* Fix webhook rules equality when internal is empty
The current implementation of the 'webhookRulesEqual' didn't check for
the corner case were both the internal representation and the API have
length of one, but the internal representation has 1 rule with no
selectors.
In this case the 'webhookRulesEqual' should return false, as the 2
configurations are not the same.
Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com>
* Fix tests
Add a small time delay when checking if a Policy is ready in tests to
ensure that the Policy is actually ready.
Signed-off-by: Ioannis Bouloumpasis <buluba@arrikto.com>
* add support for roles, cluster roles and subjects in kyverno cli
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
* fixed bug where negation of kernel version caused cpolr to fail
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* small fix in function validateString
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Added necessary tests
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Added one more test
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Add more tests and added a policy to the test folder
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* added policy for test cli
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Adds e2e test for JSON patch mutate policy
Signed-off-by: afzal442 <afzal442@gmail.com>
* modifies the config to use the optimal version of that policy
Signed-off-by: afzal442 <afzal442@gmail.com>
* Fixes the lint issuue
Signed-off-by: afzal442 <afzal442@gmail.com>
* modifies test to pass
Signed-off-by: afzal442 <afzal442@gmail.com>
* adds changes to resources
Signed-off-by: afzal442 <afzal442@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* Fix variable substitution when inline jmespath objects are defined
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add additional test cases which use brackets
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* fix mutate preprocessing for anchors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
* updates for foreach and mutate
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* allow tests to pass on Windows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add elementIndex variable
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix jsonResult usage
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add mutate validation and fix error in validate.foreach
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* do not skip validation for all array entries when one is skipped
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add foreach tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix format errors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove unused declarations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert namespaceWithLabelYaml
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix mutate of element list
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update CRDs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Update api/kyverno/v1/policy_types.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/validate/validate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/validate/validate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update test/cli/test/custom-functions/policy.yaml
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update test/cli/test/foreach/policies.yaml
Co-authored-by: Steven E. Harris <seh@panix.com>
* accept review comments and format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add comments to strategicMergePatch buffer
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* load context and evaluate preconditions foreach element
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add test for foreach mutate context and precondition
* precondition testcase
* address review comments
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Steven E. Harris <seh@panix.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* update roles and rolebindings
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert label and fix perms
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* restrict role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix whitespace
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests and roles
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove ingress extensions/v1beta1
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix chart
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* tighten and clarify Kyverno roles and permissions
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fake commit to trigger workflows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert tests and update test role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add newlines
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove invalid param
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* cleanup roles in Helm templates
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove `mutate` cluster role binding
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Add path_canonicalize custom JMESPath function
Signed-off-by: weiwei.danny <weiwei.danny@bytedance.com>
* Add CLI test for the custom path_canonicalize function
Signed-off-by: weiwei.danny <weiwei.danny@bytedance.com>
* remove the extra parameter
Signed-off-by: weiwei.danny <weiwei.danny@bytedance.com>
Co-authored-by: weiwei.danny <weiwei.danny@bytedance.com>
* Add `pattern_match` custom JMESPath function analogous to `regex_match`
Signed-off-by: Sebastian Widmer <sebastian.widmer@vshn.net>
* Add CLI test for the custom `pattern_match` function
Signed-off-by: Sebastian Widmer <sebastian.widmer@vshn.net>
* set default value of "request.operation" equals to "CREATE"
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* handles the value of "request.operation" as "CREATE" in the CLI
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* fixed the failing e2e test case
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added logs
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added test case
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Handle durations with standard comparison operators
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Fix error strings
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Added CLI tests for duration operations
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Added tests with different units
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* fix check for CREATE request
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add unit test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* added base64 jmespath functions
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* added base64_decode test to emulate working with secret
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Update regex to allow number in func name
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Added CLI tests for preconditions and custom funcs
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
Co-authored-by: AverageMarcus <git@marcusnoble.co.uk>
Co-authored-by: Bricktop <marcel.mueller1@rwth-aachen.de>
* Added test-e2e-local in the Makefile
* Added a proper Indentation
* Added 3 more fields
* Added getPolicyResourceFullPath function
* Updating the patchedResource path to full path
* Converts Namespaced policy to ClusterPolicy
* Added GetPatchedResourceFromPath function
* Added GetPatchedResource function
* Checks for namespaced-policy from policy name provided bu user
* Generalizing resultKey for both validate and mutate. Also added kind field to this key
* Added Type field to PolicySpec
* To handle mutate case when resource and patchedResource are equal
* fetch patchResource from path provided by user and compare it with engine patchedResource
* generating result by comparing patchedResource
* Added kind to resultKey
* Handles namespaced policy results
* Skip is required
* Added []*response.EngineResponse return type in ApplyPolicyOnResource function
* namespaced policy only surpasses resources having same namespace as policy
* apply command will print the patchedResource whereas test will not
* passing engineResponse instead of validateEngineResponse because it supports results for both validate and mutate case
* default namespace will printed in the output table if no namespace is being provided by the user
* Added e2e test for mutate policy and also examples for both type of policies
* Created a separate function to get resultKey
* Changes in the resultKey for validate case
* Added help description for test command in the cli
* fixes code for more test cases
* fixes code to support more cases and also added resources for e2e-test
* some small changes like adding brackets, clubbing 2 if cond into one, changing variable name, etc.
* Rearrange GetPatchedResourceFromPath function to get rid from repetion of same thing twice.
* Added kind in the result section of test.yaml for all test-cases
* engineResponse will handle different types of response
* GetPatchedResource() uses GetResource function to fetch patched resource
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* implement global anchor for patch strategic merge
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* fixed unit tests for mutation global anchor
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* added global anchor in validation
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* fix some global anchor issues found during testing
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* run go tidy
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* fixed tests
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* fixed some tests
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* finish implementing global anchor
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* WIP: lower global anchor strictness
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* Revert "WIP: lower global anchor strictness"
This reverts commit 08e176a042.
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* global anchor for mutation
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* substitute vars in map keys
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* add test for 2316 issue case
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* remove contains function
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* added test for contains issue case
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* added 2241 test case
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* update the log level for not resolved variables
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* deprecate policy status
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove policy status tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix generate metrics
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add image verification
* inline policy list
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* cosign version and dependencies updates
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add registry initialization
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add build tag to exclude k8schain for cloud providers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add build tag to exclude k8schain for cloud providers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* generate deep copy and other fixtures
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix deep copy issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* mutate images to add digest
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add certificates to Kyverno container for HTTPS lookups
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align flag syntax
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update docs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update dependencies
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update dependencies
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* patch image with digest and fix checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* hardcode image for demos
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add default registry (docker.io) before calling reference.Parse
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix definition
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* increase webhook timeout
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix args
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* run gofmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* rename for clarity
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix HasImageVerify check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* align make test commands
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter error
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle API conflict and retry
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix reviewdog issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix make for unit tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* improve error message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix durations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle errors in tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* print policy name
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add retries and duration to error log
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix time check in tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* round creation times in test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix retry loop
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove timing check for policy creation
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix e2e error - policy not found
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* update string comparison method
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* fix test Generate_Namespace_Label_Actions
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
* add debug info for e2e tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix error
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix generate bug
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add check for update operations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* increase time for deleteing a resource
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Shuting Zhao <shutting06@gmail.com>
* forbid variables in match/exclude/patchesJson6902.path sections
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* fix e2e test
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* edits related to the PR comments
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* return err, if variable path could not be resolved
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* fixed {{@}} behavior
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* fix json merge logic
Signed-off-by: Max Goncharenko <kacejot@fex.net>
* add e2e tests for Flux use case
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
* added sample test
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: when creating the new namespace without the label, there should not have any generated resource
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: when adding the matched label to the namespace, the target resource should be generated
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* removing comments
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* trying to check updated network policy
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: when synchronize flag is set to true in the policy, one cannot delete the generated resource
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* trying to check updated generate policy
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: change synchronize to false in the policy, the label in generated resource should be updated to policy.kyverno.io/synchronize: disable
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: when changing the content in generate.data, the change should be synced to the generated resource
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added comments
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* case: with synchronize==false, one should be able to delete the generated resource
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* handling error
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added retrying
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* minor e2e fixes
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* e2e fixes
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* added logs of mutate error
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* printing configmap
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* printing configmap using BY
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* removing print statements
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* print configmap name
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* printing complete configmap
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
* Improved testing to allow 'skip' status and fail if tested results do not exist
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Ensure exit 0 is seen as failure when should be failure
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* pkg/webhooks/server.go
* remove test for blocking deletes on generatated & synchronized resources
* remove test for blocking deletes on generatated & synchronized resources
* added api templates
* E2E test for generate roles, rolebindings, clusterrole and clusterrolebindings
* table driven e2e tests
* table driven e2e tests and go fmt
* removed unwanted vars
* increased sleep time
* removed role generation clone
* increated sleep time
* added rolebinding clone and retry mechanism for get resources
* modified test for clone
* added namespace to role
* added namespace variable
* added git actions job
* changed build name
* removed docker login
* added role verbs
* removed github actions job and rbac file
* added clusterrole test with clone
* fixed travis issue
* - support wildcards for namespaces
* do not annotate resource, unless policy is an autogen policy
* close HTTP body
* improve messages
* remove policy store
Policy store was not fully implemented and simply provided a way
to list all polices and get a policy by name, which can be done via
standard client-go interfaces.
We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.
* handle wildcard namespaces in background processing
* fix unit tests 1) remove platform dependent path usage 2) remove policy store
* add test case for mutate with wildcard namespaces
