kyverno

mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00

Author	SHA1	Message	Date
Charles-Edouard Brétéché	666bcb3c15	chore: make k8s api import aliases consistent (#3950 ) * chore: make kyverno api import aliases consistent Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * chore: make apimachinery api import aliases consistent Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-17 22:14:31 +08:00
Charles-Edouard Brétéché	97cf1b3e95	feat: gracefull certificates rotation support (#3890 ) * refactor: remove deployment hash on certs secrets Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: add label on kyverno webhooks Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: implement update ca bundle Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * test: set very low validity and expiration intervals Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: writing secret Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * add renew ca Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * decouple ca and tls validity duration Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactored code, everything is in place to finalize implementation Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * use real validity periods Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-05-12 14:07:25 +00:00
Charles-Edouard Brétéché	8f825bb040	refactor: remove deployment hash on certs secrets (#3886 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-11 16:58:14 +02:00
Charles-Edouard Brétéché	2064a69b8a	refactor: make config vars private (#3823 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-11 06:14:30 +00:00
Charles-Edouard Brétéché	22e85209c4	fix: remove code to load CA from kubeconfig (#3860 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-10 16:12:22 +00:00
Charles-Edouard Brétéché	ba4413b25c	refactor: webhookconfig package (part 4) (#3835 )	2022-05-09 16:54:20 +01:00
Charles-Edouard Brétéché	27e7b2d326	refactor: webhookconfig package (part 3) (#3834 ) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: webhook config package (part 2) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: webhookconfig package (part 3) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-09 14:31:35 +00:00
Charles-Edouard Brétéché	af56adb0a6	refactor: webhookconfig package (part 1) (#3831 ) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-08 12:47:49 +01:00
Charles-Edouard Brétéché	972be16ad3	refactor: remove unstructured usage from webhookconfig (#3737 ) * refactor: use typed informers and add tombstone support to webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove unstructured usage from webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-02 18:58:04 +08:00
Charles-Edouard Brétéché	a6924a11ab	refactor: use typed k8s client in tls package (#3678 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-04-26 20:18:14 +00:00
Kumar Mallikarjuna	771d62b735	Added Kyverno specific SharedInformerFactory (#2987 ) * Added Kyverno specific SharedInformerFactory Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Replace ToUnstructured() Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Add GVK to returned resource Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com>	2022-01-18 15:52:48 +00:00
Vyankatesh Kudtarkar	39a299f317	Update labels to fetch cluster role (#2842 )	2021-12-16 07:55:58 +00:00
Vyankatesh Kudtarkar	b7767d79d3	change cluster role labels (#2776 ) * change cluster role labels * change cluster role label value * fix cluster role label issue * fix comment	2021-12-02 15:52:34 +05:30
Vyankatesh Kudtarkar	fa95132806	Fix: Hard-coded ClusterRoleName in OwnerRef breaks (#2718 ) * fix hardcoded clusterrole name * Fix label	2021-11-16 19:32:42 +08:00
Vyankatesh Kudtarkar	6eb7cf57f7	bug fix : Kyverno policies block uninstall of Kyverno (#2659 ) * bug fix uninstall kyverno issue * rename the methods	2021-11-02 23:44:32 -07:00
Bricktop	ab8822963b	Add exclusions to make gosec happy (#2540 ) * Add exclusions to make gosec happy Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Add forgotten file Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>	2021-10-13 15:05:13 -07:00
Sachin	a42e944c22	fix Potential file inclusion via variable (#2523 ) Signed-off-by: slayer321 <sachin.maurya7666@gmail.com>	2021-10-13 10:48:45 -07:00
shuting	b10947b975	Dynamic webhooks (#2425 ) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>	2021-10-05 00:15:09 -07:00
Pooja Singh	ba00ead7f8	adding ownerRef with namespace (#2263 ) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>	2021-08-13 17:07:40 -07:00
Pooja Singh	f9616cbab1	Removing OwnerReference (#2251 ) * removing OwnerReference Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * removing comments Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>	2021-08-10 17:05:20 -07:00
shuting	e9a972a362	feat: HA (#1931 ) * Fix Dev setup * webhook monitor - start webhook monitor in main process Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leaderelection Signed-off-by: Jim Bugwadia <jim@nirmata.com> * - add isLeader; - update to use configmap lock Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add initialization method - add methods to get attributes Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove newContext in runLeaderElection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to GenerateController Signed-off-by: Jim Bugwadia <jim@nirmata.com> * skip processing for non-leaders Signed-off-by: Jim Bugwadia <jim@nirmata.com> * skip processing for non-leaders Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add leader election to generate cleanup controller Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Gracefully drain request * HA - Webhook Register / Webhook Monitor / Certificate Renewer (#1920) * enable leader election for webhook register Signed-off-by: Shuting Zhao <shutting06@gmail.com> * extract certManager to its own process Signed-off-by: Shuting Zhao <shutting06@gmail.com> * leader election for cert manager Signed-off-by: Shuting Zhao <shutting06@gmail.com> * certManager - init certs by the leader Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to webhook monitor Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update log message Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to policy controller Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to policy report controller Signed-off-by: Shuting Zhao <shutting06@gmail.com> * rebuild leader election config Signed-off-by: Shuting Zhao <shutting06@gmail.com> * start informers in leaderelection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * start policy informers in main Signed-off-by: Shuting Zhao <shutting06@gmail.com> * enable leader election in main Signed-off-by: Shuting Zhao <shutting06@gmail.com> * move eventHandler to the leader election start method Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address reviewdog comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add clusterrole leaderelection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixed generate flow (#1936) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * - init separate kubeclient for leaderelection - fix webhook monitor Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address reviewdog comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * cleanup Kyverno managed resources on stopLeading Signed-off-by: Shuting Zhao <shutting06@gmail.com> * tag v1.4.0-beta1 Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix cleanup process on Kyverno stops Signed-off-by: Shuting Zhao <shutting06@gmail.com> * bump kind to 0.11.0, k8s v1.21 (#1980) Co-authored-by: vyankatesh <vyankatesh@neualto.com> Co-authored-by: vyankatesh <vyankateshkd@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Pooja Singh <36136335+NoSkillGirl@users.noreply.github.com>	2021-06-08 12:37:19 -07:00
shuting	c816cf3d69	Add certificate renewer in webhook registration controller (#1692 ) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-03-16 11:31:04 -07:00
Yashvardhan Kukreja	d141f74015	performed cleanups (#1552 )	2021-02-07 21:19:25 -08:00
shuting	39b27a16ed	Reduce throttling requests (GET) (#1522 ) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-02-05 09:58:10 -08:00
shuting	624b481df3	Fix 1351 - policy report (#1359 ) * ignore Kyverno CRDs existence check when server is not available * clean up cluster / reportChangeRequest * resolve PR comments * - fixes #1351; - clean up code * fo fmt	2020-12-04 10:04:46 -08:00
Jim Bugwadia	ec95724e97	update webhook registration and monitor (#1318 ) * update webhook registration and monitor * update log * fix test * improve logs * improve logs * format changes * decrease interval for webhook config checks	2020-11-26 16:07:06 -08:00
Shuting Zhao	cdc5190c56	update nirmata/kyverno to kyverno/kyverno	2020-10-07 11:12:31 -07:00
shuting	931d7cd47c	Set mutating webhhok reinvocationPolicy to IfNeeded (#1097 ) * add watch policy to clusterrole kyverno:customresources * fix build * fix nil pointer * skip json patches if the mutation is re-invoked * set resource mutating webhook invocation policy to IfNeeded	2020-09-03 08:54:37 -07:00
Mohan B E	f60deecdce	Feature/namespaced policy 280 (#1058 ) * namespaced policy crd and cache * modified main.go * removed kyverno * implemented policy violation generator for namespaced policy on audit * modified cache * added validation for cluster resource types * install.yaml * install.yaml * removed namespaces from crd and refactored code * modified NamespacePolicy to Policy * added ClusterRole aggregate for policies * modified clusterrole	2020-08-19 09:07:23 -07:00
shuting	39de46fe39	983 kustomize support (#1026 ) * prototype - strategic merge patch * add end to end test * add engine strategic merge patch support * set webhook reinvocationPolicy to IfNeeded * refactor engine mutate code * support JMESPath in strategic merge patch * implement patchesJson6902 * update doc * resolve pr comments	2020-08-05 09:11:23 -07:00
shivkumar dudhani	d327309d72	refactor logging	2020-03-17 16:25:34 -07:00
shivkumar dudhani	1b1ab78f77	logs & access	2020-03-17 11:05:20 -07:00
Shuting Zhao	b26ed89880	- set failurepolicy of webhookconfiguraitons to ignore; - disable auto-gen on policy disabllow_default_namespace	2020-01-15 18:01:50 -08:00
shivkumar dudhani	1642682aa2	528_add_webhook_defaults	2019-12-04 17:28:39 -08:00
shivkumar dudhani	0ea1d9986a	cleanup resource & policy	2019-12-02 17:15:47 -08:00
shivkumar dudhani	bfb16b0c11	create policy mutating webhook config resouce + refactoring	2019-08-27 14:52:56 -07:00

36 commits