mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-07 00:17:13 +00:00
Code Activity
4830 commits 17 branches 550 tags 289 MiB
Commit graph

572 commits

Author SHA1 Message Date
Arsh Sharma
fbc80cdfae
adding support for multiple names in match and exclude blocks (#2010) 
* add names in rd struct

Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>

* added checking logic

Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>

* updated yamls

Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>

* wip: fix empty set problem

Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>

* working with exclude

Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>

* fixing name and names

Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>

* added error if both name and names are specified

Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>

* added tests

Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>

* changed empty set logic, fixed whitespaces and comments

Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>

* fix match and exclude bug

Signed-off-by: RinkiyaKeDad <arshsharma461@gmail.com>
 2021-06-28 22:31:22 -07:00
Arsh Sharma
7e9be24d90
updating minio verison (#1956) 2021-06-09 19:16:26 -07:00
shuting
e9a972a362
feat: HA (#1931) 
* Fix Dev setup

* webhook monitor - start webhook monitor in main process

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leaderelection

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* - add isLeader; - update to use configmap lock

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* - add initialization method - add methods to get attributes

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* remove newContext in runLeaderElection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to GenerateController

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* skip processing for non-leaders

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* skip processing for non-leaders

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add leader election to generate cleanup controller

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Gracefully drain request

* HA - Webhook Register / Webhook Monitor / Certificate Renewer (#1920)

* enable leader election for webhook register

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* extract certManager to its own process

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* leader election for cert manager

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* certManager - init certs by the leader

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to webhook monitor

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update log message

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to policy controller

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to policy report controller

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* rebuild leader election config

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* start informers in leaderelection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* start policy informers in main

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* enable leader election in main

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* move eventHandler to the leader election start method

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address reviewdog comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add clusterrole leaderelection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixed generate flow (#1936)

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* - init separate kubeclient for leaderelection - fix webhook monitor

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address reviewdog comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* cleanup Kyverno managed resources on stopLeading

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* tag v1.4.0-beta1

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix cleanup process on Kyverno stops

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* bump kind to 0.11.0, k8s v1.21 (#1980)

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
Co-authored-by: vyankatesh <vyankateshkd@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Pooja Singh <36136335+NoSkillGirl@users.noreply.github.com>
 2021-06-08 12:37:19 -07:00
Bricktop
d8ad5ba8c8
Remove unneeded fmt error (#1927) 
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
 2021-06-01 10:54:21 -07:00
Yashvardhan Kukreja
b8f8a47d8d feat: added kyverno_policy_rule_execution_latency_milliseconds metric 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-05-24 08:06:36 +05:30
Yashvardhan Kukreja
43a138a12b feat: added kyverno_policy_rule_results_info metric 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-05-24 08:05:14 +05:30
Yashvardhan Kukreja
833d097c0a
feat: added kyverno_policy_changes_info metric 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-05-16 18:07:32 +05:30
Yashvardhan Kukreja
fea074f493
feat: added kyverno_policy_rule_info_total metric 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-05-16 18:07:32 +05:30
Yashvardhan Kukreja
bb80e1b641
added: initial prometheus client setup 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-05-16 13:06:14 +05:30
Yashvardhan Kukreja
6b0334f776
fix: consider policy's namespace as well while report rule results to policyreports (#1897) 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-05-07 16:28:32 -07:00
Vyankatesh Kudtarkar
299547f376
Matched list to configure the matched resources (#1844) 
* Fix Dev setup

* initial commit

* add testcases for matchlist

* fix e2e issue

* fix comment

* fix issue

* fix lock issue

* revert changes

* fix cache issue

* Fix cache test

* fix policy object

* fix comments

* fix public methos issue

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
 2021-05-06 12:02:06 -07:00
Thoro
e80d18e692
Add function label_match, to use matchLabel in JMESPath, usage: label_match(labels_from_network_policy, labels_from pod) bool, Remove validation for JMESPath (#1862) 
Signed-off-by: Thomas Rosenstein <thomas@thoro.at>
 2021-05-04 09:28:30 -07:00
Vyankatesh Kudtarkar
f921bf47d2
Bug fix -1855 : Errors updating cluster policy (#1863) 
* Fix Dev setup

* Bug fix -1855 : Errors updating cluster policy

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
 2021-05-03 14:58:57 -07:00
shuting
618a69961e
Disable auto-gen when a rule has mixed of kinds: pod & pod controllers (#1847) 
* disable auto-gen when a rule has mixed of kinds: pod & pod controllers

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* Bugfix :  Make match.resources.kinds required (#1843)

* Fix Dev setup

* make kind required in MatchResources

* add test cases

Co-authored-by: vyankatesh <vyankatesh@neualto.com>

* address PR comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update background canAutoGen unit tests

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: vyankatesh <vyankatesh@neualto.com>
 2021-04-29 14:59:37 -07:00
Vyankatesh Kudtarkar
34af7a930c
Bugfix : Make match.resources.kinds required (#1852) 
* Fix Dev setup

* Bugfix : Make match.resources.kinds required

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
 2021-04-29 11:14:55 -07:00
Vyankatesh Kudtarkar
caa6a90b27
Bug 1799: Fix mutate policy defaults and Fix endless look of auto-gen rules. (#1839) 
* Fix Dev setup

* Mutate policy defaults (1799)

* fix look for exclude ResourceDescription

* fix condition

* reuse code

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
 2021-04-29 09:51:23 -07:00
Shuting Zhao
e9c2d899c9 fix the unit test 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-04-28 14:52:26 -07:00
Shuting Zhao
85dde7e960 Enable image substitution in the background mode 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-04-28 14:21:11 -07:00
Max Goncharenko
8050c4e77b
moved variable substitution to higher level to avoid unhandled cases (#1785) 
Signed-off-by: Max Goncharenko <kacejot@fex.net>
 2021-04-13 11:44:43 -07:00
shuting
f3ca1d78f1
Fix log message (#1779) 
* update log message

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update printer column - validation failure action

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-04-08 12:10:30 -07:00
Vyankatesh Kudtarkar
e2cd04c91f
Fix #1446 :Failed to mutate policy (#1767) 
* Fix failed to mutate policy

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

* fix autogen rule issue

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

* fix issue

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

* fix issue

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

* addPolicy and AddNsPolicy changes

* fix code indentation

* change kind -> policy

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

* fix kind for policy

* fix comments

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
 2021-04-07 16:34:45 -07:00
Max Goncharenko
01004e1db0
Fix #1754 Invalid variable validation (#1770) 
Signed-off-by: Max Goncharenko <kacejot@fex.net>
 2021-04-06 10:56:06 -07:00
Jim Bugwadia
fb368ba24b
Merge pull request #1755 from realshuting/1749_fix_concurrent_read_write 
Fix concurrent read/write when loading configmap data
 2021-04-01 13:39:27 -07:00
shuting
72fd921cb6
fix exclude logic (#1756) 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-03-31 22:02:36 -07:00
Shuting Zhao
b0cee60100 change the order for variable validation: add allowed vars first 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-03-31 14:29:46 -07:00
Jim Bugwadia
8d03f8c59e merge main 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-03-25 18:00:02 -07:00
Jim Bugwadia
6dff9e0ab9 merge and resolve conflicts 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-03-25 16:43:12 -07:00
shuting
fd9acf21a7
Auto-recover policy report (#1730) 
* auto-recover policy report

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add flag background-scan to tune this interval

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* cleanup webhook configurations when Kyverno deployment is deleted

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* reconcile policy reports if Kyverno Configmap changes

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-03-25 12:28:03 -07:00
Jim Bugwadia
4d70013e22
Merge pull request #1724 from MarcelMue/fix-apipath-validation 
Make validateAPICall work with special characters in variables
 2021-03-24 22:28:09 -07:00
Marcel Mueller
c10a994045 Rename variable to kyvernoapicallvariable 
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
 2021-03-23 18:24:17 +01:00
Pooja Singh
4128410207
Enhancement/existence anchor - should loop all the items in the array (#1719) 
* updated validating policy code

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* changed existance logic to loop all the items in array

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* updated comments and error messages

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
 2021-03-19 15:18:26 -07:00
Marcel Mueller
4f96232e62 Make validateAPICall work with special characters in variables 
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
 2021-03-19 20:29:55 +01:00
Max Goncharenko
24c4f06ecd Fix #1506; Resolve path reference in entire rule instead of just pattern/overlay 
Signed-off-by: Max Goncharenko <kacejot@fex.net>
 2021-03-16 13:45:40 +02:00
Vyankatesh Kudtarkar
9e831ec959
Bug Fix: Extends match / exclude to use apiGroup and apiVersion (#1218) (#1656) 
* Extends match / exclude to use apiGroup and apiVersion

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

* fix gvk issue

Signed-off-by: vyankatesh <vyankatesh@neualto.com>

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
 2021-03-04 16:45:52 -08:00
Yashvardhan Kukreja
10c714d5ba
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-03-01 20:31:06 -08:00
Pooja Singh
070f13783f
added namespace label in context (#1644) 
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
 2021-02-25 20:52:53 -08:00
Jim Bugwadia
0d1f0b5897
Merge pull request #1636 from realshuting/1621_fix_configmap_variables 
Substitute variables in context.configMap
 2021-02-25 19:53:11 -08:00
Shuting Zhao
c4ebef7b0d - support AllowMissingPathOnRemove and EnsurePathExistsOnAdd in patchesJSON6902 
- upgrade to evanphx/json-patch/v5

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-02-25 15:25:07 -08:00
Shuting Zhao
edc89c7b50 fix unit test 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-02-22 17:22:34 -08:00
Shuting Zhao
d770d6680b add request.namespace in the background process 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-02-22 17:22:23 -08:00
Shuting Zhao
17c72c1578 substitute variables in context.configMap 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-02-22 16:27:20 -08:00
shuting
267be0815f
Bug fixes - policy validation, auto-generated rules, apiCall support in mutate and generate (#1629) 
* Fix invalid policy reports generated for blocked resource

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix 1464 - copy context and preconditions to auto-gen rules

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix 1628 - add policy validations

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix 1593 - support apiCall in mutate and generate

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix test

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-02-22 12:08:26 -08:00
shuting
6fc349716c
Switch to use annotations to store resource info in cluster/reportChangeRequest (#1625) 
* skip sending API request for filtered resource

* fix PR comment

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixes https://github.com/kyverno/kyverno/issues/1490

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix bug - namespace is not returned properly

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* reduce throttling - list resource using lister

* refactor resource cache

* fix test

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix label selector

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix build failure

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixes #1480

* store resource name and kind in (c)rcr's annotation
 2021-02-19 09:09:41 -08:00
Yashvardhan Kukreja
478f32b8b4
fix: allowed templatised values to be exempted from validation checks (#1599) 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-02-16 13:06:07 -08:00
Pooja Singh
32522e7827
namespace selector (#1532) 
* updated crd with namespace selector

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added logic for validate

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added condition in utils for namespace labels

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added function for extracting namespace label using lister

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added logic for generate

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added lister in generate

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* commented generate controller changes

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added ns lister

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added ns label in apply.go

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added ns label in generation.go

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added ns label in mutation.go

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added ns label for validation

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* using dynaminc informer

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
 2021-02-03 13:09:42 -08:00
Yashvardhan Kukreja
03c77e4145
feat: validation 'value' field under 'deny.conditions' in a rule object (#1510) 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-02-01 13:27:16 -08:00
Jim Bugwadia
e8e3b93a5f
api server lookups (#1514) 
* initial commit for api server lookups

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* initial commit for API server lookups

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images (#1495)

* Dockerfile refactored

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* Adding non-root commands to docker images and enhanced the dockerfiles

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* changing base image to scratch

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* Minor typo fix

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* changing dockerfiles to use /etc/passwd to use non-root user'

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* minor typo

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* minor typo

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* revert cli image name (#1507)

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Refactor resourceCache; Reduce throttling requests (background controller) (#1500)

* skip sending API request for filtered resource

* fix PR comment

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixes https://github.com/kyverno/kyverno/issues/1490

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix bug - namespace is not returned properly

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* reduce throttling - list resource using lister

* refactor resource cache

* fix test

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix label selector

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix build failure

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix merge issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix unit test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add nil check for API client

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Raj Babu Das <mail.rajdas@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
 2021-02-01 12:59:13 -08:00
shuting
c692263177
Refactor resourceCache; Reduce throttling requests (background controller) (#1500) 
* skip sending API request for filtered resource

* fix PR comment

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixes https://github.com/kyverno/kyverno/issues/1490

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix bug - namespace is not returned properly

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* reduce throttling - list resource using lister

* refactor resource cache

* fix test

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix label selector

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix build failure

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-01-29 17:38:23 -08:00
shuting
e54776ee7e
Bug fix - namespace is not returned properly (#1491) 
* skip sending API request for filtered resource

* fix PR comment

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixes https://github.com/kyverno/kyverno/issues/1490

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix bug - namespace is not returned properly

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-01-22 17:56:41 -08:00
shuting
62a4a3a7da
Reduce throttling - skip sending API request for filtered resources (#1489) 
* skip sending API request for filtered resource

* fix PR comment

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixes https://github.com/kyverno/kyverno/issues/1490

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-01-21 18:58:53 -08:00