Jim Bugwadia
838d02c475
Bugfix/659 support wildcards for namespaces (#871)
* - support wildcards for namespaces
* do not annotate resource, unless policy is an autogen policy
* close HTTP body
* improve messages
* remove policy store
Policy store was not fully implemented and simply provided a way
to list all policies and get a policy by name, which can be done via
standard client-go interfaces.
We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.
* handle wildcard namespaces in background processing
* fix unit tests 1) remove platform dependent path usage 2) remove policy store
* add test case for mutate with wildcard namespaces
2020-05-26 10:36:56 -07:00
Shivkumar Dudhani
ffd2179b03
538 (#587)
* initial commit
* background policy validation
* correct message
* skip non-background policy process for add/update
* add Generate Request CR
* generate Request Generator Initial
* test generate request CR generation
* initial commit gr generator
* generate controller initial framework
* add crd for generate request
* gr cleanup controller initial commit
* cleanup controller initial
* generate mid-commit
* generate rule processing
* create PV on generate error
* embed resource type
* testing phase 1- generate resources with variable substitution
* fix tests
* comment broken test #586
* add printer column for state
* return if existing resource for clone
* set resync time to 2 mins & remove resource version check in update handler for gr
* generate events for reporting
* fix logs
* cleanup
* CR fixes
* fix logs
2020-01-07 10:33:28 -08:00
Shuting Zhao
261560eafb
mutate rule: do not ignore empty key in resource if overlay has nested anchor
2019-11-27 16:07:15 -08:00
Jim Bugwadia
8348c5761c
fix tests
2019-11-11 18:51:21 -08:00
Jim Bugwadia
87be5ca4b8
update policies and test cases
2019-11-11 17:55:54 -08:00
Jim Bugwadia
3ffb0cfa39
add disallow_sysctl and move policies
2019-11-11 17:17:09 -08:00
Jim Bugwadia
05503e4fd1
update other policies
2019-11-11 14:09:07 -08:00
Jim Bugwadia
dd4d091c23
update restrict_automount_sa_token
2019-11-10 21:57:20 -08:00
Jim Bugwadia
5e8b6c4183
update add_networkPolicy
2019-11-10 21:27:50 -08:00
Jim Bugwadia
244909ebb3
update require_probes
2019-11-10 21:18:17 -08:00
Jim Bugwadia
c1be682a93
update require_pod_requests_limits
2019-11-10 21:06:49 -08:00
Jim Bugwadia
f668113904
update add_ns_quota
2019-11-10 20:58:57 -08:00
Jim Bugwadia
a6d5fb6e30
update restrict_image_registries
2019-11-10 18:13:01 -08:00
Jim Bugwadia
f31abbffab
update disallow_latest_tag
2019-11-10 17:54:38 -08:00
Jim Bugwadia
7f54e8e2e3
Merge branch '451_fix_disallow_host_net_port' into 452_make_sample_policy_rule_names_consistent
# Conflicts:
# samples/best_practices/disallow_host_network_hostport.yaml
# test/scenarios/samples/best_practices/disallow_host_network_port.yaml
2019-11-10 17:35:43 -08:00
Jim Bugwadia
20736e5e81
update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc
2019-11-10 15:50:18 -08:00
Jim Bugwadia
170e2a5179
update disallow_docker_sock_mount and disallow_host_network_port
2019-11-10 12:53:48 -08:00
Jim Bugwadia
fd1a26db29
update DisallowBindMounts
2019-11-09 16:33:19 -08:00
Jim Bugwadia
fae8ac0325
update RequireReadOnlyRootFS
2019-11-09 16:18:33 -08:00
Jim Bugwadia
121b81a83b
update disallow new capabilities
2019-11-09 16:07:16 -08:00
Jim Bugwadia
cba79c69a2
update disallow_priviledged
2019-11-08 20:04:42 -08:00
Jim Bugwadia
5ce8fd7a9a
update disallow_root_user
2019-11-08 19:25:43 -08:00
Jim Bugwadia
6baa678e27
rename add_safe_to_evict
2019-11-08 19:02:49 -08:00
Shuting Zhao
58054ef5b6
remove duplicate test
2019-11-07 12:13:34 -08:00
Jim Bugwadia
1173e062c9
- add policy and test for known ingress
- fix messages and remove unnecessary comments in testrunner/scenario.go
2019-11-05 19:07:44 -08:00
Jim Bugwadia
cab87f24ba
add test case
2019-11-05 15:32:45 -08:00
Shuting Zhao
4195f45a42
add missing scenario test
2019-11-05 10:19:42 -08:00
Jim Bugwadia
35bed4bc6a
add safe-to-evict annotation
2019-11-04 17:55:13 -08:00
Jim Bugwadia
41afefbe8e
add disallow Helm tiller
2019-11-03 18:19:06 -08:00
Jim Bugwadia
1323a9a81e
add policy and test case
2019-11-01 15:19:26 -07:00
Jim Bugwadia
440c23f231
add test case (currently fails)
2019-11-01 11:40:23 -07:00
shivkumar dudhani
9b9f6686cb
remove comments
2019-10-14 14:17:16 -07:00
shivkumar dudhani
4e5f551fa7
clean up
2019-10-14 14:10:34 -07:00
shivkumar dudhani
530ac6962c
initial clean up
2019-10-14 12:36:19 -07:00
Shuting Zhao
eb8bd71ac2
add test scenario - missing image tag
2019-10-10 19:13:04 -07:00
Shuting Zhao
38bf4d6055
add 'deny-use-of-host-fs'
2019-10-10 18:42:54 -07:00
Shuting Zhao
300665b22b
Merge branch 'best_practice_policies' of https://github.com/nirmata/kyverno into best_practice_policies
2019-10-10 12:30:14 -07:00
Shuting Zhao
24f3b8ac96
disallow automountServiceAccountToken
2019-10-10 12:29:48 -07:00
shivkumar dudhani
dbc35eb8f4
enable disabled tests
2019-10-10 12:22:07 -07:00
Shuting Zhao
7fcc6bbd33
require default namespace resource quota
2019-10-10 10:46:11 -07:00
Shuting Zhao
3087257b46
disallow use of default namespace
2019-10-10 10:34:49 -07:00
Shuting Zhao
012360ae3a
allow trusted registries
2019-10-10 10:29:10 -07:00
Shuting Zhao
4d29b461ff
add require_image_tag_not_latest.yaml
2019-10-09 18:35:07 -07:00
Shuting Zhao
b5475fda5d
comment out failed testscenarios
2019-10-09 18:31:09 -07:00
Shuting Zhao
3e1ef320a8
add require_probes.yaml
2019-10-09 17:49:00 -07:00
Shuting Zhao
ea25ed8460
add check-pod-request-limit.yaml
2019-10-09 17:37:31 -07:00
Shuting Zhao
18c190447f
update require-readonly-rootfilesystem.yaml
2019-10-08 22:09:58 -07:00
Shuting Zhao
cb44585d70
add disallow_readonly_rootfilesystem.yaml
2019-10-08 22:05:15 -07:00
Shuting Zhao
c755df6b70
add scenario_validate_disallow_hostpid_hostipc.yaml
2019-10-08 21:58:05 -07:00
Shuting Zhao
ce41e4a99d
add disallow_host_network_hostport.yaml
2019-10-08 21:51:35 -07:00