Kyverno manifests are incompatible with the restricted Pod Security
Standards included with Kubernetes 1.22 and 1.23 because the Pod
Security admission controller looks for "ALL" in securityContext.capabilities.drop,
but does not accept "all".
1b741f89aa/policy/check_capabilities_restricted.go (L88)
Signed-off-by: Ryan White <ryan@alzabo.io>
* Update kyverno-policies chart with latest pod-security policies
Fixes#3063Fixes#2277
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README to have better example
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use chart testing during e2e to test against ci values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix e2e tests for Helm chart
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix Kyverno chart testing to actually test values, and fix networkpolicy template
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README for exclusion
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Allow adding 'other' policies via Helm
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update Chart.yaml for kyverno-policies
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Bump minimum Kubernetes version in charts
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update kyverno-policies chart readme
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases (part 2)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use same logic to get git tag by using Makefile target for updating Helm values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
* - update dev images tag; - update chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update to use dev tag when setting up e2e tests infra
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* default chart test image tag for busybox to latest
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* set image tag to latest for chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* correct tag
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove test tag in e2e.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
As part of tighten and clarify Kyverno roles and
permissions, PR #2799 we missed to update the charts
templates events clusterroles.
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* add nodeAffinity for kyverno helm chart
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* quite better and more open solution for affinity in helm chart. it assist all kinds of other affinitys
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* fix typo in parameter
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* make affinity selection easier - return to antiAffinity for less change
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* return to antiAffinity to make change easier
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* add documentation for new values and helm functions
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* simplified again the use of new affinities. Dont need to extra enable if
you insert affinities
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* fix "if" of the affinity block
Co-authored-by: treydock <treydock@gmail.com>
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* Now finaly renamed values to avoid braking change; adjust readme for the
parameter names
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* alphabetic order readme
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
Co-authored-by: Kevin Welter <kevin.welter@digital-nx.com>
Co-authored-by: treydock <treydock@gmail.com>
* updates for foreach and mutate
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* allow tests to pass on Windows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add elementIndex variable
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix jsonResult usage
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add mutate validation and fix error in validate.foreach
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* do not skip validation for all array entries when one is skipped
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add foreach tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix format errors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove unused declarations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert namespaceWithLabelYaml
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix mutate of element list
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update CRDs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Update api/kyverno/v1/policy_types.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/validate/validate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/validate/validate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update test/cli/test/custom-functions/policy.yaml
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update test/cli/test/foreach/policies.yaml
Co-authored-by: Steven E. Harris <seh@panix.com>
* accept review comments and format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add comments to strategicMergePatch buffer
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* load context and evaluate preconditions foreach element
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add test for foreach mutate context and precondition
* precondition testcase
* address review comments
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Steven E. Harris <seh@panix.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* remove app.kubernetes.io/managed-by label from crds
Signed-off-by: Franz Nemeth <franz.nemeth@fnemeth.net>
* removed app.kubernetes.io/manged-by from config/bundle/labels.yaml
Signed-off-by: Franz Nemeth <franz.nemeth@fnemeth.net>
* removed internal.config.kubernetes.io/index in crds.yaml
Signed-off-by: Franz Nemeth <franz.nemeth@fnemeth.net>
* update roles and rolebindings
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert label and fix perms
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* restrict role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix whitespace
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests and roles
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove ingress extensions/v1beta1
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix chart
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* tighten and clarify Kyverno roles and permissions
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fake commit to trigger workflows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert tests and update test role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add newlines
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove invalid param
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* cleanup roles in Helm templates
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove `mutate` cluster role binding
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
`.Capabilities.APIVersions.Has` function has limitations when running with
`helm template`, which is common step in multiple CD tools. In order to
properly resolve `Capabilities.APIVersions` `helm template` has to run
with `--validate` option and connect to cluster that has Prom Operator
CRDs installed.
As this template is opt-in and user has to set value to enable this,
apiVersion check doesn't provide much value and can be removed.
Signed-off-by: Ihor Urazov <iurazov@healthjoy.com>
* add keyless verification
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* run make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter warning
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* wrap error with details
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
