314 commits

Author	SHA1	Message	Date
Jim Bugwadia	838d02c475	Bugfix/659 support wildcards for namespaces (#871) ... * - support wildcards for namespaces * do not annotate resource, unless policy is an autogen policy * close HTTP body * improve messages * remove policy store Policy store was not fully implemented and simply provided a way to list all polices and get a policy by name, which can be done via standard client-go interfaces. We need to revisit and design a better PolicyStore that provides fast lookups for matching policies based on names, namespaces, etc. * handle wildcard namespaces in background processing * fix unit tests 1) remove platform dependent path usage 2) remove policy store * add test case for mutate with wildcard namespaces	2020-05-26 10:36:56 -07:00
Shuting Zhao	ea66d7a7b8	fix CI	2020-05-20 13:58:56 -07:00
shuting	5f20cdfb07	remove cpu limit in BP require_pod_requests_limits.yaml (#807) ... * remove cpu limit in BP require_pod_requests_limits.yaml * update test	2020-04-13 09:29:11 -07:00
shuting	a4a66a11cd	update test resource to a valid k8s obejct (#683)	2020-02-10 07:32:44 -08:00
Shivkumar Dudhani	8c1d79ab28	linter suggestions (#655) ... * cleanup phase 1 * linter fixes phase 2	2020-01-24 12:05:53 -08:00
Shivkumar Dudhani	af824f28b0	add annotation to ns (#621)	2020-01-13 17:43:13 -08:00
Shivkumar Dudhani	dabe592d46	fix the bugs and add pre-condition checks (#606) ... * fix the bugs and add pre-condition checks * add precondition documentation	2020-01-13 11:21:14 -08:00
shivkumar dudhani	eb34437f30	add annotation to variable	2020-01-11 11:14:47 -08:00
Shivkumar Dudhani	3cf9141f4d	593 feature (#594) ... * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * initial commit * fix trailing quote in patch * remove comments * initial condition (equal & notequal) * initial support for conditions * initial support fo conditions in generate * support precondition checks * cleanup * re-evaluate GR on namespace update using dynamic informers * add status for generated resources * display loaded variable SA * support delete cleanup of generate request main resources * fix log * remove namespace from SA username * support multiple variables per statement for scalar values * fix fail variables * add check for userInfo * validation checks for conditions * update policy * refactor logs * code review * add openapispec for clusterpolicy preconditions * Update documentation * CR fixes * documentation * CR fixes * update variable * fix logs * update policy * pre-defined variables (serviceAccountName & serviceAccountNamespace) * update test	2020-01-07 15:13:57 -08:00
Shivkumar Dudhani	ffd2179b03	538 (#587) ... * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs	2020-01-07 10:33:28 -08:00
Shuting Zhao	dd97cdd95f	Merge commit '337e0f7d1d6985b5683ddb7b7a42df0ef8130708' into 544_documentation	2019-12-13 16:16:45 -08:00
shivkumar dudhani	10fc1b47ba	Merge branch 'master' into v1.1.0	2019-12-12 16:54:42 -08:00
shivkumar dudhani	66e0181157	update tests	2019-12-10 10:26:04 -08:00
Shivkumar Dudhani	ffe3bdb677	remove newline from engine response strings (#537) ... * remove newline from engine response strings * add scenario file updates * cr: remove . in trailing msg string	2019-12-04 18:04:42 -08:00
Shuting Zhao	51642cbcf3	skip process mutate patches if conditon tag is not present	2019-11-27 19:40:47 -08:00
Shuting Zhao	261560eafb	mutate rule: do not ignore empty key in resource if overlay has nested anchor	2019-11-27 16:07:15 -08:00
shuting	ae53fa1bfc	Merge pull request #512 from nirmata/local_test ... Add generate rule for default limitrange	2019-11-18 17:33:43 -08:00
shivkumar dudhani	830e66f80c	update scenario file	2019-11-15 21:43:08 -08:00
Shuting Zhao	8343eaf0a8	add generate rule for default limitrange	2019-11-15 18:32:24 -08:00
Jim Bugwadia	eb24b7502b	update policy name	2019-11-13 23:31:04 -08:00
Shuting Zhao	79a7bde4ab	- fix test; - improve logging	2019-11-13 18:44:18 -08:00
Shuting Zhao	051eba058f	update api in samples/	2019-11-13 13:56:20 -08:00
Shuting Zhao	dcfe76acdc	fix test	2019-11-13 00:44:07 -08:00
Shuting Zhao	45dc0bd358	Merge commit 'da5c03f89df3007088b27fc84b08827170e16eda' into 345_support_usergroup_info ... # Conflicts: # test/scenarios/samples/best_practices/add_safe_to_evict2.yaml	2019-11-13 00:31:07 -08:00
Shuting Zhao	fb2cc2db9c	fix tests	2019-11-11 21:40:42 -08:00
Jim Bugwadia	87be5ca4b8	update policies and test cases	2019-11-11 17:55:54 -08:00
Jim Bugwadia	3ffb0cfa39	add disallow_sysctl and move policies	2019-11-11 17:17:09 -08:00
Jim Bugwadia	05503e4fd1	update other policies	2019-11-11 14:09:07 -08:00
Jim Bugwadia	dd4d091c23	update restrict_automount_sa_token	2019-11-10 21:57:20 -08:00
Jim Bugwadia	5b2fd96131	update LimitNodePort	2019-11-10 21:34:22 -08:00
Jim Bugwadia	5e8b6c4183	update add_networkPolicy	2019-11-10 21:27:50 -08:00
Jim Bugwadia	244909ebb3	update require_probes	2019-11-10 21:18:17 -08:00
Jim Bugwadia	c1be682a93	update require_pod_requests_limits	2019-11-10 21:06:49 -08:00
Jim Bugwadia	f668113904	update add_ns_quota	2019-11-10 20:58:57 -08:00
Jim Bugwadia	a6d5fb6e30	update restrict_image_registries	2019-11-10 18:13:01 -08:00
Jim Bugwadia	f31abbffab	update disallow_latest_tag	2019-11-10 17:54:38 -08:00
Jim Bugwadia	7f54e8e2e3	Merge branch '451_fix_disallow_host_net_port' into 452_make_sample_policy_rule_names_consistent ... # Conflicts: # samples/best_practices/disallow_host_network_hostport.yaml # test/scenarios/samples/best_practices/disallow_host_network_port.yaml	2019-11-10 17:35:43 -08:00
Jim Bugwadia	20736e5e81	update disallow_default_namespace and disallow_host_network_port and disallow_host_pid_ipc	2019-11-10 15:50:18 -08:00
Jim Bugwadia	170e2a5179	update disallow_docker_sock_mount and disallow_host_network_port	2019-11-10 12:53:48 -08:00
Jim Bugwadia	fd1a26db29	update DisallowBindMounts	2019-11-09 16:33:19 -08:00
Jim Bugwadia	fae8ac0325	update RequireReadOnlyRootFS	2019-11-09 16:18:33 -08:00
Jim Bugwadia	121b81a83b	update disallow new capabilities	2019-11-09 16:07:16 -08:00
Jim Bugwadia	cba79c69a2	update disallow_priviledged	2019-11-08 20:04:42 -08:00
Jim Bugwadia	5ce8fd7a9a	update disallow_root_user	2019-11-08 19:25:43 -08:00
Jim Bugwadia	6baa678e27	rename add_safe_to_evict	2019-11-08 19:02:49 -08:00
Jim Bugwadia	a0d3f728da	fix disallow_host_network_hostport policy	2019-11-08 18:26:58 -08:00
Jim Bugwadia	ab2e671df5	update test scenario and change rule to audit mode	2019-11-07 19:28:48 -08:00
Jim Bugwadia	4aac8f43a9	fix test	2019-11-07 19:19:33 -08:00
Shuting Zhao	ec331b8d17	remove resource info in the validation error	2019-11-07 12:30:58 -08:00
Shuting Zhao	59fb1c90cd	fix test	2019-11-07 12:13:35 -08:00