mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-10 18:06:55 +00:00
Code Activity
4810 commits 18 branches 550 tags 293 MiB
Commit graph

67 commits

Author SHA1 Message Date
Charles-Edouard Brétéché
1509fa6251
refactor: non leader controllers management (#4831) 2022-10-06 18:38:35 +08:00
ansalamdaniel
27de93a3d2
fix: add policy validation for ValidationFailureActionOverride field (#4784) 
Signed-off-by: ansalamdaniel <ansalam.daniel@infracloud.io>
 2022-10-06 06:16:12 +00:00
yinka
688b4fb8e3
add package logger in files (#4766) 
* add package logger in files

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* add package logger to initContainer and other files

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* helm docs

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* helm default values

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* release notes

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-10-02 19:45:03 +00:00
Charles-Edouard Brétéché
e0ab72bb9a
feat: reports v2 implementation (#4608) 
This PR refactors the reports generation code.
It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds.

The new reports system is based on 4 controllers:

Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation
Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes
Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace)
Resources controller is responsible for watching reports that need background scan reports
I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong.

I also added a flag to split reports in chunks to avoid creating too large resources.

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
 2022-09-28 17:15:16 +05:30
shuting
34c6920129
Support PSa integration by controlName only (#4710) 
* Remove "restrictedField" and "values" from podSecurity.exclude

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Remove commented code

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add unit tests for restricted_runAsNonRoot

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add baseline unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add unit tests for restricted controls

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Removes PSa tests at the engine level

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - Update API docs; - Add unit tests for wildcard images

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Remove autogen conversion for PSa policies

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* copy pod with DeepCopy()

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-09-28 10:03:53 +00:00
shuting
99f6dedb20
fix logger format (#4474) 
Signed-off-by: ShutingZhao <shuting@nirmata.com>
 2022-09-01 07:33:36 +00:00
shuting
3bf3dcc1af
Add the metric "kyverno_client_queries_total" (#4359) 
* Add metric "kyverno_kube_client_queries_total"

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* publish metric for missing queries

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Refactor the way Kyverno registers QPS metric

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Move clientsets to a dedicated folder

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Wrap Kyverno client and policyreport client to register client query metric

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address linter comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address linter comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Switch to use wrapper clients

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-08-31 11:33:47 +05:30
Charles-Edouard Brétéché
fc1a4601a7
refactor: introduce wildcard utils package (#4406) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-08-25 05:23:01 +00:00
Charles-Edouard Brétéché
144985ee5a
chore: fix golangcilint timeout (#4388) 
* chore: fix golangcilint timeout

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix commit sha

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* add .gitattributes

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-08-24 21:08:24 +08:00
Anutosh Bhat
d92e16526f
Added appropriate logging levels to log.Info() calls wherever necessary (#4341) 
* Added appropriate logging levels to log.Info() calls wherever necessary

Signed-off-by: anutosh491 <andersonbhat491@gmail.com>

* Changed logging levels to 2

Signed-off-by: anutosh491 <andersonbhat491@gmail.com>

Signed-off-by: anutosh491 <andersonbhat491@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
 2022-08-18 13:24:59 +00:00
Vyankatesh Kudtarkar
12693e1a9c
fix external.metrics.k8s.io/v1beta1 issue (#4139) 
* fix external.metrics.k8s.io/v1beta1 issue

* update find resource discovery method

* revert validate.go

* revert chnages

* update discovery method

* fix error handler issue

* add logger support
 2022-07-01 03:00:05 +00:00
Charles-Edouard Brétéché
5243763674
chore: make dclient import aliases consistent (#3951) 
* chore: make kyverno api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make apimachinery api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make dclient api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-17 14:40:51 +00:00
Charles-Edouard Brétéché
5aaf2d8770
chore: make kyverno api import aliases consistent (#3939) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-17 13:12:43 +02:00
Charles-Edouard Brétéché
0099ef54ad
chore: enable gofmt and gofumpt linters (#3931) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-17 06:19:03 +00:00
Charles-Edouard Brétéché
c12f94d6d4
chore: enble gci linter (#3930) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
 2022-05-17 07:56:48 +02:00
Charles-Edouard Brétéché
97e5e64fd4
chore: enable whitespace linter (#3864) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
 2022-05-10 17:01:29 +00:00
Charles-Edouard Brétéché
0a783bdc7d
chore: remove useless util NewKubeClient (#3795) 2022-05-04 13:14:17 +01:00
Charles-Edouard Brétéché
a6924a11ab
refactor: use typed k8s client in tls package (#3678) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-04-26 20:18:14 +00:00
Charles-Edouard Brétéché
06c2b2bb79
refactor: switch to admission v1 (#3526) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-04-06 20:43:07 +00:00
Charles-Edouard Brétéché
29d7010e25
refactor: move common utils (#3553) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-04-05 13:02:43 +00:00
Charles-Edouard Brétéché
857cd1209c
refactor: separate kube utils package (#3527) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-04-01 08:34:25 +00:00
shuting
d1bf3d4742
clean up dependencies (#3469) 
Signed-off-by: ShutingZhao <shuting@nirmata.com>
 2022-03-25 08:40:25 +00:00
Vyankatesh Kudtarkar
b3a53f0658
fix PodExecOptions issue (#3373) 
* fix PodExecOptions issue

* add note

* update comment
 2022-03-11 15:09:32 +05:30
Vyankatesh Kudtarkar
e8bf16a00b
Fix label mutation while updating the secret (#3273) 
* Fix label mutation while updating the secret

* Update util.go

* fix converter issue

* code indentation
 2022-02-22 19:49:03 +08:00
Abhinav Sinha
2cd988a153
Added validation for Condition Operators (#2864) 
* Added validation for Condition Operators

Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>

* Updated description of `Condition.Operator` with all current valid condition operators`

Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>

* Added `ConditionOperators` map and updated existing `ConditionOperator` type references

Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>
 2021-12-28 15:12:31 +00:00
Jose Armesto
831a9826d1
Restructure project to follow standards (#2632) 
Signed-off-by: Jose Armesto <github@armesto.net>
 2021-10-29 18:13:20 +02:00
Marcus Noble
1966c82c6d
Fix various go lint issues (#2639) 
* Fix various go lint issues

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>

* Fix if mistake

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>

* Simplified returns

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
 2021-10-29 17:06:03 +02:00
Liu Shaohui
c90df17356
Fix: kyverno-pre panic when checking kubernetes version (#2614) 
Signed-off-by: Shaohui Liu <liushaohui@xiaomi.com>
 2021-10-28 23:04:03 -07:00
Bricktop
3f15ec5a1e
Remove dead code and unused variables (#2537) 
* Remove dead code and unused variables

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Remove unnecessary definitions

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
 2021-10-13 22:45:23 +02:00
Vyankatesh Kudtarkar
05a0737184
Fix Autogen issue for any/all block and new rule foreach (#2471) 
* Fix Autogen issue for any/all block and Support gvk in match kind block

* remove log and fix test

* Fix issues

* Fix cronjob issue

* Fix autogen for Foreach

* Fix autogen for For each

* Fix for each issue

* adding missing assignements

* Update autogen for foreach rule
 2021-10-06 16:19:55 -07:00
Arsh Sharma
7e9be24d90
updating minio verison (#1956) 2021-06-09 19:16:26 -07:00
Yashvardhan Kukreja
69c3418ca9
added: a pre-flight validation check for ensuring that only 'any'/'all' fields are present under conditions (#1791) 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-04-16 17:23:01 -07:00
Shuting Zhao
741f230272 add unit tests 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-04-05 14:41:30 -07:00
Shuting Zhao
4b8b8cbfa6 remove namespace field on kind Namespace 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-04-05 13:05:47 -07:00
shuting
9a99cc3a33
fix Namespace scope (#1718) 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-03-17 10:28:44 -07:00
Yashvardhan Kukreja
10c714d5ba
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-03-01 20:31:06 -08:00
Shuting Zhao
17c72c1578 substitute variables in context.configMap 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-02-22 16:27:20 -08:00
Jim Bugwadia
05da4190f8
handle discovery errors for metrics API group (#1494) 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-01-24 11:34:02 -08:00
shuting
5f70f5feec
fixes #1399 (#1400) 2020-12-15 15:21:39 -08:00
shuting
630a9cc94c
Fix Kyverno crash when CRD is not installed (#1353) 
* ignore Kyverno CRDs existence check when server is not available

* clean up cluster / reportChangeRequest

* resolve PR comments
 2020-12-03 19:19:36 -08:00
shuting
2ec5a0fa42
1319 fix throttling (#1348) 
* fix policy status and generate controller issues

* shorten ACTION column name

* update logs

* improve naming

* add temp logs for troubleshooting

* cleanup logs

* apply generate policy to old & new resource in webhook

* cleanup log messages

* cleanup log messages

* cleanup log messages

* fix clean up of policy report in init container

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
 2020-12-01 12:30:08 -08:00
Shuting Zhao
b9fb926ddb fixes for golint ./... 2020-11-17 13:07:30 -08:00
shuting
5e07ecc5f3
Add Policy Report (#1229) 
* add report in cli

* policy report crd added

* policy report added

* configmap added

* added jobs

* added jobs

* bug fixed

* added logic for cli

* common function added

* sub command added for policy report

* subcommand added for report

* common package changed

* configmap added

* added logic for kyverno cli

* added logic for jobs

* added logic for jobs

* added logic for jobs

* added logic for cli

* buf fix

* cli changes

* count bug fix

* docs added for command

* go fmt

* refactor codebase

* remove policy controller for policyreport

* policy report removed

* bug fixes

* bug fixes

* added job trigger if needed

* job deletation logic added

* build failed fix

* fixed e2e test

* remove hard coded variables

* packages adde

* improvment added in jobs sheduler

* policy report yaml added

* cronjob added

* small fixes

* remove background sync

* documentation added for report command

* remove extra log

* small improvement

* tested policy report

* revert hardcoded changes

* changes for demo

* demo changes

* resource aggrigation added

* More changes

* More changes

* - resolve PR comments; - refactor jobs controller

* set rbac for jobs

* add clean up in job controller

* add short names

* remove application scope for policyreport

* move job controller to policyreport

* add report logic in command apply

* - update policy report types;  - upgrade k8s library; - update code gen

* temporarily comment out code to pass CI build

* generate / update policyreport to cluster

* add unit test for CLI report

* add test for apply - generate policy report

* fix unit test

* - remove job controller; - remove in-memory configmap; - clean up kustomize manifest

* remove dependency

* add reportRequest / clusterReportRequest

* clean up policy report

* generate report request

* update crd clusterReportRequest

* - update json tag of report summary; - update definition manifests; -  fix dclient creation

* aggregate reportRequest into policy report

* fix unit tests

* - update report summary to optional; - generate clusterPolicyReport; - remove reportRequests after merged to report

* remove

* generate reportRequest in kyverno namespace

* update resource filter in helm chart

* - rename reportRequest to reportChangeRequest; -rename clusterReportRequest to clusterReportChangeRequest

* generate policy report in background scan

* skip generating report change request if there's entry results

* fix results entry removal when policy / rule gets deleted

* rename apiversion from policy.kubernetes.io to policy.k8s.io

* update summary.* to lower case

* move reportChangeRequest to kyverno.io/v1alpha1

* remove policy report flag

* fix report update

* clean up policy violation CRD

* remove violation CRD from manifest

* clean up policy violation code - remove pvGenerator

* change severity fields to lower case

* update import library

* set report category

Co-authored-by: Yuvraj <yuvraj.yad001@gmail.com>
Co-authored-by: Yuvraj <10830562+evalsocket@users.noreply.github.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
 2020-11-09 11:26:12 -08:00
Jim Bugwadia
48b98bd17b
allow text after patch versions (#1230) 2020-11-02 22:14:36 -08:00
Shuting Zhao
cdc5190c56 update nirmata/kyverno to kyverno/kyverno 2020-10-07 11:12:31 -07:00
NoSkillGirl
b61412ca7a minor validation changes 2020-08-31 18:18:10 +05:30
Mohan B E
a14828246d
Feature/api version 852 (#1028) 
* apiVersion support for generate

* added apiVersion to crds
 2020-08-07 09:47:33 +05:30
Shuting Zhao
34d05c58c2 PR fixes 2020-05-19 13:04:06 -07:00
Shuting Zhao
962b8f9865 Fix bug 2020-05-18 18:30:39 -07:00
Shuting Zhao
416f5ecc00 Merge branch 'master' into 744_deny_requests 
# Conflicts:
#	pkg/utils/util.go
#	pkg/webhooks/server.go
 2020-05-18 18:05:22 -07:00