mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
Commit graph

645 commits

Author SHA1 Message Date
Vyom Yadav
99d988e98c
feat: add support for subresources to validating and mutating policies (#4916)
* feat: add support for subresources to validating and mutating policies

Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>

* Add CLI test cases with subresources for validating policies

Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>

* Fix existing e2e tests for validating policies and remove tests migrated to kuttl

Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>

* Add kuttl e2e tests for validating policies with subresources

Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>

* Add kuttl e2e tests for mutating policies with subresources

Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>

* Add kuttl e2e tests for validating policy by-pass by manipulating preconditions

Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>

Signed-off-by: Vyom-Yadav <jackhammervyom@gmail.com>
2022-12-10 00:45:23 +08:00
Charles-Edouard Brétéché
ff728d5f2b
feat: propagate context through engine (#5639)
* feat: propagate context through engine

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: propagate context through engine

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: propagate context through engine

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: propagate context through engine

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-12-09 21:45:11 +08:00
Charles-Edouard Brétéché
7219b4f8a3
refactor: registry client (#5596)
* refactor: registry client

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-12-07 23:08:37 +08:00
Charles-Edouard Brétéché
5b89e2e5f8
refactor: make policy context immutable and fields private (#5523)
* refactor: make policy context immutable and fields private

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: make policy context immutable and fields private

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-12-02 16:14:23 +08:00
Charles-Edouard Brétéché
1ea4a0db19
refactor: use internal cmd package in kyverno (#5507)
2022-11-30 13:37:53 +00:00
Charles-Edouard Brétéché
c3be9e36a5
feat: propagate context to dynamic client (#5495)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-11-29 13:59:40 +00:00
Charles-Edouard Brétéché
6f1bd5fff2
chore: replace utils.ContainsString with builtin slices.Contains (#5496)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-11-29 08:04:49 +00:00
Charles-Edouard Brétéché
dfded5cc60
feat: propagate context to the metrics package (#5479)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-28 10:30:14 +00:00
Prateek Pandey
42221a93e4
fix: add clone check before validating namespace policy (#5459)
fix: add clone check before validate clone namespace

- fix data policy validation
- add kuttl tests to validate the behaviour

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-11-25 12:49:22 +05:30
shuting
93eaead565
fix: mutate existing policy does not get applied when background=false (#5439)
* fix mutate existing policies when background=false

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add the kuttl test

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-11-23 08:16:06 +00:00
Charles-Edouard Brétéché
2178b9fe77
refactor: dynamic client use instrumented clients (#5436)
* refactor: improve instrumented clients creation

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: instrumented clients code part 3

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: dynamic client

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-22 13:37:27 +00:00
Vyankatesh Kudtarkar
dc0a07e5d8
Handle Match resources kind (#5421)
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-11-22 01:20:24 +00:00
Pratik Shah
dccb1f692a
Fixed issue-3709: Image verify rule gives error for non-existing configmap (#5272)
Signed-off-by: Pratik Shah <pratik@infracloud.io>

Signed-off-by: Pratik Shah <pratik@infracloud.io>
2022-11-18 08:27:34 +00:00
Vyankatesh Kudtarkar
83a84c9d47
[Bug]: Fix wildcard any/all issue (#5387)
* Fix wildcard for any/all match/exclude kinds

* remove non required test

* add kuttl test

* Revert "add kuttl test"

This reverts commit d2245bc248.

* add kuttl test

* fix test
2022-11-17 14:07:03 +00:00
shuting
b1367fd497
fix the entry length validation for the verify image rule (#5384)
Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-11-17 17:25:02 +05:30
Prateek Pandey
c0f479add9
fix: add validation for generate namespace policy (#5346)
* fix: add validation for generate namespace policy

- generate of cluster scope resource not allowed
- Only allowed to generate resource in policy namespace

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* add unit tests to validate the behaviour

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* fix error logs

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-11-17 07:43:51 +00:00
Prateek Pandey
2b4ff1ef6d
fix: synchronize source resource update to clone list resource (#5317)
* fix: synchronize source resource update to clone list target resource

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* add kuttl test to verify the clone list synchronized behavior

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* refactor functions parameters

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* fix the kuttl test description and behavior README

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* Use entire content to compare

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-11-11 19:30:54 +00:00
Charles-Edouard Brétéché
6091af6fba
fix: wrong logger used (#5311)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-11 12:16:27 +05:30
Charles-Edouard Brétéché
564c92d4bf
fix: add warning when using deprecated validation failure action (#5219)
* fix: add warning when using deprecated validation failure action

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-11-07 22:16:53 +00:00
Vyankatesh Kudtarkar
a6e866fe1f
Fix Keda policy installation issue (#5239)
2022-11-07 18:54:44 +05:30
shuting
da84b777bc
fix: too much information for the Policy Rule Execution Latency metric (#5208)
* remove general_rule_latency_type

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* remove resource_request_operation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* remove resource_namespace

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* remove resource_kind

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix linter

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-11-04 14:31:23 +08:00
Charles-Edouard Brétéché
f52da91b72
fix: early return in policy validation (#5200)
* fix: early return in policy validation

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-03 09:05:23 +00:00
Charles-Edouard Brétéché
d2658a1bc8
refactor: support Audit and Enforce validation failure actions (#5152)
* feat: remove policy mutation code

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: support Audit and Enforce failure actions

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* typo

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* update changelog

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Charles-Edouard Brétéché
e4bf66e756
feat: remove policy mutation for auto-gen rules (#5123)
* feat: remove policy mutation code

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* Fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* changelog

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-10-25 23:43:46 +00:00
Charles-Edouard Brétéché
5a496ca212
refactor: simplify variables regex (#5075)
* feat: add simple conformance tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* gh action

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* separate workflow

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix the bug

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix cli test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* improvements

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* improvements

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: variables regex

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-10-21 11:51:14 +08:00
Charles-Edouard Brétéché
ad2cbd3b33
feat: add simple conformance tests (#5073)
* feat: add simple conformance tests
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-10-20 12:17:33 +00:00
Shivansh Yadav
becf73227b
validate patchJSON6902 (#4469)
* validate patchJSON6902

Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com>

* validate patchJSON6902

Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com>

* test: validateJSON6902 tests

Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com>

* validate patchJSON6902

Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com>

* test: validate patchJSON6902

Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com>

Signed-off-by: Shivansh-yadav13 <yadavshivansh@gmail.com>
Signed-off-by: Shivansh Yadav <yadavshivansh@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-10-17 15:25:03 +00:00
Charles-Edouard Brétéché
cb0410dcf1
fix: policy not denied when kinds set is empty (#5016)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-17 14:10:42 +00:00
Pratik Shah
8a0083105d
Added support to specify key signature algorithm in verifyImages (#4855)
Signed-off-by: Pratik Shah <pratik@infracloud.io>

Signed-off-by: Pratik Shah <pratik@infracloud.io>
2022-10-14 05:39:57 +00:00
Charles-Edouard Brétéché
9e933e8d21
fix: set operation in context when necessary (#4940)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-13 19:33:49 +05:30
XDRAGON2002
03c41e7746
[Cleanup] Disable PolicySkipped events (#4913)
* remove skip events

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* update conditions

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* improve conditions

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* remove redundant function

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-13 08:32:20 +00:00
Charles-Edouard Brétéché
b3021f5a57
refactor: openapi controller part 2 (#4910)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 22:24:16 +05:30
Charles-Edouard Brétéché
de67a507cd
refactor: openapi controller part 1 (#4901)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-10-12 11:38:48 +00:00
Prateek Pandey
23ab7390a3
fix: hardening policy validation for generate cloneList (#4881)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-10-11 23:35:07 +05:30
Charles-Edouard Brétéché
ebe86473fc
feat: use a dedicated policy metrics controller (#4818)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-07 10:53:54 +00:00
ansalamdaniel
27de93a3d2
fix: add policy validation for ValidationFailureActionOverride field (#4784)
Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
2022-10-06 06:16:12 +00:00
Charles-Edouard Brétéché
7213abec36
fix: remove reference to controller runtime log (#4779)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-03 12:55:39 +02:00
Charles-Edouard Brétéché
209bab2059
refactor: more context less chans (#4764)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-03 09:19:01 +00:00
yinka
688b4fb8e3
add package logger in files (#4766)
* add package logger in files

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* add package logger to initContainer and other files

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* helm docs

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* helm default values

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* release notes

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-02 19:45:03 +00:00
Charles-Edouard Brétéché
9aca37fe9f
refactor: use context in openapi controller (#4760)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-09-30 11:56:47 +00:00
Prateek Pandey
38c252952d
feat: add matchlabel selector support with multiple clone (#4713)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-28 17:44:38 +02:00
Charles-Edouard Brétéché
e0ab72bb9a
feat: reports v2 implementation (#4608)
This PR refactors the reports generation code.
It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds.

The new reports system is based on 4 controllers:

- Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation
- Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes
- Aggregation controller takes care of aggregating per resource reports into higher level reports (per namespace)
- Resources controller is responsible for watching reports that need background scan reports

I added two new flags to disable admission reports and/or background scan reports; the whole reporting system can be disabled if something goes wrong.

I also added a flag to split reports in chunks to avoid creating too large resources.

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-28 17:15:16 +05:30
Prateek Pandey
9cc1e6b2b3
fix: handle auth permission for cloneList validation (#4684)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-26 13:23:00 +05:30
Charles-Edouard Brétéché
328fdc8b3d
feat: add feature flag to disable background scan (#4638)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-09-19 12:00:36 +00:00
Vyankatesh Kudtarkar
c7bcd5fadf
Fix multiple crd slowness issue (#4275)
Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>

* fix multiple crd issue
2022-09-12 16:14:28 +08:00
Prateek Pandey
1cacd0173d
feat: allow cloning multiple resource from a namespace (#4384)
2022-09-08 04:47:09 +00:00
Charles-Edouard Brétéché
a95d61b9d7
refactor: client wrappers (#4519)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-07 12:01:43 +08:00
Charles-Edouard Brétéché
1947dafed6
fix: load policy and add tests (#4515)
* fix: load policy and add tests

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix callers

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-09-06 15:16:44 +00:00
Charles-Edouard Brétéché
1e25bfd16f
feat: remove context api call constraints (#4389)
* feat: add raw api call support

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* feat: remove context api call constraints

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-01 08:30:04 +00:00
ToLToL
1b9a2fca21
Extend Pod Security Admission (#4364)
* init commit for pss

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add test for Volume Type control

* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()

* remove unused code, still a JMESPATH problem with app armor ExemptProfile()

* test for Host Process / Host Namespaces controls

* test for Privileged containers controls

* test for HostPathVolume control

* test for HostPorts control

* test for HostPorts control

* test for SELinux control

* test for Proc mount type control

* Set to baseline

* test for Seccomp control

* test for Sysctl control

* test for Privilege escalation control

* test for Run as non root control

* test for Restricted Seccomp control

* Add problems to address

* add solutions to problems

* Add validate rule for PSA

* api.Version --> string. latest by default

* Exclude all values for a restrictedField

* add tests for kyverno engine

* code to be used to match kyverno rule's namespace

* Refactor pkg/pss

* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:

* EvaluatePod

* Use EvaluatePod in kyverno engine

* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add

* Check if PSSCheckResult matched at least one exclude value

* add tests for engine

* fix engine validation test

* config

* update go.mod and go.sum

* crds

* Check validate value: add PodSecurity

* exclude all restrictedFields when we only specify the controlName

* ExemptProfile(): check if exclude.RestrictedField matches at least one restrictedField.path

* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)

* refactor pkg/pss/evaluate.go and add pkg/engine/validation_test.go

* add all controls with containers in restrictedFields as comments

* add tests for capabilities and privileged containers and fix some errors

* add tests for host ports control

* add tests for proc mount control

* add tests for privilege escalation control

* add tests for capabilities control

* remove comments

* new algo

* refactor algo, working. Add test for hostProcess control

* remove unused code

* fix getPodWithNotMatchingContainers(), add tests for host namespaces control

* refactor ExemptProfile()

* get values for a specific container. add test for SELinuxOptions control

* fix allowedValues for SELinuxOptions

* add tests for seccompProfile_baseline control

* refactor checkContainers(), add test for seccomp control

* add test for running as non root control

* add some tests for runAsUser control, have to update current PSA version

* add sysctls control

* add allowed values for restrictedVolumes control

* add some tests for appArmor, volume types controls

* add tests for volume types control

* add tests for hostPath volume control

* finish merge conflicts and add tests for runAsUser

* update charts and crds

* exclude.images optional

* change volume types control exclude values

* add appArmor control

* fix: did not match any exclude value for pod-level restrictedFields

* create autogen for validate.PodSecurity

* clean code, remove logs

* fix sonatype lift errors

* fix sonatype lift errors: duplication

* fix crash in pkg/policy/validate/ tests and unmarshal errors for pkg/engine tests

* beginning of autogen implement for validate.exclude

* Autogen for validation.PodSecurity

* working autogen with simple tests

* change validate.PodSecurity failure response format

* make codegen

* fix lint errors, remove debug prints

* fix tags

* fix tags

* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request

* Changes requested

* Changes requested 2

* Changes requested 3

* Changes requested 4

* Changes requested and make codegen

* fix host namespaces control

* fix lint

* fix codegen error

* update docs/crd/v1/index.html

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix path

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update crd schema

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update charts/kyverno/templates/crds.yaml

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 09:16:31 +00:00
Charles-Edouard Brétéché
f243a7dd84
refactor: make toggles easier to define and use (#4456)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-08-31 06:41:14 +00:00
shuting
3bf3dcc1af
Add the metric "kyverno_client_queries_total" (#4359)
* Add metric "kyverno_kube_client_queries_total"

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* publish metric for missing queries

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Refactor the way Kyverno registers QPS metric

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Move clientsets to a dedicated folder

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Wrap Kyverno client and policyreport client to register client query metric

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address linter comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address linter comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Switch to use wrapper clients

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-08-31 11:33:47 +05:30
Riko Kudo
5f5cda9fee
Yaml signing and verification (#4235)
* enable YAML verification using k8s-manifest-sigstore

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

comment out role and rolebinding for dryrun

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix log message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

change default value of dryrun option

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

support gpg signature

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* upgrade manifest sigstore version and support multi sigs

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix validate.manifest rule

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd and add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

set cosign experimental env when keyless verification

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* improve default ignoreFields

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* add unit-test for k8smanifest

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update install yaml

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version and support one or more signatures

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

add unit-test for k8smanifest multi-signature

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix manifest verify policy and move dryrun rbac to dryrun dir

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version and resolve conflict

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

enable YAML verification using k8s-manifest-sigstore

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

comment out role and rolebinding for dryrun

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

upgrade manifest sigstore version and support multi sigs

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix validate.manifest rule

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd and add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version and support one or more signatures

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy and move dryrun rbac to dryrun dir

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* remove generic name

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix sonatype-lift issue and unit-test error

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix gofumpt error

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update manifest rule to use attestor

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* remove unused value

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* resolve conflict

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix install.yaml

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix to set COSIGN_EXPERIMENTAL env variable when keyless verification

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix misspell

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* enable kyverno cli in validate.manifests rule (#3)

* enable kyverno cli in validate.manifests rule

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version and improve error handling for better result output

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update crds and deepcopy

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update unit test

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* change to use spec.rules.exclude.subjects instead of skipUsers (#4)

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix yaml signing sigstore (#5)

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* add a comment for dryrun option field

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* enable to include ClusterPolicy/Policy in match resource

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix log style and env variable settings

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* simplify manifest verify func

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix func name

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix sonatype warning

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix default ignoreFields

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix yaml signing sigstore rbac (#6)

* fix dryrun rbac to have minimal permissions

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix lint error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix unit-test error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix gofumpt error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix log style

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* updated CRD documentation

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* resolve go.mod conflicts

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* updated helm stuff

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-08-30 10:14:54 -07:00
Charles-Edouard Brétéché
fc1a4601a7
refactor: introduce wildcard utils package (#4406)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-25 05:23:01 +00:00
Charles-Edouard Brétéché
144985ee5a
chore: fix golangcilint timeout (#4388)
* chore: fix golangcilint timeout

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix commit sha

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* add .gitattributes

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-24 21:08:24 +08:00
Anutosh Bhat
d92e16526f
Added appropriate logging levels to log.Info() calls wherever necessary (#4341)
* Added appropriate logging levels to log.Info() calls wherever necessary

Signed-off-by: anutosh491 <andersonbhat491@gmail.com>

* Changed logging levels to 2

Signed-off-by: anutosh491 <andersonbhat491@gmail.com>

Signed-off-by: anutosh491 <andersonbhat491@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-08-18 13:24:59 +00:00
Charles-Edouard Brétéché
421b490c56
feat: use tombstone helper (#4273)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-03 16:17:07 +00:00
Jim Bugwadia
943c3a1929
use failurePolicy to block or allow requests, on policy errors (#4183)
* use failurePolicy to block or allow requests, on policy errors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add warnings

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add unit tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* handle network errors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix title conversion

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix path in generated file

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix fake metrics

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add check for klog flag initialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* check for flag reinitialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* check for flag reinitialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix spelling

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix flag init

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-08-02 20:24:02 +05:30
vivek kumar sahu
03cec01fb5
feature: added new type of event, PolicySkipped (#4251)
* feature: added new type of event, PolicySkipped

Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>

* fix html docs

Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
2022-07-28 14:01:50 +08:00
Prateek Pandey
3f1997c0e8
fix split policyreport name with background scan (#4237)
- fix split policyreport name with background scan
- fix the label selector initialising
- refactor the generatePolicyName func

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-07-21 14:31:42 +05:30
Vyankatesh Kudtarkar
530e38a6f4
fix check deprecated api issue (#4243) 2022-07-21 13:11:39 +08:00
Prateek Pandey
c0cc4b781c
use the unstructured list instead of interface type (#4210)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-07-12 15:07:40 +00:00
Tathagata Paul
3e2894b6fa
feat: Opentelemetry support for metrics and traces (#3910)
* integrating opentelemetry

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* fix multiple imports

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* fixed cli help statement

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* added init file for metrics

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
2022-07-11 17:49:47 +00:00
Jim Bugwadia
58337716c8
Fix merging JSON patches (#4202)
* fix merge of image verify and mutate patches

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update json patch merge logic

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-07-11 09:26:31 +05:30
Vyankatesh Kudtarkar
12693e1a9c
fix external.metrics.k8s.io/v1beta1 issue (#4139)
* fix external.metrics.k8s.io/v1beta1 issue

* update find resource discovery method

* revert validate.go

* revert changes

* update discovery method

* fix error handler issue

* add logger support
2022-07-01 03:00:05 +00:00
shuting
77fb10a430
Clean up RCRs if the count exceeds the threshold (#4148)
* Clean up RCRs if the count exceeds the limit

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Sets reports to inactive on resourceExhausted error

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix linter

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add a container flag changeRequestLimit

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Skip generating RCRs if resourceExhausted error occurs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* set default RCR limit to 1000

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Update log messages and CHANGELOG.md

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Address review comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Extract mapper to a separate file

Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-06-28 06:18:57 +00:00
shuting
cd2d89bf55
Wait for informers' cache to be synced before starting controllers (#4155)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-06-28 04:55:52 +00:00
Jim Bugwadia
b68f4ba679
release event memory (#4138)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-06-23 00:37:46 +08:00
Charles-Edouard Brétéché
4a6d5f7864
refactor: move policy deletion code from policy controller to ur controller (#4013)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-24 21:05:11 +02:00
Vyankatesh Kudtarkar
bea0b794d5
add validation check to ensure the annotations are quoted (#3976) 2022-05-24 12:45:23 +00:00
shuting
85b486eb27
Support @ for mutate targets (#3998)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-05-24 17:49:36 +05:30
Charles-Edouard Brétéché
c9f8a68d8a
fix: stop mutation policies when autogen internals is enabled (#4004)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-24 13:08:29 +02:00
Charles-Edouard Brétéché
1712dfa947
refactor: move label helper utils from policy package to background package (#3996)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-24 13:11:12 +05:30
Charles-Edouard Brétéché
1936d86623
fix: move ur controller filtering in reconciler (#3964)
* fix: move ur controller filtering in reconciler

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: mark ur retry on conflict

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: test data

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: add filter back in update ur handler

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: added some logs about attempts and increased backoff

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: reconciliation logic

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: Test_Generate_Synchronize_Flag

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: small nits

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-20 00:06:56 +08:00
Charles-Edouard Brétéché
41a3f6c388
chore: make kyverno informers and listers import aliases consistent (#3958)
* chore: make kyverno api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make apimachinery api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make dclient api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make clients import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make kube informers and listers import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make kyverno informers and listers import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
2022-05-18 04:02:31 +00:00
Charles-Edouard Brétéché
572a76ce33
chore: make kube informers and listers import aliases consistent (#3957)
* chore: make kyverno api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make apimachinery api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make dclient api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make clients import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make kube informers and listers import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 17:51:03 +02:00
Charles-Edouard Brétéché
5243763674
chore: make dclient import aliases consistent (#3951)
* chore: make kyverno api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make apimachinery api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make dclient api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 14:40:51 +00:00
Charles-Edouard Brétéché
666bcb3c15
chore: make k8s api import aliases consistent (#3950)
* chore: make kyverno api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make apimachinery api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 22:14:31 +08:00
Charles-Edouard Brétéché
5aaf2d8770
chore: make kyverno api import aliases consistent (#3939)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 13:12:43 +02:00
Prateek Pandey
a6718819c5
fix: use patch to update handler status in UR (#3928)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-05-17 16:21:53 +08:00
Charles-Edouard Brétéché
0099ef54ad
chore: enable gofmt and gofumpt linters (#3931)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 06:19:03 +00:00
Charles-Edouard Brétéché
c12f94d6d4
chore: enable gci linter (#3930)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-05-17 07:56:48 +02:00
Charles-Edouard Brétéché
52cc493e57
chore: enable misspell linter (#3932)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-16 19:08:57 +05:30
Charles-Edouard Brétéché
d7a3ba596d
chore: enable errname linter (#3926)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-16 18:51:31 +08:00
Dhaval Shah
fce35b91d2
[Bugbash] Kceu22 bugbash/fix staticcheck warnings (#3917)
* cleanup: error string formatting

Fixes Staticcheck ST1005
KubeCon EU 2022 BugBash

Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>

* cleanup: merge var declaration with assignment

Fixes staticcheck S1021

Kubecon EU 2022 Bugbash

Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>

* cleanup normalize yoda condition to simple compare

fixes staticcheck ST1017

Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>

* cleanup: remove extraneous err param on executeTest

err is not used anywhere except to throw Fatal inside executeTest()
fix staticcheck SA4009

Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>

* fix: match validation error message to actual errors

Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>

* cleanup: more of normalize validation error messages

Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>

* cleanup: additional error message formatting fixes

Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>

Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-05-14 22:04:35 +01:00
Jim Bugwadia
0cd21ec0f3
skip var checks in attestations (#3876)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-05-11 09:31:48 +00:00
Charles-Edouard Brétéché
2064a69b8a
refactor: make config vars private (#3823)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-11 06:14:30 +00:00
Charles-Edouard Brétéché
97e5e64fd4
chore: enable whitespace linter (#3864)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-05-10 17:01:29 +00:00
shuting
5532203091
Handle errors properly for mutate and generate on existing resources (#3863)
Signed-off-by: ShutingZhao <shuting@nirmata.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-05-10 16:36:50 +00:00
Charles-Edouard Brétéché
d982ef77b3
chore: enable deadcode and unused linters (#3861)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-10 17:06:48 +02:00
Prateek Pandey
2866c06d95
tests: add unit tests for utils functions (#3857)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-05-10 13:45:48 +00:00
Charles-Edouard Brétéché
e2cf6cea5a
fix: golangci-lint warnings in pkg (#3846)
* fix: golangci-lint warnings in cmd

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: golangci-lint warnings in pkg

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-05-10 09:24:27 +00:00
Jim Bugwadia
bc07943c81
handle subresources (#3841)
* handle subresources

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix logger name

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix webhook and logs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-05-09 18:50:50 -07:00
Prateek Pandey
069d625786
refactor: remove unused functions (#3840)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-05-09 14:24:55 +05:30
Prateek Pandey
8b6d3d1f6a
feat: trigger generate on existing matched resource (#3819)
* feat: trigger generate on existing matched resource

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* refactor the triggers and fix review comments

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* add trigger for other matching kinds

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* implement match exclude using dynamic client

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* refactor generate trigger

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* increase sleep timeout

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* optimize unstructured list

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* fix review comments

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* log refactor and clean debug comments

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-05-09 07:13:11 +00:00
Afzal Ansari
3845225db1
refactor: imported pkg redeclared and a few other unused func (#3827)
* Removes paths redeclared

Signed-off-by: afzal442 <afzal442@gmail.com>

* fixes v1 redeclared

Signed-off-by: afzal442 <afzal442@gmail.com>

* fixes mergeSucceededResults func never used

Signed-off-by: afzal442 <afzal442@gmail.com>

* fixes func unused

Signed-off-by: afzal442 <afzal442@gmail.com>

* refactors unused func

Signed-off-by: afzal442 <afzal442@gmail.com>

* refactors unused func

Signed-off-by: afzal442 <afzal442@gmail.com>

* refactors getNamespacesForRule unused

Signed-off-by: afzal442 <afzal442@gmail.com>

* refactors policyNamespace unused

Signed-off-by: afzal442 <afzal442@gmail.com>

* refactors replacing loop with ...

Signed-off-by: afzal442 <afzal442@gmail.com>

* refactors func buildPolicyLabel unused

Signed-off-by: afzal442 <afzal442@gmail.com>

* removes unused func

Signed-off-by: afzal442 <afzal442@gmail.com>

* removes unused comment

Signed-off-by: afzal442 <afzal442@gmail.com>

Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-05-07 16:44:57 +00:00
Sambhav Kothari
e55bf0bf6f
Relax JMESPath variable validation (#3826) 2022-05-07 16:40:53 +05:30
shuting
b4f2b63f53
Load mutate.targets via dclient (#3797)
* Load mutate.targets via dclient

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Do not fail on namespace cleanup for e2e generate

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Fix wildcard name listing for a certain namespace

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Rename onPolicyUpdate to mutateExistingOnPolicyUpdate

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Enable "mutateExistingOnPolicyUpdate" on policy events

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-05-06 05:46:36 +00:00
Vyankatesh Kudtarkar
13d8a96f92
Policy Validation check for onPolicyUpdate flag (#3814)
* policy validation check for OnPolicyUpdate flag

* add validation check for onupdatepolicy flag
2022-05-05 21:04:49 +08:00
shuting
8a9a98d8b5
Add handler to UR.status (#3791)
* - Add "handler" to "ur.status"
- Mark / Unmark handler upon UR reconciliation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add field onPolicyUpdate

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Update API docs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add delay in generate e2e tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Remove duplicate logic for cleaning up the cloned resource

Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-05-05 16:26:27 +05:30