Charles-Edouard Brétéché
b689f1f15c
fix: kind wash in mutate policy helper ( #3698 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-27 19:38:31 +05:30
Vyankatesh Kudtarkar
d72ecd4853
Fix test command git issue ( #3692 )
...
Co-authored-by: shuting <shutting06@gmail.com>
2022-04-27 12:49:40 +01:00
Charles-Edouard Brétéché
a6924a11ab
refactor: use typed k8s client in tls package ( #3678 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-26 20:18:14 +00:00
Charles-Edouard Brétéché
c97af0094f
refactor: config package logger ( #3683 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-26 21:55:24 +02:00
Charles-Edouard Brétéché
8c930134ef
feat: remove deprecated flags ( #3680 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-04-26 14:53:01 +00:00
Vyankatesh Kudtarkar
ae75b97cb7
Fix issue pod should not be ready until the policy cache loaded ( #3646 )
...
* fix issue pod should not be ready until the policy cache loaded.
* remove unused code
* remove testcase
* add test case
* fix issue
* add lister
* fix lift issue
* address comment
2022-04-26 06:26:46 +00:00
Vyankatesh Kudtarkar
4cbfecc0d9
remove Validate Cmd ( #3674 )
2022-04-26 04:03:03 +00:00
Vyankatesh Kudtarkar
56c90fd087
Support context variables when using foreach CLI ( #3637 )
...
* Support context variables when using foreach CLI
* add testcases
2022-04-25 16:36:31 +00:00
shuting
2c4ca04e25
bump to Go 1.17.9 ( #3671 )
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-04-25 13:26:00 +00:00
shuting
2a656f6de0
feat: mutate existing resources ( #3669 )
...
* feat: mutate existing, replace GR by UR in webhook server (#3601 )
* add attributes for post mutation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add UR informer to webhook server
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - replace gr with ur in the webhook server; - create ur for mutateExisting policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* replace gr by ur across entire packages
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add YAMLs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update api docs & fix unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add UR deletion handler
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add api docs for v1beta1
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix clientset method
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix v1beta1 client registration
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* feat: mutate existing - generates UR for admission requests (#3623 )
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* replace with UR in policy controller generate rules (#3635 )
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* - enable mutate engine to process mutateExisting rules; - add unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* implemented ur background reconciliation for mutateExisting policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix webhook update error
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* temporary comment out new unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* feat: mutate existing, replace GR by UR in webhook server (#3601 )
* add attributes for post mutation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add UR informer to webhook server
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - replace gr with ur in the webhook server; - create ur for mutateExisting policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* replace gr by ur across entire packages
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix missing policy.kyverno.io/policy-name label (#3599 )
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* refactor cli code from pkg to cmd (#3591 )
* refactor cli code from pkg to cmd
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixes in imports
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixes tests
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixed conflicts
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* moved non-commands to utils
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* add YAMLs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update api docs & fix unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add UR deletion handler
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add api docs for v1beta1
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix clientset method
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add-kms-libraries for cosign (#3603 )
* add-kms-libraries
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* Shifted providers to cosign package
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add support for custom image extractors (#3596 )
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
* Update vulnerable dependencies (#3577 )
Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix v1beta1 client registration
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* feat: mutate existing - generates UR for admission requests (#3623 )
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* updating version in Chart.yaml (#3618 )
* updating version in Chart.yaml
Signed-off-by: Prateeknandle <prateeknandle@gmail.com>
* changes from, make gen-helm
Signed-off-by: Prateeknandle <prateeknandle@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Allow kyverno-policies to have preconditions defined (#3606 )
* Allow kyverno-policies to have preconditions defined
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix docs
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* replace with UR in policy controller generate rules (#3635 )
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - enable mutate engine to process mutateExisting rules; - add unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* implemented ur background reconciliation for mutateExisting policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix webhook update error
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* temporary comment out new unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Image verify attestors (#3614 )
* fix logs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix logs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* support multiple attestors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* rm CLI tests (not currently supported)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* apply attestor repo
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix entryError assignment
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add intermediary certs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Allow defining imagePullSecrets (#3633 )
* Allow defining imagePullSecrets
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use dict for imagePullSecrets
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Simplify how imagePullSecrets is defined
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Fix race condition in pCache (#3632 )
* fix race condition in pCache
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* refact: remove unused Run function from generate (#3638 )
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* Remove helm mode setting (#3628 )
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* refactor: image utils (#3630 )
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* -resolve lift comments; -fix informer sync issue
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* refact the update request cleanup controller
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* - fix delete request for mutateExisting; - fix context variable substitution; - improve logging
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - enable events; - add last applied annotation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* enable mutate existing on policy creation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update autogen code
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* merge main
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address list comments
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update api docs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix "Implicit memory aliasing in for loop"
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove unused definitions
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update api docs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Shubham Gupta <shubham.gupta2956@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Prateek Nandle <56027872+Prateeknandle@users.noreply.github.com>
Co-authored-by: treydock <tdockendorf@osc.edu>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-25 12:20:40 +00:00
Prateek Pandey
5054148fec
refactor: use the typed ns informer in GR controller ( #3554 )
...
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-04-21 14:12:34 +08:00
Prateek Pandey
11a4884524
refact: remove unused Run function from generate ( #3638 )
...
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-04-20 22:03:25 +08:00
Jim Bugwadia
3b1a1acd9a
Image verify attestors ( #3614 )
...
* fix logs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix logs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* support multiple attestors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* rm CLI tests (not currently supported)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* apply attestor repo
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix entryError assignment
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add intermediary certs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-04-19 08:35:12 -07:00
Mritunjay Kumar Sharma
b815caef5d
refactor cli code from pkg to cmd ( #3591 )
...
* refactor cli code from pkg to cmd
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixes in imports
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixes tests
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixed conflicts
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* moved non-commands to utils
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-04-14 12:20:18 +00:00
Prateek Pandey
9def86c49a
refactor generate controller ( #3589 )
...
* refact generate controller
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* rename the dir to background
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-04-13 12:45:04 +00:00
Shubham Gupta
f70cd4222f
Update hash of dependencies instead of mutable version ( #3582 )
...
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-04-12 10:22:38 +01:00
Charles-Edouard Brétéché
fe0ad3c68f
refactor: add os utils sub package ( #3528 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-04-01 06:59:44 +00:00
Prateek Pandey
bdb675b9c0
feat: generate support for namespace policy ( #3472 )
...
* feat: generate support for namespace policy
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* use policy spec instead
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* refactor the changes
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
* add synced flag for Namespace policies
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-03-29 13:04:33 +00:00
Charles-Edouard Brétéché
20069c13c3
feat: stop mutating rules ( #3410 )
...
* feat: stop adding autogen annotation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* feat: stop mutating rules
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* feat: stop mutating rules
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: use toggle
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: review comments
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-28 22:01:27 +08:00
Charles-Edouard Brétéché
65409890b4
refactor: remove ns lister from webhookconfig ( #3452 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
2022-03-23 16:04:02 +08:00
Charles-Edouard Brétéché
5816144912
feat: use IsReady method ( #3426 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-21 09:18:54 +00:00
Charles-Edouard Brétéché
4136566bd9
feat: add toggle package for feature flags ( #3419 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-18 16:16:42 +00:00
Charles-Edouard Brétéché
865eef248d
feat: stop adding autogen annotation ( #3379 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-18 11:30:49 +00:00
shuting
69518b7c9c
Fix webhook re-creation error ( #3403 )
...
* fix webhook re-creation issue
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix webhook monitor blocking call
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-03-16 15:23:46 +00:00
Rob Best
7a8c19e0cb
Support registry keychain from cloud providers ( #3036 )
...
* Enable cloud provider registry keychains
It's desirable that Kyverno supports using workload identity and other
cloud provider metadata services for registry credentials.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Always initialize registry keychain
This supports using docker configuration on disk and credentials from
cloud providers without having to specify image pull secrets.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Get pull secrets from kyverno service account
It was previously using 'default'. I think it makes more sense to use
the service account that Kyverno actually runs with.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't split empty pull secrets list
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Add KYVERNO_SVC_ACCOUNT to config manifests
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't retrieve secrets from service account
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Reduce scope of keychain changes
Just enable cloud provider keychains.
Signed-off-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-01-26 07:28:36 +00:00
shuting
376a8d3b22
Reduce throttling requests for Kyverno managed resources ( #3016 )
...
* remove resourceCache from the event controller
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* create rcr using typed client to reduce PUT throttling request
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-01-21 18:36:05 +08:00
Kumar Mallikarjuna
e39489f838
SharedInformers for WebhookConfigurations ( #3007 )
...
* SharedInformers for WebhookConfigurations
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Add GVK to typed resources
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Remove ToUnstructured()
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Remove default informers from Resource Cache
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Formatted files
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
2022-01-19 15:57:32 +00:00
Abhinav Sinha
b5341b685d
Support namespaceSelector with dynamic webhook enabled ( #2953 )
...
* Support `namespaceSelector` with dynamic webhook enabled
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Implemented suggested changes
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Implemented suggest changes
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
2022-01-19 07:59:08 +00:00
Naman Lakhwani
1580837526
refactoring github actions to remove duplication and enhancement for versioned sbom's ( #2979 )
...
* initial commit
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* adding docker-buildx-builder to makefile
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* reverting git describe in makefile
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* uploading sbom for each kyverno image
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* small nits
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* scanning image before pushing and removed cosign.pub
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
2022-01-18 15:07:59 -08:00
Kumar Mallikarjuna
771d62b735
Added Kyverno specific SharedInformerFactory ( #2987 )
...
* Added Kyverno specific SharedInformerFactory
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Replace ToUnstructured()
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Add GVK to returned resource
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
2022-01-18 15:52:48 +00:00
shuting
b6447e0649
Remove resourceCache from engine ( #3013 )
...
* update log messages
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove resourceCache from the background controller when:
- register resource scope
- list resources per namespace
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - use client call for configmap lookup;
- remove resourceCache from policy controller, webhook server and generate controller
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-01-18 12:59:35 +00:00
shuting
de6c6f2199
cherry-pick #2980 ( #3001 )
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-01-17 13:00:39 +00:00
Sambhav Kothari
1af9e48b0d
Add image data to validate image configs ( #2946 )
...
* Add image data to validate image configs
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add tests for image context
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add e2e test cases for image size policy
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-01-17 04:06:44 +00:00
Boojapho
c8e93356fe
chore: bump golang to 1.7.6 in dockerfiles ( #2968 )
...
Signed-off-by: Michael McLeroy <michaelmcleroy@cloudfitsoftware.com>
Co-authored-by: Michael McLeroy <michaelmcleroy@cloudfitsoftware.com>
Co-authored-by: shuting <shutting06@gmail.com>
2022-01-14 07:57:33 +00:00
Kumar Mallikarjuna
037a320fba
Added TLS annotation check in the initContainer ( #2956 )
...
* Added TLS annotation check in the initContainer
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Error checks
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Refactor annotation addition code
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Strict error reporting
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Error handling for Secrets
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Updated error conditions
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Update for nil error
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
2022-01-11 08:47:24 +00:00
Jim Bugwadia
a9fef256c7
updates for foreach and mutate ( #2891 )
...
* updates for foreach and mutate
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* allow tests to pass on Windows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add elementIndex variable
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix jsonResult usage
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add mutate validation and fix error in validate.foreach
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* do not skip validation for all array entries when one is skipped
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add foreach tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix format errors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove unused declarations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert namespaceWithLabelYaml
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix mutate of element list
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update CRDs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Update api/kyverno/v1/policy_types.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/validate/validate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/validate/validate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update test/cli/test/custom-functions/policy.yaml
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update test/cli/test/foreach/policies.yaml
Co-authored-by: Steven E. Harris <seh@panix.com>
* accept review comments and format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add comments to strategicMergePatch buffer
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* load context and evaluate preconditions foreach element
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add test for foreach mutate context and precondition
* precondition testcase
* address review comments
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Steven E. Harris <seh@panix.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-01-05 09:36:33 +08:00
Frank Jogeleit
abb5bd2947
Add SelectorLabel to (Cluster)PolicyReporter resources ( #2841 )
...
Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>
Co-authored-by: shuting <shutting06@gmail.com>
2021-12-17 05:03:52 +00:00
Sebastian Widmer
80664d339f
Add command-line flags to allow setting client rate limits (QPS/Burst) ( #2797 )
...
* Add `-clientRateLimitQPS` and `-clientRateLimitBurst` flags to allow controlling client rate limits.
Signed-off-by: Sebastian Widmer <sebastian.widmer@vshn.net>
* Return error if QPS is higher than max value of float32
Signed-off-by: Sebastian Widmer <sebastian.widmer@vshn.net>
2021-12-08 14:03:07 +01:00
Marcus Noble
1966c82c6d
Fix various go lint issues ( #2639 )
...
* Fix various go lint issues
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Fix if mistake
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Simplified returns
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
2021-10-29 17:06:03 +02:00
Siddharth Lal
11a9eb3fb9
switched to default serve mux ( #2592 )
...
Signed-off-by: Siddharth Lal <siddharthlal25@gmail.com>
2021-10-26 16:09:07 -07:00
shuting
0ee045be4f
update Golang base image to 1.17.2 ( #2596 )
...
Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-25 21:32:07 -07:00
Jim Bugwadia
36763d8cc2
Merge pull request #2536 from ShubhamPalriwala/signature-and-sbom-repo
...
Shift Image signatures and SBOM to different repo
2021-10-15 07:09:44 -07:00
Bricktop
ab8822963b
Add exclusions to make gosec happy ( #2540 )
...
* Add exclusions to make gosec happy
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
* Add forgotten file
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
2021-10-13 15:05:13 -07:00
ShubhamPalriwala
5417b9d3c1
feat: shift sigs and sbom
...
Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
2021-10-13 21:34:04 +05:30
Kumar Mallikarjuna
254be4c1d3
Leader Election for initContainer ( #2489 )
...
* Local build
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Leader Election for initContainer
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Lease deletion
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Use wrc client
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* log error out
Signed-off-by: ShutingZhao <shutting06@gmail.com>
Co-authored-by: ShutingZhao <shutting06@gmail.com>
2021-10-06 16:12:07 -07:00
Anushka Mittal
efe0c28f6b
Fixes port names in flags ( #2490 )
...
* fixed port names in flags
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* minor fixes
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
2021-10-06 14:41:07 -07:00
treydock
b460490984
Improve init container to use DeleteCollection to remove policy reports ( #2477 )
...
* Improve init container to use DeleteCollection to remove policy reports
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Do not use go routine for each namespace
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
2021-10-06 11:25:38 -07:00
shuting
c2751828d1
update the flag to "autoUpdateWebhooks" ( #2482 )
...
Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-06 11:24:51 -07:00
Anushka Mittal
3914c513a8
Changing flag names for consistency ( #2467 )
...
* changing flag names for consistency
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* changes for backward compatibility
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* updated the CHANGELOG.md
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
2021-10-06 10:32:48 -07:00
shuting
b10947b975
Dynamic webhooks ( #2425 )
...
* support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* - add failurePolicy to policy spec; - fix typo
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* - add schema validation for failurePolicy; - add a printer column
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* set default failure policy to fail if not defined
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* resolve conflicts
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* fix missing type for printerColumn
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* refactor policy controller
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* add webhook config manager
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* - build webhook objects per policy update; - add fail webhook to default webhook configurations
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* fix panic on policy update
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* - set default webhook configs rule to empty; - handle policy deletion
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* reset webhook config if policies with a specific failurePolicy are cleaned up
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* handle wildcard policy
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* update default webhook timeout to 10s
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* cleanups
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* added webhook informer to re-create it immediately if missing
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* update tag webhookTimeoutSeconds description
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* fix e2e tests
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* fix linter issue
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* correct metric endpoint
Signed-off-by: ShutingZhao <shutting06@gmail.com>
* add pol.generate.kind to webhooks
Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 00:15:09 -07:00
Jim Bugwadia
23af42dc92
allow alternate image repositories ( #2393 )
...
* allow alternate image repositories
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* generate CRD YAMLs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-09-16 16:11:38 -07:00
Yashvardhan Kukreja
5fcd9b83d9
added: support for metrics configuration, periodic metrics cleanup and selective namespace whitelisting and blacklisting for metrics ( #2288 )
...
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-09-10 14:39:12 -07:00
Frank Jogeleit
c522343c03
Update PolicyReport CRDs to wgpolicyk8s.io/v1alpha2 ( #1825 )
2021-08-21 10:35:17 -07:00
Jim Bugwadia
7e053cccd7
Merge branch 'main' of https://github.com/kyverno/kyverno into main
2021-07-20 21:49:53 -07:00
shuting
b2515fa9eb
Add default image registry to patched resource ( #2166 )
2021-07-20 21:20:37 -07:00
Jim Bugwadia
1fdb49e47a
fix typo
...
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-07-20 09:29:58 -07:00
Jim Bugwadia
003c865ab9
deprecate policy status ( #2136 )
...
* deprecate policy status
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove policy status tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix generate metrics
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-07-14 12:18:59 -07:00
Jim Bugwadia
13caaed8b7
Feature/cosign ( #2078 )
...
* add image verification
* inline policy list
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* cosign version and dependencies updates
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add registry initialization
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add build tag to exclude k8schain for cloud providers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add build tag to exclude k8schain for cloud providers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* generate deep copy and other fixtures
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix deep copy issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* mutate images to add digest
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add certificates to Kyverno container for HTTPS lookups
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align flag syntax
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update docs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update dependencies
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update dependencies
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* patch image with digest and fix checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* hardcode image for demos
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add default registry (docker.io) before calling reference.Parse
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix definition
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* increase webhook timeout
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix args
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* run gofmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* rename for clarity
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix HasImageVerify check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter error
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle API conflict and retry
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix reviewdog issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix make for unit tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* improve error message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix durations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle errors in tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* print policy name
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add retries and duration to error log
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix time check in tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* round creation times in test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix retry loop
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove timing check for policy creation
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix e2e error - policy not found
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update string comparison method
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix test Generate_Namespace_Label_Actions
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add debug info for e2e tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix error
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix generate bug
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add check for update operations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* increase time for deleting a resource
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Shuting Zhao <shutting06@gmail.com>
2021-07-09 18:01:46 -07:00
Valentin Velkov
63f4c9a884
Configurable success events on policies & resources. Generating failure events on policies by default. ( #1939 )
...
* Remove unused event.Reason const
Signed-off-by: Velkov <valentin.velkov@sap.com>
* Generate failure events on policies
Signed-off-by: Velkov <valentin.velkov@sap.com>
* Generate success events on policy
Signed-off-by: Velkov <valentin.velkov@sap.com>
* Introduce 'generateSuccessEvents' flag
Signed-off-by: Velkov <valentin.velkov@sap.com>
* Unit tests & chart fix
Signed-off-by: Velkov <valentin.velkov@sap.com>
2021-06-29 14:43:11 -07:00
shuting
6f07ea407f
Customize namespaceSelector of Webhookconfigurations ( #2003 )
...
* customize namespaceSelector of webhook configurations from configMap
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update webhook configurations based on UPDATEs of Kyverno ConfigMap
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* register webhook configurations with the namespaceSelector from ConfigMap
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* address golint comment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* validate webhooks config format
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix NotDefined scenario
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-06-14 13:01:40 -07:00
Vineeth Reddy
6d2cb87370
change min support kubernetes version to 1.16 for kyverno 1.4 ( #1935 )
...
* change min support kubernetes version to 1.16 for kyverno 1.4
Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>
* migrate deployment to apps/v1
Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>
2021-06-08 13:14:28 -07:00
shuting
e9a972a362
feat: HA ( #1931 )
...
* Fix Dev setup
* webhook monitor - start webhook monitor in main process
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add leaderelection
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* - add isLeader; - update to use configmap lock
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* - add initialization method - add methods to get attributes
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* address comments
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* remove newContext in runLeaderElection
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add leader election to GenerateController
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* skip processing for non-leaders
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* skip processing for non-leaders
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add leader election to generate cleanup controller
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Gracefully drain request
* HA - Webhook Register / Webhook Monitor / Certificate Renewer (#1920 )
* enable leader election for webhook register
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* extract certManager to its own process
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* leader election for cert manager
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* certManager - init certs by the leader
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add leader election to webhook monitor
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update log message
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add leader election to policy controller
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add leader election to policy report controller
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* rebuild leader election config
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* start informers in leaderelection
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* start policy informers in main
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* enable leader election in main
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* move eventHandler to the leader election start method
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* address reviewdog comments
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add clusterrole leaderelection
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixed generate flow (#1936 )
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* - init separate kubeclient for leaderelection - fix webhook monitor
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* address reviewdog comments
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* cleanup Kyverno managed resources on stopLeading
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* tag v1.4.0-beta1
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix cleanup process on Kyverno stops
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* bump kind to 0.11.0, k8s v1.21 (#1980 )
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
Co-authored-by: vyankatesh <vyankateshkd@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Pooja Singh <36136335+NoSkillGirl@users.noreply.github.com>
2021-06-08 12:37:19 -07:00
Yashvardhan Kukreja
b0ef84c581
added e2e tests: ensuring the availability of kyverno's prometheus metrics-server
...
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-05-24 08:09:17 +05:30
Yashvardhan Kukreja
bb80e1b641
added: initial prometheus client setup
...
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-05-16 13:06:14 +05:30
shuting
e9952fbaf2
Remove secret from default resourceCache ( #1878 )
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-05-04 22:10:01 -07:00
Vyankatesh Kudtarkar
ab8d077384
Fix Dev setup ( #1815 )
...
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2021-04-21 12:35:13 -07:00
Shuting Zhao
4d01f76797
- fix variable validation; - update log level
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-31 13:24:36 -07:00
treydock
0131f375f1
Register webhooks only once service endpoint is ready ( #1741 )
...
* Register webhooks only once service endpoint is ready
Fixes #1740
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Wait for webhook to become ready in main loop
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Better error handling and logging around checking endpoint
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Log soft failure as info, remove redundant return
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
2021-03-30 13:46:01 -07:00
shuting
fd9acf21a7
Auto-recover policy report ( #1730 )
...
* auto-recover policy report
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add flag background-scan to tune this interval
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* cleanup webhook configurations when Kyverno deployment is deleted
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* reconcile policy reports if Kyverno Configmap changes
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-25 12:28:03 -07:00
shuting
c08843ef77
Add Images info to variables context ( #1725 )
...
* - remove supportMutateValidate; - refactor new context in the webhook
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add ImageInfo to variables context
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* revert unexpected changes
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-23 10:34:03 -07:00
Shuting Zhao
c3360b7389
make the number of generate workers configurable
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-22 19:14:06 -07:00
shuting
c816cf3d69
Add certificate renewer in webhook registration controller ( #1692 )
...
* load TLS pair from existing secret, if applicable
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* remove Kyverno managed secrets during shutdown
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* - add certificate renewer; - re-structure certificate package
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* commit un-saved file
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* eliminate throttling requests while registering webhook configs
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* disable webhook monitor (in old pod) during rolling update
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* remove webhook cleanup logic from init container
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update PR template
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update link to the website repo
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update repo name
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
shuting
70d90ffb06
- remove preProcessJSONPatches; - update local Dockerfile ( #1703 )
...
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-15 10:29:46 -07:00
shuting
c8a41d83f7
Update Dockerfile; remove securityContext runAsUser ( #1695 )
...
* - run Kyverno with specific uid; - remove "runAsUser" from deployment manifest
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add LD_FLAGS when push Kyverno images
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* start Kyverno with UID 10001
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update initContainer and CLI Dockerfiles
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-10 14:47:09 -08:00
Raj Babu Das
0b832a038d
Adding multi arch support in all kyverno components (AMD6 and ARM64) ( #1542 )
...
* Adding multi arch support
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding multi arch support
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* minor refactors
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* adding buildx action in e2e.yaml
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding kyvernopre
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding kyvernopre
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding amd build
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding go env
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* minor fix
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* removing docker tag
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding local dockerfile build command
Signed-off-by: rajdas98 <mail.rajdas@gmail.com>
2021-02-18 18:09:01 -08:00
shuting
2f2d6c2e38
Upgrade client libraries to 0.20.2 ( #1547 )
...
* upgrade clients to 0.20.2
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* remove debug log
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix unit tests
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix e2e test
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-07 20:26:56 -08:00
shuting
bd44dbff41
Reduce RCR Throttling ( #1545 )
...
* buffer report change requests
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix clusterReportChangeRequest
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* further reduce RCRs in background scan
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-07 19:46:50 -08:00
shuting
39b27a16ed
Reduce throttling requests (GET) ( #1522 )
...
* add resource lister to even handler
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* use lister to get Kyverno deployment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add lister for webhook configs
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-05 09:58:10 -08:00
Pooja Singh
32522e7827
namespace selector ( #1532 )
...
* updated crd with namespace selector
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added logic for validate
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added condition in utils for namespace labels
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added function for extracting namespace label using lister
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added logic for generate
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added lister in generate
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* commented generate controller changes
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns lister
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label in apply.go
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label in generation.go
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label in mutation.go
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added ns label for validation
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* using dynamic informer
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-02-03 13:09:42 -08:00
Jim Bugwadia
e8e3b93a5f
api server lookups ( #1514 )
...
* initial commit for api server lookups
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* initial commit for API server lookups
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images (#1495 )
* Dockerfile refactored
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Adding non-root commands to docker images and enhanced the dockerfiles
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing base image to scratch
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Minor typo fix
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing dockerfiles to use /etc/passwd to use non-root user'
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert cli image name (#1507 )
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Refactor resourceCache; Reduce throttling requests (background controller) (#1500 )
* skip sending API request for filtered resource
* fix PR comment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixes https://github.com/kyverno/kyverno/issues/1490
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix bug - namespace is not returned properly
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* reduce throttling - list resource using lister
* refactor resource cache
* fix test
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix label selector
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix build failure
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix merge issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix unit test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add nil check for API client
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Raj Babu Das <mail.rajdas@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
2021-02-01 12:59:13 -08:00
shuting
c692263177
Refactor resourceCache; Reduce throttling requests (background controller) ( #1500 )
...
* skip sending API request for filtered resource
* fix PR comment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixes https://github.com/kyverno/kyverno/issues/1490
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix bug - namespace is not returned properly
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* reduce throttling - list resource using lister
* refactor resource cache
* fix test
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix label selector
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix build failure
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-01-29 17:38:23 -08:00
Raj Babu Das
9da94d5220
Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images ( #1495 )
...
* Dockerfile refactored
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Adding non-root commands to docker images and enhanced the dockerfiles
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing base image to scratch
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Minor typo fix
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing dockerfiles to use /etc/passwd to use non-root user'
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
2021-01-29 11:58:07 -08:00
Jim Bugwadia
05da4190f8
handle discovery errors for metrics API group ( #1494 )
...
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-01-24 11:34:02 -08:00
shuting
62a4a3a7da
Reduce throttling - skip sending API request for filtered resources ( #1489 )
...
* skip sending API request for filtered resource
* fix PR comment
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fixes https://github.com/kyverno/kyverno/issues/1490
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-01-21 18:58:53 -08:00
shuting
d82f19be4e
Feature/fix dev mode execution ( #1477 )
...
* add serverIP to X.509 certificate SANs
* disable webhook monitor in debug mode
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2021-01-20 15:25:27 -08:00
shuting
3908808e7a
Rename filterK8Resources to filterK8sResources ( #1452 )
...
* Remove lock embedded in CRD controller, use concurrent map to store schemas
* delete rcr info from data store
* skip policy validation on status update
* - remove status check in policy mutation; - fix test
* Remove fqdncn flag
* add flag profiling port
* skip policy mutation & validation on status update
* sync policy status every minute
* update log messages
* rename filterK8Resources to filterK8sResources
2021-01-07 11:27:50 -08:00
shuting
52d091c5a3
Improve / clean up code ( #1444 )
...
* Remove lock embedded in CRD controller, use concurrent map to store schemas
* delete rcr info from data store
* skip policy validation on status update
* - remove status check in policy mutation; - fix test
* Remove fqdncn flag
* add flag profiling port
* skip policy mutation & validation on status update
* sync policy status every minute
* update log messages
2021-01-06 16:32:02 -08:00
shuting
35aa3149c8
Remove lock embedded in CRD controller, use concurrent map to store schemas ( #1441 )
2021-01-04 23:17:17 -08:00
NoSkillGirl
c66e2a7058
adding label to clone source
2020-12-29 18:04:20 +05:30
NoSkillGirl
1412b922f7
folder structure refactoring
2020-12-29 16:47:54 +05:30
NoSkillGirl
dfaeaa7f8e
add labels update fix
2020-12-29 16:35:48 +05:30
NoSkillGirl
9913af0253
adding GR for older GR's
2020-12-29 15:35:12 +05:30
NoSkillGirl
53e2e38cd3
enqueuing gr on getting deleted
2020-12-24 12:28:32 +05:30
shuting
3c5f9f8888
1398 - Reduce RCR throttling requests ( #1406 )
...
* reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR
* - refactor policy controller; - fix RCR issue
* - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests
* update CRD schema
* fix typo
2020-12-21 11:04:19 -08:00
Pooja Singh
bff7229678
1345 use GR lister ( #1387 )
...
* improved log message
* added lister for GR
* added label to GR
* added wait for cache is sync
2020-12-14 14:52:13 -08:00
shuting
39421ca6e9
Reduce RCR throttling requests ( #1376 )
...
* reduce RCR throttling requests
* update logger in init container
2020-12-09 09:29:52 -08:00
shuting
c1764a85d1
1370 clean up stale RCRs ( #1373 )
...
* remove env "POLICY-TYPE"
* clean up resource in goroutine
* clean up stale RCRs on namespace deletion
* go vet
* clean up code
2020-12-08 23:04:16 -08:00
shuting
630a9cc94c
Fix Kyverno crash when CRD is not installed ( #1353 )
...
* ignore Kyverno CRDs existence check when server is not available
* clean up cluster / reportChangeRequest
* resolve PR comments
2020-12-03 19:19:36 -08:00
shuting
2ec5a0fa42
1319 fix throttling ( #1348 )
...
* fix policy status and generate controller issues
* shorten ACTION column name
* update logs
* improve naming
* add temp logs for troubleshooting
* cleanup logs
* apply generate policy to old & new resource in webhook
* cleanup log messages
* cleanup log messages
* cleanup log messages
* fix clean up of policy report in init container
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-12-01 12:30:08 -08:00
Shuting Zhao
6e1be1c901
fix https://github.com/kyverno/kyverno/issues/1324
2020-11-30 12:54:48 -08:00
Jim Bugwadia
2344b2c305
1319 fix throttling ( #1341 )
...
* fix policy status and generate controller issues
* shorten ACTION column name
* update logs
Co-authored-by: Shuting Zhao <shutting06@gmail.com>
2020-11-30 11:22:20 -08:00
Jim Bugwadia
ec95724e97
update webhook registration and monitor ( #1318 )
...
* update webhook registration and monitor
* update log
* fix test
* improve logs
* improve logs
* format changes
* decrease interval for webhook config checks
2020-11-26 16:07:06 -08:00
Shuting Zhao
2292bf860b
update policyreport group to wgpolicyk8s.io
2020-11-11 15:09:07 -08:00
shuting
5e07ecc5f3
Add Policy Report ( #1229 )
...
* add report in cli
* policy report crd added
* policy report added
* configmap added
* added jobs
* added jobs
* bug fixed
* added logic for cli
* common function added
* sub command added for policy report
* subcommand added for report
* common package changed
* configmap added
* added logic for kyverno cli
* added logic for jobs
* added logic for jobs
* added logic for jobs
* added logic for cli
* bug fix
* cli changes
* count bug fix
* docs added for command
* go fmt
* refactor codebase
* remove policy controller for policyreport
* policy report removed
* bug fixes
* bug fixes
* added job trigger if needed
* job deletion logic added
* build failed fix
* fixed e2e test
* remove hard coded variables
* packages added
* improvement added in jobs scheduler
* policy report yaml added
* cronjob added
* small fixes
* remove background sync
* documentation added for report command
* remove extra log
* small improvement
* tested policy report
* revert hardcoded changes
* changes for demo
* demo changes
* resource aggregation added
* More changes
* More changes
* - resolve PR comments; - refactor jobs controller
* set rbac for jobs
* add clean up in job controller
* add short names
* remove application scope for policyreport
* move job controller to policyreport
* add report logic in command apply
* - update policy report types; - upgrade k8s library; - update code gen
* temporarily comment out code to pass CI build
* generate / update policyreport to cluster
* add unit test for CLI report
* add test for apply - generate policy report
* fix unit test
* - remove job controller; - remove in-memory configmap; - clean up kustomize manifest
* remove dependency
* add reportRequest / clusterReportRequest
* clean up policy report
* generate report request
* update crd clusterReportRequest
* - update json tag of report summary; - update definition manifests; - fix dclient creation
* aggregate reportRequest into policy report
* fix unit tests
* - update report summary to optional; - generate clusterPolicyReport; - remove reportRequests after merged to report
* remove
* generate reportRequest in kyverno namespace
* update resource filter in helm chart
* - rename reportRequest to reportChangeRequest; -rename clusterReportRequest to clusterReportChangeRequest
* generate policy report in background scan
* skip generating report change request if there's entry results
* fix results entry removal when policy / rule gets deleted
* rename apiversion from policy.kubernetes.io to policy.k8s.io
* update summary.* to lower case
* move reportChangeRequest to kyverno.io/v1alpha1
* remove policy report flag
* fix report update
* clean up policy violation CRD
* remove violation CRD from manifest
* clean up policy violation code - remove pvGenerator
* change severity fields to lower case
* update import library
* set report category
Co-authored-by: Yuvraj <yuvraj.yad001@gmail.com>
Co-authored-by: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-11-09 11:26:12 -08:00
Jim Bugwadia
48b98bd17b
allow text after patch versions ( #1230 )
2020-11-02 22:14:36 -08:00
Shuting Zhao
cdc5190c56
update nirmata/kyverno to kyverno/kyverno
2020-10-07 11:12:31 -07:00
Mohan B E
51ac382c6c
Feature/configmaps var 724 ( #1118 )
...
* added configmap data substitution for foreground mutate and validate
* added configmap data substitution for foreground mutate and validate fmt
* added configmap lookup for background
* added comments to resource cache
* added configmap data lookup in preConditions
* added parse strings in In operator and configmap lookup docs
* added configmap lookup docs
* modified configmap lookup docs
2020-09-22 14:11:49 -07:00
Yuvraj
b7524467a3
Reconcile Generate request on policy update ( #1096 )
...
* policy report crd added
* added namespaced rule
* remove extra field from crd
* revert crd change
* remove policy report changes
* remove policy report changes
* remove policy report changes
* remove policy report changes
* added logic for gr
* revert changes
* fixed generate rules
* fixed generate rules
* fixed generate rules
* fixed generate rules
* remove extra logs
* remove extra logs
* fixed e2e test
* remove extra logs
* crd issue resolved
* added check for sync
* add labels update
* add label update
* added permission to role
* roles added to helm
* roles added to helm
2020-09-03 14:34:23 -07:00
NoSkillGirl
afc340ea5f
removed todo
2020-09-01 08:41:59 +05:30
NoSkillGirl
b61412ca7a
minor validation changes
2020-08-31 18:18:10 +05:30
Yuvraj
b648c2edd6
Events take several minutes to show on the resource ( #1083 )
...
* git action added
* changed retry method
* remove time method
* increase worker for event generator
2020-08-26 14:28:34 +05:30
NoSkillGirl
afe98bb93c
Added set flag
2020-08-22 01:07:03 +05:30
Yuvraj
06148a58c5
cli docker images added ( #1073 )
...
* cli docker images added
* cli docker images added
2020-08-21 09:45:04 -07:00
Mohan B E
f60deecdce
Feature/namespaced policy 280 ( #1058 )
...
* namespaced policy crd and cache
* modified main.go
* removed kyverno
* implemented policy violation generator for namespaced policy on audit
* modified cache
* added validation for cluster resource types
* install.yaml
* install.yaml
* removed namespaces from crd and refactored code
* modified NamespacePolicy to Policy
* added ClusterRole aggregate for policies
* modified clusterrole
2020-08-19 09:07:23 -07:00
shuting
d6062fdd47
Add go fmt ( #1055 )
...
* remove empty flag
* format code
* revert change in install.yaml
2020-08-14 12:21:06 -07:00
Yuvraj
73840e3c5f
configurable rules added ( #1017 )
...
* configurable rules added
* fix exclude group logic from code
* flag added in yaml
* exclude username added
* exclude username added
* config interface implemented
* configure exclude username
* get role ref
* test case fixed
* panic fix
* move from interface to slice
* exclude added in mutate
* trim strings
* configmap changes added
* kustomize changes for configmap
* k8s resources added
2020-08-07 17:09:24 -07:00
Mohan B E
a14828246d
Feature/api version 852 ( #1028 )
...
* apiVersion support for generate
* added apiVersion to crds
2020-08-07 09:47:33 +05:30
evalsocket
26ae7e2052
merge master changes
2020-07-10 15:25:05 -07:00
evalsocket
014db64ed2
validation added for deny request for generated resource
2020-07-10 11:48:27 -07:00
shuting
87fa77fbcc
965 add validate audit handler ( #967 )
...
* store policy names cache to reduce lookup time
* add validate audit handler
* fix #958 , remove auto-gen annotation on Pod
* formatting code
* update processTime to readable format
* #586 , add back unit test
* update logging info
* remove unused interface
* handle generate policy in a single thread in webhook
* resolve pr comments
2020-07-09 11:48:34 -07:00
shuting
ed52bd3d9f
Add policy cache based on policyType ( #960 )
...
* add policy cache based on policyType
* fetch policy from cache in webhook
* add unit test for policy cache
* update log for exclude resources filter
* skip webhook mutation on DELETE operation
* remove duplicate k8s version check
* add description
2020-07-02 12:49:10 -07:00
Shuting Zhao
2550f4c86d
- enable profiling; - update install.yaml
2020-06-02 16:50:51 -07:00
Jim Bugwadia
5cdcbec3c9
Bugfix/1.1.6 adjust resync and cleanup unused ( #884 )
...
* - support wildcards for namespaces
* do not annotate resource, unless policy is an autogen policy
* close HTTP body
* improve messages
* remove policy store
Policy store was not fully implemented and simply provided a way
to list all policies and get a policy by name, which can be done via
standard client-go interfaces.
We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.
* handle wildcard namespaces in background processing
* fix unit tests 1) remove platform dependent path usage 2) remove policy store
* add test case for mutate with wildcard namespaces
* adjust all resync periods
* remove unused data fields
* add pattern for match
2020-05-27 19:51:34 -07:00
Jim Bugwadia
838d02c475
Bugfix/659 support wildcards for namespaces ( #871 )
...
* - support wildcards for namespaces
* do not annotate resource, unless policy is an autogen policy
* close HTTP body
* improve messages
* remove policy store
Policy store was not fully implemented and simply provided a way
to list all policies and get a policy by name, which can be done via
standard client-go interfaces.
We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.
* handle wildcard namespaces in background processing
* fix unit tests 1) remove platform dependent path usage 2) remove policy store
* add test case for mutate with wildcard namespaces
2020-05-26 10:36:56 -07:00
Shuting Zhao
74387d2ee4
Fix CI
2020-05-18 20:10:30 -07:00
Yuvraj
277402ba4c
Feature - Add checks for k8s version when Kyverno starts ( #831 )
...
* Added k8s version check for mutating and validating
* version check added
* middleware added
* format
* Added timeout flag value to webhook server timeout middleware and refactored kubernetes version check
* Fixed test cases
* Removed log
* Update kubernetes version check
* Added check for mutate and validate
* Skip Validation in handleValidateAdmissionRequest if kubernetes version is below 1.14
* Update return object AdmissionResponse
* fixed condition for skipping mutation
* Handle condition for skip feature in case of kubernetes version 1.14.2
2020-05-18 17:00:52 -07:00
Jim Bugwadia
573eb9cf13
increase worker count for policyController
2020-05-17 14:48:17 -07:00
Jim Bugwadia
bc37d27de6
remove unnecessary comments and reduce cache resync intervals
2020-05-17 09:51:18 -07:00
shravan
20b161a270
765 resolved merge conflicts
2020-03-29 09:09:26 +05:30
shravan
91223deae2
754 resolved merge conflicts
2020-03-28 16:43:19 +05:30
shravan
b5af456f64
Revert "754 merge conflicts"
...
This reverts commit 39f75db435.
2020-03-28 16:36:19 +05:30
shravan
39f75db435
754 merge conflicts
2020-03-28 16:30:18 +05:30
shravan
6efe0252a3
765 save commit
2020-03-27 19:06:06 +05:30
shravan
2443a9997d
754 crds can be immediately validated on startup - changed locks so as to not timeout requests
2020-03-25 02:00:30 +05:30
shivkumar dudhani
4320111c5c
fix logs api
2020-03-20 11:43:21 -07:00
shivkumar dudhani
e6e5bbb603
Merge branch 'master' into access_check
2020-03-17 17:23:18 -07:00
shivkumar dudhani
d327309d72
refactor logging
2020-03-17 16:25:34 -07:00
shivkumar dudhani
1b1ab78f77
logs & access
2020-03-17 11:05:20 -07:00
shuting
2768574a39
Merge pull request #737 from shravanshetty1/536_extend_cli_v3
...
#536 - kyverno CLI
2020-03-16 09:54:27 -07:00
shravan
892f8c7040
527 resolving merge conflicts
2020-03-13 10:01:50 +05:30
shravan
9656975b5a
527 renamed package and send listener instead of entire sync object
2020-03-07 12:53:37 +05:30
shravan
1fa88e0dd0
536 working cli
2020-03-06 03:00:18 +05:30
shravan
888d2ae171
522 save commit
2020-03-04 19:16:26 +05:30
shravan
40e92ebacf
527 decoupling sender and receiver
2020-02-29 22:39:27 +05:30
shravan
053ccde6b8
527 stopCh changes
2020-02-29 17:19:00 +05:30
shravan
4c573bd3c7
527 ci fixes
2020-02-25 21:07:00 +05:30
shravan
d32cd9363e
527 save commit
2020-02-25 20:55:07 +05:30
shravan
36e775edb0
527 resolved merge conflicts
2020-02-24 20:19:28 +05:30
shravan
d080aa18ce
527 prototype changes to handle generate stats - also changes made to handle stats such as violation count and generated resources count - currently untested
2020-02-24 20:12:39 +05:30
shravan
d758a4ad45
527 added accurate violation Count
2020-02-23 23:24:18 +05:30
shravan
592df74c57
527 tested mutate needs further testing
2020-02-22 23:35:02 +05:30
shravan
a15a741cb4
527 save commit
2020-02-22 16:57:00 +05:30
shivkumar dudhani
14609ae7d9
remove cli(revert changes)
2020-02-20 15:27:10 -08:00
shivkumar dudhani
9b38289a84
remove openapi validation(manual revert)
2020-02-20 15:09:20 -08:00
shuting
cf59326c64
Merge pull request #701 from nirmata/700_bug
...
add kubernetes server version check
2020-02-18 10:01:30 -08:00
shravan
15656a0518
536 resolving merge conflicts
2020-02-15 22:32:42 +05:30
shravan
b5e5f3eeda
527 save commit
2020-02-15 16:38:59 +05:30
shivkumar dudhani
9ab92ecc0a
fix build errors- fakeclient implementation
2020-02-14 18:20:12 -08:00
shivkumar dudhani
2687ffcbee
add kubernetes server version check
2020-02-14 18:12:28 -08:00
shravan
1f0582baf3
Merge branch 'master' into 522_validate_policy_resource_data
2020-02-09 21:25:49 +05:30
shravan
f0a8b20668
253 resolving merge conflicts
2020-02-06 08:14:35 +05:30
Jim Bugwadia
a1b49f72a3
fix gofmt and golint issues ( #667 )
...
* fix gofmt and golint issues
* add keys to structs
* fix compile error
* fix clusterrolebinding creation
* fix test
2020-02-03 13:38:24 -08:00
shravan
c4a8efbd7b
Merge branch 'master' into 253_ValidationInMutationFlag_v3
2020-01-29 14:34:15 +05:30
shravan
225bc8c584
536 enabling use as a kubectl plugin
2020-01-26 11:53:51 +05:30
shravan
78edfd2f7d
Merge branch '522_validate_policy_resource_data' into 536_extend_cli
2020-01-25 17:57:16 +05:30
shravan
865eb57812
resolving merge conflicts
2020-01-25 16:38:12 +05:30
shravan
e1b9a13590
resolving merge conflicts
2020-01-25 14:55:36 +05:30
shravan
78cae242c5
522 restructured files
2020-01-25 14:53:12 +05:30
Shivkumar Dudhani
8c1d79ab28
linter suggestions ( #655 )
...
* cleanup phase 1
* linter fixes phase 2
2020-01-24 12:05:53 -08:00
shravan
81ea5ba157
253 fixing circle ci issues
2020-01-24 23:40:05 +05:30
shravan
1b707f10a0
522 added ability to override default openAPI document
2020-01-24 22:27:21 +05:30
shravan
79999c4948
extended cli
2020-01-17 00:05:15 +05:30
shravan
8dc6b06d79
resolving merge conflicts
2020-01-11 18:33:11 +05:30
shuting
0f398e631d
Merge pull request #599 from nirmata/542_feature
...
flag to use FQDN as CommonName in CSR
2020-01-10 18:38:18 -08:00
shivkumar dudhani
1e5f871665
lowercase the cmdline arg
2020-01-08 16:40:19 -08:00
Shivkumar Dudhani
3cf9141f4d
593 feature ( #594 )
...
* initial commit
* background policy validation
* correct message
* skip non-background policy process for add/update
* add Generate Request CR
* generate Request Generator Initial
* test generate request CR generation
* initial commit gr generator
* generate controller initial framework
* add crd for generate request
* gr cleanup controller initial commit
* cleanup controller initial
* generate mid-commit
* generate rule processing
* create PV on generate error
* embed resource type
* testing phase 1- generate resources with variable substitution
* fix tests
* comment broken test #586
* add printer column for state
* return if existing resource for clone
* set resync time to 2 mins & remove resource version check in update handler for gr
* generate events for reporting
* fix logs
* initial commit
* fix trailing quote in patch
* remove comments
* initial condition (equal & notequal)
* initial support for conditions
* initial support for conditions in generate
* support precondition checks
* cleanup
* re-evaluate GR on namespace update using dynamic informers
* add status for generated resources
* display loaded variable SA
* support delete cleanup of generate request main resources
* fix log
* remove namespace from SA username
* support multiple variables per statement for scalar values
* fix fail variables
* add check for userInfo
* validation checks for conditions
* update policy
* refactor logs
* code review
* add openapispec for clusterpolicy preconditions
* Update documentation
* CR fixes
* documentation
* CR fixes
* update variable
* fix logs
* update policy
* pre-defined variables (serviceAccountName & serviceAccountNamespace)
* update test
2020-01-07 15:13:57 -08:00
Shivkumar Dudhani
ffd2179b03
538 ( #587 )
...
* initial commit
* background policy validation
* correct message
* skip non-background policy process for add/update
* add Generate Request CR
* generate Request Generator Initial
* test generate request CR generation
* initial commit gr generator
* generate controller initial framework
* add crd for generate request
* gr cleanup controller initial commit
* cleanup controller initial
* generate mid-commit
* generate rule processing
* create PV on generate error
* embed resource type
* testing phase 1- generate resources with variable substitution
* fix tests
* comment broken test #586
* add printer column for state
* return if existing resource for clone
* set resync time to 2 mins & remove resource version check in update handler for gr
* generate events for reporting
* fix logs
* cleanup
* CR fixes
* fix logs
2020-01-07 10:33:28 -08:00
shivkumar dudhani
38dcb2e94f
flag to use FQDN as CommonName in CSR
2020-01-06 16:12:53 -08:00
Shuting Zhao
dce1e0555a
move helper to pkg/utils
2020-01-03 10:41:47 -08:00
Shuting Zhao
e466a8e1df
gofmt
2020-01-02 19:46:02 -08:00
Shuting Zhao
b5192dc559
remove old crd namespacedpolicyviolation
2020-01-02 15:33:57 -08:00
Shivkumar Dudhani
3fa411e982
581 bug ( #582 )
...
* parse flag before using args
* update CI build script
2019-12-30 10:48:04 -08:00
Shivkumar Dudhani
39e08aa1fc
76 cache invalidate ( #557 )
...
* invalidate local cache of registered resources
* update client in initContainer
* update message
2019-12-16 12:55:44 -08:00
shivkumar dudhani
a19785261d
Merge branch '524_bug' into v1.1.0
2019-12-12 16:25:50 -08:00
Shuting Zhao
a107ad7ac8
rename namespacedpolicyviolation: update codegen
2019-12-11 16:07:39 -08:00
Shuting Zhao
b2ad71cc5e
remove channel, introduced a flag to indicate the webhook creation status
2019-12-05 15:49:02 -08:00
Shuting Zhao
183f844029
- move resourcewebhookregister to webhookconfig
2019-12-05 13:51:02 -08:00
Shuting Zhao
0f5cf40eda
- holds resource webhook creation requests in a queue; - remove webhookinformer from policy controller and webhookregistrationclient
2019-12-04 12:31:27 -08:00
shivkumar dudhani
2476940ddf
remove cluster and namespace PV controller
2019-11-26 18:21:09 -08:00
Shuting Zhao
f506789498
create resource mutating webhook after verifying webhook is active
2019-11-25 18:07:11 -08:00
shivkumar dudhani
0d4bbb5a38
refactor
2019-11-19 10:13:03 -08:00
shivkumar dudhani
40b685c9db
merge with v1.1.0
2019-11-18 11:48:36 -08:00
shivkumar dudhani
3df71f6fea
Merge branch 'v1.1.0' into 507_bug
2019-11-18 11:44:17 -08:00
Shivkumar Dudhani
61b202c64a
420 init container ( #501 )
...
* init container to cleanup stale webhook configurations if any.
* remove test code
* use internal pkg for os signals
* move webhook cleanup before http.server shutdown.
* update make file and remove init
* update CI script
2019-11-18 11:41:37 -08:00
shuting
d9229b329b
change logger to glog
2019-06-03 17:54:19 -07:00
shivdudhani
c205cca38b
introduce glog, remove log.logger references
2019-05-30 12:28:56 -07:00
Jim Bugwadia
c4e6b42635
rename CLI folder
2019-05-22 20:53:27 -07:00
shuting
de83a16493
rename pkg to kyverno
2019-05-21 11:00:09 -07:00
shuting
ffe644f821
Support Mutate from command line
2019-05-20 13:02:55 -07:00