mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
7914 commits 15 branches 540 tags 276 MiB
Commit graph

302 commits

Author SHA1 Message Date
Charles-Edouard Brétéché
90d0badda4
fix: CRD generation (#3334) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-03-06 11:07:51 -08:00
Jim Bugwadia
421a81ce63
Fix old object validation check (#3248) 
* fix validation check on UPDATE

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* prevent policy bypass using preconditions

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* separate replace

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add error handling

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2022-02-17 09:18:49 -08:00
Jim Bugwadia
bb06901119
fix mutate preprocessing for anchors (#3052) 
* fix mutate preprocessing for anchors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: shuting <shutting06@gmail.com>
 2022-01-23 13:54:22 +00:00
Kumar Mallikarjuna
5ad0d15240
Namespace Specific ValidationFailureAction (#2794) 
* Implement ValidationFailureActionOverride

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Update CRDs

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Update getEnforceFailureErrorMsg()

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Allow validate policies to be checked

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Fix linting issues

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Added tests for ValidationFailureActionOverrides

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Added schema validation

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Added description for ValidationFailureActionOverrides

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Policy validation

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Update CRDs

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Replace literals with constants

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Updated Policy Cache

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Refactor

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

Co-authored-by: shuting <shutting06@gmail.com>
 2022-01-21 12:36:44 +00:00
shuting
b6447e0649
Remove resourceCache from engine (#3013) 
* update log messages

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* remove resourceCache from the background controller when:
- register resource scope
- list resources per namespace

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - use client call for configmap lookup;
- remove resourceCache from policy controller, webhook server and generate controller

Signed-off-by: ShutingZhao <shuting@nirmata.com>
 2022-01-18 12:59:35 +00:00
Jim Bugwadia
a9fef256c7
updates for foreach and mutate (#2891) 
* updates for foreach and mutate

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* allow tests to pass on Windows

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter check

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add elementIndex variable

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix jsonResult usage

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add mutate validation and fix error in validate.foreach

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update message

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* do not skip validation for all array entries when one is skipped

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add foreach tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix format errors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove unused declarations

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* revert namespaceWithLabelYaml

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix mutate of element list

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update CRDs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Update api/kyverno/v1/policy_types.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/forceMutate.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/forceMutate.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/forceMutate.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/mutation.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/mutation.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/mutation.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/validate/validate.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update pkg/engine/validate/validate.go

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update test/cli/test/custom-functions/policy.yaml

Co-authored-by: Steven E. Harris <seh@panix.com>

* Update test/cli/test/foreach/policies.yaml

Co-authored-by: Steven E. Harris <seh@panix.com>

* accept review comments and format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add comments to strategicMergePatch buffer

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* load context and evaluate preconditions foreach element

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add test for foreach mutate context and precondition

* precondition testcase

* address review comments

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update message

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Steven E. Harris <seh@panix.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-01-05 09:36:33 +08:00
shuting
2c9319ea87
don't generate policy report on managed pod/job (#2889) 
Signed-off-by: ShutingZhao <shuting@nirmata.com>
 2021-12-30 00:34:43 +08:00
Jim Bugwadia
e701b7aceb
re-apply policies to managed pods (#2648) 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-11-01 11:08:24 -07:00
Jose Armesto
831a9826d1
Restructure project to follow standards (#2632) 
Signed-off-by: Jose Armesto <github@armesto.net>
 2021-10-29 18:13:20 +02:00
Marcus Noble
1966c82c6d
Fix various go lint issues (#2639) 
* Fix various go lint issues

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>

* Fix if mistake

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>

* Simplified returns

Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
 2021-10-29 17:06:03 +02:00
Vyankatesh Kudtarkar
27cac66b87 fix comment 2021-10-19 22:08:55 +05:30
Vyankatesh Kudtarkar
b31b343910 Fix foreach issue 2021-10-19 15:34:53 +05:30
Jim Bugwadia
e0b1f08a28
fix check for CREATE request (#2551) 
* fix check for CREATE request

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add unit test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-10-18 09:34:07 -07:00
Vyankatesh Kudtarkar
2798287497
support list foreach (#2522) 
* support list foreach

* fix testcase for each

* fix mutate issue

* Fix mutate patch issue

* fix yaml

* fix e2e test foreach validate list

* code indentation

* fix comments

* delete unwanted files
 2021-10-14 00:20:52 -07:00
Jim Bugwadia
b9d4ee6876 fix tests 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-10-06 18:31:20 -07:00
NoSkillGirl
0614c2db1f fixed rule pointer 
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
 2021-10-05 12:39:58 +05:30
NoSkillGirl
5ca33ce902 Merge branch 'main' of github.com:kyverno/kyverno into feat/support_mutate_in_cli 2021-10-05 12:23:34 +05:30
vivek kumar sahu
ae6f6c327f Added Code to support the test command for mutate policy (#2279) 
* Added test-e2e-local in the Makefile
* Added a proper Indentation
* Added 3 more fields
* Added getPolicyResourceFullPath function
* Updating the patchedResource path to full path
* Converts Namespaced policy to ClusterPolicy
* Added GetPatchedResourceFromPath function
* Added GetPatchedResource function
* Checks for namespaced-policy from policy name provided bu user
* Generalizing resultKey for both validate and mutate. Also added kind field to this key
* Added Type field to PolicySpec
* To handle mutate case when resource and patchedResource are equal
* fetch patchResource from path provided by user and compare it with engine patchedResource
* generating result by comparing patchedResource
* Added kind to resultKey
* Handles namespaced policy results
* Skip is required
* Added []*response.EngineResponse return type in ApplyPolicyOnResource function
* namespaced policy only surpasses resources having same namespace as policy
* apply command will print the patchedResource whereas test will not
* passing engineResponse instead of validateEngineResponse because it supports results for both validate and mutate case
* default namespace will printed in the output table if no namespace is being provided by the user
* Added e2e test for mutate policy and also examples for both type of policies
* Created a separate function to get resultKey
* Changes in the resultKey for validate case
* Added help description for test command in the cli
* fixes code for more test cases
* fixes code to support more cases and also added resources for e2e-test
* some small changes like adding brackets, clubbing 2 if cond into one, changing variable name, etc.
* Rearrange GetPatchedResourceFromPath function to get rid from repetion of same thing twice.
* Added kind in the result section of test.yaml for all test-cases
* engineResponse will handle different types of response
* GetPatchedResource() uses GetResource function to fetch patched resource

Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
 2021-10-05 11:11:54 +05:30
Jim Bugwadia
6cf9fdd502 fix compile errors 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-10-03 23:23:45 -07:00
Jim Bugwadia
ee6aafa7bb fix linter issues 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-10-03 23:07:40 -07:00
Jim Bugwadia
731ffde0e7 fix messages and tests 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-10-03 03:15:22 -07:00
Jim Bugwadia
89d1e4afab format 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-10-02 16:57:40 -07:00
Jim Bugwadia
e0e6074afc add validation; add 'element' to context 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-10-02 16:53:02 -07:00
Jim Bugwadia
1ebd2c99f2 add messages and set rule to skip when pattern does not match 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-09-30 23:34:04 -07:00
Jim Bugwadia
3957a1400e fix deny check and fmt 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-09-27 23:40:05 -07:00
Jim Bugwadia
a905a61581 fix deny rules 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-09-27 14:28:55 -07:00
Jim Bugwadia
67660647d9 update tests 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-09-26 18:30:53 -07:00
Jim Bugwadia
39061d91c4 implement validate.foreach 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-09-26 02:12:31 -07:00
Max Goncharenko
922840b344
added deep copy for rule; changed rule deep copy logic (#2216) 
* added deep copy for rule; changed rule deep copy logic

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fixed linter error

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
 2021-07-30 12:07:01 -07:00
Max Goncharenko
903963c26d
add special variable substitution logic for preconditions (#1930) 
* add special variable substitution logic for preconditions

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* handle NotFoundVariable error in proper way

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* remove excess log; fix grammar

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* removed isPrecondition flag; added test case for empty deny string; fixed related issue

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fix test case

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fix go lint

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fix tests

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
 2021-07-28 09:54:50 -07:00
Max Goncharenko
0fdd349849
Changed error to info for NotFoundError in jsonContext (#2140) 
* changed error to info for NotFoundError in jsonContext

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* raise log level for NotFoundError in jsonContext

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
 2021-07-14 14:50:28 -07:00
Jim Bugwadia
13caaed8b7
Feature/cosign (#2078) 
* add image verification

* inline policy list

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* cosign version and dependencies updates

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add registry initialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add build tag to exclude k8schain for cloud providers

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add build tag to exclude k8schain for cloud providers

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* generate deep copy and other fixtures

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix deep copy issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* mutate images to add digest

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add certificates to Kyverno container for HTTPS lookups

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* align flag syntax

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update docs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update dependencies

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update dependencies

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* patch image with digest and fix checks

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* hardcode image for demos

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add default registry (docker.io) before calling reference.Parse

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix definition

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* increase webhook timeout

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix args

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* run gofmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* rename for clarity

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix HasImageVerify check

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* align make test commands

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* align make test commands

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* align make test commands

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter error

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* handle API conflict and retry

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix reviewdog issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix make for unit tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* improve error message

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix durations

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* handle errors in tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* print policy name

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add retries and duration to error log

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix time check in tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* round creation times in test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix retry loop

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove timing check for policy creation

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix e2e error - policy not found

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update string comparison method

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix test Generate_Namespace_Label_Actions

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add debug info for e2e tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix error

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix generate bug

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add check for update operations

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* increase time for deleteing a resource

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix check

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Shuting Zhao <shutting06@gmail.com>
 2021-07-09 18:01:46 -07:00
Vineeth Reddy
eeb4e4ff0f
turn preconditions error to info log (#1926) 
* turn preconditions error to info log

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>

* minor change

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>

* further changes

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>

* resolve conflicts

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>

* add precondition flag

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>

* NotFoundError -> Info

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>
 2021-07-07 17:37:44 +05:30
Valentin Velkov
63f4c9a884
Configurable success events on policies & resources. Generating failure events on policies by default. (#1939) 
* Remove unused event.Reason const

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Generate failure events on policies

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Generate success events on policy

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Introduce 'generateSuccessEvents' flag

Signed-off-by: Velkov <valentin.velkov@sap.com>

* Unit tests & chart fix

Signed-off-by: Velkov <valentin.velkov@sap.com>
 2021-06-29 14:43:11 -07:00
Yashvardhan Kukreja
43a138a12b feat: added kyverno_policy_rule_results_info metric 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-05-24 08:05:14 +05:30
Pooja Singh
1e4c950104
Feature/1515 - handle configmap and api variable cli (#1789) 
* added store package

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added changes to handle api and configmap variables in cli

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* removed comments

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* refactoring code

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added test case for mutation

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added test case for validation

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* code improvement

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
 2021-04-29 10:09:44 -07:00
shuting
f515bc5dbf
skip rule application if referred path not exist (#1806) 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-04-15 17:33:34 -07:00
Max Goncharenko
8050c4e77b
moved variable substitution to higher level to avoid unhandled cases (#1785) 
Signed-off-by: Max Goncharenko <kacejot@fex.net>
 2021-04-13 11:44:43 -07:00
Max Goncharenko
24c4f06ecd Fix #1506; Resolve path reference in entire rule instead of just pattern/overlay 
Signed-off-by: Max Goncharenko <kacejot@fex.net>
 2021-03-16 13:45:40 +02:00
Yashvardhan Kukreja
10c714d5ba
feat: [preconditions, conditions] added backwards-compatible support for logical operators (#1604) 
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
 2021-03-01 20:31:06 -08:00
shuting
267be0815f
Bug fixes - policy validation, auto-generated rules, apiCall support in mutate and generate (#1629) 
* Fix invalid policy reports generated for blocked resource

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix 1464 - copy context and preconditions to auto-gen rules

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix 1628 - add policy validations

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix 1593 - support apiCall in mutate and generate

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix test

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-02-22 12:08:26 -08:00
Pooja Singh
32522e7827
namespace selector (#1532) 
* updated crd with namespace selector

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added logic for validate

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added condition in utils for namespace labels

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added function for extracting namespace label using lister

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added logic for generate

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added lister in generate

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* commented generate controller changes

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added ns lister

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added ns label in apply.go

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added ns label in generation.go

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added ns label in mutation.go

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* added ns label for validation

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* using dynaminc informer

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
 2021-02-03 13:09:42 -08:00
Jim Bugwadia
2bb812aa2d redo changes reverted by merge 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
 2021-02-01 23:22:19 -08:00
Jim Bugwadia
e8e3b93a5f
api server lookups (#1514) 
* initial commit for api server lookups

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* initial commit for API server lookups

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images (#1495)

* Dockerfile refactored

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* Adding non-root commands to docker images and enhanced the dockerfiles

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* changing base image to scratch

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* Minor typo fix

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* changing dockerfiles to use /etc/passwd to use non-root user'

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* minor typo

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>

* minor typo

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* revert cli image name (#1507)

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Refactor resourceCache; Reduce throttling requests (background controller) (#1500)

* skip sending API request for filtered resource

* fix PR comment

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixes https://github.com/kyverno/kyverno/issues/1490

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix bug - namespace is not returned properly

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* reduce throttling - list resource using lister

* refactor resource cache

* fix test

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix label selector

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix build failure

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix merge issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix unit test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add nil check for API client

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Raj Babu Das <mail.rajdas@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
 2021-02-01 12:59:13 -08:00
shuting
d82f19be4e
Feature/fix dev mode execution (#1477) 
* add serverIP to X.509 certificate SANs

* disable webhook monitor in debug mode

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
 2021-01-20 15:25:27 -08:00
Jim Bugwadia
3a4592ca3b handle anchors for wildcard annotations 2021-01-07 11:24:38 -08:00
Jim Bugwadia
68474a9dd2 skip validation patterns for delete requests 2021-01-02 01:10:14 -08:00
Jim Bugwadia
d3a65a0b2a fix patch resource in response 2020-12-23 18:51:07 -08:00
Jim Bugwadia
204c1f79fb fix validate response 2020-12-23 18:46:12 -08:00
Jim Bugwadia
e2f10c6f83 update validation logic 2020-12-23 15:10:07 -08:00
Shuting Zhao
75313b7462 update message 2020-12-09 14:41:20 -08:00
Jim Bugwadia
b7cecd04ed
Merge pull request #1375 from kyverno/1292_match_namespace 
match/exclude ns resource name
 2020-12-08 23:05:42 -08:00
shuting
ab5f2274f9
1314 validate rule (#1368) 
* fixes 1314

* fix panic
 2020-12-08 22:52:37 -08:00
Jim Bugwadia
d4327aeaeb match/exclude ns resource name 2020-12-08 22:17:53 -08:00
Jim Bugwadia
6afd2e6f3a
ignore non-policy files in CLI and improve validation messages (#1362) 
* improve validation message

* improve error behaviors

* fix tests

* fix tests
 2020-12-07 11:26:04 -08:00
Jim Bugwadia
a64915128b Revert "ignore non-policy files while loading" 
This reverts commit c766512485.
 2020-12-06 11:12:54 -08:00
Jim Bugwadia
c80ac553f8 update validation messages 2020-12-06 10:54:10 -08:00
Jim Bugwadia
13a9a4721a
wildcard label and annotation keys validate patterns (#1360) 2020-12-04 12:05:24 -08:00
shuting
624b481df3
Fix 1351 - policy report (#1359) 
* ignore Kyverno CRDs existence check when server is not available

* clean up cluster / reportChangeRequest

* resolve PR comments

* - fixes #1351; - clean up code

* fo fmt
 2020-12-04 10:04:46 -08:00
Jim Bugwadia
125faaf4e3 fix variable substitution 2020-11-25 00:21:51 -08:00
Shuting Zhao
e985ee4031 correct misspelled words 2020-11-17 12:01:01 -08:00
Shuting Zhao
943935ee1b properly deserialize anyPattern 2020-11-13 16:25:51 -08:00
Shuting Zhao
d8d5160bce fix #1192 2020-11-03 15:31:58 -08:00
Shuting Zhao
cdc5190c56 update nirmata/kyverno to kyverno/kyverno 2020-10-07 11:12:31 -07:00
Mohan B E
51ac382c6c
Feature/configmaps var 724 (#1118) 
* added configmap data substitution for foreground mutate and validate

* added configmap data substitution for foreground mutate and validate fmt

* added configmap lookup for background

* added comments to resource cache

* added configmap data lookup in preConditions

* added parse strings in In operator and configmap lookup docs

* added configmap lookup docs

* modified configmap lookup docs
 2020-09-22 14:11:49 -07:00
shuting
e0f617b383
810 support cronJob for auto-gen (#1089) 
* add watch policy to clusterrole kyverno:customresources

* - improve auto-gen policy application logic - remove unused code

* move method to common util

* auto-gen rule for cronJob

* update doc

* set CronJob as default auto-gen pod controller

* - update doc; - fix test

* remove unused code
 2020-09-01 09:11:20 -07:00
shuting
d6062fdd47
Add go fmt (#1055) 
* remove empty flag

* format code

* revert change in install.yaml
 2020-08-14 12:21:06 -07:00
Yuvraj
73840e3c5f
configrable rules added (#1017) 
* configrable rules added

* fix exclude group logic from code

* flag added in yaml

* exclude username added

* exclude username added

* config interface implimented

* configure exclude username

* get role ref

* test case fixed

* panic fix

* move from interface to slice

* exclude added in mutate

* trim strings

* configmap changes added

* kustomize changes for configmap

* k8s resources added
 2020-08-07 17:09:24 -07:00
shuting
67f7ed0ed3
Bug fix: perform OR across types in UserInfo (#992) 
* remove policy name cache entry on policy DELETE

* buugfix: perform OR in userInfo match

* add function description
 2020-07-14 20:23:30 -07:00
shuting
87fa77fbcc
965 add validate audit handler (#967) 
* store policy names cache to reduce lookup time

* add validate audit handler

* fix #958, remove auto-gen annotation on Pod

* formatting code

* update processTime to readable format

* #586, add back unit test

* update logging info

* remove unused interface

* handle generate policy in a single thread in weboook

* resolve pr comments
 2020-07-09 11:48:34 -07:00
Jim Bugwadia
65193feccb
update logging, naming, and event retry (#959) 
* update logging and naming

* check per policy patch count
 2020-06-30 11:53:27 -07:00
shuting
7ffeb6efca
skip generate violation on pre-exist pod (#952) 2020-06-25 09:52:54 -07:00
shuting
da943325fe
Ignore auto-gen annotation on Pod when processing DENY rule (#944) 
* ignore auto-gen annotation on Pod when processing DENY rule

* remove unused code
 2020-06-24 10:26:04 -07:00
Jim Bugwadia
838d02c475
Bugfix/659 support wildcards for namespaces (#871) 
* - support wildcards for namespaces

* do not annotate resource, unless policy is an autogen policy

* close HTTP body

* improve messages

* remove policy store

Policy store was not fully implemented and simply provided a way
to list all polices and get a policy by name, which can be done via
standard client-go interfaces.

We need to revisit and design a better PolicyStore that provides fast
lookups for matching policies based on names, namespaces, etc.

* handle wildcard namespaces in background processing

* fix unit tests 1) remove platform dependent path usage 2) remove policy store

* add test case for mutate with wildcard namespaces
 2020-05-26 10:36:56 -07:00
Shuting Zhao
bda81f0b93 - fix variable scope - debug log 2020-05-20 13:43:12 -07:00
Shuting Zhao
34d05c58c2 PR fixes 2020-05-19 13:04:06 -07:00
Shuting Zhao
9eb2534d63 - fix pending delete for denying deletion rule - revert timeoutHandler - update log level 2020-05-19 00:14:23 -07:00
Shuting Zhao
7348eda222 Fix convert resource with DELETION request 2020-05-18 17:11:08 -07:00
shravan
717e42dd0b 744 ignoring resources with deletionTimestamp 2020-05-07 23:04:15 +05:30
shravan
ba0de32454 744 fixing previous commit implementation 2020-05-07 14:38:15 +05:30
shravan
6f01bb4d59 744 only user requests will be denied 2020-05-07 14:18:42 +05:30
shravan
6b1498b770 744 fixing policy validation and removing allRequests field 2020-05-06 19:46:32 +05:30
shravan
717e8e7245 744 fixed error messages 2020-05-05 23:52:52 +05:30
shravan
d3311500af 744 tested version 2020-05-05 20:58:02 +05:30
shravan
b0c7cdbc81 744 save commit 2020-05-05 19:19:47 +05:30
shravan
7dc7420ad9 744 policy validation skip 2020-04-23 01:05:00 +05:30
shravan
7a3f0012a9 744 untested prototype 2020-04-22 20:15:16 +05:30
shravan
93fa54bf79 744 deny all requests 2020-04-18 18:26:09 +05:30
shravan
11580e8ba5 744 save commit 2020-04-14 20:47:12 +05:30
shivkumar dudhani
4320111c5c fix logs api 2020-03-20 11:43:21 -07:00
Shivkumar Dudhani
2638e1002a
Merge branch 'master' into access_check 2020-03-20 10:07:47 -07:00
shivkumar dudhani
d327309d72 refactor logging 2020-03-17 16:25:34 -07:00
shivkumar dudhani
1b1ab78f77 logs & access 2020-03-17 11:05:20 -07:00
shravan
8dda9cc413 725 error response now returns rule message if it exists 2020-03-16 14:08:13 +05:30
shravan
ffd3487ace 725 changed returned error 2020-03-06 17:11:33 +05:30
shivkumar dudhani
03ee46e1d9 support nested variable resolution 2020-02-26 16:41:48 -08:00
shravan
bc84413f35 644 resolving merge conflicts 2020-02-19 10:44:14 +05:30
shivkumar dudhani
4f830acb65 refactor 2020-02-14 12:05:13 -08:00
shivkumar dudhani
5cee543755 refactor variable substitution 2020-02-14 11:59:28 -08:00
shravan
819ba3fb1b 644 returning detailed error from function in question, changes currently untested 2020-02-07 14:45:43 +05:30
shivkumar dudhani
f608d4db18 variable substitution on copy and retry generate resource creation 2020-02-04 12:13:41 -08:00
shravan
0d4b256d13 644 updating changes with revised understanding of issue, also removed alot of deadcode to make changes 2020-02-03 18:51:18 +05:30
shravan
3b37a61f5d Revert "644 untested prototype changes" 
This reverts commit 4021453760.
 2020-02-01 20:48:06 +05:30
shravan
4021453760 644 untested prototype changes 2020-01-30 16:12:26 +05:30
Shivkumar Dudhani
8c1d79ab28
linter suggestions (#655) 
* cleanup phase 1

* linter fixes phase 2
 2020-01-24 12:05:53 -08:00
Shuting Zhao
ba8030bec0 change to use validationFailureAction for the mutation failure action 2020-01-16 11:57:28 -08:00
Shuting Zhao
434ed20857 report violation in generate when path not present 2020-01-10 11:59:05 -08:00
Shuting Zhao
5a44ab3e16 generate violation in validate when substitute path not present 2020-01-09 17:44:11 -08:00
Shuting Zhao
472fa29fce move mutation to subpackage pkg/engine/mutate 2020-01-07 17:06:17 -08:00
Shivkumar Dudhani
3cf9141f4d
593 feature (#594) 
* initial commit

* background policy validation

* correct message

* skip non-background policy process for add/update

* add Generate Request CR

* generate Request Generator Initial

* test generate request CR generation

* initial commit gr generator

* generate controller initial framework

* add crd for generate request

* gr cleanup controller initial commit

* cleanup controller initial

* generate mid-commit

* generate rule processing

* create PV on generate error

* embed resource type

* testing phase 1- generate resources with variable substitution

* fix tests

* comment broken test #586

* add printer column for state

* return if existing resource for clone

* set resync time to 2 mins & remove resource version check in update handler for gr

* generate events for reporting

* fix logs

* initial commit

* fix trailing quote in patch

* remove comments

* initial condition (equal & notequal)

* initial support for conditions

* initial support fo conditions in generate

* support precondition checks

* cleanup

* re-evaluate GR on namespace update using dynamic informers

* add status for generated resources

* display loaded variable SA

* support delete cleanup of generate request main resources

* fix log

* remove namespace from SA username

* support multiple variables per statement for scalar values

* fix fail variables

* add check for userInfo

* validation checks for conditions

* update policy

* refactor logs

* code review

* add openapispec for clusterpolicy preconditions

* Update documentation

* CR fixes

* documentation

* CR fixes

* update variable

* fix logs

* update policy

* pre-defined variables (serviceAccountName & serviceAccountNamespace)

* update test
 2020-01-07 15:13:57 -08:00
Shivkumar Dudhani
ffd2179b03
538 (#587) 
* initial commit

* background policy validation

* correct message

* skip non-background policy process for add/update

* add Generate Request CR

* generate Request Generator Initial

* test generate request CR generation

* initial commit gr generator

* generate controller initial framework

* add crd for generate request

* gr cleanup controller initial commit

* cleanup controller initial

* generate mid-commit

* generate rule processing

* create PV on generate error

* embed resource type

* testing phase 1- generate resources with variable substitution

* fix tests

* comment broken test #586

* add printer column for state

* return if existing resource for clone

* set resync time to 2 mins & remove resource version check in update handler for gr

* generate events for reporting

* fix logs

* cleanup

* CR fixes

* fix logs
 2020-01-07 10:33:28 -08:00
Shivkumar Dudhani
5b8ab3842b
Support variable substitution (#549) 
* initial commit

* variable substitution

* update tests

* update test

* refactor engine packages for validate & generate

* update vendor

* update toml

* support variable substitution in overlay mutation

* missing update

* fix indentation in logs

* store context values as single JSON document using merge patches.

* remove duplicate functions

* fix message string

* Handle processing of policies in background (#569)

* remove condition check while generating mutation patch as conditions are verified in the first iteration

* initial commit

* background policy validation

* correct message

* skip non-background policy process for add/update

* fix order to correct policy registration

* update comment

Co-authored-by: shuting <shutting06@gmail.com>

* refactor

Co-authored-by: shuting <shutting06@gmail.com>
 2019-12-30 17:08:50 -08:00
Shivkumar Dudhani
ffe3bdb677
remove newline from engine response strings (#537) 
* remove newline from engine response strings

* add scenario file updates

* cr: remove . in trailing msg string
 2019-12-04 18:04:42 -08:00
shuting
ded0183aa2
Merge pull request #478 from nirmata/472_update_apiversion 
472 update apiversion
 2019-11-13 15:19:27 -08:00
Shivkumar Dudhani
23ba517fef
add patched resource + correct register handlers (#482) 2019-11-13 15:16:46 -08:00
Shuting Zhao
b67577994a update apiversion to v1 in code 2019-11-13 13:41:08 -08:00
Shivkumar Dudhani
7a12e12cb5
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00
Shuting Zhao
fc35a52ad8 Merge branch 'master' into 455_namespace_pv 
# Conflicts:
#	definitions/install_debug.yaml
#	main.go
#	pkg/webhooks/mutation.go
#	pkg/webhooks/server.go
#	pkg/webhooks/validation.go
 2019-11-13 11:46:46 -08:00
shivkumar dudhani
d8bf7fa284 clean up fixes 2019-11-12 16:49:05 -08:00
Shuting Zhao
2a14c1f5dc - add profiling; - fix CLI 2019-11-11 21:23:26 -08:00
Shuting Zhao
546a25d025 add missing file 2019-11-11 21:06:09 -08:00
Shuting Zhao
5a3ed62b13 Merge branch 'master' into 345_support_usergroup_info 
# Conflicts:
#	pkg/engine/validation_test.go
#	pkg/webhooks/annotations.go
#	pkg/webhooks/annotations_test.go
#	pkg/webhooks/mutation.go
#	pkg/webhooks/server.go
#	pkg/webhooks/validation.go
 2019-11-11 19:19:08 -08:00
Shuting Zhao
6048d59949 change engine interface to take policyContext struct 2019-11-08 18:57:27 -08:00
Shuting Zhao
ec331b8d17 remove resource info in the validation error 2019-11-07 12:30:58 -08:00
Shuting Zhao
a30b8a604d update format 2019-11-07 12:13:35 -08:00
Shuting Zhao
15895d3852 - aggregate resource info per rule; - remove resource info in each success message; 2019-11-07 12:13:35 -08:00
Shuting Zhao
de9ebd899b improve validation error message; update scenario files 2019-11-07 12:13:34 -08:00
shivkumar dudhani
a191bd67f4 update message string 2019-11-01 15:21:23 -07:00
Shuting Zhao
f820cb4c83 implement #387 Generate clusterpolicyviolation when policy action set to "enforce" 2019-10-21 15:55:20 -07:00
shivkumar dudhani
3fa8834b4a policy validation: refactoring 2019-10-21 14:22:31 -07:00
shivkumar dudhani
70ff2fa177 update engineResponse Name 2019-10-08 10:57:24 -07:00
shivkumar dudhani
c4e263564f CR: uncomment deadcode 2019-10-01 16:59:26 -07:00
shivkumar dudhani
17d80a08c0 introduce equality anchor 2019-10-01 12:35:14 -07:00
shivkumar dudhani
56b2d2990b clean up 2019-09-28 14:20:39 -07:00
shivkumar dudhani
808cccb421 update validation logic 2019-09-28 14:09:46 -07:00
shivkumar dudhani
087efffd96 support existance on list type 2019-09-25 21:01:45 -07:00
shivkumar dudhani
c65f12b97b initial commit 2019-09-25 15:12:33 -07:00
shivkumar dudhani
f56603e4d4 update message to show resource path of failure for validation + print custom message on failure + anyPattern to return on first success validation + update scenarios for test runner 2019-09-05 12:44:38 -07:00
shivkumar dudhani
6228b8343e refactor engine api 2019-09-03 15:48:13 -07:00
shivkumar dudhani
fa53519e2a change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
shivkumar dudhani
07d86cb769 add success tests for validation & mutation 2019-08-29 18:48:58 -07:00
shivkumar dudhani
5b80da32ba replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00
shivkumar dudhani
b062d70e29 initial redesign 2019-08-23 18:34:23 -07:00
Shuting Zhao
fcaa495790 remove commented code 2019-08-21 17:23:51 -07:00
Shuting Zhao
ead99660f0 Merge commit '042bc645497ce6713bfca286f8bacd73ef7387b6' into 285_allow_OR_across_overlay_patterns 
# Conflicts:
#	pkg/engine/validation.go
 2019-08-21 14:13:22 -07:00
Shuting Zhao
97335270cd add anyPattern in validate rule 2019-08-21 12:38:15 -07:00
shivkumar dudhani
e507fb6422 recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00
shivkumar dudhani
0b5cc03b2d engineResponse to contain stats 2019-08-19 18:57:19 -07:00
shivkumar dudhani
61d7ea276a rebase 2019-08-19 17:26:52 -07:00
shivkumar dudhani
8b1066be29 initial commit 2019-08-19 16:40:10 -07:00