* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
* When the value of the variables not present will assigned as nil
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added cli test cases
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* fixed failing test cases
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* remove extra line
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
- Change in namespace for test-generate example
- Change cloneResource to cloneSourceResource
- Add support for namespaced Policy and fix log messages
- Add test-generate in Makefile and an example of namespaced Policy
- Fix namespaced policy issue and add comments
- Refactor according to new generate controller
- Add json tag to GeneratedResource field of RuleResponse struct
Signed-off-by: Shubham Nazare <shubham4443@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* handle subresources
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix logger name
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix webhook and logs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* Load mutate.targets via dclient
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Do not fail on namespace cleanup for e2e generate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Fix wildcard name listing for a certain namespace
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Rename onPolicyUpdate to mutateExistingOnPolicyUpdate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Enable "mutateExistingOnPolicyUpdate" on policy events
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
* add certificates attestor
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle duplicate images; use container name as key
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* use OldObject for modify requests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* use unique image names
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* merge main
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* create a single annotation patch across rules and images
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt and change annotation key name
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* split certs from keys
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add Rekor and fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* remove YAML multiline support in CM values
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove unused code
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
- Remove GenerateRequest Informer
- Rename GenerateRequest to UpdateRequest in logs and vars
- Fix initContainer leader election
- Convert GenerateRequest to UpdateRequest in initContainer
- Remove unused methods
- Add printer column ruleType to UR
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Fix webhook rules equality when internal is empty
The current implementation of the 'webhookRulesEqual' didn't check for
the corner case were both the internal representation and the API have
length of one, but the internal representation has 1 rule with no
selectors.
In this case the 'webhookRulesEqual' should return false, as the 2
configurations are not the same.
Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com>
* Fix tests
Add a small time delay when checking if a Policy is ready in tests to
ensure that the Policy is actually ready.
Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com>
* add support for roles, cluster roles and subjects in kyverno cli
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
* fixed bug where negation of kernel version caused cpolr to fail
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* small fix in function validateString
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Added necessary tests
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Added one more test
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Add more tests and added a policy to the test folder
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* added policy for test cli
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Adds e2e test for JSON patch mutate policy
Signed-off-by: afzal442 <afzal442@gmail.com>
* modifies the config to use the optimal version of that policy
Signed-off-by: afzal442 <afzal442@gmail.com>
* Fixes the lint issuue
Signed-off-by: afzal442 <afzal442@gmail.com>
* modifies test to pass
Signed-off-by: afzal442 <afzal442@gmail.com>
* adds changes to resources
Signed-off-by: afzal442 <afzal442@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* Fix variable substitution when inline jmespath objects are defined
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add additional test cases which use brackets
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* fix mutate preprocessing for anchors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
* updates for foreach and mutate
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* allow tests to pass on Windows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add elementIndex variable
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix jsonResult usage
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add mutate validation and fix error in validate.foreach
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* do not skip validation for all array entries when one is skipped
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add foreach tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix format errors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove unused declarations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert namespaceWithLabelYaml
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix mutate of element list
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update CRDs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Update api/kyverno/v1/policy_types.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/validate/validate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/validate/validate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update test/cli/test/custom-functions/policy.yaml
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update test/cli/test/foreach/policies.yaml
Co-authored-by: Steven E. Harris <seh@panix.com>
* accept review comments and format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add comments to strategicMergePatch buffer
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* load context and evaluate preconditions foreach element
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add test for foreach mutate context and precondition
* precondition testcase
* address review comments
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Steven E. Harris <seh@panix.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* update roles and rolebindings
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert label and fix perms
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* restrict role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix whitespace
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests and roles
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove ingress extensions/v1beta1
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix chart
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* tighten and clarify Kyverno roles and permissions
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fake commit to trigger workflows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert tests and update test role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add newlines
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove invalid param
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* cleanup roles in Helm templates
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove `mutate` cluster role binding
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Add path_canonicalize custom JMESPath function
Signed-off-by: weiwei.danny <weiwei.danny@bytedance.com>
* Add CLI test for the custom path_canonicalize function
Signed-off-by: weiwei.danny <weiwei.danny@bytedance.com>
* remove the extra parameter
Signed-off-by: weiwei.danny <weiwei.danny@bytedance.com>
Co-authored-by: weiwei.danny <weiwei.danny@bytedance.com>
* Add `pattern_match` custom JMESPath function analogous to `regex_match`
Signed-off-by: Sebastian Widmer <sebastian.widmer@vshn.net>
* Add CLI test for the custom `pattern_match` function
Signed-off-by: Sebastian Widmer <sebastian.widmer@vshn.net>
* set default value of "request.operation" equals to "CREATE"
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* handles the value of "request.operation" as "CREATE" in the CLI
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* fixed the failing e2e test case
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added logs
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added test case
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Handle durations with standard comparison operators
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Fix error strings
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Added CLI tests for duration operations
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Added tests with different units
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* fix check for CREATE request
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add unit test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* added base64 jmespath functions
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* added base64_decode test to emulate working with secret
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Update regex to allow number in func name
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Added CLI tests for preconditions and custom funcs
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
Co-authored-by: AverageMarcus <git@marcusnoble.co.uk>
Co-authored-by: Bricktop <marcel.mueller1@rwth-aachen.de>
* Added test-e2e-local in the Makefile
* Added a proper Indentation
* Added 3 more fields
* Added getPolicyResourceFullPath function
* Updating the patchedResource path to full path
* Converts Namespaced policy to ClusterPolicy
* Added GetPatchedResourceFromPath function
* Added GetPatchedResource function
* Checks for namespaced-policy from policy name provided bu user
* Generalizing resultKey for both validate and mutate. Also added kind field to this key
* Added Type field to PolicySpec
* To handle mutate case when resource and patchedResource are equal
* fetch patchResource from path provided by user and compare it with engine patchedResource
* generating result by comparing patchedResource
* Added kind to resultKey
* Handles namespaced policy results
* Skip is required
* Added []*response.EngineResponse return type in ApplyPolicyOnResource function
* namespaced policy only surpasses resources having same namespace as policy
* apply command will print the patchedResource whereas test will not
* passing engineResponse instead of validateEngineResponse because it supports results for both validate and mutate case
* default namespace will printed in the output table if no namespace is being provided by the user
* Added e2e test for mutate policy and also examples for both type of policies
* Created a separate function to get resultKey
* Changes in the resultKey for validate case
* Added help description for test command in the cli
* fixes code for more test cases
* fixes code to support more cases and also added resources for e2e-test
* some small changes like adding brackets, clubbing 2 if cond into one, changing variable name, etc.
* Rearrange GetPatchedResourceFromPath function to get rid from repetion of same thing twice.
* Added kind in the result section of test.yaml for all test-cases
* engineResponse will handle different types of response
* GetPatchedResource() uses GetResource function to fetch patched resource
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* implement global anchor for patch strategic merge
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* fixed unit tests for mutation global anchor
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* added global anchor in validation
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* fix some global anchor issues found during testing
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* run go tidy
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* fixed tests
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* fixed some tests
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* finish implementing global anchor
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* WIP: lower global anchor strictness
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* Revert "WIP: lower global anchor strictness"
This reverts commit 08e176a042.
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* global anchor for mutation
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* substitute vars in map keys
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* add test for 2316 issue case
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* remove contains function
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* added test for contains issue case
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* added 2241 test case
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* update the log level for not resolved variables
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* deprecate policy status
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove policy status tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix generate metrics
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add image verification
* inline policy list
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* cosign version and dependencies updates
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add registry initialization
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add build tag to exclude k8schain for cloud providers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add build tag to exclude k8schain for cloud providers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* generate deep copy and other fixtures
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix deep copy issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* mutate images to add digest
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add certificates to Kyverno container for HTTPS lookups
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align flag syntax
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update docs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update dependencies
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update dependencies
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* patch image with digest and fix checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* hardcode image for demos
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add default registry (docker.io) before calling reference.Parse
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix definition
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* increase webhook timeout
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix args
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* run gofmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* rename for clarity
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix HasImageVerify check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter error
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle API conflict and retry
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix reviewdog issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix make for unit tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* improve error message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix durations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle errors in tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* print policy name
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add retries and duration to error log
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix time check in tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* round creation times in test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix retry loop
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove timing check for policy creation
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix e2e error - policy not found
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update string comparison method
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix test Generate_Namespace_Label_Actions
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add debug info for e2e tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix error
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix generate bug
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add check for update operations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* increase time for deleteing a resource
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Shuting Zhao <shutting06@gmail.com>
* forbid variables in match/exclude/patchesJson6902.path sections
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* fix e2e test
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* edits related to the PR comments
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* return err, if variable path could not be resolved
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* fixed {{@}} behavior
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* fix json merge logic
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* add e2e tests for Flux use case
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* added sample test
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: when creating the new namespace without the label, there should not have any generated resource
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: when adding the matched label to the namespace, the target resource should be generated
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* removing comments
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* trying to check updated network policy
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: when synchronize flag is set to true in the policy, one cannot delete the generated resource
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* trying to check updated generate policy
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: change synchronize to false in the policy, the label in generated resource should be updated to policy.kyverno.io/synchronize: disable
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: when changing the content in generate.data, the change should be synced to the generated resource
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added comments
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: with synchronize==false, one should be able to delete the generated resource
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* handling error
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added retrying
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* minor e2e fixes
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* e2e fixes
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added logs of mutate error
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* printing configmap
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* printing configmap using BY
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* removing print statements
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* print configmap name
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* printing complete configmap
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* Improved testing to allow 'skip' status and fail if tested results do not exist
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Ensure exit 0 is seen as failure when should be failure
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* pkg/webhooks/server.go
* remove test for blocking deletes on generatated & synchronized resources
* remove test for blocking deletes on generatated & synchronized resources
* added api templates
* E2E test for generate roles, rolebindings, clusterrole and clusterrolebindings
* table driven e2e tests
* table driven e2e tests and go fmt
* removed unwanted vars
* increased sleep time
* removed role generation clone
* increated sleep time
* added rolebinding clone and retry mechanism for get resources
* modified test for clone
* added namespace to role
* added namespace variable
* added git actions job
* changed build name
* removed docker login
* added role verbs
* removed github actions job and rbac file
* added clusterrole test with clone
* fixed travis issue
* - support wildcards for namespaces
* do not annotate resource, unless policy is an autogen policy
* close HTTP body
* improve messages
* remove policy store
Policy store was not fully implemented and simply provided a way
to list all polices and get a policy by name, which can be done via
standard client-go interfaces.
We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.
* handle wildcard namespaces in background processing
* fix unit tests 1) remove platform dependent path usage 2) remove policy store
* add test case for mutate with wildcard namespaces
