudhary <contactvishaltech@gmail.com> * changed 'json' to 'an object' * changed 'json' to 'an object' sign: Vishal Choudhary <contactvishaltech@gmail.com> Signed-off-by: Vishal Choudhary <contactvishaltech@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-10-03 08:26:19 +00:00
yinka	688b4fb8e3	add package logger in files (#4766) ... * add package logger in files Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add package logger to initContainer and other files Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * helm docs Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * helm default values Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * release notes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-10-02 19:45:03 +00:00
Abhinav Sinha	a1182859ad	Added x509_decode JMESPath function (#4664) ... * Added `x509_decode` JMESPath function Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Use `crypto/x509` stdlib Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Return result as `map[string]interface{}` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Made minor fixes Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Fixed error with unmarshalling decoded certificate Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Added e2e test for decoding X.509 certs Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Reverted to using `smallstep/zcrypto` for X.509 Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Minor fix Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Addressed reviews Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Removed redundant dependency on `pkg/errors` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-09-28 18:15:39 +00:00
shuting	34c6920129	Support PSa integration by controlName only (#4710) ... * Remove "restrictedField" and "values" from podSecurity.exclude Signed-off-by: ShutingZhao <shuting@nirmata.com> * Remove commented code Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add unit tests for restricted_runAsNonRoot Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add baseline unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add unit tests for restricted controls Signed-off-by: ShutingZhao <shuting@nirmata.com> * Removes PSa tests at the engine level Signed-off-by: ShutingZhao <shuting@nirmata.com> * - Update API docs; - Add unit tests for wildcard images Signed-off-by: ShutingZhao <shuting@nirmata.com> * Remove autogen conversion for PSa policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * copy pod with DeepCopy() Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-28 10:03:53 +00:00
Charles-Edouard Brétéché	073ff38cc9	fix: change key used in test (#4718) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-27 17:18:14 +00:00
Pradeep Lakshmi Narasimha	e305aea95c	fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671) ... Signed-off-by: praddy26 <pradeep.vaishnav4@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-09-26 14:54:13 +00:00
Charles-Edouard Brétéché	6a8085522a	fix: jmespath random error handling (#4697) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-26 13:33:52 +00:00
Charles-Edouard Brétéché	4d7e1281de	fix: namespaced policy not validated in engine (#4653) ... * fix: namespaced policy not validated in engine Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix test Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-09-26 12:47:37 +08:00
Anurag	cadf577e4b	enhance jmespath random-filter (#4591) ... Signed-off-by: Anurag <contact.anurag7@gmail.com> Signed-off-by: Anurag <contact.anurag7@gmail.com>	2022-09-14 06:27:32 +00:00
Jim Bugwadia	c2b4a9434b	allow PSa validation with no exceptions (#4558) ... Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-09-10 16:58:10 +00:00
Anurag	560cec329e	add random filter (#4527) ... * add random filter Signed-off-by: Anurag <contact.anurag7@gmail.com> * update go.mod file Signed-off-by: Anurag <contact.anurag7@gmail.com> * update go.sum Signed-off-by: ShutingZhao <shuting@nirmata.com> * linter fix Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Anurag <contact.anurag7@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com>	2022-09-07 16:22:30 +00:00
Charles-Edouard Brétéché	429fe175bf	chore: add unit tests for pkg/utils/wildcard (#4510) ... * chore: add unit tests for pkg/utils/wildcard Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * testify Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-06 08:02:41 +00:00
Charles-Edouard Brétéché	1e25bfd16f	feat: remove context api call constraints (#4389) ... * feat: add raw api call support Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: remove context api call constraints Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-01 08:30:04 +00:00
ToLToL	1b9a2fca21	Extend Pod Security Admission (#4364) ... * init commit for pss Signed-off-by: ShutingZhao <shuting@nirmata.com> * add test for Volume Type control * add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS() * remove unused code, still a JMESPATH problem with app armor ExemptProfile() * test for Host Process / Host Namespaces controls * test for Privileged containers controls * test for HostPathVolume control * test for HostPorts control * test for HostPorts control * test for SELinux control * test for Proc mount type control * Set to baseline * test for Seccomp control * test for Sysctl control * test for Privilege escalation control * test for Run as non root control * test for Restricted Seccomp control * Add problems to address * add solutions to problems * Add validate rule for PSA * api.Version --> string. latest by default * Exclude all values for a restrictedField * add tests for kyverno engine * code to be used to match kyverno rule's namespace * Refacto pkg/pss * fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers: * EvaluatePod * Use EvaluatePod in kyverno engine * Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add * Check if PSSCheckResult matched at least one exclude value * add tests for engine * fix engine validation test * config * update go.mod and go.sum * crds * Check validate value: add PodSecurity * exclude all restrictedFields when we only specify the controlName * ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path * handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded) * refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go * add all controls with containers in restrictedFields as comments * add tests for capabilities and privileged containers and fix some errors * add tests for host ports control * add tests for proc mount control * add tests for privilege escalation control * add tests for capabilities control * remove comments * new algo * refacto algo, working. Add test for hostProcess control * remove unused code * fix getPodWithNotMatchingContainers(), add tests for host namespaces control * refacto ExemptProfile() * get values for a specific container. add test for SELinuxOptions control * fix allowedValues for SELinuxOptions * add tests for seccompProfile_baseline control * refacto checkContainers(), add test for seccomp control * add test for running as non root control * add some tests for runAsUser control, have to update current PSA version * add sysctls control * add allowed values for restrictedVolumes control * add some tests for appArmor, volume types controls * add tests for volume types control * add tests for hostPath volume control * finish merge conflicts and add tests for runAsUser * update charts and crds * exclude.images optional * change volume types control exclude values * add appAmor control * fix: did not match any exclude value for pod-level restrictedFields * create autogen for validate.PodSecurity * clean code, remove logs * fix sonatype lift errors * fix sonatype lift errors: duplication * fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests * beginning of autogen implement for validate.exclude * Autogen for validation.PodSecurity * working autogen with simple tests * change validate.PodSecurity failure response format * make codegen * fix lint errors, remove debug prints * fix tags * fix tags * fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request * Changes requested * Changes requested 2 * Changes requested 3 * Changes requested 4 * Changes requested and make codegen * fix host namespaces control * fix lint * fix codegen error * update docs/crd/v1/index.html Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix path Signed-off-by: ShutingZhao <shuting@nirmata.com> * update crd schema Signed-off-by: ShutingZhao <shuting@nirmata.com> * update charts/kyverno/templates/crds.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com>	2022-08-31 09:16:31 +00:00
shuting	3bf3dcc1af	Add the metric "kyverno_client_queries_total" (#4359) ... * Add metric "kyverno_kube_client_queries_total" Signed-off-by: ShutingZhao <shuting@nirmata.com> * publish metric for missing queries Signed-off-by: ShutingZhao <shuting@nirmata.com> * Refactor the way Kyverno registers QPS metric Signed-off-by: ShutingZhao <shuting@nirmata.com> * Move clientsets to a dedicated folder Signed-off-by: ShutingZhao <shuting@nirmata.com> * Wrap Kyverno client and policyreport client to register client query metric Signed-off-by: ShutingZhao <shuting@nirmata.com> * address linter comments Signed-off-by: ShutingZhao <shuting@nirmata.com> * address linter comments Signed-off-by: ShutingZhao <shuting@nirmata.com> * Switch to use wrapper clients Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-08-31 11:33:47 +05:30
shuting	423afb57d8	skip validate rules if conditional anchor key doesn't exist in the resource (#4451) ... Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-08-31 05:09:53 +00:00
Riko Kudo	5f5cda9fee	Yaml signing and verification (#4235) ... * enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix log message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> change default value of dryrun option Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> support gpg signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> set cosign experimental env when keyless verification Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * improve default ignoreFields Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * add unit-test for k8smanifest Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update install yaml Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add unit-test for k8smanifest multi-signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and resolve conflict Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * remove generic name Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix sonatype-lift issue and unit-test error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update manifest rule to use attestor Signed-off-by: Riko Kudo <rurikudo@ibm.com> * remove unused value Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve conflict Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix install.yaml Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix to set COSIGN_EXPERIMENTAL env variable when keyless verification Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix misspell Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable kyverno cli in validate.manifests rule (#3) * enable kyverno cli in validate.manifests rule Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and improve error handling for better result output Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update crds and deepcopy Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update unit test Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * change to use spec.rules.exclude.subjects instead of skipUsers (#4) Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore (#5) * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * add a comment for dryrun option field Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable to include ClusterPolicy/Policy in match resource Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style and env variable settings Signed-off-by: Riko Kudo <rurikudo@ibm.com> * simplify manifest verify func Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix func name Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix sonatype warning Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix default ignoreFields Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore rbac (#6) * fix dryrun rbac to have minimal permissions Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix lint error Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix unit-test error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated CRD documentation Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve go.mod conflicts Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated helm stuff Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>	2022-08-30 10:14:54 -07:00
Charles-Edouard Brétéché	fc1a4601a7	refactor: introduce wildcard utils package (#4406) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-08-25 05:23:01 +00:00
Charles-Edouard Brétéché	144985ee5a	chore: fix golangcilint timeout (#4388) ... * chore: fix golangcilint timeout Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix commit sha Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * add .gitattributes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-08-24 21:08:24 +08:00
Charles-Edouard Brétéché	5cc97993dc	feat: add raw api call support (#3820) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-08-23 18:52:54 +02:00
Anutosh Bhat	d92e16526f	Added appropriate logging levels to log.Info() calls wherever necessary (#4341) ... * Added appropriate logging levels to log.Info() calls wherever necessary Signed-off-by: anutosh491 <andersonbhat491@gmail.com> * Changed logging levels to 2 Signed-off-by: anutosh491 <andersonbhat491@gmail.com> Signed-off-by: anutosh491 <andersonbhat491@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-08-18 13:24:59 +00:00
vivek kumar sahu	17052436cb	Treat normal and precondition variable equally (#4217) ... * When the value of the variables not present will assigned as nil Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * Added cli test cases Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * fixed failing test cases Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * remove extra line Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-08-18 04:34:36 +00:00
Charles-Edouard Brétéché	186dde5589	fix: image verify logs (#4348) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-08-17 19:32:19 -07:00
Jim Bugwadia	22eb79a7f0	Fix PEM delimiter parse (#4331) ... * update log levels Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not generate policy reports for blocked images Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix PEM delimiter parsing and add test case Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com>	2022-08-12 10:06:14 +00:00
vivek kumar sahu	c95bb74992	Context vars substitution in CLI (#4290) ... * context variables substitution will be independent of sequence Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * Added test cases Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-08-09 05:48:57 +00:00
Jim Bugwadia	943c3a1929	use failurePolicy to block or allow requests, on policy errors (#4183) ... * use failurePolicy to block or allow requests, on policy errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add warnings Signed-off-by: Jim Bugwadia <jim@nirmata.com> * codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add unit tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle network errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix title conversion Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix path in generated file Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fake metrics Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add check for klog flag initialization Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check for flag reinitialization Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check for flag reinitialization Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix spelling Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix flag init Signed-off-by: Jim Bugwadia <jim@nirmata.com>	2022-08-02 20:24:02 +05:30
Jim Bugwadia	6fa8a97583	update log levels (#4286) ... Signed-off-by: Jim Bugwadia <jim@nirmata.com>	2022-08-02 10:57:25 +05:30
Jim Bugwadia	4aa0767728	add applyRules to control whether one or all rules are applied (#4196) ... * add ruleSelector Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix selector logic for skipped rules Signed-off-by: Jim Bugwadia <jim@nirmata.com> * change names Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix generated paths Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add image variable to context when rule processing starts Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix messages Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update generate rules Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-07-29 15:02:26 +08:00
vivek kumar sahu	03cec01fb5	feature: added new type of event, PolicySkipped (#4251) ... * feature: added new type of event, PolicySkipped Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * fix html docs Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-07-28 14:01:50 +08:00
vivek kumar sahu	f6c131cfcc	precondition failure will skip rule independent of audit or enforce mode (#4163) ... * precondition fails will skip rule independent of audit or enforce mode Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * Added cli-test cases Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * small fix Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-07-14 09:35:27 +05:30
Andrew Bulford	11942560c3	fix: Stop incorrect any block condition logging (#4107) ... Previously the "no condition passed for 'any' block" would be logged for all `any` blocks because the log line always occurs, even if conditions are found. Co-authored-by: Samuel Torres <samuel.torres@form3.tech> Signed-off-by: Andrew Bulford <andrew.bulford@form3.tech> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-06-15 15:39:24 +00:00
Shubham Nazare	165c5d9fc3	feat: Extend CLI to cover generate policies (#3456) ... - Change in namespace for test-generate example - Change cloneResource to cloneSourceResource - Add support for namespaced Policy and fix log messages - Add test-generate in Makefile and an example of namespaced Policy - Fix namespaced policy issue and add comments - Refactor according to new generate controller - Add json tag to GeneratedResource field of RuleResponse struct Signed-off-by: Shubham Nazare <shubham4443@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-05-25 14:26:22 +00:00
Anton Popovichenko	afc9a56d33	Feature: Add support for allowing insecure registries. (#3983) ... Now you can work with self signed registries by updating your deployment with adding `--allowInsecureRegistry` to the `args` field. Signed-off-by: Anton Popovichenko <anton.popovichenko@mendix.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-25 11:03:36 +02:00
shuting	85b486eb27	Support @ for mutate targets (#3998) ... Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-05-24 17:49:36 +05:30
Jim Bugwadia	8fe9163f4e	fix attestation checks (#3999) ... * fix attestation checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * dos2unix Signed-off-by: Jim Bugwadia <jim@nirmata.com>	2022-05-24 14:57:01 +08:00
Charles-Edouard Brétéché	1afda6a137	refactor: make registry client variables private (#3975) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-23 18:45:25 +05:30
Charles-Edouard Brétéché	840307fc69	chore: enable ifshort linter (#3945) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-17 18:55:13 +00:00
Charles-Edouard Brétéché	5243763674	chore: make dclient import aliases consistent (#3951) ... * chore: make kyverno api import aliases consistent Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * chore: make apimachinery api import aliases consistent Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * chore: make dclient api import aliases consistent Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-17 14:40:51 +00:00
Charles-Edouard Brétéché	5aaf2d8770	chore: make kyverno api import aliases consistent (#3939) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-17 13:12:43 +02:00
Charles-Edouard Brétéché	0099ef54ad	chore: enable gofmt and gofumpt linters (#3931) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-17 06:19:03 +00:00
Charles-Edouard Brétéché	c12f94d6d4	chore: enble gci linter (#3930) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-05-17 07:56:48 +02:00
Anurag	e8b1e1275a	fix: return type changed to bool in jpfCompare fn (#3924) ... * return type changed to bool in jpfCompare fn Signed-off-by: Anurag <contact.anurag7@gmail.com> * update functions.go Signed-off-by: Anurag <contact.anurag7@gmail.com> * updated the commit Signed-off-by: Anurag <contact.anurag7@gmail.com> Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>	2022-05-16 21:11:43 +00:00
Charles-Edouard Brétéché	52cc493e57	chore: enable misspell linter (#3932) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-16 19:08:57 +05:30
Charles-Edouard Brétéché	d7a3ba596d	chore: enable errname linter (#3926) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-16 18:51:31 +08:00