Charles-Edouard Brétéché
5a496ca212
refactor: simplify variables regex ( #5075 )
...
* feat: add simple conformance tests
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* gh action
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* separate workflow
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix the bug
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix cli test
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* improvements
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* improvements
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fixes
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix: variables regex
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
* fix tests
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-10-21 11:51:14 +08:00
Prateek Pandey
2078f0dfd2
fix: allow delete of target resource with synchronize false ( #5081 )
...
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-10-20 19:41:57 +00:00
Charles-Edouard Brétéché
35491d248e
test: add best practices policies in conformance tests ( #5082 )
...
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-10-20 16:05:11 +00:00
Charles-Edouard Brétéché
ad2cbd3b33
feat: add simple conformance tests ( #5073 )
...
* feat: add simple conformance tests
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-10-20 12:17:33 +00:00
Pratik Shah
caab013a86
Fixed issue-4530: Added separate attestor type for secrets and KMS ( #4733 )
...
Signed-off-by: Pratik Shah <pratik@infracloud.io>
Signed-off-by: Vyankatesh <vyankateshkd@gmail.com>
2022-10-14 09:40:46 +00:00
Pratik Shah
8a0083105d
Added support to specify key signature algorithm in verifyImages ( #4855 )
...
Signed-off-by: Pratik Shah <pratik@infracloud.io>
Signed-off-by: Pratik Shah <pratik@infracloud.io>
2022-10-14 05:39:57 +00:00
Sachin Maurya
bec5632344
e2e test for mutate policy ( #3383 )
...
Signed-off-by: slayer321 <sachin.maurya7666@gmail.com>
Signed-off-by: slayer321 <sachin.maurya7666@gmail.com>
2022-10-08 10:57:41 -04:00
yinka
688b4fb8e3
add package logger in files ( #4766 )
...
* add package logger in files
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
* add package logger to initContainer and other files
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
* helm docs
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* helm default values
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* release notes
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-02 19:45:03 +00:00
Abhinav Sinha
a1182859ad
Added `x509_decode` JMESPath function ( #4664 )
...
* Added `x509_decode` JMESPath function
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Use `crypto/x509` stdlib
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Return result as `map[string]interface{}`
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Made minor fixes
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Fixed error with unmarshalling decoded certificate
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Added e2e test for decoding X.509 certs
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Reverted to using `smallstep/zcrypto` for X.509
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Minor fix
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Addressed reviews
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Removed redundant dependency on `pkg/errors`
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-09-28 18:15:39 +00:00
shuting
34c6920129
Support PSa integration by `controlName` only ( #4710 )
...
* Remove "restrictedField" and "values" from podSecurity.exclude
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Remove commented code
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add unit tests for restricted_runAsNonRoot
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add baseline unit tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add unit tests for restricted controls
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Removes PSa tests at the engine level
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - Update API docs; - Add unit tests for wildcard images
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Remove autogen conversion for PSa policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* copy pod with DeepCopy()
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-28 10:03:53 +00:00
Prateek Pandey
9cc1e6b2b3
fix: handle auth permission for cloneList validation ( #4684 )
...
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-26 13:23:00 +05:30
Charles-Edouard Brétéché
4d7e1281de
fix: namespaced policy not validated in engine ( #4653 )
...
* fix: namespaced policy not validated in engine
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix test
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-09-26 12:47:37 +08:00
Prateek Pandey
1cacd0173d
feat: allow cloning multiple resource from a namespace ( #4384 )
2022-09-08 04:47:09 +00:00
ToLToL
1b9a2fca21
Extend Pod Security Admission ( #4364 )
...
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appArmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 09:16:31 +00:00
Riko Kudo
5f5cda9fee
Yaml signing and verification ( #4235 )
...
* enable YAML verification using k8s-manifest-sigstore
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
comment out role and rolebinding for dryrun
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix log message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
change default value of dryrun option
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
support gpg signature
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* upgrade manifest sigstore version and support multi sigs
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix validate.manifest rule
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd and add small fix
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
set cosign experimental env when keyless verification
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* improve default ignoreFields
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* add unit-test for k8smanifest
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update install yaml
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version and support one or more signatures
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
add unit-test for k8smanifest multi-signature
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix manifest verify policy and move dryrun rbac to dryrun dir
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version and resolve conflict
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
enable YAML verification using k8s-manifest-sigstore
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
comment out role and rolebinding for dryrun
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix pubkey setting
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
upgrade manifest sigstore version and support multi sigs
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix validate.manifest rule
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update crd and add small fix
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
update k8s-manifest-sigstore version and support one or more signatures
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix verifyManifest result message
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
fix manifest verify policy and move dryrun rbac to dryrun dir
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
add small fix
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* remove generic name
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix sonatype-lift issue and unit-test error
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* fix gofumpt error
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
* update manifest rule to use attestor
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* remove unused value
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* resolve conflict
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix install.yaml
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix to set COSIGN_EXPERIMENTAL env variable when keyless verification
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix misspell
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* enable kyverno cli in validate.manifests rule (#3 )
* enable kyverno cli in validate.manifests rule
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version and improve error handling for better result output
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update crds and deepcopy
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update unit test
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* change to use spec.rules.exclude.subjects instead of skipUsers (#4 )
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* update k8s-manifest-sigstore version
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix yaml signing sigstore (#5 )
* update k8s-manifest-sigstore version
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* add a comment for dryrun option field
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* enable to include ClusterPolicy/Policy in match resource
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix log style and env variable settings
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* simplify manifest verify func
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix func name
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix sonatype warning
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix default ignoreFields
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix yaml signing sigstore rbac (#6 )
* fix dryrun rbac to have minimal permissions
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix lint error
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix unit-test error
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix gofumpt error
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* fix log style
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* updated CRD documentation
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* resolve go.mod conflicts
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
* updated helm stuff
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-08-30 10:14:54 -07:00
Charles-Edouard Brétéché
4864be14f1
fix: make ldflags optional in .ko.yaml ( #4419 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-26 13:40:27 +00:00
Charles-Edouard Brétéché
144985ee5a
chore: fix golangcilint timeout ( #4388 )
...
* chore: fix golangcilint timeout
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix commit sha
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* add .gitattributes
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-24 21:08:24 +08:00
vivek kumar sahu
17052436cb
Treat normal and precondition variable equally ( #4217 )
...
* When the value of the variables is not present, it will be assigned as nil
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added cli test cases
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* fixed failing test cases
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* remove extra line
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-08-18 04:34:36 +00:00
vivek kumar sahu
c95bb74992
Context vars substitution in CLI ( #4290 )
...
* context variables substitution will be independent of sequence
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added test cases
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-08-09 05:48:57 +00:00
vivek kumar sahu
f6c131cfcc
precondition failure will skip rule independent of audit or enforce mode ( #4163 )
...
* precondition fails will skip rule independent of audit or enforce mode
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added cli-test cases
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* small fix
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-07-14 09:35:27 +05:30
vivek kumar sahu
a37901425f
return helpful error message on invalid patched resources. ( #4129 )
...
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-07-06 13:24:28 +05:30
Charles-Edouard Brétéché
24e96884c5
refactor: finish refactoring generate e2e tests ( #4090 )
...
* refactor: generate e2e GeneratePolicyDeletionforCloneTests
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: generate e2e test GenerateNetworkPolicyOnNamespaceWithoutLabelTests
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* chore: cleanup
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* finish refactoring tests
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: is not found
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor expectations part 1
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: repeat update on conflict
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-07-05 23:34:09 +08:00
Charles-Edouard Brétéché
27e5772986
fix: add more verify images e2e test for bool fields ( #4172 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-06-30 21:36:28 +02:00
Tathagata Paul
16f8620993
added resource lists for test cli ( #4082 )
...
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
2022-06-20 06:38:13 +00:00
Charles-Edouard Brétéché
e1db7c9814
feat: add e2e framework and verify image new test ( #4094 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-06-09 21:58:07 +08:00
Charles-Edouard Brétéché
e3c39f1da1
refactor: generate e2e GeneratePolicyDeletionforCloneTests ( #4071 )
...
* refactor: generate e2e GeneratePolicyDeletionforCloneTests
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: unit test
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* chore: remove resourceExpectation type
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-06-07 23:35:44 +08:00
Charles-Edouard Brétéché
0b7b2458eb
refactor: generate e2e tests ( #4068 )
...
* refactor: use t.Cleanup in e2e tests
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: generate e2e tests
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* helpers
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-06-03 21:08:27 +02:00
Charles-Edouard Brétéché
fe3c12628c
refactor: use t.Cleanup in e2e tests ( #4067 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-06-03 19:08:33 +05:30
Vyankatesh Kudtarkar
18ae9c7d6d
fix policy typo ( #4039 )
2022-05-31 06:28:02 +00:00
Shubham Nazare
165c5d9fc3
feat: Extend CLI to cover generate policies ( #3456 )
...
- Change in namespace for test-generate example
- Change cloneResource to cloneSourceResource
- Add support for namespaced Policy and fix log messages
- Add test-generate in Makefile and an example of namespaced Policy
- Fix namespaced policy issue and add comments
- Refactor according to new generate controller
- Add json tag to GeneratedResource field of RuleResponse struct
Signed-off-by: Shubham Nazare <shubham4443@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-05-25 14:26:22 +00:00
vivek kumar sahu
fbbe57f5e1
Request operation value by default to CREATE ( #3894 )
...
* set by default request.operation to CREATE
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added test cases
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-05-25 13:59:53 +00:00
Charles-Edouard Brétéché
1936d86623
fix: move ur controller filtering in reconciler ( #3964 )
...
* fix: move ur controller filtering in reconciler
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: mark ur retry on conflict
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: test data
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: add filter back in update ur handler
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: added some logs about attempts and increased backoff
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: reconciliation logic
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: Test_Generate_Synchronize_Flag
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* fix: small nits
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-20 00:06:56 +08:00
Charles-Edouard Brétéché
0099ef54ad
chore: enable gofmt and gofumpt linters ( #3931 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 06:19:03 +00:00
Dhaval Shah
fce35b91d2
[Bugbash] Kceu22 bugbash/fix staticcheck warnings ( #3917 )
...
* cleanup: error string formatting
Fixes Staticcheck ST1005
KubeCon EU 2022 BugBash
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
* cleanup: merge var declaration with assignment
Fixes staticcheck S1021
Kubecon EU 2022 Bugbash
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
* cleanup normalize yoda condition to simple compare
fixes staticcheck ST1017
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
* cleanup: remove extraneous err param on executeTest
err is not used anywhere except to throw Fatal inside executeTest()
fix staticcheck SA4009
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
* fix: match validation error message to actual errors
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
* cleanup: more of normalize validation error messages
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
* cleanup: additional error message formatting fixes
Signed-off-by: Dhaval Shah <30974879+dhavalgshah@users.noreply.github.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-05-14 22:04:35 +01:00
Vyankatesh Kudtarkar
31928c9507
Fix subject match selector issue in cli ( #3887 )
...
* Fix subject match selector issue in cli
* remove space
* code refactoring
2022-05-11 15:21:13 +00:00
Charles-Edouard Brétéché
747f4128ef
chore: enable noctx linter ( #3888 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-11 17:34:40 +05:30
Charles-Edouard Brétéché
f508e9a0b8
chore: add unconvert linter ( #3867 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-10 20:28:45 +01:00
Charles-Edouard Brétéché
97e5e64fd4
chore: enable whitespace linter ( #3864 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-05-10 17:01:29 +00:00
Jim Bugwadia
bc07943c81
handle subresources ( #3841 )
...
* handle subresources
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix logger name
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix webhook and logs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-05-09 18:50:50 -07:00
Sambhav Kothari
2dc54e5c1b
Allow variables of any kind to be defined ( #3828 )
...
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
2022-05-07 20:30:11 +00:00
Afzal Ansari
3845225db1
refactor: imported pkg redeclared and a few other unused func ( #3827 )
...
* Removes paths redeclared
Signed-off-by: afzal442 <afzal442@gmail.com>
* fixes v1 redeclared
Signed-off-by: afzal442 <afzal442@gmail.com>
* fixes mergeSucceededResults func never used
Signed-off-by: afzal442 <afzal442@gmail.com>
* fixes func unused
Signed-off-by: afzal442 <afzal442@gmail.com>
* refactors unused func
Signed-off-by: afzal442 <afzal442@gmail.com>
* refactors unused func
Signed-off-by: afzal442 <afzal442@gmail.com>
* refactors getNamespacesForRule unused
Signed-off-by: afzal442 <afzal442@gmail.com>
* refactors policyNamespace unused
Signed-off-by: afzal442 <afzal442@gmail.com>
* refactors replacing loop with ...
Signed-off-by: afzal442 <afzal442@gmail.com>
* refactors func buildPolicyLabel unused
Signed-off-by: afzal442 <afzal442@gmail.com>
* removes unused func
Signed-off-by: afzal442 <afzal442@gmail.com>
* removes unused comment
Signed-off-by: afzal442 <afzal442@gmail.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-05-07 16:44:57 +00:00
Moritz Johner
4d2ec26c90
CLI should respect scored annotation for warnings ( #3821 )
...
Co-authored-by: Sambhav Kothari <skothari44@bloomberg.net>
2022-05-07 13:33:50 +00:00
Sambhav Kothari
c3604c1170
Add an object_from_lists function ( #3824 )
2022-05-07 12:05:04 +00:00
Sambhav Kothari
e55bf0bf6f
Relax JMESPath variable validation ( #3826 )
2022-05-07 16:40:53 +05:30
shuting
b4f2b63f53
Load `mutate.targets` via dclient ( #3797 )
...
* Load mutate.targets via dclient
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Do not fail on namespace cleanup for e2e generate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Fix wildcard name listing for a certain namespace
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Rename onPolicyUpdate to mutateExistingOnPolicyUpdate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Enable "mutateExistingOnPolicyUpdate" on policy events
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2022-05-06 05:46:36 +00:00
Jim Bugwadia
db3502656d
Cert attestor ( #3809 )
...
* add certificates attestor
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle duplicate images; use container name as key
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* use OldObject for modify requests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* use unique image names
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* merge main
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* create a single annotation patch across rules and images
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt and change annotation key name
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter issues
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* split certs from keys
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix test
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add Rekor and fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-05-05 21:57:20 -07:00
shuting
8a9a98d8b5
Add `handler` to `UR.status` ( #3791 )
...
* - Add "handler" to "ur.status"
- Mark / Unmark handler upon UR reconciliation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add field onPolicyUpdate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Update API docs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add delay in generate e2e tests
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Remove duplicate logic for cleaning up the cloned resource
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-05-05 16:26:27 +05:30
Sambhav Kothari
6e48fdf4ce
Fix issue with image registry when decoding OCI descriptors with out of spec keys ( #3799 )
2022-05-04 13:38:56 -04:00
gsweene2
af51ceb4ff
Add JMESPath Function `items` ( #3777 )
...
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Sambhav Kothari <skothari44@bloomberg.net>
2022-05-04 10:33:24 +00:00
Vyankatesh Kudtarkar
fca068d0f6
Fix Cli test for image verification ( #3760 )
...
* fix Cli test for image verification
2022-05-04 04:11:59 +00:00