* Update kyverno-policies chart with latest pod-security policies
Fixes#3063Fixes#2277
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README to have better example
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use chart testing during e2e to test against ci values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix e2e tests for Helm chart
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix Kyverno chart testing to actually test values, and fix networkpolicy template
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README for exclusion
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Allow adding 'other' policies via Helm
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update Chart.yaml for kyverno-policies
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Bump minimum Kubernetes version in charts
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update kyverno-policies chart readme
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases (part 2)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use same logic to get git tag by using Makefile target for updating Helm values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
* - update dev images tag; - update chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update to use dev tag when setting up e2e tests infra
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* default chart test image tag for busybox to latest
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* set image tag to latest for chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* correct tag
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove test tag in e2e.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Enable cloud provider registry keychains
It's desirable that Kyverno supports using workload identity and other
cloud provider metadata services for registry credentials.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Always initialize registry keychain
This supports using docker configuration on disk and credentials from
cloud providers without having to specify image pull secrets.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Get pull secrets from kyverno service account
It was previously using 'default'. I think it makes more sense to use
the service account that Kyverno actually runs with.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't split empty pull secrets list
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Add KYVERNO_SVC_ACCOUNT to config manifests
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't retrieve secrets from service account
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Reduce scope of keychain changes
Just enable cloud provider keychains.
Signed-off-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* initial commit
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* adding docker-buildx-builder to makefile
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* reverting git describe in makefile
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* uploading sbom for each kyverno image
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* small nits
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* scanning image before pushing and removed cosign.pub
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* update roles and rolebindings
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert label and fix perms
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* restrict role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix whitespace
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests and roles
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove ingress extensions/v1beta1
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix chart
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* tighten and clarify Kyverno roles and permissions
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fake commit to trigger workflows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert tests and update test role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add newlines
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove invalid param
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* cleanup roles in Helm templates
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove `mutate` cluster role binding
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Added test-e2e-local in the Makefile
* Added a proper Indentation
* Added 3 more fields
* Added getPolicyResourceFullPath function
* Updating the patchedResource path to full path
* Converts Namespaced policy to ClusterPolicy
* Added GetPatchedResourceFromPath function
* Added GetPatchedResource function
* Checks for namespaced-policy from policy name provided bu user
* Generalizing resultKey for both validate and mutate. Also added kind field to this key
* Added Type field to PolicySpec
* To handle mutate case when resource and patchedResource are equal
* fetch patchResource from path provided by user and compare it with engine patchedResource
* generating result by comparing patchedResource
* Added kind to resultKey
* Handles namespaced policy results
* Skip is required
* Added []*response.EngineResponse return type in ApplyPolicyOnResource function
* namespaced policy only surpasses resources having same namespace as policy
* apply command will print the patchedResource whereas test will not
* passing engineResponse instead of validateEngineResponse because it supports results for both validate and mutate case
* default namespace will printed in the output table if no namespace is being provided by the user
* Added e2e test for mutate policy and also examples for both type of policies
* Created a separate function to get resultKey
* Changes in the resultKey for validate case
* Added help description for test command in the cli
* fixes code for more test cases
* fixes code to support more cases and also added resources for e2e-test
* some small changes like adding brackets, clubbing 2 if cond into one, changing variable name, etc.
* Rearrange GetPatchedResourceFromPath function to get rid from repetion of same thing twice.
* Added kind in the result section of test.yaml for all test-cases
* engineResponse will handle different types of response
* GetPatchedResource() uses GetResource function to fetch patched resource
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
- Remove dead newName specification
- Un-hardcode namespace from resources
- Create 'bundle' kustomization that keeps namespace hardcoding
This should be used (as a base) to generate static manifests
- Turn 'release' directory into kustomization that is only place with version numbers
Signed-off-by: James Callahan <jamescallahan@bitgo.com>
* Make Kyverno CRDs a seperate Helm chart capable of being updated/deleted
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Make E2E tests work with new chart
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Seems Helm lint needs values.yaml
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Can't use ct install for the CRDs because will end up getting uninstalled after test
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Ensure helm release accounts for new CRD chart
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update CRD chart versions
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Make CRD chart version match main kyverno chart version
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Bump chart versions
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* add image verification
* inline policy list
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* cosign version and dependencies updates
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add registry initialization
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add build tag to exclude k8schain for cloud providers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add build tag to exclude k8schain for cloud providers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* generate deep copy and other fixtures
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix deep copy issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* mutate images to add digest
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add certificates to Kyverno container for HTTPS lookups
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align flag syntax
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update docs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update dependencies
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update dependencies
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* patch image with digest and fix checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* hardcode image for demos
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add default registry (docker.io) before calling reference.Parse
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix definition
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* increase webhook timeout
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix args
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* run gofmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* rename for clarity
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix HasImageVerify check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter error
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle API conflict and retry
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix reviewdog issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix make for unit tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* improve error message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix durations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle errors in tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* print policy name
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add retries and duration to error log
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix time check in tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* round creation times in test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix retry loop
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove timing check for policy creation
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix e2e error - policy not found
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update string comparison method
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix test Generate_Namespace_Label_Actions
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add debug info for e2e tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix error
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix generate bug
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add check for update operations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* increase time for deleteing a resource
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Shuting Zhao <shutting06@gmail.com>
* Improved testing to allow 'skip' status and fail if tested results do not exist
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Ensure exit 0 is seen as failure when should be failure
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* added: make auto-generate target to sync the auto-generated code by kubebuilder
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
* synced: all the auto-generable files with kubebuilder's controller-gen
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
* Adding multi arch support
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding multi arch support
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* minor refactors
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* adding buildx action in e2e.yaml
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding kyvernopre
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding kyvernopre
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding amd build
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding go env
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* minor fix
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* removing docker tag
Signed-off-by: Raj Das <mail.rajdas@gmail.com>
* Adding local dockerfile build command
Signed-off-by: rajdas98 <mail.rajdas@gmail.com>
* Dockerfile refactored
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Adding non-root commands to docker images and enhanced the dockerfiles
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing base image to scratch
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Minor typo fix
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing dockerfiles to use /etc/passwd to use non-root user'
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* added api templates
* E2E test for generate roles, rolebindings, clusterrole and clusterrolebindings
* table driven e2e tests
* table driven e2e tests and go fmt
* removed unwanted vars
* increased sleep time
* removed role generation clone
* increated sleep time
* added rolebinding clone and retry mechanism for get resources
* modified test for clone
* added namespace to role
* added namespace variable
* added git actions job
* changed build name
* removed docker login
* added role verbs
* removed github actions job and rbac file
* added clusterrole test with clone
* fixed travis issue
* - support wildcards for namespaces
* do not annotate resource, unless policy is an autogen policy
* close HTTP body
* improve messages
* remove policy store
Policy store was not fully implemented and simply provided a way
to list all polices and get a policy by name, which can be done via
standard client-go interfaces.
We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.
* handle wildcard namespaces in background processing
* fix unit tests 1) remove platform dependent path usage 2) remove policy store
* add test case for mutate with wildcard namespaces
* init container to cleanup stale webhook configurations if any.
* remove test code
* use internal pkg for os signals
* move webhook cleanup before http.server shutown.
* update make file and remove init
* update CI script
