* added new test-case flag to test command
Signed-off-by: Shubham Nazare <shubham4443@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Sambhav Kothari <skothari44@bloomberg.net>
* Update kyverno-policies chart with latest pod-security policies
Fixes#3063Fixes#2277
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README to have better example
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use chart testing during e2e to test against ci values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix e2e tests for Helm chart
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix Kyverno chart testing to actually test values, and fix networkpolicy template
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README for exclusion
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Allow adding 'other' policies via Helm
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update Chart.yaml for kyverno-policies
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Bump minimum Kubernetes version in charts
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update kyverno-policies chart readme
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases (part 2)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use same logic to get git tag by using Makefile target for updating Helm values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
* - update dev images tag; - update chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update to use dev tag when setting up e2e tests infra
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* default chart test image tag for busybox to latest
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* set image tag to latest for chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* correct tag
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove test tag in e2e.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Enable cloud provider registry keychains
It's desirable that Kyverno supports using workload identity and other
cloud provider metadata services for registry credentials.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Always initialize registry keychain
This supports using docker configuration on disk and credentials from
cloud providers without having to specify image pull secrets.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Get pull secrets from kyverno service account
It was previously using 'default'. I think it makes more sense to use
the service account that Kyverno actually runs with.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't split empty pull secrets list
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Add KYVERNO_SVC_ACCOUNT to config manifests
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't retrieve secrets from service account
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Reduce scope of keychain changes
Just enable cloud provider keychains.
Signed-off-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* initial commit
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* adding docker-buildx-builder to makefile
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* reverting git describe in makefile
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* uploading sbom for each kyverno image
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* small nits
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* scanning image before pushing and removed cosign.pub
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* update roles and rolebindings
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert label and fix perms
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* restrict role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix whitespace
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests and roles
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove ingress extensions/v1beta1
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix chart
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* tighten and clarify Kyverno roles and permissions
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fake commit to trigger workflows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert tests and update test role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add newlines
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove invalid param
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* cleanup roles in Helm templates
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove `mutate` cluster role binding
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Added test-e2e-local in the Makefile
* Added a proper Indentation
* Added 3 more fields
* Added getPolicyResourceFullPath function
* Updating the patchedResource path to full path
* Converts Namespaced policy to ClusterPolicy
* Added GetPatchedResourceFromPath function
* Added GetPatchedResource function
* Checks for namespaced-policy from policy name provided bu user
* Generalizing resultKey for both validate and mutate. Also added kind field to this key
* Added Type field to PolicySpec
* To handle mutate case when resource and patchedResource are equal
* fetch patchResource from path provided by user and compare it with engine patchedResource
* generating result by comparing patchedResource
* Added kind to resultKey
* Handles namespaced policy results
* Skip is required
* Added []*response.EngineResponse return type in ApplyPolicyOnResource function
* namespaced policy only surpasses resources having same namespace as policy
* apply command will print the patchedResource whereas test will not
* passing engineResponse instead of validateEngineResponse because it supports results for both validate and mutate case
* default namespace will printed in the output table if no namespace is being provided by the user
* Added e2e test for mutate policy and also examples for both type of policies
* Created a separate function to get resultKey
* Changes in the resultKey for validate case
* Added help description for test command in the cli
* fixes code for more test cases
* fixes code to support more cases and also added resources for e2e-test
* some small changes like adding brackets, clubbing 2 if cond into one, changing variable name, etc.
* Rearrange GetPatchedResourceFromPath function to get rid from repetion of same thing twice.
* Added kind in the result section of test.yaml for all test-cases
* engineResponse will handle different types of response
* GetPatchedResource() uses GetResource function to fetch patched resource
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
