mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
Commit graph

1118 commits

Author SHA1 Message Date
Shuting Zhao
ecbbd04bc5 - remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00
shivkumar dudhani
38dcb2e94f flag to use FQDN as CommonName in CSR 2020-01-06 16:12:53 -08:00
Shuting Zhao
9194251a38 fix pod controller annotation to "none" 2020-01-06 14:41:25 -08:00
Shuting Zhao
77955ff212 change the policy action to operate on its own validationFailureAction 2020-01-06 14:41:02 -08:00
Shuting Zhao
f5411c1c76 update policymutation_test 2020-01-03 15:19:33 -08:00
Shuting Zhao
dce1e0555a move helper to pkg/utils 2020-01-03 10:41:47 -08:00
Shuting Zhao
0c9053d50d register resource webhook in policy control loop 2020-01-02 20:25:30 -08:00
Shuting Zhao
956cb0559a - register resource webhook when policy controller starts; - add debug log 2020-01-02 19:12:45 -08:00
Shuting Zhao
b5192dc559 remove old crd namespacedpolicyviolation 2020-01-02 15:33:57 -08:00
Shuting Zhao
b493600754 remove omitempty on policy.spec and policy.spec.rules 2020-01-02 12:17:47 -08:00
Shuting Zhao
d36934fe11 Merge commit '5b8ab3842b43a72cc675b93b8b72e290adfca1d2' into 518_pod_controller
# Conflicts:
#	pkg/api/kyverno/v1/types.go
#	pkg/engine/mutation.go
#	pkg/engine/mutation_test.go
#	pkg/engine/validation.go
#	pkg/policy/existing.go
2020-01-02 10:32:17 -08:00
Shivkumar Dudhani
5b8ab3842b
Support variable substitution (#549)
* initial commit

* variable substitution

* update tests

* update test

* refactor engine packages for validate & generate

* update vendor

* update toml

* support variable substitution in overlay mutation

* missing update

* fix indentation in logs

* store context values as single JSON document using merge patches.

* remove duplicate functions

* fix message string

* Handle processing of policies in background (#569)

* remove condition check while generating mutation patch as conditions are verified in the first iteration

* initial commit

* background policy validation

* correct message

* skip non-background policy process for add/update

* fix order to correct policy registration

* update comment

Co-authored-by: shuting <shutting06@gmail.com>

* refactor

Co-authored-by: shuting <shutting06@gmail.com>
2019-12-30 17:08:50 -08:00
Shuting Zhao
56c03f712a only generate rule on policy creation 2019-12-27 15:57:43 -08:00
Shuting Zhao
bae2865550 - add =() to volumes; - update error msg 2019-12-27 14:59:12 -08:00
Shuting Zhao
340dee24bc Merge branch 'master' into 544_documentation
# Conflicts:
#	pkg/engine/overlay_test.go
2019-12-27 13:04:07 -08:00
Shuting Zhao
f2a0f0e3dc replace annotation match by regexp 2019-12-27 12:57:06 -08:00
Shuting Zhao
eb6ab9d2d8 fix rule mis-application 2019-12-26 19:05:12 -08:00
Shuting Zhao
076196688e skip processing existing pod if annotation is present 2019-12-26 18:41:14 -08:00
Shuting Zhao
f0d943e970 Merge branch 'master' into 518_pod_controller 2019-12-26 15:35:23 -08:00
Shuting Zhao
54ecb7738a - insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 15:34:19 -08:00
Shivkumar Dudhani
085856baa1
add event source and format event messages (#565) 2019-12-26 11:50:41 -08:00
Shuting Zhao
b5255893e3 update autogen annotation for pod controllers 2019-12-26 10:09:49 -08:00
Shuting Zhao
a8aa83573b fix merge error 2019-12-20 19:08:26 -08:00
Shuting Zhao
1f0187e8ea Merge commit 'f1330ede8234eb4d449eb9ec72b41c627488350d' into 518_pod_controller 2019-12-20 19:06:35 -08:00
Shuting Zhao
8be4db3de3 Merge branch '529_query' into 518_pod_controller 2019-12-20 18:55:08 -08:00
Shuting Zhao
cc87ea7339 add unit test 2019-12-20 18:53:44 -08:00
Shuting Zhao
74b85d8143 generate rule for pod controllers 2019-12-20 18:53:29 -08:00
Shuting Zhao
e3a8cabe8d add omitempty to types 2019-12-20 18:51:07 -08:00
shivkumar dudhani
d04f49b5d8 fix message string 2019-12-17 17:16:50 -08:00
shivkumar dudhani
2a56a8e043 remove duplicate functions 2019-12-17 16:37:52 -08:00
shivkumar dudhani
a86aa06e28 Merge branch 'master' into 529_query 2019-12-17 16:36:58 -08:00
shivkumar dudhani
615f1ae940 Merge branch 'master' into 529_query 2019-12-17 16:22:00 -08:00
shivkumar dudhani
38987d50c3 store context values as single JSON document using merge patches. 2019-12-17 16:06:13 -08:00
Shuting Zhao
0d71e4a669 remove condition check while generating mutation patch as conditions are verified in the first iteration 2019-12-16 18:26:38 -08:00
shuting
4149d706e8
Merge pull request #558 from nirmata/428_quantity
implement quantity comparison
2019-12-16 15:53:09 -08:00
Shivkumar Dudhani
39e08aa1fc
76 cache invalidate (#557)
* invalidate local cache of registered resources

* update client in initContainer

* update message
2019-12-16 12:55:44 -08:00
Shuting Zhao
35adbbe0df convert type boolean to string in /metadata/annotation 2019-12-13 18:04:19 -08:00
Shuting Zhao
5ced2409a3 update test 2019-12-13 13:30:24 -08:00
Shuting Zhao
0969aa9bf9 implement quantity comparison 2019-12-13 13:17:22 -08:00
shivkumar dudhani
793d878b18 correct webhook endpoint 2019-12-13 11:13:58 -08:00
shivkumar dudhani
c4da72ad3e fix indentation in logs 2019-12-13 09:49:09 -08:00
Shuting Zhao
625e45c847 remove duplicate code 2019-12-12 18:55:40 -08:00
shivkumar dudhani
0bd05fd227 missing update 2019-12-12 18:48:53 -08:00
shivkumar dudhani
5659f2fbcf merge master 2019-12-12 18:44:52 -08:00
shivkumar dudhani
8414681e60 support variable substitution in overlay mutation 2019-12-12 18:25:54 -08:00
shivkumar dudhani
10fc1b47ba Merge branch 'master' into v1.1.0 2019-12-12 16:54:42 -08:00
shivkumar dudhani
745727fd70 add missing files 2019-12-12 16:35:37 -08:00
shivkumar dudhani
a19785261d Merge branch '524_bug' into v1.1.0 2019-12-12 16:25:50 -08:00
shivkumar dudhani
b5de11fc0e refactor engine packages for validate & generate 2019-12-12 15:02:59 -08:00
shivkumar dudhani
507c43ddca update test 2019-12-12 10:55:10 -08:00
shivkumar dudhani
8b1e084691 update tests 2019-12-12 10:47:25 -08:00
shivkumar dudhani
7c9bc6fecf variable substitution 2019-12-12 10:19:45 -08:00
Shuting Zhao
2c783cfe02 rename namespacedpolicyviolation: update code 2019-12-11 16:09:05 -08:00
Shuting Zhao
a107ad7ac8 rename namespacedpolicyviolation: update codegen 2019-12-11 16:07:39 -08:00
shivkumar dudhani
4c55fe00bc Merge branch 'v1.1.0' into 524_bug 2019-12-11 11:21:31 -08:00
shivkumar dudhani
75eee39d7d remove fix for 535 2019-12-11 11:18:38 -08:00
shivkumar dudhani
ad54683f71 CR fixes 2019-12-11 11:15:13 -08:00
shuting
f06b19bb14
Merge pull request #525 from nirmata/421_test_webhook
421 test webhook
2019-12-11 11:13:37 -08:00
shivkumar dudhani
12edc56613 initial commit 2019-12-11 09:45:22 -08:00
shivkumar dudhani
4c2a16904c update tests 2019-12-10 09:15:50 -08:00
Shuting Zhao
8edb00d714 - skip processing mutate rule if condition is not met; - update debugging info 2019-12-09 19:28:34 -08:00
Shuting Zhao
b2ad71cc5e remove channel, introduced a flag to indicate the webhook creation status 2019-12-05 15:49:02 -08:00
Shuting Zhao
183f844029 - move resourcewebhookregister to webhookconfig 2019-12-05 13:51:02 -08:00
Shuting Zhao
1c1f47bbc5 correct error msg 2019-12-05 11:57:34 -08:00
Shuting Zhao
b99293018e add unit test 2019-12-05 11:55:00 -08:00
shivkumar dudhani
4f174779dc remove typed client ref 2019-12-05 11:52:13 -08:00
Shuting Zhao
55f243b55b add validation for a policy userInfo 2019-12-04 18:50:51 -08:00
Shivkumar Dudhani
ffe3bdb677
remove newline from engine response strings (#537)
* remove newline from engine response strings

* add scenario file updates

* cr: remove . in trailing msg string
2019-12-04 18:04:42 -08:00
shivkumar dudhani
a498c2c36d update msg 2019-12-04 17:28:47 -08:00
shivkumar dudhani
1642682aa2 528_add_webhook_defaults 2019-12-04 17:28:39 -08:00
Shuting Zhao
0f5cf40eda - holds resource webhook creation requests in a queue; - remove webhookinformer from policy controller and webhookregistrationclient 2019-12-04 12:31:27 -08:00
shivkumar dudhani
eed7115563 pv for resource with no names assigned 2019-12-03 17:15:50 -08:00
shivkumar dudhani
0f6f3c1e02 missing update 2019-12-02 17:29:41 -08:00
shivkumar dudhani
0ea1d9986a cleanup resource & policy 2019-12-02 17:15:47 -08:00
Shuting Zhao
51642cbcf3 skip processing mutate patches if condition tag is not present 2019-11-27 19:40:47 -08:00
Shuting Zhao
e743a4702c escape slash in annotation patch 2019-11-27 17:51:33 -08:00
Shuting Zhao
261560eafb mutate rule: do not ignore empty key in resource if overlay has nested anchor 2019-11-27 16:07:15 -08:00
shivkumar dudhani
e7607fae87 refactor cluster and policy violation cleanup 2019-11-27 11:23:29 -08:00
shivkumar dudhani
2476940ddf remove cluster and namespace PV controller 2019-11-26 18:21:09 -08:00
shivkumar dudhani
678b7416c1 refactor policy violation resource 2019-11-26 18:07:15 -08:00
Shuting Zhao
f6db1b9e87 create policy webhookcfgs after verifying webhook status 2019-11-25 18:22:05 -08:00
Shuting Zhao
a963843245 fix none namespace error 2019-11-25 18:14:04 -08:00
Shuting Zhao
f506789498 create resource mutating webhook after verifying webhook is active 2019-11-25 18:07:11 -08:00
Shuting Zhao
8b0fb4b801 remove VerifyMutatingWebhook during shutdown 2019-11-25 13:08:02 -08:00
Shivkumar Dudhani
990c32b6bd
fix test (#521) 2019-11-22 12:54:34 -08:00
Shivkumar Dudhani
734ef44b17
504 bug (#505)
* correct role/clusterrole kind

* remove namespace from resource spec

* namespace lister to filter on namespace

* CR fixes

* refactor

* add namespace field back to types
2019-11-22 12:23:50 -08:00
shuting
6f22f334da
Merge pull request #517 from nirmata/local_test
explicitly set resource version of policy violation when update
2019-11-19 10:26:38 -08:00
Shuting Zhao
50f53ac651 explicitly set resource version of policy violation when update 2019-11-18 18:04:57 -08:00
Shivkumar Dudhani
a81d5c9ae7
update event message (#515) 2019-11-18 17:13:48 -08:00
shivkumar dudhani
40b685c9db merge with v1.1.0 2019-11-18 11:48:36 -08:00
shivkumar dudhani
3df71f6fea Merge branch 'v1.1.0' into 507_bug 2019-11-18 11:44:17 -08:00
Shivkumar Dudhani
89c298b5f2
policy violation name format update (#502) 2019-11-18 11:42:00 -08:00
Shivkumar Dudhani
61b202c64a
420 init container (#501)
* init container to cleanup stale webhook configurations if any.

* remove test code

* use internal pkg for os signals

* move webhook cleanup before http.server shutdown.

* update make file and remove init

* update CI script
2019-11-18 11:41:37 -08:00
shivkumar dudhani
09cd524625 CR fixes 2019-11-18 11:12:36 -08:00
shivkumar dudhani
3c3931b67b wait for cache sync and cleanup 2019-11-15 15:59:37 -08:00
shivkumar dudhani
57e8e2a395 Revert "wait for cache to sync and cleanup"
This reverts commit 9c3b32b903.
2019-11-15 15:57:18 -08:00
shivkumar dudhani
cde9d9d3cd Revert "missing file"
This reverts commit cd43dba947.
2019-11-15 15:56:46 -08:00
shivkumar dudhani
cd43dba947 missing file 2019-11-15 15:53:34 -08:00
shivkumar dudhani
9c3b32b903 wait for cache to sync and cleanup 2019-11-15 15:53:22 -08:00
shivkumar dudhani
a315c22e2f refer informer cache in policy controller for mutatingwebhookconfigs 2019-11-15 14:01:40 -08:00
Shuting Zhao
8bf60a7fea correct role/clusterrole kind 2019-11-14 15:49:11 -08:00
Shuting Zhao
22162b28f2 handle namespaced/cluster violation cleanup separately 2019-11-14 13:06:56 -08:00
Shuting Zhao
c140f660f6 fix pv cleanup #496 2019-11-14 12:01:41 -08:00
Shivkumar Dudhani
e841a1b204
filter namespaces (#491)
* filter namespaces

* fix test
2019-11-13 19:08:00 -08:00
shuting
14697f9d06
Merge pull request #490 from nirmata/local_test
fix annotation patch in mutate rule
2019-11-13 19:02:17 -08:00
Shivkumar Dudhani
69d4cb0b27
remove v1alpha pkgs (#489) 2019-11-13 18:58:49 -08:00
Shuting Zhao
79a7bde4ab - fix test; - improve logging 2019-11-13 18:44:18 -08:00
Shuting Zhao
a1ce6e4297 fix annotation patch in mutate rule 2019-11-13 17:56:56 -08:00
Shuting Zhao
722c12f82c - return detailed error message; - set pv name with old pv when updating the pv 2019-11-13 15:49:53 -08:00
Shivkumar Dudhani
3ab0790342
use PolicyContext with engine.Generate (#483) 2019-11-13 15:46:43 -08:00
shuting
ded0183aa2
Merge pull request #478 from nirmata/472_update_apiversion
472 update apiversion
2019-11-13 15:19:27 -08:00
Shivkumar Dudhani
23ba517fef
add patched resource + correct register handlers (#482) 2019-11-13 15:16:46 -08:00
Shuting Zhao
eab9609c6a update api in tests 2019-11-13 13:56:07 -08:00
Shuting Zhao
b67577994a update apiversion to v1 in code 2019-11-13 13:41:08 -08:00
Shivkumar Dudhani
765a17df03
423 policy store (#471)
* fix log format

* update test
2019-11-13 13:21:00 -08:00
Shivkumar Dudhani
7a12e12cb5
skip validation if the resource updates don't violate policy rules (#477) 2019-11-13 13:13:07 -08:00
Shuting Zhao
670d665aed cleanup unused code 2019-11-13 13:01:08 -08:00
Shuting Zhao
9e0f39efcf remove GetOwners() 2019-11-13 12:34:55 -08:00
Shuting Zhao
81ac13cb05 lookup policies from policy store in webhook 2019-11-13 12:15:51 -08:00
Shuting Zhao
fc35a52ad8 Merge branch 'master' into 455_namespace_pv
# Conflicts:
#	definitions/install_debug.yaml
#	main.go
#	pkg/webhooks/mutation.go
#	pkg/webhooks/server.go
#	pkg/webhooks/validation.go
2019-11-13 11:46:46 -08:00
Shuting Zhao
e2af3852f9 fix comments 2019-11-13 10:37:57 -08:00
Shuting Zhao
3c2d98ef9f fix test 2019-11-13 10:21:33 -08:00
Shuting Zhao
e36ba36e9f - resolve comments - remove unused code 2019-11-13 10:17:03 -08:00
shivkumar dudhani
0d44229110 fix tests 2019-11-13 08:07:11 -08:00
Shuting Zhao
b5b3dae145 fix logging format 2019-11-13 00:47:37 -08:00
Shuting Zhao
71ad192ced fix test 2019-11-13 00:37:34 -08:00
Shuting Zhao
45dc0bd358 Merge commit 'da5c03f89df3007088b27fc84b08827170e16eda' into 345_support_usergroup_info
# Conflicts:
#	test/scenarios/samples/best_practices/add_safe_to_evict2.yaml
2019-11-13 00:31:07 -08:00
Shuting Zhao
fc2cf7659b Merge commit 'da5c03f89df3007088b27fc84b08827170e16eda' into 455_namespace_pv 2019-11-13 00:28:04 -08:00
Shuting Zhao
01b915de8d remove unused function 2019-11-13 00:27:44 -08:00
Shuting Zhao
196c7b36b0 update pv labels if it changes 2019-11-13 00:03:01 -08:00
Shuting Zhao
55b0bf0d3a add event handler for NamespacedPolicyViolation 2019-11-12 23:43:29 -08:00
Shuting Zhao
bdcb2eac6a claim namespaced policy violations 2019-11-12 23:19:38 -08:00
Jim Bugwadia
9d63cfc192 Merge branch 'master' into 452_make_sample_policy_rule_names_consistent 2019-11-12 23:16:01 -08:00
Shuting Zhao
37ad1249b2 - add dclient; - add retry getting resource before create pv 2019-11-12 20:19:20 -08:00
Shuting Zhao
7ca87b0ac6 Merge branch '455_namespace_pv' of https://github.com/nirmata/kyverno into 455_namespace_pv
# Conflicts:
#	pkg/policyviolation/generator.go
#	pkg/policyviolation/namespacedpv.go
#	pkg/webhooks/report.go
2019-11-12 19:18:34 -08:00
Shuting Zhao
cd6906c1c9 add namespace pv controller 2019-11-12 19:17:35 -08:00
Shuting Zhao
483db18711 create namespaced pv on resource owner 2019-11-12 19:16:11 -08:00
Shuting Zhao
5be2cea536 create namespace pv when validate policy fails 2019-11-12 19:15:20 -08:00
Shuting Zhao
b811bb269e rename policyviolation related package/function to clusterpolicyviolation 2019-11-12 19:12:36 -08:00
Shuting Zhao
1bfc8cfbb8 rebase with branch policy_store 2019-11-12 19:05:29 -08:00
Shuting Zhao
89e5e7fa54 integrate with pv generator 2019-11-12 19:05:29 -08:00
Shuting Zhao
c651d06041 create namespaced pv on resource owner 2019-11-12 19:02:31 -08:00
Shuting Zhao
3706822df7 update crd 2019-11-12 19:02:31 -08:00
Shuting Zhao
2893cc3f7d create namespace pv when validate policy fails 2019-11-12 19:02:31 -08:00
Shuting Zhao
e7ec93a5ba rename policyviolation related package/function to clusterpolicyviolation 2019-11-12 19:02:31 -08:00
Shuting Zhao
0badf761a8 add namespace cluster policyviolation crd 2019-11-12 19:02:31 -08:00
Shuting Zhao
dfd41774f0 add namespace pv controller 2019-11-12 19:01:48 -08:00
shivkumar dudhani
1049e3fe81 pass dynamic client 2019-11-12 18:25:50 -08:00
shivkumar dudhani
f0505189d4 add log levels 2019-11-12 17:01:08 -08:00
shivkumar dudhani
d8bf7fa284 clean up fixes 2019-11-12 16:49:05 -08:00
Shuting Zhao
4a85aaa9ad Merge branch '455_namespace_pv' of https://github.com/nirmata/kyverno into 455_namespace_pv 2019-11-12 16:20:17 -08:00
Shuting Zhao
944685d392 rebase with branch policy_store 2019-11-12 16:19:31 -08:00
Shuting Zhao
8b5ddb66e3 integrate with pv generator 2019-11-12 16:15:40 -08:00
Shuting Zhao
6a8e07d779 create namespaced pv on resource owner 2019-11-12 16:15:14 -08:00
Shuting Zhao
cde14c66b6 update crd 2019-11-12 16:14:47 -08:00
Shuting Zhao
162a9ee754 create namespace pv when validate policy fails 2019-11-12 16:14:47 -08:00
Shuting Zhao
7fa812dbc3 rename policyviolation related package/function to clusterpolicyviolation 2019-11-12 16:11:34 -08:00
Shuting Zhao
d675774278 add namespace cluster policyviolation crd 2019-11-12 16:04:14 -08:00
Shuting Zhao
799c417ae2 integrate with pv generator 2019-11-12 16:04:00 -08:00
shivkumar dudhani
f271af95cc use store to hold values and queue for keys 2019-11-12 16:01:09 -08:00
Shuting Zhao
778a246d28 Merge commit 'ccbb6e33a5599b8fbb9315f9a55e1ed1ef18bbb7' into 455_namespace_pv
# Conflicts:
#	main.go
#	pkg/namespace/report.go
#	pkg/policy/report.go
#	pkg/policyviolation/clusterpv.go
#	pkg/webhooks/validation.go
2019-11-12 15:11:58 -08:00
Shuting Zhao
d294c1fa94 create namespaced pv on resource owner 2019-11-12 14:58:38 -08:00
shivkumar dudhani
ccbb6e33a5 introduce policy violation generator 2019-11-12 14:41:29 -08:00
Shuting Zhao
a67306f106 update crd 2019-11-12 13:32:50 -08:00
Shuting Zhao
4734dba10f create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00
Shuting Zhao
14769936a2 rename policyviolation related package/function to clusterpolicyviolation 2019-11-12 11:22:06 -08:00
Shuting Zhao
1f2b71ace8 add namespace cluster policyviolation crd 2019-11-12 11:21:23 -08:00
Shuting Zhao
3dd9672a5d handle error properly 2019-11-12 10:05:10 -08:00
Shuting Zhao
2a14c1f5dc - add profiling; - fix CLI 2019-11-11 21:23:26 -08:00
Shuting Zhao
546a25d025 add missing file 2019-11-11 21:06:09 -08:00
Shuting Zhao
85d04f609c remove overlay failure conditionNotPresent as it allows the tag not present 2019-11-11 21:03:34 -08:00
Shuting Zhao
5a3ed62b13 Merge branch 'master' into 345_support_usergroup_info
# Conflicts:
#	pkg/engine/validation_test.go
#	pkg/webhooks/annotations.go
#	pkg/webhooks/annotations_test.go
#	pkg/webhooks/mutation.go
#	pkg/webhooks/server.go
#	pkg/webhooks/validation.go
2019-11-11 19:19:08 -08:00
Shuting Zhao
d26029d3be fix unit test 2019-11-11 19:08:46 -08:00
Shuting Zhao
6c8f4f90da fix patches annotation 2019-11-11 18:52:26 -08:00
Jim Bugwadia
8348c5761c fix tests 2019-11-11 18:51:21 -08:00
Jim Bugwadia
87be5ca4b8 update policies and test cases 2019-11-11 17:55:54 -08:00
Jim Bugwadia
3ffb0cfa39 add disallow_sysctl and move policies 2019-11-11 17:17:09 -08:00
Shuting Zhao
02fd1227be reverse listResource interface 2019-11-11 16:10:55 -08:00
Shuting Zhao
586b197b00 use sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00
Shuting Zhao
03e85c2266 make getRoleRef a separate package 2019-11-11 14:52:09 -08:00
Shuting Zhao
4a80f70957 add unit test 2019-11-11 14:29:36 -08:00
Jim Bugwadia
05503e4fd1 update other policies 2019-11-11 14:09:07 -08:00
shivkumar dudhani
f788f0e526 introduce policy store 2019-11-11 11:10:25 -08:00
Shuting Zhao
5b0a6d62a4 add unit test 2019-11-11 09:56:53 -08:00
Jim Bugwadia
dd4d091c23 update restrict_automount_sa_token 2019-11-10 21:57:20 -08:00
Jim Bugwadia
5e8b6c4183 update add_networkPolicy 2019-11-10 21:27:50 -08:00
Jim Bugwadia
244909ebb3 update require_probes 2019-11-10 21:18:17 -08:00
Jim Bugwadia
c1be682a93 update require_pod_requests_limits 2019-11-10 21:06:49 -08:00
Jim Bugwadia
f668113904 update add_ns_quota 2019-11-10 20:58:57 -08:00
Jim Bugwadia
a6d5fb6e30 update restrict_image_registries 2019-11-10 18:13:01 -08:00
Jim Bugwadia
f31abbffab update disallow_latest_tag 2019-11-10 17:54:38 -08:00
Jim Bugwadia
7f54e8e2e3 Merge branch '451_fix_disallow_host_net_port' into 452_make_sample_policy_rule_names_consistent
# Conflicts:
#	samples/best_practices/disallow_host_network_hostport.yaml
#	test/scenarios/samples/best_practices/disallow_host_network_port.yaml
2019-11-10 17:35:43 -08:00
Jim Bugwadia
20736e5e81 update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc 2019-11-10 15:50:18 -08:00
shivkumar dudhani
f11a05a652 create event on webhook status update 2019-11-10 13:30:15 -08:00
Jim Bugwadia
170e2a5179 update disallow_docker_sock_mount and disallow_host_network_port 2019-11-10 12:53:48 -08:00
Jim Bugwadia
fd1a26db29 update DisallowBindMounts 2019-11-09 16:33:19 -08:00
Jim Bugwadia
fae8ac0325 update RequireReadOnlyRootFS 2019-11-09 16:18:33 -08:00
Jim Bugwadia
121b81a83b update disallow new capabilities 2019-11-09 16:07:16 -08:00
Shivkumar Dudhani
1613434c46
458 cleanup (#464)
* cleanup of policy violation on policy spec changes + refactoring

* remove unused code

* remove duplicate types

* cleanup references

* fix info log and clean code

* code clean

* remove dead code
2019-11-08 20:45:26 -08:00
Jim Bugwadia
cba79c69a2 update disallow_priviledged 2019-11-08 20:04:42 -08:00
Jim Bugwadia
5ce8fd7a9a update disallow_root_user 2019-11-08 19:25:43 -08:00
Jim Bugwadia
6baa678e27 rename add_safe_to_evict 2019-11-08 19:02:49 -08:00
Shuting Zhao
981b378c86 match rbac info when processing a rule 2019-11-08 18:58:09 -08:00
Shuting Zhao
6048d59949 change engine interface to take policyContext struct 2019-11-08 18:57:27 -08:00
Shuting Zhao
0e9a952d64 get rbac info for an admission request 2019-11-08 18:56:24 -08:00
Shuting Zhao
3f59b4cf10 change client.ListResource to take listOptions 2019-11-08 18:54:43 -08:00
Shuting Zhao
a7e55ed25e update types for match/exclude 2019-11-08 18:53:29 -08:00
Shivkumar Dudhani
687c0c6470
Merge pull request #418 from nirmata/391_feature
Check if mutating webhook admission control is enabled
2019-11-08 12:55:28 -08:00
Shuting Zhao
ec331b8d17 remove resource info in the validation error 2019-11-07 12:30:58 -08:00
Shuting Zhao
a30b8a604d update format 2019-11-07 12:13:35 -08:00
Shuting Zhao
443619757e update tests/scenario 2019-11-07 12:13:35 -08:00
Shuting Zhao
15895d3852 - aggregate resource info per rule; - remove resource info in each success message; 2019-11-07 12:13:35 -08:00
Shuting Zhao
2dec70cc72 make expected message optional in scenario file 2019-11-07 12:13:34 -08:00
Shuting Zhao
98fa90bf1e update validation_test.go 2019-11-07 12:13:34 -08:00
Shuting Zhao
58054ef5b6 remove duplicate test 2019-11-07 12:13:34 -08:00
Shuting Zhao
de9ebd899b improve validation error message; update scenario files 2019-11-07 12:13:34 -08:00
Shuting Zhao
e3c9282e6a fix edit failure blocked by annotation change
- as we change the patches key in annotation to "policies.kyverno.io/patches" in commit bdb3f40f15
2019-11-07 12:13:34 -08:00
Shuting Zhao
caf7abfecc Get policy list once in handleAdmissionRequest 2019-11-07 12:13:16 -08:00
Shuting Zhao
38f1f3bbb9 Merge branch '414_mutate_safe-to-evict_emptydir' into 413_known_ingress 2019-11-06 17:58:09 -08:00
Shuting Zhao
8496a483dc - remove resource info per rule; - add resource info in each failed admission request 2019-11-06 17:14:32 -08:00
Shuting Zhao
4daa23f530 add missing file 2019-11-06 16:40:24 -08:00
Shuting Zhao
b32c6bf50b remove unused code 2019-11-06 16:16:50 -08:00
Shuting Zhao
d31ace604e fix test 2019-11-06 16:16:38 -08:00
Shuting Zhao
a7aec886b4 handle processOverlay with overlayError 2019-11-06 16:16:29 -08:00
Jim Bugwadia
1173e062c9 - add policy and test for known ingress
- fix messages and remove unnecessary comments in testrunner/scenario.go
2019-11-05 19:07:44 -08:00
Shuting Zhao
d0391ecab3 make the err "resource field is not present" a constant 2019-11-05 16:36:15 -08:00
Shuting Zhao
9f7b6eaaf6 skip applying mutate rule if condition key is not present in the resource, consider the rule as success 2019-11-05 16:27:06 -08:00
Jim Bugwadia
cab87f24ba add test case 2019-11-05 15:32:45 -08:00
Shuting Zhao
664a85363a correct scenario test 2019-11-05 12:59:22 -08:00
Jim Bugwadia
5ded29f74e temp update for debugging 2019-11-05 12:28:44 -08:00
Shuting Zhao
662f649926 add comment to the code 2019-11-05 11:04:43 -08:00
Shuting Zhao
4195f45a42 add missing scenario test 2019-11-05 10:19:42 -08:00
Shuting Zhao
489e55d6c3 add best_practices scenario_mutate_safe-to-evict 2019-11-05 10:16:07 -08:00
Shuting Zhao
764d0fede2 Merge commit '35bed4bc6aef6622b89f0fc4dee9a175aa9768ff' into 158_array_validation 2019-11-05 09:50:32 -08:00
Shuting Zhao
3fbb9f8a35 Merge commit 'cfbd2120938b8a7f81f4a9c325fa3f6e816d2bf1' into 158_array_validation 2019-11-05 09:43:28 -08:00
Shuting Zhao
d9335a5f8c add warning message; remove existence anchor check in mutation 2019-11-04 19:23:48 -08:00
Shivkumar Dudhani
cfbd212093
Merge pull request #427 from nirmata/375_handle_json_numbers_resubmit
375 handle json numbers resubmit
2019-11-04 18:05:24 -08:00
Jim Bugwadia
35bed4bc6a add safe-to-evict annotation 2019-11-04 17:55:13 -08:00
Jim Bugwadia
41afefbe8e add disallow Helm tiller 2019-11-03 18:19:06 -08:00
Jim Bugwadia
3b1143c934
Merge pull request #436 from nirmata/411_no_docker_sock_mount
411 no docker sock mount
2019-11-01 15:38:40 -07:00
shivkumar dudhani
a191bd67f4 update message string 2019-11-01 15:21:23 -07:00
Jim Bugwadia
1323a9a81e add policy and test case 2019-11-01 15:19:26 -07:00
Jim Bugwadia
440c23f231 add test case (currently fails) 2019-11-01 11:40:23 -07:00
Shuting Zhao
86c00a8f30 return failure path for mutate condition check 2019-11-01 11:14:58 -07:00
Shuting Zhao
ef8bf695b1 mutate: support anchor on map/array 2019-10-31 20:38:24 -07:00
shivkumar dudhani
7e7286a9c1 support string - numbers comparison, use validatepattern in generate for subset check 2019-10-31 13:29:03 -07:00
Shivkumar Dudhani
92c96aaf1f
Revert "use validatepattern in generate rule to check for subset existence" 2019-10-31 13:21:38 -07:00
shivkumar dudhani
61c1ea5a49 use validatepattern in generate rule to check for subset existence 2019-10-31 13:04:56 -07:00
shivkumar dudhani
697f927b50 fix log 2019-10-30 14:09:37 -07:00
shivkumar dudhani
e022084dd0 add checker to verify if mutatingwebhook is enabled or not + refactoring 2019-10-30 13:39:19 -07:00
shivkumar dudhani
c7787eff8d Merge branch 'master' of github.com:nirmata/kyverno into 391_feature 2019-10-29 12:01:15 -07:00
shivkumar dudhani
ba94577d40 updates 2019-10-29 11:51:30 -07:00
shivkumar dudhani
6b97b5be3d merge master 2019-10-29 11:04:10 -07:00
shivkumar dudhani
a287067315 add backward support for command line arguments for filtering resources 2019-10-29 10:56:28 -07:00
shuting
fd90b25755
Revert "261 dynamic config" 2019-10-28 18:37:41 -07:00
shivkumar dudhani
4b19dd0715 Merge branch '261_dynamic_config' of github.com:nirmata/kyverno into 261_dynamic_config 2019-10-28 15:24:13 -05:00
shivkumar dudhani
a1d7f984db remove comments 2019-10-28 15:23:52 -05:00
Shivkumar Dudhani
158a499feb
Merge branch 'master' into 261_dynamic_config 2019-10-28 15:06:37 -05:00
Shuting Zhao
8047ed68d3 remove required mark for managedresource "kind" 2019-10-28 11:44:48 -07:00
Shivkumar Dudhani
22e7ab1c49
Merge branch 'master' into 261_dynamic_config 2019-10-25 19:17:15 -05:00
shivkumar dudhani
c119f0d34b split sync cache 2019-10-25 18:49:26 -05:00
shivkumar dudhani
56adc98b8c initial commit 2019-10-25 16:55:48 -05:00
Shuting Zhao
3a3efe00f1 - rename to managedResource; - refact code structure 2019-10-24 15:50:11 -07:00
Shuting Zhao
3c75a89489 Merge branch '387_pv_enforce' of https://github.com/nirmata/kyverno into 387_pv_enforce
# Conflicts:
#	pkg/policyviolation/helpers.go
2019-10-23 23:25:19 -07:00
Shuting Zhao
6e69c8b69b cleanup pv with dependant when blocked admission request passes 2019-10-23 23:18:58 -07:00
Shuting Zhao
1db901cca6 add comment 2019-10-23 09:58:42 -07:00
Shuting Zhao
e4791e5828 remove unused code 2019-10-21 15:55:20 -07:00
Shuting Zhao
f820cb4c83 implement #387 Generate clusterpolicyviolation when policy action set to "enforce" 2019-10-21 15:55:20 -07:00
shivkumar dudhani
3fa8834b4a policy validation: refactoring 2019-10-21 14:22:31 -07:00
Shuting Zhao
68c87a09ec add unit test for negationanchor on mutation 2019-10-18 18:17:11 -07:00
Shuting Zhao
2e1b731e35 fix test error 2019-10-18 17:50:26 -07:00
Shuting Zhao
32f94bca27 manage policy validation inside engine pkg 2019-10-18 17:45:24 -07:00
shivkumar dudhani
64eab3d1d6 initial commit 2019-10-18 17:38:46 -07:00
Shuting Zhao
7239b4d9b7 Merge commit '37c25daa17ad046f739e74d803cb78d887805bb4' into 346_validate_policy
# Conflicts:
#	pkg/api/kyverno/v1alpha1/utils.go
2019-10-18 10:09:44 -07:00
Shuting Zhao
01dae46580 remove unused code 2019-10-16 10:33:28 -07:00
Shuting Zhao
2ff6eb6e78 implement #387 Generate clusterpolicyviolation when policy action set to "enforce" 2019-10-15 20:56:41 -07:00
shuting
81f202752c
Merge pull request #379 from nirmata/337_policy_description
337 policy description
2019-10-15 14:34:14 -07:00
shuting
3232fadbe5
Merge pull request #389 from nirmata/388_bug
delete PV if the P it refers to is stale
2019-10-15 12:27:40 -07:00
Shuting Zhao
c6d5ec7575 Merge commit '82647670a54ead965c8cb964f3063409d0826070' into 337_policy_description
# Conflicts:
#	pkg/testrunner/testrunner_test.go
#	samples/README.md
#	samples/best_practices/policy_validate_deny_runasrootuser.yaml
#	test/scenarios/samples/best_practices/scenario_validate_nonRootUser.yaml
2019-10-15 12:27:22 -07:00
shivkumar dudhani
5d228d9586 fix error param 2019-10-15 11:30:06 -07:00
shivkumar dudhani
1a7b92f001 delete PV if the P it refers to is stale 2019-10-15 11:07:22 -07:00
shivkumar dudhani
9b9f6686cb remove comments 2019-10-14 14:17:16 -07:00
Shuting Zhao
a384c263f4 remove duplicate test scenario 2019-10-14 14:14:18 -07:00
shivkumar dudhani
4e5f551fa7 clean up 2019-10-14 14:10:34 -07:00
Shuting Zhao
75806146c6 Merge branch 'best_practice_policies' into 337_policy_description
# Conflicts:
#	samples/README.md
2019-10-14 13:21:10 -07:00
shivkumar dudhani
530ac6962c initial clean up 2019-10-14 12:36:19 -07:00
Shuting Zhao
bdb3f40f15 rename mutate annotation to "policies.kyverno.io/patches" 2019-10-11 17:59:50 -07:00
Shuting Zhao
eb8bd71ac2 add test scenario - missing image tag 2019-10-10 19:13:04 -07:00
Shuting Zhao
38bf4d6055 add 'deny-use-of-host-fs' 2019-10-10 18:42:54 -07:00
Shuting Zhao
17f7eb6213 Merge branch 'master' into best_practice_policies 2019-10-10 18:15:55 -07:00
shivkumar dudhani
fd72ee3178 add unit tests 2019-10-10 17:34:20 -07:00
shivkumar dudhani
f6367cfe4a add negation anchor 2019-10-10 16:59:08 -07:00
Shuting Zhao
300665b22b Merge branch 'best_practice_policies' of https://github.com/nirmata/kyverno into best_practice_policies 2019-10-10 12:30:14 -07:00
Shuting Zhao
24f3b8ac96 disallow automountServiceAccountToken 2019-10-10 12:29:48 -07:00
shivkumar dudhani
dbc35eb8f4 enable disabled tests 2019-10-10 12:22:07 -07:00
Shuting Zhao
7fcc6bbd33 require default namespace resource quota 2019-10-10 10:46:11 -07:00
Shuting Zhao
3087257b46 disallow use of default namespace 2019-10-10 10:34:49 -07:00
Shuting Zhao
012360ae3a allow trusted registries 2019-10-10 10:29:10 -07:00
Shuting Zhao
4d29b461ff add require_image_tag_not_latest.yaml 2019-10-09 18:35:07 -07:00
Shuting Zhao
b5475fda5d comment out failed testscenarios 2019-10-09 18:31:09 -07:00
Shuting Zhao
3e1ef320a8 add require_probes.yaml 2019-10-09 17:49:00 -07:00
Shuting Zhao
ea25ed8460 add check-pod-request-limit.yaml 2019-10-09 17:37:31 -07:00
Shuting Zhao
18c190447f update require-readonly-rootfilesystem.yaml 2019-10-08 22:09:58 -07:00
Shuting Zhao
cb44585d70 add disallow_readonly_rootfilesystem.yaml 2019-10-08 22:05:15 -07:00
Shuting Zhao
c755df6b70 add scenario_validate_disallow_hostpid_hostipc.yaml 2019-10-08 21:58:05 -07:00
Shuting Zhao
ce41e4a99d add disallow_host_network_hostport.yaml 2019-10-08 21:51:35 -07:00
Shuting Zhao
0c0a9a69a6 add disallow_priviledged_privelegesecalation.yaml 2019-10-08 21:42:49 -07:00
Shuting Zhao
137d596e11 rename EngineResponseNew to EngineResponse accordingly 2019-10-08 16:23:24 -07:00
shuting
5c38c28904
Merge pull request #369 from nirmata/368_bug
update engineResponse Name
2019-10-08 16:02:07 -07:00
Shivkumar Dudhani
d973e84084
Merge pull request #366 from nirmata/best_practice_policies
Add best practice policies
2019-10-08 15:51:19 -07:00
Shuting Zhao
d7080c2d94 fix pr comment 2019-10-08 14:21:47 -07:00
shivkumar dudhani
70ff2fa177 update engineResponse Name 2019-10-08 10:57:24 -07:00
Shuting Zhao
2077409c85 fix 365 annotation_bug 2019-10-07 18:31:14 -07:00
Shuting Zhao
cac41d9fda using anyPattern for allowed image registries 2019-10-07 14:34:32 -07:00
Shuting Zhao
87d9cdd9dd best practice: volume white list 2019-10-07 12:46:34 -07:00
Shuting Zhao
16a851cd8b update sysctl 2019-10-07 11:35:04 -07:00
Shuting Zhao
c80f9e0f9d best_practice: sysctl 2019-10-07 11:21:14 -07:00
Shuting Zhao
2243e9e2e7 best practice: validate container capability 2019-10-04 18:15:39 -07:00
Shuting Zhao
0c09ba53eb best-practice: validate default proc mount 2019-10-04 17:48:57 -07:00
Shuting Zhao
1bd8663e4c add selinux best practice 2019-10-04 17:28:42 -07:00
Shuting Zhao
04c147eb77 add security context "fsgroup" 2019-10-04 16:50:23 -07:00
Shuting Zhao
57456e5f06 improve code 2019-10-03 18:19:47 -07:00
Shuting Zhao
ae393f567d make validation checks on different block internally 2019-10-03 17:53:46 -07:00
Shuting Zhao
e20d86f45c remove duplicate code: hasMutate.. 2019-10-03 17:00:05 -07:00
Shuting Zhao
c56c5c365d Provide more details to policy validation errors 2019-10-03 16:49:41 -07:00
Shuting Zhao
572418795a add validate checks for generate 2019-10-03 14:47:50 -07:00
Shuting Zhao
9d0b4c7d30 validate anchor in mutate and validate rule 2019-10-03 12:52:58 -07:00
shivkumar dudhani
c4e263564f CR: uncomment deadcode 2019-10-01 16:59:26 -07:00
shivkumar dudhani
7782c776f1 merge with master 2019-10-01 16:28:54 -07:00
Shivkumar Dudhani
e02d334dfc
Merge pull request #358 from nirmata/346_validate_policy
346 validate policy
2019-10-01 16:25:09 -07:00
Shuting Zhao
3ee2d57694 ignore kinds check on exclude resource description 2019-10-01 15:01:24 -07:00
shivkumar dudhani
515a31199e update equality operator 2019-10-01 13:08:34 -07:00
Shuting Zhao
a620c14c58 fix PR comment 2019-10-01 12:41:10 -07:00
shivkumar dudhani
17d80a08c0 introduce equality anchor 2019-10-01 12:35:14 -07:00
Shuting Zhao
8b174235df add unit tests 2019-10-01 11:50:10 -07:00
shivkumar dudhani
c3a2256c1c process policy in namespaces 2019-09-28 15:39:06 -07:00
shivkumar dudhani
56b2d2990b clean up 2019-09-28 14:20:39 -07:00
shivkumar dudhani
808cccb421 update validation logic 2019-09-28 14:09:46 -07:00
Shuting Zhao
28bb9c80b4 validate existing anchor of validate rule 2019-09-27 19:03:55 -07:00
Shuting Zhao
a72a73b8a9 fix warning 2019-09-27 16:35:09 -07:00
Shuting Zhao
8a7250ffef refactor policy validation, moved to pkg/api/kyverno 2019-09-27 16:31:27 -07:00
Shuting Zhao
76ad9406b1 only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00
shivkumar dudhani
ae3059b858 unit test initial check 2019-09-26 11:00:30 -07:00
shivkumar dudhani
087efffd96 support existence on list type 2019-09-25 21:01:45 -07:00
shivkumar dudhani
974fff169a support evaluation of nested values 2019-09-25 16:06:37 -07:00
shivkumar dudhani
c65f12b97b initial commit 2019-09-25 15:12:33 -07:00
Shuting Zhao
5e0415911a add best-practice: policy_validate_disallow_default_serviceaccount 2019-09-16 14:16:54 -07:00
shuting
3d02f81434
Merge pull request #351 from nirmata/348_feature_wildcardsNamespaces
support wild cards for namespaces in rule resource description
2019-09-12 23:06:51 -07:00
shivkumar dudhani
44af35d6e4 support wild cards for namespaces in rule resource description 2019-09-12 17:11:55 -07:00
shivkumar dudhani
5dab189743 fix event resource name + add filtered kinds to policy controller & namespace + fix messages 2019-09-12 15:04:35 -07:00