mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-09 09:26:54 +00:00
Code Activity
4545 commits 17 branches 550 tags 290 MiB
Commit graph

67 commits

Author SHA1 Message Date
shuting
c1b1cbb7da
Add PodSecurity description (#4475) 
Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
 2022-09-01 09:03:41 +00:00
ToLToL
1b9a2fca21
Extend Pod Security Admission (#4364) 
* init commit for pss

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add test for Volume Type control

* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()

* remove unused code, still a JMESPATH problem with app armor ExemptProfile()

* test for Host Process / Host Namespaces controls

* test for Privileged containers controls

* test for HostPathVolume control

* test for HostPorts control

* test for HostPorts control

* test for SELinux control

* test for Proc mount type control

* Set to baseline

* test for Seccomp control

* test for Sysctl control

* test for Privilege escalation control

* test for Run as non root control

* test for Restricted Seccomp control

* Add problems to address

* add solutions to problems

* Add validate rule for PSA

* api.Version --> string. latest by default

* Exclude all values for a restrictedField

* add tests for kyverno engine

* code to be used to match kyverno rule's namespace

* Refacto pkg/pss

* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:

* EvaluatePod

* Use EvaluatePod in kyverno engine

* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add

* Check if PSSCheckResult matched at least one exclude value

* add tests for engine

* fix engine validation test

* config

* update go.mod and go.sum

* crds

* Check validate value: add PodSecurity

* exclude all restrictedFields when we only specify the controlName

* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path

* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)

* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go

* add all controls with containers in restrictedFields as comments

* add tests for capabilities and privileged containers and fix some errors

* add tests for host ports control

* add tests for proc mount control

* add tests for privilege escalation control

* add tests for capabilities control

* remove comments

* new algo

* refacto algo, working. Add test for hostProcess control

* remove unused code

* fix getPodWithNotMatchingContainers(), add tests for host namespaces control

* refacto ExemptProfile()

* get values for a specific container. add test for SELinuxOptions control

* fix allowedValues for SELinuxOptions

* add tests for seccompProfile_baseline control

* refacto checkContainers(), add test for seccomp control

* add test for running as non root control

* add some tests for runAsUser control, have to update current PSA version

* add sysctls control

* add allowed values for restrictedVolumes control

* add some tests for appArmor, volume types controls

* add tests for volume types control

* add tests for hostPath volume control

* finish merge conflicts and add tests for runAsUser

* update charts and crds

* exclude.images optional

* change volume types control exclude values

* add appAmor control

* fix: did not match any exclude value for pod-level restrictedFields

* create autogen for validate.PodSecurity

* clean code, remove logs

* fix sonatype lift errors

* fix sonatype lift errors: duplication

* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests

* beginning of autogen implement for validate.exclude

* Autogen for validation.PodSecurity

* working autogen with simple tests

* change validate.PodSecurity failure response format

* make codegen

* fix lint errors, remove debug prints

* fix tags

* fix tags

* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request

* Changes requested

* Changes requested 2

* Changes requested 3

* Changes requested 4

* Changes requested and make codegen

* fix host namespaces control

* fix lint

* fix codegen error

* update docs/crd/v1/index.html

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix path

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update crd schema

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update charts/kyverno/templates/crds.yaml

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
 2022-08-31 09:16:31 +00:00
Riko Kudo
5f5cda9fee
Yaml signing and verification (#4235) 
* enable YAML verification using k8s-manifest-sigstore

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

comment out role and rolebinding for dryrun

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix log message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

change default value of dryrun option

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

support gpg signature

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* upgrade manifest sigstore version and support multi sigs

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix validate.manifest rule

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd and add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

set cosign experimental env when keyless verification

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* improve default ignoreFields

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* add unit-test for k8smanifest

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update install yaml

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version and support one or more signatures

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

add unit-test for k8smanifest multi-signature

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix manifest verify policy and move dryrun rbac to dryrun dir

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version and resolve conflict

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

enable YAML verification using k8s-manifest-sigstore

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

comment out role and rolebinding for dryrun

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

upgrade manifest sigstore version and support multi sigs

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix validate.manifest rule

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd and add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version and support one or more signatures

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy and move dryrun rbac to dryrun dir

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* remove generic name

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix sonatype-lift issue and unit-test error

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix gofumpt error

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update manifest rule to use attestor

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* remove unused value

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* resolve conflict

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix install.yaml

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix to set COSIGN_EXPERIMENTAL env variable when keyless verification

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix misspell

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* enable kyverno cli in validate.manifests rule (#3)

* enable kyverno cli in validate.manifests rule

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version and improve error handling for better result output

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update crds and deepcopy

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update unit test

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* change to use spec.rules.exclude.subjects instead of skipUsers (#4)

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix yaml signing sigstore (#5)

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* add a comment for dryrun option field

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* enable to include ClusterPolicy/Policy in match resource

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix log style and env variable settings

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* simplify manifest verify func

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix func name

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix sonatype warning

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix default ignoreFields

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix yaml signing sigstore rbac (#6)

* fix dryrun rbac to have minimal permissions

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix lint error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix unit-test error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix gofumpt error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix log style

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* updated CRD documentation

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* resolve go.mod conflicts

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* updated helm stuff

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
 2022-08-30 10:14:54 -07:00
Charles-Edouard Brétéché
cf0ee93de8
feat: enable autogen internals by default (#4381) 
* feat: enable autogen internals by default

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* change e2e tests

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* change e2e tests matrix

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-08-25 23:01:43 +08:00
Charles-Edouard Brétéché
2882a4fb13
fix: missing aggregated role for UR (#4378) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-08-23 12:07:44 +00:00
George
648511383c
Update wgpolicyk8s.io CRDs (#4355) 
* Update policyreport api

Signed-off-by: George Sedky <george@devopzilla.com>

* Run codegen to generate CRDs

Signed-off-by: George Sedky <george@devopzilla.com>

Signed-off-by: George Sedky <george@devopzilla.com>
Co-authored-by: George Sedky <george@devopzilla.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
 2022-08-22 07:18:33 +00:00
Jim Bugwadia
943c3a1929
use failurePolicy to block or allow requests, on policy errors (#4183) 
* use failurePolicy to block or allow requests, on policy errors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add warnings

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add unit tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* handle network errors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix title conversion

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix path in generated file

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix fake metrics

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add check for klog flag initialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* check for flag reinitialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* check for flag reinitialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix spelling

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix flag init

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2022-08-02 20:24:02 +05:30
Jim Bugwadia
4aa0767728
add applyRules to control whether one or all rules are applied (#4196) 
* add ruleSelector

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix selector logic for skipped rules

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* change names

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix generated paths

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add image variable to context when rule processing starts

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix messages

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update generate rules

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-07-29 15:02:26 +08:00
Anutosh Bhat
dafa27e928
Corrected description for UpdateRequest struct (#4215) 
* Corrected description for UpdateRequest struct

Signed-off-by: anutosh491 <andersonbhat491@gmail.com>

* Added changes for docs

Signed-off-by: anutosh491 <andersonbhat491@gmail.com>

* Added diff shown in verify generate tests

Signed-off-by: anutosh491 <andersonbhat491@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-07-19 12:16:50 +00:00
Charles-Edouard Brétéché
210a709bb3
feat: policy status for autogen rules (#4173) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-07-03 15:09:18 -07:00
Charles-Edouard Brétéché
b29207f585
fix: use official controller-gen (#4171) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
 2022-07-01 15:25:59 +00:00
shuting
008b9ab48e
sync release versions (#4133) 
Signed-off-by: ShutingZhao <shuting@nirmata.com>
 2022-06-17 09:30:06 +00:00
Charles-Edouard Brétéché
9e9e119f83
feat: add aggregated cluster role support (#3845) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-06-01 13:05:52 +00:00
Charles-Edouard Brétéché
dae3dad027
refactor: used typed admission request in ur (#4022) 
* refactor: add policy event listener in ur controller (#4012)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
(cherry picked from commit cd1fa030ee)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: used typed admission request in ur

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: used typed admission request in ur

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* Handle the error properly

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
 2022-05-29 07:27:14 +00:00
Prateek Pandey
4d4f805d68
fix: undo length validation check for generate rule resource name (#3865) 
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-05-11 05:08:27 +00:00
Prateek Pandey
8b6d3d1f6a
feat: trigger generate on existing matched resource (#3819) 
* feat: trigger generate on existing matched resource

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* refactor the triggers and fix review comments

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* add trigger for other matching kinds

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* implement match exclude using dynamic client

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* refactor generate trigger

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* increase sleep timeout

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* optimize unstructured list

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* fix review comments

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* log refactor and clean debug comments

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
 2022-05-09 07:13:11 +00:00
shuting
b4f2b63f53
Load mutate.targets via dclient (#3797) 
* Load mutate.targets via dclient

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Do not fail on namespace cleanup for e2e generate

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Fix wildcard name listing for a certain namespace

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Rename onPolicyUpdate to mutateExistingOnPolicyUpdate

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Enable "mutateExistingOnPolicyUpdate" on policy events

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
 2022-05-06 05:46:36 +00:00
Jim Bugwadia
db3502656d
Cert attestor (#3809) 
* add certificates attestor

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* handle duplicate images; use container name as key

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* use OldObject for modify requests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* use unique image names

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* merge main

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* create a single annotation patch across rules and images

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fmt and change annotation key name

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* split certs from keys

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add Rekor and fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-05-05 21:57:20 -07:00
Charles-Edouard Brétéché
5d2e2faf72
fix: autogen rules in status (#3728) 
* refactor: autogen package logger

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: add rules to status only when necessary

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
 2022-05-05 15:11:26 +00:00
shuting
8a9a98d8b5
Add handler to UR.status (#3791) 
* - Add "handler" to "ur.status"
- Mark / Unmark handler upon UR reconciliation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add field onPolicyUpdate

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Update API docs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add delay in generate e2e tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Remove duplicate logic for cleaning up the cloned resource

Signed-off-by: ShutingZhao <shuting@nirmata.com>
 2022-05-05 16:26:27 +05:30
Charles-Edouard Brétéché
2b6549fd5b
chore: remove config flags (#3786) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-03 17:52:10 +00:00
Jim Bugwadia
0771ffd474
Add error handling and log for image extractor errors (#3724) 
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-05-01 23:44:51 +00:00
shuting
a4815f77c4
Convert GenerateRequest to UpdateRequest for backward compatibility (#3730) 
- Remove GenerateRequest Informer
 - Rename GenerateRequest to UpdateRequest in logs and vars
 - Fix initContainer leader election
 - Convert GenerateRequest to UpdateRequest in initContainer
 - Remove unused methods
 - Add printer column ruleType to UR


Signed-off-by: ShutingZhao <shuting@nirmata.com>
 2022-04-29 16:35:49 +05:30
shuting
e248308cb3
Create UR for both mutate and generate policies (#3717) 
* remove mutateExisting field

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update policy controller to create UR for generate

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* remove debug log

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - Update api docs
- Ignore e2e tests cleanup failure

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add back index to helm template

Signed-off-by: ShutingZhao <shuting@nirmata.com>
 2022-04-29 11:01:02 +05:30
Charles-Edouard Brétéché
7fca026678
fix: remove supported from autogen status (#3714) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-04-28 16:14:48 -07:00
Charles-Edouard Brétéché
75e300799a
fix: remove unused type TargetMutation (#3706) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-04-28 06:05:13 +00:00
Jim Bugwadia
ab5171cee5
Verify digest (#3679) 
* add verifyDigest to check all tags are converted to digests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add required to check for image verification annotation

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* generate CRD

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* adding imageverify true/false patch

Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>

* patch addition logic

Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>

* image verify CLI tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fixes and unit tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix digest mutate

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix policy cache

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: anushkamittal20 <anumittal4641@gmail.com>
 2022-04-27 15:09:52 +00:00
shuting
2a656f6de0
feat: mutate existing resources (#3669) 
* feat: mutate existing, replace GR by UR in webhook server (#3601)

* add attributes for post mutation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add UR informer to webhook server

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - replace gr with ur in the webhook server; - create ur for mutateExsiting policies

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* replace gr by ur across entire packages

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add YAMLs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api docs & fix unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add UR deletion handler

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add api docs for v1beta1

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix clientset method

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix v1beta1 client registration

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* feat: mutate existing - generates UR for admission requests (#3623)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* replace with UR in policy controller generate rules (#3635)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* - enable mutate engine to process mutateExisting rules; - add unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* implemented ur background reconciliation for mutateExisting policies

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix webhook update error

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* temporary comment out new unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* feat: mutate existing, replace GR by UR in webhook server (#3601)

* add attributes for post mutation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add UR informer to webhook server

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - replace gr with ur in the webhook server; - create ur for mutateExsiting policies

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* replace gr by ur across entire packages

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix missing policy.kyverno.io/policy-name label (#3599)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* refactor cli code from pkg to cmd (#3591)

* refactor cli code from pkg to cmd

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* fixes in imports

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* fixes tests

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* fixed conflicts

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* moved non-commands to utils

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>

* add YAMLs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api docs & fix unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add UR deletion handler

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add api docs for v1beta1

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix clientset method

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add-kms-libraries for cosign (#3603)

* add-kms-libraries

Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>

* Shifted providers to cosign package

Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add support for custom image extractors (#3596)

Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>

* Update vulnerable dependencies (#3577)

Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix v1beta1 client registration

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* feat: mutate existing - generates UR for admission requests (#3623)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* updating version in Chart.yaml (#3618)

* updatimg version in Chart.yaml

Signed-off-by: Prateeknandle <prateeknandle@gmail.com>

* changes from, make gen-helm

Signed-off-by: Prateeknandle <prateeknandle@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Allow kyverno-policies to have preconditions defined (#3606)

* Allow kyverno-policies to have preconditions defined

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Fix docs

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* replace with UR in policy controller generate rules (#3635)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - enable mutate engine to process mutateExisting rules; - add unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* implemented ur background reconciliation for mutateExisting policies

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix webhook update error

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* temporary comment out new unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Image verify attestors (#3614)

* fix logs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix logs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* support multiple attestors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* rm CLI tests (not currently supported)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* apply attestor repo

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix entryError assignment

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add intermediary certs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Allow defining imagePullSecrets (#3633)

* Allow defining imagePullSecrets

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use dict for imagePullSecrets

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Simplify how imagePullSecrets is defined

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Fix race condition in pCache (#3632)

* fix race condition in pCache

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* refact: remove unused Run function from generate (#3638)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* Remove helm mode setting (#3628)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* refactor: image utils (#3630)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* -resolve lift comments; -fix informer sync issue

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* refact the update request cleanup controller

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* - fix delete request for mutateExisting; - fix context variable substitution; - improve logging

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - enable events; - add last applied annotation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* enable mutate existing on policy creation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update autogen code

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* merge main

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address list comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api docs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix "Implicit memory aliasing in for loop"

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* remove unused definitions

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api docs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Shubham Gupta <shubham.gupta2956@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Prateek Nandle <56027872+Prateeknandle@users.noreply.github.com>
Co-authored-by: treydock <tdockendorf@osc.edu>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-04-25 12:20:40 +00:00
Sambhav Kothari
44b5bf0b57
Allow definition of inline variables in context (#3658) 
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
 2022-04-25 19:06:07 +08:00
Prateek Pandey
c2107a2946
fix: add char length validation for generate rule resource name (#3640) 
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-04-25 17:23:16 +08:00
Naman Lakhwani
9f3fc941ef
[imageVerify]: adding digestMutate to simplify tag-to-digest mutation (#3531) 
* added digestMutate

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* rebase

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* setting always to true

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* small nit

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* make codegen

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* crds & failing rule if mutation fails

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* adding new func to fetch digest and changing naming to mutateDigest

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* small nits

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* generating crds

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* minor nit

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* correcting error format
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
 2022-04-22 01:08:49 -07:00
Jim Bugwadia
9fde4fd6a1
Multiple keys (#3636) 
* fix autogen check

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* allow multiple keys and fix root/intermediate certs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make issuer/subject optional

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* enable CTLog options

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix split

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* rename CTLog -> Rekor

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* api/kyverno/v1/image_verification_test.go

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-04-22 07:10:02 +00:00
Jim Bugwadia
3b1a1acd9a
Image verify attestors (#3614) 
* fix logs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix logs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* support multiple attestors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* rm CLI tests (not currently supported)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* apply attestor repo

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix entryError assignment

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add intermediary certs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2022-04-19 08:35:12 -07:00
Sambhav Kothari
ec4e4ba452
Add support for custom image extractors (#3596) 
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
 2022-04-14 09:08:30 -07:00
Jim Bugwadia
f11cec73a8
fix imageVerify rule conversion (#3583) 2022-04-12 10:03:34 +08:00
Jim Bugwadia
0f186afb3e
update imageVerify schema (#3574) 
* update imageVerify schema

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add optional

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* change nested/recursive types to apiextv1.JSON

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix message

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2022-04-11 16:47:27 +01:00
Jim Bugwadia
9834feea74
update image pull policy for YAML install which uses :latest (#3565) 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2022-04-07 21:31:14 +00:00
Charles-Edouard Brétéché
20069c13c3
feat: stop mutating rules (#3410) 
* feat: stop adding autogen annotation

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* feat: stop mutating rules

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* feat: stop mutating rules

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: use toggle

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: review comments

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-03-28 22:01:27 +08:00
Charles-Edouard Brétéché
f34d3c342d
refactor: add ValidationFailureAction to the api (#3451) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
 2022-03-23 08:59:41 +00:00
Abhi Kapoor
1b10f18086
Drop v1alpha1 PolicyReport CRD (#3437) 
* Drop v1alpha1 PolicyReport CRD

Signed-off-by: abhi-kapoor <43758739+abhi-kapoor@users.noreply.github.com>

* Drop v1alpha1 kyverno package

Signed-off-by: abhi-kapoor <43758739+abhi-kapoor@users.noreply.github.com>

* Update Makefile to remove references for v1alpha1

Signed-off-by: abhi-kapoor <43758739+abhi-kapoor@users.noreply.github.com>

* Update helm manifests

Signed-off-by: abhi-kapoor <43758739+abhi-kapoor@users.noreply.github.com>
 2022-03-22 17:08:25 +00:00
Charles-Edouard Brétéché
11bbb4f83e
refactor: replace ExcludeResources by MatchResources (#3444) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-03-22 14:24:40 +00:00
Charles-Edouard Brétéché
30261b5235
feat: add conditions support (#3378) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-03-18 22:00:01 +08:00
Christian Kotzbauer
860253d6aa
[ImageVerify] Verify additional certificate-extensions (#3404) 
* feat: add additionalExtensions to keyless imageVerify

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* feat: regenerate code

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
 2022-03-17 08:42:12 +00:00
Charles-Edouard Brétéché
9e623bbf6e
feat: add rules to status (#3376) 
* fix: configmap resource filters generated by helm does not account for namespace

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* feat: add rules to status

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-03-15 14:49:16 +00:00
Charles-Edouard Brétéché
8d08250e07
feat: add autogen controllers to policy status (#3332) 
* feat: add autogen controllers to policy status

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* feat: add autogen controllers to policy status

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-03-10 23:51:29 +08:00
Naman Lakhwani
126742ad57
adding emptyDir vol for keyless signing (#3366) 
* adding emptyDir vol

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>

* adding env TUF_ROOT

Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
 2022-03-10 08:09:22 +00:00
Prateek Nandle
666130bf6c
updated description field of foreach (#3157) 
Signed-off-by: Prateeknandle <prateeknandle@gmail.com>
 2022-03-07 19:26:19 +05:30
Gasmi Christophe
e0503088ec
Update generate clusterrole (#3336) 
- Update clusterrole.yaml
- Fix apigroup for resourcequota and limitrange

Signed-off-by: Christophe Gasmi <rekcah78@gmail.com>
 2022-03-07 12:57:57 +05:30
Ryan White
c13aeca7fa
Modify capabilities for compatibility with Pod Security (#3274) 
Kyverno manifests are incompatible with the restricted Pod Security
Standards included with Kubernetes 1.22 and 1.23 because the Pod
Security admission controller looks for "ALL" in securityContext.capabilities.drop,
but does not accept "all".

1b741f89aa/policy/check_capabilities_restricted.go (L88)

Signed-off-by: Ryan White <ryan@alzabo.io>
 2022-02-22 08:14:17 +00:00
shuting
1566d0d5fd
add aggregated role for generaterequest (#3240) 
Signed-off-by: ShutingZhao <shuting@nirmata.com>
 2022-02-15 16:15:10 +00:00