kyverno

mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00

Author	SHA1	Message	Date
Charles-Edouard Brétéché	ff728d5f2b	feat: propagate context through engine (#5639 ) * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-12-09 21:45:11 +08:00
Charles-Edouard Brétéché	7219b4f8a3	refactor: registry client (#5596 ) * refactor: registry client Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-12-07 23:08:37 +08:00
Charles-Edouard Brétéché	5b89e2e5f8	refactor: make policy context immutable and fields private (#5523 ) * refactor: make policy context immutable and fields private Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: make policy context immutable and fields private Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-12-02 16:14:23 +08:00
Charles-Edouard Brétéché	1ea4a0db19	refactor: use internal cmd package in kyverno (#5507 )	2022-11-30 13:37:53 +00:00
Charles-Edouard Brétéché	c3be9e36a5	feat: propagate context to dynamic client (#5495 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-11-29 13:59:40 +00:00
Charles-Edouard Brétéché	6f1bd5fff2	chore: replace utils.ContainsString with builtin slices.Contains (#5496 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-11-29 08:04:49 +00:00
Charles-Edouard Brétéché	dfded5cc60	feat: propagate context to the metrics package (#5479 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-11-28 10:30:14 +00:00
Prateek Pandey	42221a93e4	fix: add clone check before validating namespace policy (#5459 ) fix: add clone check before validate clone namespace - fix data policy validation - add kuttl tests to validate the behaviour Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-11-25 12:49:22 +05:30
shuting	93eaead565	fix: mutate existing policy does not get applied when background=false (#5439 ) * fix mutate existing policies when background=false Signed-off-by: ShutingZhao <shuting@nirmata.com> * add the kuttl test Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-11-23 08:16:06 +00:00
Charles-Edouard Brétéché	2178b9fe77	refactor: dynamic client use instrumented clients (#5436 ) * refactor: improve instrumented clients creation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: instrumented clients code part 3 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: dynamic client Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-11-22 13:37:27 +00:00
Vyankatesh Kudtarkar	dc0a07e5d8	Handle Match resources kind (#5421 ) Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-11-22 01:20:24 +00:00
Pratik Shah	dccb1f692a	Fixed issue-3709: Image verify rule gives error for non-existing configmap (#5272 ) Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Pratik Shah <pratik@infracloud.io>	2022-11-18 08:27:34 +00:00
Vyankatesh Kudtarkar	83a84c9d47	[Bug]: Fix wildcard any/all issue (#5387 ) * Fix wildcard for any/all match/excude kinds * remove non required test * add kuttl test * Revert "add kuttl test" This reverts commit `d2245bc248`. * add kuttl test * fix test	2022-11-17 14:07:03 +00:00
shuting	b1367fd497	fix the entry length validation for the verify image rule (#5384 ) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-11-17 17:25:02 +05:30
Prateek Pandey	c0f479add9	fix: add validation for generate namespace policy (#5346 ) * fix: add validation for generate namespace policy - generate of cluster scope resource not allowed - Only allowed to generate resource in policy namespace Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * add unit tests to validate the behaviour Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * fix error logs Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-11-17 07:43:51 +00:00
Prateek Pandey	2b4ff1ef6d	fix: synchronize source resource update to clone list resource (#5317 ) * fix: synchronize source resource update to clone list target resource Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * add kuttl test to verify the clone list synchronized behavior Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * refactor functions parameters Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * fix the kuttl test description and behavior README Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * Use entire content to compare Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-11-11 19:30:54 +00:00
Charles-Edouard Brétéché	6091af6fba	fix: wrong logger used (#5311 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-11-11 12:16:27 +05:30
Charles-Edouard Brétéché	564c92d4bf	fix: add warning when using deprecated validation failure action (#5219 ) * fix: add warning when using deprecated validation failure action Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-11-07 22:16:53 +00:00
Vyankatesh Kudtarkar	a6e866fe1f	Fix Keda policy installation issue (#5239 )	2022-11-07 18:54:44 +05:30
shuting	da84b777bc	fix: too much information for the Policy Rule Execution Latency metric (#5208 ) * remove general_rule_latency_type Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove resource_request_operation Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove resource_namespace Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove resource_kind Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix linter Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-11-04 14:31:23 +08:00
Charles-Edouard Brétéché	f52da91b72	fix: early return in policy validation (#5200 ) * fix: early return in policy validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-11-03 09:05:23 +00:00
Charles-Edouard Brétéché	d2658a1bc8	refactor: support Audit and Enforce validation failure actions (#5152 ) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * typo Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update changelog Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-11-01 09:56:52 +00:00
Charles-Edouard Brétéché	e4bf66e756	feat: remove policy mutation for auto-gen rules (#5123 ) * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * Fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * changelog Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-10-25 23:43:46 +00:00
Charles-Edouard Brétéché	5a496ca212	refactor: simplify variables regex (#5075 ) * feat: add simple conformance tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * gh action Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * separate workflow Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix the bug Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix cli test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * improvements Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * improvements Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: variables regex Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-10-21 11:51:14 +08:00
Charles-Edouard Brétéché	ad2cbd3b33	feat: add simple conformance tests (#5073 ) * feat: add simple conformance tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-10-20 12:17:33 +00:00
Shivansh Yadav	becf73227b	validate patchJSON6902 (#4469 ) * validate patchJSON6902 Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> * validate patchJSON6902 Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> * test: validateJSON6902 tests Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> * validate patchJSON6902 Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> * test: validate patchJSON6902 Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com> Signed-off-by: Shivansh Yadav <yadavshivansh@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-10-17 15:25:03 +00:00
Charles-Edouard Brétéché	cb0410dcf1	fix: policy not denied when kinds set is empty (#5016 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-17 14:10:42 +00:00
Pratik Shah	8a0083105d	Added support to specify key signature algorithm in verifyImages (#4855 ) Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Pratik Shah <pratik@infracloud.io>	2022-10-14 05:39:57 +00:00
Charles-Edouard Brétéché	9e933e8d21	fix: set operation in context when necessary (#4940 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-13 19:33:49 +05:30
XDRAGON2002	03c41e7746	[Cleanup] Disable PolicySkipped events (#4913 ) * remove skip events Signed-off-by: Anant Vijay <anantvijay3@gmail.com> * update conditions Signed-off-by: Anant Vijay <anantvijay3@gmail.com> * improve conditions Signed-off-by: Anant Vijay <anantvijay3@gmail.com> * remove redundant function Signed-off-by: Anant Vijay <anantvijay3@gmail.com> Signed-off-by: Anant Vijay <anantvijay3@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-10-13 08:32:20 +00:00
Charles-Edouard Brétéché	b3021f5a57	refactor: openapi controller part 2 (#4910 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-12 22:24:16 +05:30
Charles-Edouard Brétéché	de67a507cd	refactor: openapi controller part 1 (#4901 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-10-12 11:38:48 +00:00
Prateek Pandey	23ab7390a3	fix: hardening policy validation for generate cloneList (#4881 ) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-10-11 23:35:07 +05:30
Charles-Edouard Brétéché	ebe86473fc	feat: use a dedicated policy metrics controller (#4818 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-07 10:53:54 +00:00
ansalamdaniel	27de93a3d2	fix: add policy validation for ValidationFailureActionOverride field (#4784 ) Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>	2022-10-06 06:16:12 +00:00
Charles-Edouard Brétéché	7213abec36	fix: remove reference to controller runtime log (#4779 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-10-03 12:55:39 +02:00
Charles-Edouard Brétéché	209bab2059	refactor: more context less chans (#4764 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-10-03 09:19:01 +00:00
yinka	688b4fb8e3	add package logger in files (#4766 ) * add package logger in files Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add package logger to initContainer and other files Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * helm docs Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * helm default values Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * release notes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-10-02 19:45:03 +00:00
Charles-Edouard Brétéché	9aca37fe9f	refactor: use context in openapi controller (#4760 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-09-30 11:56:47 +00:00
Prateek Pandey	38c252952d	feat: add matchlabel selector support with multiple clone (#4713 ) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-09-28 17:44:38 +02:00
Charles-Edouard Brétéché	e0ab72bb9a	feat: reports v2 implementation (#4608 ) This PR refactors the reports generation code. It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds. The new reports system is based on 4 controllers: Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace) Resources controller is responsible for watching reports that need background scan reports I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong. I also added a flag to split reports in chunks to avoid creating too large resources. Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-09-28 17:15:16 +05:30
Prateek Pandey	9cc1e6b2b3	fix: handle auth permission for cloneList validation (#4684 ) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-09-26 13:23:00 +05:30
Charles-Edouard Brétéché	328fdc8b3d	feat: add feature flag to disable background scan (#4638 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-09-19 12:00:36 +00:00
Vyankatesh Kudtarkar	c7bcd5fadf	Fix multiple crd slowness issue (#4275 ) Signed-off-by: Vyankatesh vyankateshkd@gmail.com * fix multiple crd issue	2022-09-12 16:14:28 +08:00
Prateek Pandey	1cacd0173d	feat: allow cloning multiple resource from a namespace (#4384 )	2022-09-08 04:47:09 +00:00
Charles-Edouard Brétéché	a95d61b9d7	refactor: client wrappers (#4519 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-07 12:01:43 +08:00
Charles-Edouard Brétéché	1947dafed6	fix: load policy and add tests (#4515 ) * fix: load policy and add tests Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix callers Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-09-06 15:16:44 +00:00
Charles-Edouard Brétéché	1e25bfd16f	feat: remove context api call constraints (#4389 ) * feat: add raw api call support Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: remove context api call constraints Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-01 08:30:04 +00:00
ToLToL	1b9a2fca21	Extend Pod Security Admission (#4364 ) * init commit for pss Signed-off-by: ShutingZhao <shuting@nirmata.com> * add test for Volume Type control * add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS() * remove unused code, still a JMESPATH problem with app armor ExemptProfile() * test for Host Process / Host Namespaces controls * test for Privileged containers controls * test for HostPathVolume control * test for HostPorts control * test for HostPorts control * test for SELinux control * test for Proc mount type control * Set to baseline * test for Seccomp control * test for Sysctl control * test for Privilege escalation control * test for Run as non root control * test for Restricted Seccomp control * Add problems to address * add solutions to problems * Add validate rule for PSA * api.Version --> string. latest by default * Exclude all values for a restrictedField * add tests for kyverno engine * code to be used to match kyverno rule's namespace * Refacto pkg/pss * fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers: * EvaluatePod * Use EvaluatePod in kyverno engine * Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[].securityContext.capabilities.add Check if PSSCheckResult matched at least one exclude value * add tests for engine * fix engine validation test * config * update go.mod and go.sum * crds * Check validate value: add PodSecurity * exclude all restrictedFields when we only specify the controlName * ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path * handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded) * refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go * add all controls with containers in restrictedFields as comments * add tests for capabilities and privileged containers and fix some errors * add tests for host ports control * add tests for proc mount control * add tests for privilege escalation control * add tests for capabilities control * remove comments * new algo * refacto algo, working. Add test for hostProcess control * remove unused code * fix getPodWithNotMatchingContainers(), add tests for host namespaces control * refacto ExemptProfile() * get values for a specific container. add test for SELinuxOptions control * fix allowedValues for SELinuxOptions * add tests for seccompProfile_baseline control * refacto checkContainers(), add test for seccomp control * add test for running as non root control * add some tests for runAsUser control, have to update current PSA version * add sysctls control * add allowed values for restrictedVolumes control * add some tests for appArmor, volume types controls * add tests for volume types control * add tests for hostPath volume control * finish merge conflicts and add tests for runAsUser * update charts and crds * exclude.images optional * change volume types control exclude values * add appAmor control * fix: did not match any exclude value for pod-level restrictedFields * create autogen for validate.PodSecurity * clean code, remove logs * fix sonatype lift errors * fix sonatype lift errors: duplication * fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests * beginning of autogen implement for validate.exclude * Autogen for validation.PodSecurity * working autogen with simple tests * change validate.PodSecurity failure response format * make codegen * fix lint errors, remove debug prints * fix tags * fix tags * fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request * Changes requested * Changes requested 2 * Changes requested 3 * Changes requested 4 * Changes requested and make codegen * fix host namespaces control * fix lint * fix codegen error * update docs/crd/v1/index.html Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix path Signed-off-by: ShutingZhao <shuting@nirmata.com> * update crd schema Signed-off-by: ShutingZhao <shuting@nirmata.com> * update charts/kyverno/templates/crds.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com>	2022-08-31 09:16:31 +00:00
Charles-Edouard Brétéché	f243a7dd84	refactor: make toggles easier to define and use (#4456 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-08-31 06:41:14 +00:00

1 2 3 4 5 ...

694 commits