Charles-Edouard Brétéché
7a15231a1c
fix: reduce startup probe delay ( #5296 )
...
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-11-10 13:49:22 +00:00
Nikhil Sharma
6d801b26db
feat: create cleanup new CRDs ( #5233 )
...
* create new cleanup CRDs
Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com>
* fix package
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-11-08 08:42:35 +00:00
Pratik Shah
6cdbd55f93
Fixed description for secret name ( #5228 )
...
Signed-off-by: Pratik Shah <pratik@infracloud.io>
Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>
2022-11-07 10:59:16 +05:30
shuting
3fc157717a
feat: support disabling schema validation on the patched resource ( #5197 )
...
* Support disable schema validation on the patched resource
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update api doc
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-11-03 08:12:44 +00:00
Charles-Edouard Brétéché
d2658a1bc8
refactor: support Audit and Enforce validation failure actions ( #5152 )
...
* feat: remove policy mutation code
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* refactor: support Audit and Enforce failure actions
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* codegen
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* typo
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* update changelog
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-11-01 09:56:52 +00:00
Pratik Shah
2c4a2dab7e
Fixed issue-5102: Show rule count and type in output ( #5106 )
...
Signed-off-by: Pratik Shah <pratik@infracloud.io>
Signed-off-by: Pratik Shah <pratik@infracloud.io>
2022-10-27 10:05:32 +00:00
Charles-Edouard Brétéché
e4bf66e756
feat: remove policy mutation for auto-gen rules ( #5123 )
...
* feat: remove policy mutation code
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* Fix
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* changelog
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-10-25 23:43:46 +00:00
Santosh Kaluskar
8eb1d3988c
Add AGE in printer columns of CRDs ( #5119 )
...
* Add AGE in printer columns of CRDs
Signed-off-by: Santosh Kaluskar <dtshbl@gmail.com>
* codegen
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Santosh Kaluskar <dtshbl@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-24 19:28:23 +00:00
Charles-Edouard Brétéché
0b8c9334d2
feat: add categories support to our CRDs ( #5112 )
...
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-10-24 10:40:38 +00:00
XDRAGON2002
a3c129f469
[Feature] create command line option to set failurePolicy globally ( #4991 )
...
* add forceFailurePolicyIgnore flag
Signed-off-by: Anant Vijay <anantvijay3@gmail.com>
* cleanup code
Signed-off-by: Anant Vijay <anantvijay3@gmail.com>
* add logging
Signed-off-by: Anant Vijay <anantvijay3@gmail.com>
* resolve merge conflicts
Signed-off-by: Anant Vijay <anantvijay3@gmail.com>
* fix codegen
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Anant Vijay <anantvijay3@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-21 18:13:36 +00:00
Charles-Edouard Brétéché
4b3a7b7da8
fix: add more infos in reports printers ( #5027 )
...
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-10-18 09:56:14 +02:00
Charles-Edouard Brétéché
ac3b5eed22
feat: add startup probes support ( #4896 )
...
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: treydock <tdockendorf@osc.edu>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: treydock <tdockendorf@osc.edu>
2022-10-16 18:50:28 +02:00
Pratik Shah
caab013a86
Fixed issue-4530: Added separate attestor type for secrets and KMS ( #4733 )
...
Signed-off-by: Pratik Shah <pratik@infracloud.io>
Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>
2022-10-14 09:40:46 +00:00
Charles-Edouard Brétéché
064980bd9a
fix: admission reports printer ( #4950 )
...
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-14 08:22:00 +00:00
Pratik Shah
8a0083105d
Added support to specify key signature algorithm in verifyImages ( #4855 )
...
Signed-off-by: Pratik Shah <pratik@infracloud.io>
Signed-off-by: Pratik Shah <pratik@infracloud.io>
2022-10-14 05:39:57 +00:00
Charles-Edouard Brétéché
4f3656abc6
chore: update controller-tools to v0.10.0 ( #4918 )
...
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-10-13 07:23:44 +00:00
James Callahan
33b5bb2a8a
fix: don't specify rules when aggregationRule is set ( #4867 )
...
Fixes #4866
Signed-off-by: James Callahan <jamescallahan@bitgo.com>
Signed-off-by: James Callahan <jamescallahan@bitgo.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-12 14:17:51 +00:00
shuting
4d90b7b561
Update PSa images dsecription ( #4840 )
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-10-07 08:09:31 +00:00
ShutingZhao
dd1fe55ec9
Fix CRD format issue
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-10-06 03:50:39 +08:00
Charles-Edouard Brétéché
51b07b7bf3
fix: validationFailureAction default value ( #4822 )
...
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-05 18:09:21 +00:00
Charles-Edouard Brétéché
7e0884ca36
fix: publish yaml manifests in release instead of repo ( #4738 )
...
* fix: publish yaml manifests in release instead of repo
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* ignore
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* pin actions
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* messages
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix helm gen crds
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* chart app version
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* makefile
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-03 15:12:43 +00:00
shuting
1d83e86c12
Add PSa policy validations ( #4735 )
...
* Validate PSa control names
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add validation checks for the PSa rule
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-29 12:03:13 +08:00
Prateek Pandey
38c252952d
feat: add matchlabel selector support with multiple clone ( #4713 )
...
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-28 17:44:38 +02:00
Charles-Edouard Brétéché
e0ab72bb9a
feat: reports v2 implementation ( #4608 )
...
This PR refactors the reports generation code.
It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds.
The new reports system is based on 4 controllers:
Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation
Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes
Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace)
Resources controller is responsible for watching reports that need background scan reports
I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong.
I also added a flag to split reports in chunks to avoid creating too large resources.
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-28 17:15:16 +05:30
shuting
34c6920129
Support PSa integration by controlName
only ( #4710 )
...
* Remove "restrictedField" and "values" from podSecurity.exclude
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Remove commented code
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add unit tests for restricted_runAsNonRoot
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add baseline unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add unit tests for restricted controls
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Removes PSa tests at the engine level
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - Update API docs; - Add unit tests for wildcard images
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Remove autogen conversion for PSa policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* copy pod with DeepCopy()
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-28 10:03:53 +00:00
Charles-Edouard Brétéché
481a09823f
refactor: use pod name as leader id ( #4680 )
...
* refactor: use pod name as leader id
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix manifests
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* makefile
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* leader client
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-26 16:25:27 +00:00
Charles-Edouard Brétéché
47b3704848
fix: missing elements in v2beta1 api ( #4654 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-19 09:55:04 +00:00
Charles-Edouard Brétéché
530a584f76
fix: background printer column ( #4617 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-14 06:54:56 +00:00
Charles-Edouard Brétéché
dfb566a458
fix: typo ( #4582 )
...
* fix: typo
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: typo
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-10 16:11:38 +00:00
Vyankatesh Kudtarkar
aa6abd99f2
Support V2beta1 Version ( #4514 )
...
introduce new version V2beta1 which remove deprecated CRD
types from version v1.
Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>
2022-09-08 11:19:16 +00:00
Prateek Pandey
1cacd0173d
feat: allow cloning multiple resource from a namespace ( #4384 )
2022-09-08 04:47:09 +00:00
Abhishek Kumar
5681a2a2dc
Improve printer column name for validationFailureAction ( #4488 )
...
Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com>
Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-02 05:33:33 +00:00
shuting
c1b1cbb7da
Add PodSecurity description ( #4475 )
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-09-01 09:03:41 +00:00
ToLToL
1b9a2fca21
Extend Pod Security Admission ( #4364 )
...
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 09:16:31 +00:00
Riko Kudo
5f5cda9fee
Yaml signing and verification ( #4235 )
...
* enable YAML verification using k8s-manifest-sigstore
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
comment out role and rolebinding for dryrun
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix log message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
change default value of dryrun option
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
support gpg signature
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* upgrade manifest sigstore version and support multi sigs
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix validate.manifest rule
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd and add small fix
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
set cosign experimental env when keyless verification
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* improve default ignoreFields
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* add unit-test for k8smanifest
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update install yaml
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version and support one or more signatures
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
add unit-test for k8smanifest multi-signature
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix manifest verify policy and move dryrun rbac to dryrun dir
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version and resolve conflict
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
enable YAML verification using k8s-manifest-sigstore
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
comment out role and rolebinding for dryrun
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
upgrade manifest sigstore version and support multi sigs
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix validate.manifest rule
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd and add small fix
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version and support one or more signatures
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy and move dryrun rbac to dryrun dir
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
add small fix
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* remove generic name
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix sonatype-lift issue and unit-test error
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix gofumpt error
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* update manifest rule to use attestor
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* remove unused value
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* resolve conflict
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix install.yaml
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix to set COSIGN_EXPERIMENTAL env variable when keyless verification
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix misspell
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* enable kyverno cli in validate.manifests rule (#3 )
* enable kyverno cli in validate.manifests rule
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version and improve error handling for better result output
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update crds and deepcopy
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update unit test
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* change to use spec.rules.exclude.subjects instead of skipUsers (#4 )
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix yaml signing sigstore (#5 )
* update k8s-manifest-sigstore version
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* add a comment for dryrun option field
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* enable to include ClusterPolicy/Policy in match resource
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix log style and env variable settings
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* simplify manifest verify func
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix func name
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix sonatype warning
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix default ignoreFields
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix yaml signing sigstore rbac (#6 )
* fix dryrun rbac to have minimal permissions
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix lint error
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix unit-test error
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix gofumpt error
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix log style
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* updated CRD documentation
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* resolve go.mod conflicts
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* updated helm stuff
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-08-30 10:14:54 -07:00
Charles-Edouard Brétéché
cf0ee93de8
feat: enable autogen internals by default ( #4381 )
...
* feat: enable autogen internals by default
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* change e2e tests
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* change e2e tests matrix
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-25 23:01:43 +08:00
Charles-Edouard Brétéché
2882a4fb13
fix: missing aggregated role for UR ( #4378 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-23 12:07:44 +00:00
George
648511383c
Update wgpolicyk8s.io CRDs ( #4355 )
...
* Update policyreport api
Signed-off-by: George Sedky <george@devopzilla.com>
* Run codegen to generate CRDs
Signed-off-by: George Sedky <george@devopzilla.com>
Signed-off-by: George Sedky <george@devopzilla.com>
Co-authored-by: George Sedky <george@devopzilla.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-08-22 07:18:33 +00:00
Anutosh Bhat
663e7584ae
Tightened scope on apiGroups for Kyverno:events Clusterrole ( #4292 )
...
Signed-off-by: anutosh491 <andersonbhat491@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-08-03 15:36:03 +00:00
Jim Bugwadia
943c3a1929
use failurePolicy to block or allow requests, on policy errors ( #4183 )
...
* use failurePolicy to block or allow requests, on policy errors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add warnings
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* codegen
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add unit tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle network errors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix title conversion
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix path in generated file
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix fake metrics
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add check for klog flag initialization
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* check for flag reinitialization
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* check for flag reinitialization
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix spelling
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix flag init
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-08-02 20:24:02 +05:30
Jim Bugwadia
4aa0767728
add applyRules to control whether one or all rules are applied ( #4196 )
...
* add ruleSelector
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix selector logic for skipped rules
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* change names
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix generated paths
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add image variable to context when rule processing starts
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix messages
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update generate rules
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-07-29 15:02:26 +08:00
Anutosh Bhat
dafa27e928
Corrected description for UpdateRequest struct ( #4215 )
...
* Corrected description for UpdateRequest struct
Signed-off-by: anutosh491 <andersonbhat491@gmail.com>
* Added changes for docs
Signed-off-by: anutosh491 <andersonbhat491@gmail.com>
* Added diff shown in verify generate tests
Signed-off-by: anutosh491 <andersonbhat491@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-07-19 12:16:50 +00:00
Charles-Edouard Brétéché
210a709bb3
feat: policy status for autogen rules ( #4173 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-07-03 15:09:18 -07:00
Charles-Edouard Brétéché
b29207f585
fix: use official controller-gen ( #4171 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-07-01 15:25:59 +00:00
Joe Bowbeer
606b2cb946
fix: add seccompProfile ( #4178 )
...
Signed-off-by: Joe Bowbeer <joe.bowbeer@gmail.com>
2022-07-01 01:47:19 +00:00
shuting
008b9ab48e
sync release versions ( #4133 )
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-06-17 09:30:06 +00:00
treydock
660e8f34f9
Exclude Kyverno namespace by default ( #4079 )
...
* Exclude Kyverno namespace by default
Fixes #4075
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
2022-06-07 12:55:27 +00:00
shuting
d30778eab6
Sync v1.7.0 release manifests ( #4051 )
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-06-02 11:20:33 +00:00
Charles-Edouard Brétéché
9e9e119f83
feat: add aggregated cluster role support ( #3845 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-06-01 13:05:52 +00:00
Charles-Edouard Brétéché
dae3dad027
refactor: used typed admission request in ur ( #4022 )
...
* refactor: add policy event listener in ur controller (#4012 )
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
(cherry picked from commit cd1fa030ee
)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: used typed admission request in ur
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: used typed admission request in ur
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* Handle the error properly
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-05-29 07:27:14 +00:00