shuting
cc10feb906
fix webhook configuration issue when auto update is disabled ( #3417 )
...
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-03-18 10:05:00 +00:00
Aidan Delaney
def19d2ec0
Ignore test files that do not end in test.yaml ( #3402 )
...
Some editors create backup files when editing. So users will
edit kyverno-test.yaml and end up with both kyverno-test.yaml
and kyverno-test.yaml~ (or some variant). This change ignores
backup files that append a character to the string `test.yaml`
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Signed-off-by: Aidan Delaney <adelaney21@bloomberg.net>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Sambhav Kothari <skothari44@bloomberg.net>
2022-03-18 09:31:01 +00:00
Charles-Edouard Brétéché
4ce5c972ee
refactor: Policy name validation ( #3409 )
...
* refactor: UserInfo validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: Rule type validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: Rule names validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: Policy name validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-18 01:02:35 +08:00
Abhinav Sinha
17caa561ec
Replace ToUnstructured() with Marshal/Unmarshal ( #3150 )
...
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-17 14:20:24 +00:00
Christian Kotzbauer
860253d6aa
[ImageVerify] Verify additional certificate-extensions ( #3404 )
...
* feat: add additionalExtensions to keyless imageVerify
Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
* feat: regenerate code
Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
2022-03-17 08:42:12 +00:00
Charles-Edouard Brétéché
cc212ac766
refactor: Rule names validation ( #3406 )
...
* refactor: UserInfo validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: Rule type validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: Rule names validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-03-17 11:36:21 +08:00
Charles-Edouard Brétéché
adcb71f1d6
refactor: Rule type validation ( #3400 )
...
* refactor: UserInfo validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: Rule type validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-16 21:57:31 +00:00
Charles-Edouard Brétéché
5541189c6c
refactor: UserInfo validation ( #3399 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-16 16:15:46 +00:00
shuting
69518b7c9c
Fix webhook re-creation error ( #3403 )
...
* fix webhook re-creation issue
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix webhook monitor blocking call
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-03-16 15:23:46 +00:00
Thomas Hartland
36f532840d
Only queue one retry if webhook update fails ( #3353 )
...
Queueing two retries can lead to exponential growth.
Adding a delay before the retry should reduce the number
of failed attempts to update webhooks.
Signed-off-by: Thomas Hartland <thomas.hartland@diamond.ac.uk>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-16 12:08:03 +00:00
Abhi Kapoor
ac8dea1cba
Return warning on admission response when mutating pods ( #3272 )
...
- Return the warning as part of the validate response
- Warn when autogen annotation is being used to exclude pod controllers
- Return admission response based on the autogen annotation value
- Update the existing log message to align with admission response warning
Co-authored-by: abhinav454 <43758739+abhinav454@users.noreply.github.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
2022-03-16 04:50:33 +00:00
Sambhav Kothari
6498425937
Add a registry flag to allow direct access to container registries in the CLI ( #3396 )
...
* Add a registry flag to allow direct access to container registries in the CLI
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-03-16 09:56:47 +05:30
Charles-Edouard Brétéché
9e623bbf6e
feat: add rules to status ( #3376 )
...
* fix: configmap resource filters generated by helm does not account for namespace
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* feat: add rules to status
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-15 14:49:16 +00:00
Charles-Edouard Brétéché
8602e63f23
refactor: ImageVerification validation ( #3372 )
...
* fix: configmap resource filters generated by helm does not account for namespace
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: ImageVerification validation
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-15 08:48:58 +00:00
Vyankatesh Kudtarkar
68093cd44c
Cli Apply command support Dir as resources ( #3391 )
...
* apply command support dir as resources
* fix issue
2022-03-15 16:00:59 +08:00
Charles-Edouard Brétéché
5de83edafa
fix: metrics config defaults ( #3387 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-14 22:21:50 +08:00
Vyankatesh Kudtarkar
154cea21c3
fix for gvk not working for existing resources policy ( #3384 )
2022-03-14 16:03:13 +05:30
Christian Kotzbauer
851a81845c
Update cosign to v1.6.0 ( #3341 )
...
Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
fix ecr-helper creation
Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-03-11 11:25:10 -08:00
Vyankatesh Kudtarkar
b3a53f0658
fix PodExecOptions issue ( #3373 )
...
* fix PodExecOptions issue
* add note
* update comment
2022-03-11 15:09:32 +05:30
Charles-Edouard Brétéché
8d08250e07
feat: add autogen controllers to policy status ( #3332 )
...
* feat: add autogen controllers to policy status
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* feat: add autogen controllers to policy status
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-03-10 23:51:29 +08:00
Charles-Edouard Brétéché
ce5f648f30
refactor: introduce rules getters and setters ( #3350 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
2022-03-09 15:28:31 +00:00
Charles-Edouard Brétéché
ea977b259c
refactor: move controller autogen annotation in api package ( #3364 )
...
* fix: configmap resource filters generated by helm does not account for namespace
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: move controller autogen annotation in api package
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-09 21:48:04 +08:00
Shubham Nazare
4c1a8336b0
Add new test-case-selector flag to test command ( #3183 )
...
* added new test-case flag to test command
Signed-off-by: Shubham Nazare <shubham4443@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Sambhav Kothari <skothari44@bloomberg.net>
2022-03-09 07:40:53 +00:00
Ivan Wallis
deda7a5336
support RSA, ECDSA and EDDSA public key verification ( #3362 )
...
Signed-off-by: Ivan Wallis <iwallis@gmail.com>
2022-03-08 21:58:14 -08:00
Vyankatesh Kudtarkar
148a892277
Fix any_all wildcard issue ( #3352 )
2022-03-08 12:59:33 +00:00
Charles-Edouard Brétéché
90d0badda4
fix: CRD generation ( #3334 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-06 11:07:51 -08:00
Charles-Edouard Brétéché
1293ef4691
refactor: reduce usage of reflect.DeepEqual ( #3328 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-02 17:20:27 +00:00
Charles-Edouard Brétéché
8cc883becc
fix: naming typos ( #3327 )
...
fix: naming typos
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-02 07:29:33 +00:00
Charles-Edouard Brétéché
7232de45c6
refactor: introduce autogen package ( #3316 )
...
* refactor: pass only spec instead of whole policy when possible
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
* refactor: introduce autogen package
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-03-01 23:19:31 +00:00
Charles-Edouard Brétéché
1154612489
refactor: pass only spec instead of whole policy when possible ( #3315 )
...
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-03-01 22:42:19 +00:00
Sambhav Kothari
c4075af3d1
Improve CLI test times by instantiating openapi controller once ( #3297 )
...
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-02-24 23:34:12 +08:00
Emin AKTAS
388b160840
Fix namespace typo ( #3298 )
...
Signed-off-by: Emin Aktas <emin.aktas@trendyol.com>
Signed-off-by: eminaktas <eminaktas34@gmail.com>
2022-02-24 13:39:22 +00:00
Prateek Pandey
66969d35ea
validate and block policy based on the matched kind cache ( #3283 )
...
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-02-23 22:27:18 +05:30
Sambhav Kothari
147fc6db56
Shallow clone git repositories for kyverno test command
...
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-02-23 23:12:34 +08:00
Vyankatesh Kudtarkar
e8bf16a00b
Fix label mutation while updating the secret ( #3273 )
...
* Fix label mutation while updating the secret
* Update util.go
* fix converter issue
* code indentation
2022-02-22 19:49:03 +08:00
Afzal Ansari
9f8d2aef8e
Added kyverno test subcommand for test manifest file ( #3264 )
...
* Adds `kyverno test` subcommand for test manifest file
Signed-off-by: afzal442 <afzal442@gmail.com>
Adds sub cmd
Signed-off-by: afzal442 <afzal442@gmail.com>
Adds usage
Signed-off-by: afzal442 <afzal442@gmail.com>
* Refactors the help command
Signed-off-by: afzal442 <afzal442@gmail.com>
Refactors help cmd
Signed-off-by: afzal442 <afzal442@gmail.com>
* Modifies manifest desc and removes the unused test manifest
Signed-off-by: afzal442 <afzal442@gmail.com>
Adds changes
Signed-off-by: afzal442 <afzal442@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-02-21 05:23:29 +00:00
Vyankatesh Kudtarkar
04e5f50cde
fix mutate wildcard issue ( #3193 )
...
Co-authored-by: shuting <shuting@nirmata.com>
2022-02-18 10:32:10 +00:00
Vyankatesh Kudtarkar
0a5aad39cf
Fix foreach validations precondition issue ( #3228 )
...
* fix foreach validations precondition issue
* added test-cases
2022-02-18 09:11:41 +00:00
shuting
a30493e550
Fix policy report OwnerReference ( #3249 )
...
* add namespaces/finalizers to clusterrole kyverno:generate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* set policy report's owner to Kyverno namespace
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address comments
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address comments
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove BlockOwnerDeletion
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove namespaces/finalizers permission
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-02-18 00:50:18 -08:00
Jim Bugwadia
421a81ce63
Fix old object validation check ( #3248 )
...
* fix validation check on UPDATE
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* prevent policy bypass using preconditions
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* separate replace
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add error handling
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-02-17 09:18:49 -08:00
Tathagata Paul
b91ff5a7f2
Bug fix: negation of string kernel version caused Cluster Policy to fail ( #3229 )
...
* fixed bug where negation of kernel version caused cpolr to fail
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* small fix in function validateString
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Added necessary tests
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Added one more test
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Add more tests and added a policy to the test folder
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* added policy for test cli
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-02-17 09:33:30 +05:30
shuting
2eefe3a544
Skip updating webhook configs if namespaceSelector is nil ( #3237 )
...
* skip updating webhook configs if namespaceSelector is nil
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address comments
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address comment for mutating webhook
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address comments
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update logs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-02-16 17:07:09 +05:30
Mritunjay Kumar Sharma
5a541567de
Fix image parsing for image referenced as digests ( #3196 )
...
* fixes image break with sha256
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixes priority to digest
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-02-15 08:35:53 +00:00
Jim Bugwadia
bd1a145678
Fix keyless attest ( #3219 )
...
* allow root cert for keyless attestations checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add logs and improve var names
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle err in sig loading
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-02-13 20:35:11 -08:00
vivek kumar sahu
0293368504
fixing bug to handle two different types of rules ( #2954 )
...
* fixing bug for the info variable
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-02-09 10:33:54 +00:00
Ramanand Thakur
7f1530c66e
Indentation fix ( #3179 )
...
Removed unnecessary indentation on line 107 to avoid confusion.
2022-02-08 01:00:01 +08:00
Sambhav Kothari
4445780c7c
Add a kyverno jp command to test jmespath expressions ( #3169 )
...
* Add a kyverno jp command to test jmespath expressions
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Auto-generate custom function docs
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-02-04 05:23:12 +00:00
Vyankatesh Kudtarkar
373f421b07
Fix panic for provides a set to the key of a precondition and deny condition ( #3162 )
2022-02-03 14:46:58 +00:00
Abhinav Sinha
ed3811ea5a
Bump up verbosity for patched resource mismatch ( #3127 )
...
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
2022-02-03 11:24:00 +00:00
Prateek Pandey
286b0427d0
fix filtered and sort patches index ( #3146 )
...
added missing start index value for the
patches slice
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
2022-02-01 13:16:08 -08:00