147 commits

Author	SHA1	Message	Date
dependabot[bot]	d36a42b815	chore(deps): bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#5652) ... Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.4.6 to 1.5.0. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.4.6...v1.5.0) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-12-12 08:51:04 +00:00
dependabot[bot]	dddfc5641e	chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.1 (#5650) ... Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.4.2 to 5.5.1. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.4.2...v5.5.1) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-12-12 15:07:44 +08:00
Charles-Edouard Brétéché	39b72eefb9	feat: add http clients tracing (#5630) ... * feat: add http clients tracing Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * check we are in a span before creating one and and context to metrics recording calls Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-12-09 09:09:11 +00:00
dependabot[bot]	a88db42743	chore(deps): bump k8s.io/cli-runtime from 0.25.4 to 0.25.5 (#5635) ... Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.25.4 to 0.25.5. - [Release notes](https://github.com/kubernetes/cli-runtime/releases) - [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.25.4...v0.25.5) --- updated-dependencies: - dependency-name: k8s.io/cli-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-12-09 08:56:21 +01:00
dependabot[bot]	2b2bd42c55	chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#5618) ... Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.3.0 to 0.4.0. - [Release notes](https://github.com/golang/crypto/releases) - [Commits](https://github.com/golang/crypto/compare/v0.3.0...v0.4.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-12-08 15:45:31 +08:00
Charles-Edouard Brétéché	6cdc3f44cf	chore: bump a couple of deps (#5611) ... * chore: bump a couple of deps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: bump a couple of deps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: bump a couple of deps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-12-07 13:37:30 +00:00
Charles-Edouard Brétéché	a459aab26b	chore: bump a couple of deps (#5610) ... * chore: bump a couple of deps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * a couple more Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-12-07 11:33:33 +00:00
Charles-Edouard Brétéché	3e44569fe2	chore: bump a couple of deps (#5593) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-12-07 06:39:27 +00:00
Charles-Edouard Brétéché	d19e870c17	refactor: update otlp packages (#5367) ... * fix: panic when disable metrics is true Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: update otlp packages Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update bunch of deps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * target infos Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com>	2022-12-06 15:41:00 +00:00
dependabot[bot]	3dce3fc7c7	chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#5559) ... Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) from 1.7.0 to 1.11.1. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.7.0...v1.11.1) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-12-05 19:23:07 +00:00
dependabot[bot]	205ef8f6a8	chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#5574) ... Bumps [golang.org/x/text](https://github.com/golang/text) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/golang/text/releases) - [Commits](https://github.com/golang/text/compare/v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-12-05 15:57:54 +00:00
dependabot[bot]	3a8affab16	chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 (#5560) ... Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.23.0 to 1.24.0. - [Release notes](https://github.com/uber-go/zap/releases) - [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md) - [Commits](https://github.com/uber-go/zap/compare/v1.23.0...v1.24.0) --- updated-dependencies: - dependency-name: go.uber.org/zap dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-12-05 12:09:49 +00:00
Charles-Edouard Brétéché	6fe8d773ee	chore: bump a few deps (#5512) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-11-30 12:54:04 +00:00
Charles-Edouard Brétéché	c6faee2559	chore: bump a couple of deps (#5503) ... * chore: bump a couple of deps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * sigstore Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-11-29 13:09:14 +00:00
Charles-Edouard Brétéché	900002fcf9	chore: bump a bunch of deps (#5440) ... * chore: bump a bunch of deps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-11-23 14:03:16 +08:00
Charles-Edouard Brétéché	4b11292835	chore: bump sigstore deps (#5376) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-11-21 21:48:34 +00:00
Nikhil Sharma	d44dc97990	feat: add cleanupPolicy validation code (#5279) ... * validate the cleanupPolicy Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> * add validation for DELETE permission for cleanupPolicy Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> * add separate binary for cleanupPolicy Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> * fix linter issues Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> Signed-off-by: Nikhil Sharma <nikhilsharma230303@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-11-14 10:43:32 +01:00
Charles-Edouard Brétéché	6091af6fba	fix: wrong logger used (#5311) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-11-11 12:16:27 +05:30
Batuhan Apaydın	cbbd8488c8	feat: oci pull/push support for policie(s) (#5026) ... Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-10-24 18:47:20 +00:00
shuting	5279958943	Remove old version of golang.org/x/sys (#5125) ... Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-10-24 09:11:19 +00:00
Charles-Edouard Brétéché	7ceea1a08f	chore: bump a few deps (#4943) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-10-14 07:13:19 +00:00
Charles-Edouard Brétéché	cd5e0cfa74	chore: bump a couple of deps (#4925) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-13 11:04:23 +02:00
Charles-Edouard Brétéché	ecb0ad32ec	chore: bump a couple of deps (#4842) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-07 15:37:12 +05:30
Charles-Edouard Brétéché	7849fbbc8a	refactor: leader controllers management (#4832) ... * refactor: leader controllers management Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rename Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix start Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix deps Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * remove dead code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-07 07:38:38 +00:00
yinka	266f2d397f	upgrade controller-runtime dependency (#4829) ... Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-10-06 11:07:37 +00:00
ShutingZhao	d3a18d0c83	Bump k8s libraries to v0.25.2 ... Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-10-06 03:50:39 +08:00
Charles-Edouard Brétéché	f7dde0ab96	chore: use concurrent map v2 (generics) (#4803) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-06 00:35:09 +08:00
Charles-Edouard Brétéché	83bd8bdbb5	chore: bump a couple of deps (#4802) ... Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-04 12:21:47 +05:30
Charles-Edouard Brétéché	5fef84afd1	chore: bump a few deps (#4790) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-10-03 13:18:23 +00:00
Jim Bugwadia	081330d564	update cosign and k8s-manifest-sigstore (#4781) ... Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com>	2022-10-03 14:46:20 +08:00
yinka	bb2e193d44	feat: allow users enable JSON logging with a --loggingFormat=json flag (#4661) ... * feat: add feature flag to disable background scan (#4638) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * allow users configure JSON logging with a --logging-format=json flag Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * Clean up changes Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * added kubeconfig and context flag to kyverno apply (#4524) Signed-off-by: Sandesh More <sandesh.more@infracloud.io> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * chore: publish sbom result to a different repositry from an image (#4665) Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * Fix issue for wildcard versions (#4670) * Fix wildcard issue Co-Authored-By: vyankd <51167361+vyankd@users.noreply.github.com> * Delete res.yaml Co-Authored-By: vyankd <51167361+vyankd@users.noreply.github.com> Co-authored-by: vyankd <51167361+vyankd@users.noreply.github.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * chore: bump minimum go version (#4677) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix: namespaced policy not validated in engine (#4653) * fix: namespaced policy not validated in engine Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix test Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix: handle auth permission for cloneList validation (#4684) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix: bump net standard lib (#4685) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * small fixes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add json logger Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix import Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix go mod Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix go mod Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * chore: simplify go mod (#4692) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix: jmespath random error handling (#4697) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * refactor: replace signal package by signal.NotifyContext (#4691) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671) Signed-off-by: praddy26 <pradeep.vaishnav4@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix: shutdown controllers workers gracefully (#4681) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix: split webhook handlers per failure policy (#4650) * fix: split webhook handlers per failure policy Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix handlers Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * rolling update Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * better error message Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * refactor: use pod name as leader id (#4680) * refactor: use pod name as leader id Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix manifests Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * makefile Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * leader client Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix: missing client wrapper (#4703) * fix: missing client wrapper Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * v1beta1 Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * v1alpha2 Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * policy report Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * chore: refactor manifests related makefile targets (#4706) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * deps Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Sandesh More <34198712+sandeshlmore@users.noreply.github.com> Co-authored-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: vyankd <51167361+vyankd@users.noreply.github.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Pradeep Lakshmi Narasimha <pradeep.vaishnav4@gmail.com>	2022-09-29 07:49:29 +00:00
Prateek Pandey	01dbf7389d	fix: containerd dependency vulnerability (#4629) ... upgrade the containerd indirect deps to fixed version Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: shuting <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-09-29 05:40:55 +00:00
Abhinav Sinha	a1182859ad	Added x509_decode JMESPath function (#4664) ... * Added `x509_decode` JMESPath function Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Use `crypto/x509` stdlib Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Return result as `map[string]interface{}` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Made minor fixes Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Fixed error with unmarshalling decoded certificate Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Added e2e test for decoding X.509 certs Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Reverted to using `smallstep/zcrypto` for X.509 Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Minor fix Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Addressed reviews Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> * Removed redundant dependency on `pkg/errors` Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Signed-off-by: Abhinav Sinha <abhinav@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-09-28 18:15:39 +00:00
Charles-Edouard Brétéché	e0ab72bb9a	feat: reports v2 implementation (#4608) ... This PR refactors the reports generation code. It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds. The new reports system is based on 4 controllers: Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace) Resources controller is responsible for watching reports that need background scan reports I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong. I also added a flag to split reports in chunks to avoid creating too large resources. Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-09-28 17:15:16 +05:30
Charles-Edouard Brétéché	7209445cd3	chore: simplify go mod (#4692) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-26 18:25:03 +05:30
Charles-Edouard Brétéché	9e872305a2	fix: bump net standard lib (#4685) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>	2022-09-26 08:22:29 +00:00
Prateek Pandey	1807bd9a6f	chore: bump cosign 1.12.0 to fix vulnerabilities (#4631) ... bump the cosign version to fix vulnerabilities with blob verification, CVE-2022-36056 Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-09-16 07:48:22 -07:00
Charles-Edouard Brétéché	bc4bf5ee27	chore: switch to github.com/IGLOU-EU/go-wildcard (#4563) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>	2022-09-10 17:30:13 +00:00
Anurag	560cec329e	add random filter (#4527) ... * add random filter Signed-off-by: Anurag <contact.anurag7@gmail.com> * update go.mod file Signed-off-by: Anurag <contact.anurag7@gmail.com> * update go.sum Signed-off-by: ShutingZhao <shuting@nirmata.com> * linter fix Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Anurag <contact.anurag7@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com>	2022-09-07 16:22:30 +00:00
Charles-Edouard Brétéché	fffd6aa9a0	chore: upgrade golang to 1.18 (#4505) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-05 09:32:45 +05:30
ToLToL	1b9a2fca21	Extend Pod Security Admission (#4364) ... * init commit for pss Signed-off-by: ShutingZhao <shuting@nirmata.com> * add test for Volume Type control * add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS() * remove unused code, still a JMESPATH problem with app armor ExemptProfile() * test for Host Process / Host Namespaces controls * test for Privileged containers controls * test for HostPathVolume control * test for HostPorts control * test for HostPorts control * test for SELinux control * test for Proc mount type control * Set to baseline * test for Seccomp control * test for Sysctl control * test for Privilege escalation control * test for Run as non root control * test for Restricted Seccomp control * Add problems to address * add solutions to problems * Add validate rule for PSA * api.Version --> string. latest by default * Exclude all values for a restrictedField * add tests for kyverno engine * code to be used to match kyverno rule's namespace * Refacto pkg/pss * fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers: * EvaluatePod * Use EvaluatePod in kyverno engine * Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add * Check if PSSCheckResult matched at least one exclude value * add tests for engine * fix engine validation test * config * update go.mod and go.sum * crds * Check validate value: add PodSecurity * exclude all restrictedFields when we only specify the controlName * ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path * handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded) * refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go * add all controls with containers in restrictedFields as comments * add tests for capabilities and privileged containers and fix some errors * add tests for host ports control * add tests for proc mount control * add tests for privilege escalation control * add tests for capabilities control * remove comments * new algo * refacto algo, working. Add test for hostProcess control * remove unused code * fix getPodWithNotMatchingContainers(), add tests for host namespaces control * refacto ExemptProfile() * get values for a specific container. add test for SELinuxOptions control * fix allowedValues for SELinuxOptions * add tests for seccompProfile_baseline control * refacto checkContainers(), add test for seccomp control * add test for running as non root control * add some tests for runAsUser control, have to update current PSA version * add sysctls control * add allowed values for restrictedVolumes control * add some tests for appArmor, volume types controls * add tests for volume types control * add tests for hostPath volume control * finish merge conflicts and add tests for runAsUser * update charts and crds * exclude.images optional * change volume types control exclude values * add appAmor control * fix: did not match any exclude value for pod-level restrictedFields * create autogen for validate.PodSecurity * clean code, remove logs * fix sonatype lift errors * fix sonatype lift errors: duplication * fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests * beginning of autogen implement for validate.exclude * Autogen for validation.PodSecurity * working autogen with simple tests * change validate.PodSecurity failure response format * make codegen * fix lint errors, remove debug prints * fix tags * fix tags * fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request * Changes requested * Changes requested 2 * Changes requested 3 * Changes requested 4 * Changes requested and make codegen * fix host namespaces control * fix lint * fix codegen error * update docs/crd/v1/index.html Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix path Signed-off-by: ShutingZhao <shuting@nirmata.com> * update crd schema Signed-off-by: ShutingZhao <shuting@nirmata.com> * update charts/kyverno/templates/crds.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com>	2022-08-31 09:16:31 +00:00
Riko Kudo	5f5cda9fee	Yaml signing and verification (#4235) ... * enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix log message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> change default value of dryrun option Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> support gpg signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> set cosign experimental env when keyless verification Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * improve default ignoreFields Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * add unit-test for k8smanifest Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update install yaml Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add unit-test for k8smanifest multi-signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and resolve conflict Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * remove generic name Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix sonatype-lift issue and unit-test error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update manifest rule to use attestor Signed-off-by: Riko Kudo <rurikudo@ibm.com> * remove unused value Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve conflict Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix install.yaml Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix to set COSIGN_EXPERIMENTAL env variable when keyless verification Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix misspell Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable kyverno cli in validate.manifests rule (#3) * enable kyverno cli in validate.manifests rule Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and improve error handling for better result output Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update crds and deepcopy Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update unit test Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * change to use spec.rules.exclude.subjects instead of skipUsers (#4) Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore (#5) * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * add a comment for dryrun option field Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable to include ClusterPolicy/Policy in match resource Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style and env variable settings Signed-off-by: Riko Kudo <rurikudo@ibm.com> * simplify manifest verify func Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix func name Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix sonatype warning Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix default ignoreFields Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore rbac (#6) * fix dryrun rbac to have minimal permissions Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix lint error Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix unit-test error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated CRD documentation Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve go.mod conflicts Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated helm stuff Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>	2022-08-30 10:14:54 -07:00
Charles-Edouard Brétéché	888689df54	fix: update go-wildcard to v1.5.0 (#4444) ... Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-08-29 17:10:01 +00:00
Prateek Pandey	34fe6c9058	bump cosign deps version to 1.11.1 (#4408) ... * bump cosign deps version to 1.11.1 to accommodate latest attestation verification fixes Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * bump github action go version to 1.18 Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-08-25 08:24:49 +00:00
dependabot[bot]	0bb575442d	chore(deps): bump github.com/sigstore/cosign from 1.10.0 to 1.10.1 (#4328) ... Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign) from 1.10.0 to 1.10.1. - [Release notes](https://github.com/sigstore/cosign/releases) - [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md) - [Commits](https://github.com/sigstore/cosign/compare/v1.10.0...v1.10.1) --- updated-dependencies: - dependency-name: github.com/sigstore/cosign dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-08-11 12:38:27 +08:00
Jim Bugwadia	943c3a1929	use failurePolicy to block or allow requests, on policy errors (#4183) ... * use failurePolicy to block or allow requests, on policy errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add warnings Signed-off-by: Jim Bugwadia <jim@nirmata.com> * codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add unit tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle network errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix title conversion Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix path in generated file Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fake metrics Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add check for klog flag initialization Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check for flag reinitialization Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check for flag reinitialization Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix spelling Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix flag init Signed-off-by: Jim Bugwadia <jim@nirmata.com>	2022-08-02 20:24:02 +05:30
Guilhem Lettron	b03e461f25	feat: auto optimize GOMAXPROCS (#4277) ... Signed-off-by: Guilhem Lettron <guilhem@barpilot.io>	2022-07-29 23:59:47 +08:00
Tathagata Paul	3e2894b6fa	feat: Opentelemetry support for metrics and traces (#3910) ... * integrating opentelemetry Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com> * fix multiple imports Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com> * fixed cli help statement Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com> * added init file for metrics Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-07-11 17:49:47 +00:00
Furkan Türkal	af3da5e19a	bump cosign to 1.9.1 to fix fulcio panic (#4117) ... Signed-off-by: Furkan <furkan.turkal@trendyol.com> Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com> Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>	2022-06-16 16:03:22 +00:00
Vyankatesh Kudtarkar	7245c92dcf	fix vulnerable (#4027)	2022-05-26 04:19:00 +00:00