kyverno

mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

Author	SHA1	Message	Date
Charles-Edouard Brétéché	af787b9fe6	docs: separate dev and user docs (#5114 ) * docs: separate dev and user docs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-21 14:51:15 +00:00
Charles-Edouard Brétéché	4b3a7b7da8	fix: add more infos in reports printers (#5027 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-10-18 09:56:14 +02:00
Pratik Shah	caab013a86	Fixed issue-4530: Added separate attestor type for secrets and KMS (#4733 ) Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>	2022-10-14 09:40:46 +00:00
Charles-Edouard Brétéché	064980bd9a	fix: admission reports printer (#4950 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-14 08:22:00 +00:00
Pratik Shah	8a0083105d	Added support to specify key signature algorithm in verifyImages (#4855 ) Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Pratik Shah <pratik@infracloud.io>	2022-10-14 05:39:57 +00:00
Charles-Edouard Brétéché	4aed9359cb	refactor: manage webhooks with webhook controller (#4846 ) * refactor: add config support to webhook controller Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: add client config to webhook controller Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * migrate verify webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * v1 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: move policy webhooks management in webhook controller Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * policy validating webhook config Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * watch policies Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: migrate resource webhook management in webhook controller Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * mutating webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * auto update Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * auto update and wildcard policies Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * policy readiness Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: can't use v1 admission Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * reduce reconcile Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * watchdog Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * health check Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * runtime utils Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * runtime utils Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * watchdog check Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * remove delete from mutating webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-10-12 06:52:42 +00:00
shuting	4d90b7b561	Update PSa images dsecription (#4840 ) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-10-07 08:09:31 +00:00
ShutingZhao	614c30788e	Fix PSa the control name validation Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-10-06 03:50:39 +08:00
Charles-Edouard Brétéché	51b07b7bf3	fix: validationFailureAction default value (#4822 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>	2022-10-05 18:09:21 +00:00
yinka	688b4fb8e3	add package logger in files (#4766 ) * add package logger in files Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add package logger to initContainer and other files Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * helm docs Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * helm default values Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * release notes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-10-02 19:45:03 +00:00
shuting	1d83e86c12	Add PSa policy validations (#4735 ) * Validate PSa control names Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add validation checks for the PSa rule Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-29 12:03:13 +08:00
Prateek Pandey	38c252952d	feat: add matchlabel selector support with multiple clone (#4713 ) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-09-28 17:44:38 +02:00
Charles-Edouard Brétéché	e0ab72bb9a	feat: reports v2 implementation (#4608 ) This PR refactors the reports generation code. It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds. The new reports system is based on 4 controllers: Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace) Resources controller is responsible for watching reports that need background scan reports I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong. I also added a flag to split reports in chunks to avoid creating too large resources. Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-09-28 17:15:16 +05:30
shuting	34c6920129	Support PSa integration by `controlName` only (#4710 ) * Remove "restrictedField" and "values" from podSecurity.exclude Signed-off-by: ShutingZhao <shuting@nirmata.com> * Remove commented code Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add unit tests for restricted_runAsNonRoot Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add baseline unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add unit tests for restricted controls Signed-off-by: ShutingZhao <shuting@nirmata.com> * Removes PSa tests at the engine level Signed-off-by: ShutingZhao <shuting@nirmata.com> * - Update API docs; - Add unit tests for wildcard images Signed-off-by: ShutingZhao <shuting@nirmata.com> * Remove autogen conversion for PSa policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * copy pod with DeepCopy() Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-28 10:03:53 +00:00
Pradeep Lakshmi Narasimha	e305aea95c	fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671 ) Signed-off-by: praddy26 <pradeep.vaishnav4@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-09-26 14:54:13 +00:00
Charles-Edouard Brétéché	fe8c5bbdf2	refactor: split policyreport api files (#4641 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-19 10:28:51 +00:00
Charles-Edouard Brétéché	47b3704848	fix: missing elements in v2beta1 api (#4654 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-19 09:55:04 +00:00
Charles-Edouard Brétéché	42a2df56c1	refactor: add a couple of constants in api (#4640 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-19 09:11:12 +00:00
Charles-Edouard Brétéché	634dff5639	feat: introduce RCR interface (#4642 ) * feat: introduce RCR interface Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix codegen Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-19 08:42:11 +00:00
Charles-Edouard Brétéché	530a584f76	fix: background printer column (#4617 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-14 06:54:56 +00:00
Charles-Edouard Brétéché	dfb566a458	fix: typo (#4582 ) * fix: typo Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: typo Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-10 16:11:38 +00:00
Vyankatesh Kudtarkar	aa6abd99f2	Support V2beta1 Version (#4514 ) introduce new version V2beta1 which remove deprecated CRD types from version v1. Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>	2022-09-08 11:19:16 +00:00
Prateek Pandey	1cacd0173d	feat: allow cloning multiple resource from a namespace (#4384 )	2022-09-08 04:47:09 +00:00
Abhishek Kumar	5681a2a2dc	Improve printer column name for validationFailureAction (#4488 ) Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com> Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-02 05:33:33 +00:00
shuting	c1b1cbb7da	Add PodSecurity description (#4475 ) Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-09-01 09:03:41 +00:00
Charles-Edouard Brétéché	599a68e896	feat: enable autogen from makefile (#4467 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-09-01 14:14:56 +08:00
ToLToL	1b9a2fca21	Extend Pod Security Admission (#4364 ) * init commit for pss Signed-off-by: ShutingZhao <shuting@nirmata.com> * add test for Volume Type control * add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS() * remove unused code, still a JMESPATH problem with app armor ExemptProfile() * test for Host Process / Host Namespaces controls * test for Privileged containers controls * test for HostPathVolume control * test for HostPorts control * test for HostPorts control * test for SELinux control * test for Proc mount type control * Set to baseline * test for Seccomp control * test for Sysctl control * test for Privilege escalation control * test for Run as non root control * test for Restricted Seccomp control * Add problems to address * add solutions to problems * Add validate rule for PSA * api.Version --> string. latest by default * Exclude all values for a restrictedField * add tests for kyverno engine * code to be used to match kyverno rule's namespace * Refacto pkg/pss * fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers: * EvaluatePod * Use EvaluatePod in kyverno engine * Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[].securityContext.capabilities.add Check if PSSCheckResult matched at least one exclude value * add tests for engine * fix engine validation test * config * update go.mod and go.sum * crds * Check validate value: add PodSecurity * exclude all restrictedFields when we only specify the controlName * ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path * handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded) * refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go * add all controls with containers in restrictedFields as comments * add tests for capabilities and privileged containers and fix some errors * add tests for host ports control * add tests for proc mount control * add tests for privilege escalation control * add tests for capabilities control * remove comments * new algo * refacto algo, working. Add test for hostProcess control * remove unused code * fix getPodWithNotMatchingContainers(), add tests for host namespaces control * refacto ExemptProfile() * get values for a specific container. add test for SELinuxOptions control * fix allowedValues for SELinuxOptions * add tests for seccompProfile_baseline control * refacto checkContainers(), add test for seccomp control * add test for running as non root control * add some tests for runAsUser control, have to update current PSA version * add sysctls control * add allowed values for restrictedVolumes control * add some tests for appArmor, volume types controls * add tests for volume types control * add tests for hostPath volume control * finish merge conflicts and add tests for runAsUser * update charts and crds * exclude.images optional * change volume types control exclude values * add appAmor control * fix: did not match any exclude value for pod-level restrictedFields * create autogen for validate.PodSecurity * clean code, remove logs * fix sonatype lift errors * fix sonatype lift errors: duplication * fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests * beginning of autogen implement for validate.exclude * Autogen for validation.PodSecurity * working autogen with simple tests * change validate.PodSecurity failure response format * make codegen * fix lint errors, remove debug prints * fix tags * fix tags * fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request * Changes requested * Changes requested 2 * Changes requested 3 * Changes requested 4 * Changes requested and make codegen * fix host namespaces control * fix lint * fix codegen error * update docs/crd/v1/index.html Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix path Signed-off-by: ShutingZhao <shuting@nirmata.com> * update crd schema Signed-off-by: ShutingZhao <shuting@nirmata.com> * update charts/kyverno/templates/crds.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com>	2022-08-31 09:16:31 +00:00
Riko Kudo	5f5cda9fee	Yaml signing and verification (#4235 ) * enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix log message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> change default value of dryrun option Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> support gpg signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> set cosign experimental env when keyless verification Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * improve default ignoreFields Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * add unit-test for k8smanifest Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update install yaml Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add unit-test for k8smanifest multi-signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and resolve conflict Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * remove generic name Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix sonatype-lift issue and unit-test error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update manifest rule to use attestor Signed-off-by: Riko Kudo <rurikudo@ibm.com> * remove unused value Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve conflict Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix install.yaml Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix to set COSIGN_EXPERIMENTAL env variable when keyless verification Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix misspell Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable kyverno cli in validate.manifests rule (#3) * enable kyverno cli in validate.manifests rule Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and improve error handling for better result output Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update crds and deepcopy Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update unit test Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * change to use spec.rules.exclude.subjects instead of skipUsers (#4) Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore (#5) * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * add a comment for dryrun option field Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable to include ClusterPolicy/Policy in match resource Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style and env variable settings Signed-off-by: Riko Kudo <rurikudo@ibm.com> * simplify manifest verify func Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix func name Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix sonatype warning Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix default ignoreFields Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore rbac (#6) * fix dryrun rbac to have minimal permissions Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix lint error Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix unit-test error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated CRD documentation Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve go.mod conflicts Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated helm stuff Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>	2022-08-30 10:14:54 -07:00
Charles-Edouard Brétéché	fc1a4601a7	refactor: introduce wildcard utils package (#4406 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-08-25 05:23:01 +00:00
Charles-Edouard Brétéché	91373e1329	fix: goimports check not working in ci job (#4387 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-08-24 13:38:49 +00:00
Charles-Edouard Brétéché	144985ee5a	chore: fix golangcilint timeout (#4388 ) * chore: fix golangcilint timeout Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix commit sha Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * add .gitattributes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-08-24 21:08:24 +08:00
George	648511383c	Update wgpolicyk8s.io CRDs (#4355 ) * Update policyreport api Signed-off-by: George Sedky <george@devopzilla.com> * Run codegen to generate CRDs Signed-off-by: George Sedky <george@devopzilla.com> Signed-off-by: George Sedky <george@devopzilla.com> Co-authored-by: George Sedky <george@devopzilla.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-08-22 07:18:33 +00:00
Jim Bugwadia	943c3a1929	use failurePolicy to block or allow requests, on policy errors (#4183 ) * use failurePolicy to block or allow requests, on policy errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add warnings Signed-off-by: Jim Bugwadia <jim@nirmata.com> * codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add unit tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle network errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix title conversion Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix path in generated file Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fake metrics Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add check for klog flag initialization Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check for flag reinitialization Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check for flag reinitialization Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix spelling Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix flag init Signed-off-by: Jim Bugwadia <jim@nirmata.com>	2022-08-02 20:24:02 +05:30
Jim Bugwadia	4aa0767728	add applyRules to control whether one or all rules are applied (#4196 ) * add ruleSelector Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix selector logic for skipped rules Signed-off-by: Jim Bugwadia <jim@nirmata.com> * change names Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix generated paths Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add image variable to context when rule processing starts Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix messages Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update generate rules Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-07-29 15:02:26 +08:00
Anutosh Bhat	dafa27e928	Corrected description for UpdateRequest struct (#4215 ) * Corrected description for UpdateRequest struct Signed-off-by: anutosh491 <andersonbhat491@gmail.com> * Added changes for docs Signed-off-by: anutosh491 <andersonbhat491@gmail.com> * Added diff shown in verify generate tests Signed-off-by: anutosh491 <andersonbhat491@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-07-19 12:16:50 +00:00
Charles-Edouard Brétéché	210a709bb3	feat: policy status for autogen rules (#4173 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-07-03 15:09:18 -07:00
Jim Bugwadia	bc1b051b90	fix imageVerify validation checks and conversion logic (#4038 ) Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-06-15 17:13:36 -07:00
Charles-Edouard Brétéché	1786cb8bc8	fix: bool fields in image verification types (#4053 ) * refactor: add policy event listener in ur controller (#4012) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> (cherry picked from commit `cd1fa030ee`) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: bool fields in image verification types Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-06-02 12:05:23 -07:00
Charles-Edouard Brétéché	dae3dad027	refactor: used typed admission request in ur (#4022 ) * refactor: add policy event listener in ur controller (#4012) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> (cherry picked from commit `cd1fa030ee`) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: used typed admission request in ur Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: used typed admission request in ur Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * Handle the error properly Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: ShutingZhao <shuting@nirmata.com>	2022-05-29 07:27:14 +00:00
Charles-Edouard Brétéché	1712dfa947	refactor: move label helper utils from policy package to background package (#3996 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-24 13:11:12 +05:30
Charles-Edouard Brétéché	5aaf2d8770	chore: make kyverno api import aliases consistent (#3939 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-17 13:12:43 +02:00
Charles-Edouard Brétéché	0099ef54ad	chore: enable gofmt and gofumpt linters (#3931 ) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>	2022-05-17 06:19:03 +00:00
Charles-Edouard Brétéché	70954b9995	refactor: policy cache (#3919 ) * refactor: simplify policy cache Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: policy cache Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * remove update and add policies map Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: review comments Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-05-16 07:56:16 +00:00
Prateek Pandey	4d4f805d68	fix: undo length validation check for generate rule resource name (#3865 ) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>	2022-05-11 05:08:27 +00:00
Prateek Pandey	8b6d3d1f6a	feat: trigger generate on existing matched resource (#3819 ) * feat: trigger generate on existing matched resource Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * refactor the triggers and fix review comments Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * add trigger for other matching kinds Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * implement match exclude using dynamic client Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * refactor generate trigger Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * increase sleep timeout Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * optimize unstructured list Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * fix review comments Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * log refactor and clean debug comments Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>	2022-05-09 07:13:11 +00:00
shuting	b4f2b63f53	Load `mutate.targets` via dclient (#3797 ) * Load mutate.targets via dclient Signed-off-by: ShutingZhao <shuting@nirmata.com> * Do not fail on namespace cleanup for e2e generate Signed-off-by: ShutingZhao <shuting@nirmata.com> * Fix wildcard name listing for a certain namespace Signed-off-by: ShutingZhao <shuting@nirmata.com> * Rename onPolicyUpdate to mutateExistingOnPolicyUpdate Signed-off-by: ShutingZhao <shuting@nirmata.com> * Enable "mutateExistingOnPolicyUpdate" on policy events Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>	2022-05-06 05:46:36 +00:00
Jim Bugwadia	db3502656d	Cert attestor (#3809 ) * add certificates attestor Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle duplicate images; use container name as key Signed-off-by: Jim Bugwadia <jim@nirmata.com> * use OldObject for modify requests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * use unique image names Signed-off-by: Jim Bugwadia <jim@nirmata.com> * merge main Signed-off-by: Jim Bugwadia <jim@nirmata.com> * create a single annotation patch across rules and images Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt and change annotation key name Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * split certs from keys Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add Rekor and fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>	2022-05-05 21:57:20 -07:00
Charles-Edouard Brétéché	5d2e2faf72	fix: autogen rules in status (#3728 ) * refactor: autogen package logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: add rules to status only when necessary Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>	2022-05-05 15:11:26 +00:00
Vyankatesh Kudtarkar	13d8a96f92	Policy Validation check for onPolicyUpdate flag (#3814 ) * policy validation check for OnPolicyUpdate flag * add validation check for onupdatepolicy flag	2022-05-05 21:04:49 +08:00
shuting	8a9a98d8b5	Add `handler` to `UR.status` (#3791 ) * - Add "handler" to "ur.status" - Mark / Unmark handler upon UR reconciliation Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add field onPolicyUpdate Signed-off-by: ShutingZhao <shuting@nirmata.com> * Update API docs Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add delay in generate e2e tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * Remove duplicate logic for cleaning up the cloned resource Signed-off-by: ShutingZhao <shuting@nirmata.com>	2022-05-05 16:26:27 +05:30

1 2 3

135 commits