kyverno

mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00

Author	SHA1	Message	Date
shuting	ae4ff4f6b9	Fix dynamic webhook for namespace policies (#3044 ) * fix dynamic webhook for namespace policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * improve policy listing to reduce duplicate processing Signed-off-by: ShutingZhao <shuting@nirmata.com> * update logger Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-01-22 07:55:14 +00:00
Prateek Pandey	c30dfe70a5	fix deployment replica type conversion and refactor webhook logs (#3022 ) - add level in info webhook configuration update success logs - fix deployment replica count conversion issue Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>	2022-01-19 17:14:33 +00:00
Kumar Mallikarjuna	e39489f838	SharedInformers for WebhookConfigurations (#3007 ) * SharedInformers for WebhookConfigurations Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Add GVK to typed resources Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Remove ToUnstructured() Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Remove default informers from Resource Cache Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Formatted files Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>	2022-01-19 15:57:32 +00:00
Abhinav Sinha	b5341b685d	Support `namespaceSelector` with dynamic webhook enabled (#2953 ) * Support `namespaceSelector` with dynamic webhook enabled Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Implemented suggested changes Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Implemented suggest changes Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com>	2022-01-19 07:59:08 +00:00
shuting	cde1d0f2b2	clean up managed resources when cannot find kyverno deployment (#3018 ) Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>	2022-01-18 16:45:24 +00:00
Kumar Mallikarjuna	771d62b735	Added Kyverno specific SharedInformerFactory (#2987 ) * Added Kyverno specific SharedInformerFactory Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Replace ToUnstructured() Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Add GVK to returned resource Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com>	2022-01-18 15:52:48 +00:00
Abhinav Sinha	7ceba594b2	Corrected the value of `INIT_CONFIG` env in deployment (#2927 ) Signed-off-by: Abhinav Sinha <zeborg3@gmail.com> Co-authored-by: shuting <shutting06@gmail.com>	2022-01-07 10:52:34 +00:00
Kumar Mallikarjuna	214f338ec3	Fix TLS inconsitency in HA (#2910 ) * Fix TLS inconsitency in HA Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Add error checks Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Remove rendundant err definitions Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Handle all Secret errors Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>	2022-01-06 09:11:16 +00:00
shuting	df105ff596	Improve endpoint check (#2902 ) * improve endpoint checks Signed-off-by: ShutingZhao <shuting@nirmata.com> * update make target for the local build Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove debug log Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-01-05 07:47:42 +00:00
Kumar Mallikarjuna	3f61e2dd3a	Added report generation for verifyImage rules (#2782 ) * Add report generation for verifyImage rules Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Add flag comment Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Mutation: handleDelete() Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Remove redundant delete Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Test validation failure Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Validation force rules test Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Default validation behaviour Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Manual rules Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Update Config Manager Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Move Delete check Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>	2022-01-05 07:07:44 +00:00
Prateek Pandey	f6e40b5dd1	feat(validation): support for ephemeral containers (#2875 ) Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>	2021-12-28 14:22:52 +00:00
Vyankatesh Kudtarkar	39a299f317	Update labels to fetch cluster role (#2842 )	2021-12-16 07:55:58 +00:00
Vyankatesh Kudtarkar	b7767d79d3	change cluster role labels (#2776 ) * change cluster role labels * change cluster role label value * fix cluster role label issue * fix comment	2021-12-02 15:52:34 +05:30
Steven E. Harris	f90b982903	Allow use of "pods/binding" subresource (#2721 ) For cases where a policy matches the "Bindings" kind in the "core/v1" API group and version, adjust the pertinent Webhook configuration rule to use the "pods/binding" subresource. Doing so allows observing and reacting to the Kubernetes scheduler (and its "extenders") assigning pods to nodes, before any other system actors observe that assignment. This is an opportune moment in between the pod' creation and a kubelet starting it running. Signed-off-by: Steven E. Harris <seh@panix.com>	2021-11-16 22:26:22 +01:00
Vyankatesh Kudtarkar	fa95132806	Fix: Hard-coded ClusterRoleName in OwnerRef breaks (#2718 ) * fix hardcoded clusterrole name * Fix label	2021-11-16 19:32:42 +08:00
Danny__Wei	84c44c0827	obtain webhook config name dynamically (#2698 )	2021-11-08 20:09:19 -08:00
Pooja Singh	0e8341166d	ignoring generate kinds from mutate webhook (#2656 ) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>	2021-11-06 23:06:00 +05:30
Vyankatesh Kudtarkar	6eb7cf57f7	bug fix : Kyverno policies block uninstall of Kyverno (#2659 ) * bug fix uninstall kyverno issue * rename the methods	2021-11-02 23:44:32 -07:00
Jose Armesto	831a9826d1	Restructure project to follow standards (#2632 ) Signed-off-by: Jose Armesto <github@armesto.net>	2021-10-29 18:13:20 +02:00
Marcus Noble	1966c82c6d	Fix various go lint issues (#2639 ) * Fix various go lint issues Signed-off-by: Marcus Noble <github@marcusnoble.co.uk> * Fix if mistake Signed-off-by: Marcus Noble <github@marcusnoble.co.uk> * Simplified returns Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>	2021-10-29 17:06:03 +02:00
Jamie	caf2180dca	fix: found a handful other magic strings that needed some webhook love (#2546 ) Signed-off-by: Random J Developer <interns@coreweave.com> Signed-off-by: Jamie Roberts <jroberts@coreweave.com>	2021-10-15 09:54:07 -07:00
ShutingZhao	28183be24f	fix webhook update for PodExecOptions Signed-off-by: ShutingZhao <shutting06@gmail.com>	2021-10-14 13:22:07 -07:00
Bricktop	ab8822963b	Add exclusions to make gosec happy (#2540 ) * Add exclusions to make gosec happy Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de> * Add forgotten file Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>	2021-10-13 15:05:13 -07:00
Sachin	a42e944c22	fix Potential file inclusion via variable (#2523 ) Signed-off-by: slayer321 <sachin.maurya7666@gmail.com>	2021-10-13 10:48:45 -07:00
shuting	9dc2c2b4bf	Bugfixes - handle verifyImage rules for webhooks configurations (#2501 ) * dynamic webhooks for verifyImages rule Signed-off-by: ShutingZhao <shutting06@gmail.com> * add namespace env to the initContainer Signed-off-by: ShutingZhao <shutting06@gmail.com> * add debug log Signed-off-by: ShutingZhao <shutting06@gmail.com> * update operator schema validation tag Signed-off-by: ShutingZhao <shutting06@gmail.com> * set policy to ready if auto-update-webhook disabled Signed-off-by: ShutingZhao <shutting06@gmail.com>	2021-10-07 13:50:30 -07:00
ShutingZhao	b42c44eff0	update policy status to false if error occurs	2021-10-06 20:48:36 -07:00
ShutingZhao	08d75245a2	matching resources should be updated separate for mutate and validate rules Signed-off-by: ShutingZhao <shutting06@gmail.com>	2021-10-06 20:43:19 -07:00
Kumar Mallikarjuna	254be4c1d3	Leader Election for initContainer (#2489 ) * Local build Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Leader Election for initContainer Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Lease deletion Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Use wrc client Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * log error out Signed-off-by: ShutingZhao <shutting06@gmail.com> Co-authored-by: ShutingZhao <shutting06@gmail.com>	2021-10-06 16:12:07 -07:00
shuting	b10947b975	Dynamic webhooks (#2425 ) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>	2021-10-05 00:15:09 -07:00
Pooja Singh	ba00ead7f8	adding ownerRef with namespace (#2263 ) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>	2021-08-13 17:07:40 -07:00
Pooja Singh	f9616cbab1	Removing OwnerReference (#2251 ) * removing OwnerReference Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * removing comments Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>	2021-08-10 17:05:20 -07:00
Jim Bugwadia	e18e7fc443	fix typo Signed-off-by: Jim Bugwadia <jim@nirmata.com>	2021-07-20 09:31:52 -07:00
Vyankatesh Kudtarkar	b1861081be	support for Disallow pod exec operation (#2138 )	2021-07-14 11:42:10 -07:00
shuting	65975a8b65	Enable webhooks configuration via Helm (#2032 ) * helm - enable configurations of webhooks Signed-off-by: Shuting Zhao <shutting06@gmail.com> * retry on update failure Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update Readme Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address lint errors Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-06-16 23:29:07 -07:00
shuting	6d5e988ebe	BugFix - update the annotation lastRequestTimestamp from active instances (#2019 ) * fix webhook monitor - inactive instance did not get latest request timestamp Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add checks for registered webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update veridy_deployment.sh Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add debug steps in e2d workflow Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix CI errors Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-06-15 18:39:22 -07:00
shuting	fa419439ec	fix merge eror (#2016 ) Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-06-14 15:50:34 -07:00
shuting	6f07ea407f	Customize namespaceSelector of Webhookconfigurations (#2003 ) * customize namespaceSelector of webhook configurations from configMap Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update webhook configurations base on UPDATEs of Kyverno ConfigMap Signed-off-by: Shuting Zhao <shutting06@gmail.com> * register webhook configurations with the namespaceSelector from ConfigMap Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address golint comment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * validate webhooks config format Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix NotDefined scenario Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-06-14 13:01:40 -07:00
shuting	e9a972a362	feat: HA (#1931 ) * Fix Dev setup * webhook monitor - start webhook monitor in main process Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leaderelection Signed-off-by: Jim Bugwadia <jim@nirmata.com> * - add isLeader; - update to use configmap lock Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add initialization method - add methods to get attributes Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove newContext in runLeaderElection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to GenerateController Signed-off-by: Jim Bugwadia <jim@nirmata.com> * skip processing for non-leaders Signed-off-by: Jim Bugwadia <jim@nirmata.com> * skip processing for non-leaders Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add leader election to generate cleanup controller Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Gracefully drain request * HA - Webhook Register / Webhook Monitor / Certificate Renewer (#1920) * enable leader election for webhook register Signed-off-by: Shuting Zhao <shutting06@gmail.com> * extract certManager to its own process Signed-off-by: Shuting Zhao <shutting06@gmail.com> * leader election for cert manager Signed-off-by: Shuting Zhao <shutting06@gmail.com> * certManager - init certs by the leader Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to webhook monitor Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update log message Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to policy controller Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to policy report controller Signed-off-by: Shuting Zhao <shutting06@gmail.com> * rebuild leader election config Signed-off-by: Shuting Zhao <shutting06@gmail.com> * start informers in leaderelection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * start policy informers in main Signed-off-by: Shuting Zhao <shutting06@gmail.com> * enable leader election in main Signed-off-by: Shuting Zhao <shutting06@gmail.com> * move eventHandler to the leader election start method Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address reviewdog comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add clusterrole leaderelection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixed generate flow (#1936) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * - init separate kubeclient for leaderelection - fix webhook monitor Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address reviewdog comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * cleanup Kyverno managed resources on stopLeading Signed-off-by: Shuting Zhao <shutting06@gmail.com> * tag v1.4.0-beta1 Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix cleanup process on Kyverno stops Signed-off-by: Shuting Zhao <shutting06@gmail.com> * bump kind to 0.11.0, k8s v1.21 (#1980) Co-authored-by: vyankatesh <vyankatesh@neualto.com> Co-authored-by: vyankatesh <vyankateshkd@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Pooja Singh <36136335+NoSkillGirl@users.noreply.github.com>	2021-06-08 12:37:19 -07:00
shuting	e9952fbaf2	Remove secret from default resourceCache (#1878 ) Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-05-04 22:10:01 -07:00
Vyankatesh Kudtarkar	ab8d077384	Fix Dev setup (#1815 ) Co-authored-by: vyankatesh <vyankatesh@neualto.com>	2021-04-21 12:35:13 -07:00
shuting	9dab21619f	Match endpoint to the exact Kyverno Pod's IP (#1787 ) * update log message Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update printer column - validation failure action Signed-off-by: Shuting Zhao <shutting06@gmail.com> * match endpoint ip with the exact pod ip Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add tag "app.kubernetes.io/name"; - reduce throttling requests when deletes webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add [SelfSubjectAccessReview,,] to resource filters Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-04-12 20:29:51 -07:00
Shuting Zhao	4d01f76797	- fix variable validation; - update log level Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-03-31 13:24:36 -07:00
treydock	0131f375f1	Register webhooks only once service endpoint is ready (#1741 ) * Register webhooks only once service endpoint is ready Fixes #1740 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Wait for webhook to become ready in main loop Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Better error handling and logging around checking endpoint Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Log soft failure as info, remove redundant return Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>	2021-03-30 13:46:01 -07:00
shuting	fd9acf21a7	Auto-recover policy report (#1730 ) * auto-recover policy report Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add flag background-scan to tune this interval Signed-off-by: Shuting Zhao <shutting06@gmail.com> * cleanup webhook configurations when Kyverno deployment is deleted Signed-off-by: Shuting Zhao <shutting06@gmail.com> * reconcile policy reports if Kyverno Configmap changes Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-03-25 12:28:03 -07:00
shuting	c816cf3d69	Add certificate renewer in webhook registration controller (#1692 ) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-03-16 11:31:04 -07:00
Yashvardhan Kukreja	d141f74015	performed cleanups (#1552 )	2021-02-07 21:19:25 -08:00
shuting	39b27a16ed	Reduce throttling requests (GET) (#1522 ) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>	2021-02-05 09:58:10 -08:00
Shuting Zhao	54b0afb8b9	clean up old webhooks before registering new ones	2020-12-08 15:04:24 -08:00
shuting	624b481df3	Fix 1351 - policy report (#1359 ) * ignore Kyverno CRDs existence check when server is not available * clean up cluster / reportChangeRequest * resolve PR comments * - fixes #1351; - clean up code * fo fmt	2020-12-04 10:04:46 -08:00
Jim Bugwadia	2344b2c305	1319 fix throttling (#1341 ) * fix policy status and generate controller issues * shorten ACTION column name * update logs Co-authored-by: Shuting Zhao <shutting06@gmail.com>	2020-11-30 11:22:20 -08:00

1 2 3 4

153 commits