As part of tighten and clarify Kyverno roles and
permissions, PR #2799 we missed to update the charts
templates events clusterroles.
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* Fix variable substitution when inline jmespath objects are defined
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add additional test cases which use brackets
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Removes the need to specify an image pull secret to make use of cloud
provider credentials. As I understand it, this should be fine outside of
cloud provider contexts.
As part of this, I've switched to using authn/kubernetes, which I believe
is preferable to k8schain.
Signed-off-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* add nodeAffinity for kyverno helm chart
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* quite better and more open solution for affinity in helm chart. it assist all kinds of other affinitys
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* fix typo in parameter
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* make affinity selection easier - return to antiAffinity for less change
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* return to antiAffinity to make change easier
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* add documentation for new values and helm functions
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* simplified again the use of new affinities. Dont need to extra enable if
you insert affinities
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* fix "if" of the affinity block
Co-authored-by: treydock <treydock@gmail.com>
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* Now finaly renamed values to avoid braking change; adjust readme for the
parameter names
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* alphabetic order readme
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
Co-authored-by: Kevin Welter <kevin.welter@digital-nx.com>
Co-authored-by: treydock <treydock@gmail.com>
* update cosign to 1.5.0 and add checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix subject and issuer checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Enable cloud provider registry keychains
It's desirable that Kyverno supports using workload identity and other
cloud provider metadata services for registry credentials.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Always initialize registry keychain
This supports using docker configuration on disk and credentials from
cloud providers without having to specify image pull secrets.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Get pull secrets from kyverno service account
It was previously using 'default'. I think it makes more sense to use
the service account that Kyverno actually runs with.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't split empty pull secrets list
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Add KYVERNO_SVC_ACCOUNT to config manifests
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't retrieve secrets from service account
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Reduce scope of keychain changes
Just enable cloud provider keychains.
Signed-off-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* fix mutate preprocessing for anchors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
* remove resoureCache from the event controller
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* create rcr using typed client to reduce PUT throttling request
Signed-off-by: ShutingZhao <shuting@nirmata.com>
All of the jobs in this workflow use the same set of permissions and this workflow is only run on pushes to master. Adding the appropriate permissions to read repository contents, publish packages and ID token for cosign.
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* initial commit
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* adding docker-buildx-builder to makefile
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* reverting git describe in makefile
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* uploading sbom for each kyverno image
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* small nits
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* scanning image before pushing and removed cosign.pub
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
