1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Commit graph

108 commits

Author SHA1 Message Date
Charles-Edouard Brétéché
fffd6aa9a0
chore: upgrade golang to 1.18 (#4505)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-05 09:32:45 +05:30
ToLToL
1b9a2fca21
Extend Pod Security Admission (#4364)
* init commit for pss

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add test for Volume Type control

* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()

* remove unused code, still a JMESPATH problem with app armor ExemptProfile()

* test for Host Process / Host Namespaces controls

* test for Privileged containers controls

* test for HostPathVolume control

* test for HostPorts control

* test for HostPorts control

* test for SELinux control

* test for Proc mount type control

* Set to baseline

* test for Seccomp control

* test for Sysctl control

* test for Privilege escalation control

* test for Run as non root control

* test for Restricted Seccomp control

* Add problems to address

* add solutions to problems

* Add validate rule for PSA

* api.Version --> string. latest by default

* Exclude all values for a restrictedField

* add tests for kyverno engine

* code to be used to match kyverno rule's namespace

* Refacto pkg/pss

* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:

* EvaluatePod

* Use EvaluatePod in kyverno engine

* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add

* Check if PSSCheckResult matched at least one exclude value

* add tests for engine

* fix engine validation test

* config

* update go.mod and go.sum

* crds

* Check validate value: add PodSecurity

* exclude all restrictedFields when we only specify the controlName

* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path

* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)

* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go

* add all controls with containers in restrictedFields as comments

* add tests for capabilities and privileged containers and fix some errors

* add tests for host ports control

* add tests for proc mount control

* add tests for privilege escalation control

* add tests for capabilities control

* remove comments

* new algo

* refacto algo, working. Add test for hostProcess control

* remove unused code

* fix getPodWithNotMatchingContainers(), add tests for host namespaces control

* refacto ExemptProfile()

* get values for a specific container. add test for SELinuxOptions control

* fix allowedValues for SELinuxOptions

* add tests for seccompProfile_baseline control

* refacto checkContainers(), add test for seccomp control

* add test for running as non root control

* add some tests for runAsUser control, have to update current PSA version

* add sysctls control

* add allowed values for restrictedVolumes control

* add some tests for appArmor, volume types controls

* add tests for volume types control

* add tests for hostPath volume control

* finish merge conflicts and add tests for runAsUser

* update charts and crds

* exclude.images optional

* change volume types control exclude values

* add appAmor control

* fix: did not match any exclude value for pod-level restrictedFields

* create autogen for validate.PodSecurity

* clean code, remove logs

* fix sonatype lift errors

* fix sonatype lift errors: duplication

* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests

* beginning of autogen implement for validate.exclude

* Autogen for validation.PodSecurity

* working autogen with simple tests

* change validate.PodSecurity failure response format

* make codegen

* fix lint errors, remove debug prints

* fix tags

* fix tags

* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request

* Changes requested

* Changes requested 2

* Changes requested 3

* Changes requested 4

* Changes requested and make codegen

* fix host namespaces control

* fix lint

* fix codegen error

* update docs/crd/v1/index.html

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix path

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update crd schema

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update charts/kyverno/templates/crds.yaml

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 09:16:31 +00:00
Riko Kudo
5f5cda9fee
Yaml signing and verification (#4235)
* enable YAML verification using k8s-manifest-sigstore

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

comment out role and rolebinding for dryrun

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix log message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

change default value of dryrun option

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

support gpg signature

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* upgrade manifest sigstore version and support multi sigs

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix validate.manifest rule

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd and add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

set cosign experimental env when keyless verification

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* improve default ignoreFields

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* add unit-test for k8smanifest

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update install yaml

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version and support one or more signatures

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

add unit-test for k8smanifest multi-signature

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix manifest verify policy and move dryrun rbac to dryrun dir

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version and resolve conflict

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

enable YAML verification using k8s-manifest-sigstore

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

comment out role and rolebinding for dryrun

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix pubkey setting

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

upgrade manifest sigstore version and support multi sigs

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix validate.manifest rule

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update crd and add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

update k8s-manifest-sigstore version and support one or more signatures

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix verifyManifest result message

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

fix manifest verify policy and move dryrun rbac to dryrun dir

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

add small fix

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* remove generic name

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix sonatype-lift issue and unit-test error

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* fix gofumpt error

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>

* update manifest rule to use attestor

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* remove unused value

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* resolve conflict

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix install.yaml

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix to set COSIGN_EXPERIMENTAL env variable when keyless verification

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix misspell

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* enable kyverno cli in validate.manifests rule (#3)

* enable kyverno cli in validate.manifests rule

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version and improve error handling for better result output

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update crds and deepcopy

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update unit test

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* change to use spec.rules.exclude.subjects instead of skipUsers (#4)

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix yaml signing sigstore (#5)

* update k8s-manifest-sigstore version

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* add a comment for dryrun option field

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* enable to include ClusterPolicy/Policy in match resource

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix log style and env variable settings

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* simplify manifest verify func

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix func name

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix sonatype warning

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix default ignoreFields

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix yaml signing sigstore rbac (#6)

* fix dryrun rbac to have minimal permissions

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix lint error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix unit-test error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix gofumpt error

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* fix log style

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* updated CRD documentation

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* resolve go.mod conflicts

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* updated helm stuff

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Ruriko Kudo <rurikudo@ibm.com>
Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-08-30 10:14:54 -07:00
Charles-Edouard Brétéché
888689df54
fix: update go-wildcard to v1.5.0 (#4444)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-08-29 17:10:01 +00:00
Prateek Pandey
34fe6c9058
bump cosign deps version to 1.11.1 (#4408)
* bump cosign deps version to 1.11.1

to accommodate latest attestation verification fixes

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* bump github action go version to 1.18

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-08-25 08:24:49 +00:00
dependabot[bot]
0bb575442d
chore(deps): bump github.com/sigstore/cosign from 1.10.0 to 1.10.1 (#4328)
Bumps [github.com/sigstore/cosign](https://github.com/sigstore/cosign) from 1.10.0 to 1.10.1.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/cosign/compare/v1.10.0...v1.10.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-08-11 12:38:27 +08:00
Jim Bugwadia
943c3a1929
use failurePolicy to block or allow requests, on policy errors (#4183)
* use failurePolicy to block or allow requests, on policy errors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add warnings

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* codegen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add unit tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* handle network errors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix title conversion

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix path in generated file

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix fake metrics

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add check for klog flag initialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* check for flag reinitialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* check for flag reinitialization

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix spelling

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix flag init

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-08-02 20:24:02 +05:30
Guilhem Lettron
b03e461f25
feat: auto optimize GOMAXPROCS (#4277)
Signed-off-by: Guilhem Lettron <guilhem@barpilot.io>
2022-07-29 23:59:47 +08:00
Tathagata Paul
3e2894b6fa
feat: Opentelemetry support for metrics and traces (#3910)
* integrating opentelemetry

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* fix multiple imports

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* fixed cli help statement

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

* added init file for metrics

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
2022-07-11 17:49:47 +00:00
Furkan Türkal
af3da5e19a
bump cosign to 1.9.1 to fix fulcio panic (#4117)
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>

Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-06-16 16:03:22 +00:00
Vyankatesh Kudtarkar
7245c92dcf
fix vulnerable (#4027) 2022-05-26 04:19:00 +00:00
Vyankatesh Kudtarkar
bea0b794d5
add validation check to ensure the annotations quoted (#3976) 2022-05-24 12:45:23 +00:00
Prateek Pandey
c79dc82eaa
fix: cleanup old dependencies from go.sum and go.mod (#3806)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-05-05 08:56:22 +00:00
Prateek Pandey
3e2c9b25c9
Bump cosign and sigstore version (#3771)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-05-02 20:20:08 +01:00
Sambhav Kothari
05c5f1b340
Allow kyverno jp to take yaml files as inputs (#3768) 2022-05-02 17:03:45 +00:00
shuting
2a656f6de0
feat: mutate existing resources (#3669)
* feat: mutate existing, replace GR by UR in webhook server (#3601)

* add attributes for post mutation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add UR informer to webhook server

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - replace gr with ur in the webhook server; - create ur for mutateExsiting policies

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* replace gr by ur across entire packages

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add YAMLs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api docs & fix unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add UR deletion handler

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add api docs for v1beta1

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix clientset method

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix v1beta1 client registration

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* feat: mutate existing - generates UR for admission requests (#3623)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* replace with UR in policy controller generate rules (#3635)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* - enable mutate engine to process mutateExisting rules; - add unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* implemented ur background reconciliation for mutateExisting policies

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix webhook update error

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* temporary comment out new unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* feat: mutate existing, replace GR by UR in webhook server (#3601)

* add attributes for post mutation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add UR informer to webhook server

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - replace gr with ur in the webhook server; - create ur for mutateExsiting policies

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* replace gr by ur across entire packages

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix missing policy.kyverno.io/policy-name label (#3599)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* refactor cli code from pkg to cmd (#3591)

* refactor cli code from pkg to cmd

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* fixes in imports

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* fixes tests

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* fixed conflicts

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* moved non-commands to utils

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>

* add YAMLs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api docs & fix unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add UR deletion handler

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add api docs for v1beta1

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix clientset method

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add-kms-libraries for cosign (#3603)

* add-kms-libraries

Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>

* Shifted providers to cosign package

Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Add support for custom image extractors (#3596)

Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>

* Update vulnerable dependencies (#3577)

Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix v1beta1 client registration

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* feat: mutate existing - generates UR for admission requests (#3623)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* updating version in Chart.yaml (#3618)

* updatimg version in Chart.yaml

Signed-off-by: Prateeknandle <prateeknandle@gmail.com>

* changes from, make gen-helm

Signed-off-by: Prateeknandle <prateeknandle@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Allow kyverno-policies to have preconditions defined (#3606)

* Allow kyverno-policies to have preconditions defined

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Fix docs

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* replace with UR in policy controller generate rules (#3635)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - enable mutate engine to process mutateExisting rules; - add unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* implemented ur background reconciliation for mutateExisting policies

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix webhook update error

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* temporary comment out new unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Image verify attestors (#3614)

* fix logs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix logs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* support multiple attestors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* rm CLI tests (not currently supported)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* apply attestor repo

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix entryError assignment

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* format

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add intermediary certs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Allow defining imagePullSecrets (#3633)

* Allow defining imagePullSecrets

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Use dict for imagePullSecrets

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Simplify how imagePullSecrets is defined

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Fix race condition in pCache (#3632)

* fix race condition in pCache

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* refact: remove unused Run function from generate (#3638)

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* Remove helm mode setting (#3628)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* refactor: image utils (#3630)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>

* -resolve lift comments; -fix informer sync issue

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* refact the update request cleanup controller

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

* - fix delete request for mutateExisting; - fix context variable substitution; - improve logging

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - enable events; - add last applied annotation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* enable mutate existing on policy creation

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update autogen code

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* merge main

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address list comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api docs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix "Implicit memory aliasing in for loop"

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* remove unused definitions

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api docs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Shubham Gupta <shubham.gupta2956@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Prateek Nandle <56027872+Prateeknandle@users.noreply.github.com>
Co-authored-by: treydock <tdockendorf@osc.edu>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-25 12:20:40 +00:00
Shubham Gupta
3cbb8db72e
Update vulnerable dependencies (#3577)
Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-04-14 20:39:55 +00:00
Anushka Mittal
1714a328b6
add-kms-libraries for cosign (#3603)
* add-kms-libraries

Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>

* Shifted providers to cosign package

Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
2022-04-14 15:24:34 +00:00
Anushka Mittal
746d8efde9
Update to cosign 1.7.1 (#3587)
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
2022-04-12 09:29:26 -07:00
shuting
d1bf3d4742
clean up dependencies (#3469)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2022-03-25 08:40:25 +00:00
Charles-Edouard Brétéché
9ac35f9698
chore: add more codegen target and verifications (#3393)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
2022-03-16 15:01:35 +05:30
Christian Kotzbauer
851a81845c
Update cosign to v1.6.0 (#3341)
Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

fix ecr-helper creation

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-03-11 11:25:10 -08:00
Prateek Pandey
66969d35ea
validate and block policy based on the matched kind cache (#3283)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-02-23 22:27:18 +05:30
Jim Bugwadia
14111aaa05
update dependencies (#3221)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-02-13 11:20:24 +00:00
Rob Best
851ebe3e65
Add cloud provider keychains to DefaultKeychain (#3116)
Removes the need to specify an image pull secret to make use of cloud
provider credentials. As I understand it, this should be fine outside of
cloud provider contexts.

As part of this, I've switched to using authn/kubernetes, which I believe
is preferable to k8schain.

Signed-off-by: Rob Best <robertbest89@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-01-28 11:33:27 -08:00
Jim Bugwadia
7cf1dd2b15
update cosign to 1.5.0 and fix issuer and subject for keyless (#3089)
* update cosign to 1.5.0 and add checks

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix subject and issuer checks

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2022-01-27 21:13:23 -08:00
Sambhav Kothari
2eb8f5f285
Fix memory leak when updating ggcr keychain (#3088)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
2022-01-26 12:45:05 -08:00
Jim Bugwadia
bb06901119
fix mutate preprocessing for anchors (#3052)
* fix mutate preprocessing for anchors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: shuting <shutting06@gmail.com>
2022-01-23 13:54:22 +00:00
Abhinav Sinha
bd50291848
Bump go version from 1.16 to 1.17 (#3048)
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
2022-01-23 17:41:44 +05:30
Mritunjay Kumar Sharma
cdedf11a1c
bumps k8s libraries for k8s v1.23 upgrade for kyverno (#3043)
* bumps k8s libraries for k8s v1.23 upgrade for kyverno

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* fixes kustomize version

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* updates golang to v1.17 to test fails

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* updates logr package to 1.2.2

Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>

* Fixed tests for `pkg/cosign` and `pkg/webhooks/generation`

Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>

* fix go-logr deps version issue

Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>

* fix kube-openapi commit hash

Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>

Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: prateekpandey14 <prateekpandey14@gmail.com>
2022-01-22 20:26:53 +08:00
Prateek Pandey
f6e40b5dd1
feat(validation): support for ephemeral containers (#2875)
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
2021-12-28 14:22:52 +00:00
Naman Lakhwani
898520b7cf
add semver_compare JMESPath function (#2846)
* add semver_compare JMESPath function

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* adding tests for semver_compare

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* enabling version compaision via regular operators

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* adding tests for version compaision via regular operators

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

* removing unnecessary switch cases

Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2021-12-21 08:12:35 -08:00
Danny Kulchinsky
f6982760fc
truncate custom jmespath function (#2836)
* [feature] custom jmespath truncate function

Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>

* formatting

Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>

* simplify naming a bit

Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>

Co-authored-by: shuting <shutting06@gmail.com>
2021-12-17 15:52:52 +08:00
Kumar Mallikarjuna
a667a69812
JMESPath arithmetic function units (#2753)
* MAS arithmetic functions

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Adding Divide() and Modulo()

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Added tests

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Tidy go.mod

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Fix lift issues

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Set division scale to maximum of operands

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Precision for Add()/Subtract()

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Set duration precision

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

* Added comment for duration diff calculation

Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>

Co-authored-by: Bricktop <marcel.mueller1@rwth-aachen.de>
2021-12-07 15:44:46 +00:00
Shubham Palriwala
ea3529f2d0
Trivy now scans local images (#2744)
* fix: trivy now scans entire container

Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>

* update github.com/docker/cli package for vulnerabilities

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix go.mod vulnerabilities

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2021-11-22 20:57:51 +08:00
Jim Bugwadia
189c6f8cda
fix dependabot issue and remove stale entries in go.mod (#2741)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-19 16:11:38 +08:00
shuting
0f0c070072
Fix memory issue - RCR conversion (#2678) 2021-11-08 15:53:21 -08:00
Jim Bugwadia
50cb1859c3
add keyless verification (#2677)
* add keyless verification

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* run make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter warning

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* wrap error with details

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-11-04 23:26:22 -07:00
Batuhan Apaydın
4eab46fb7d
feat: support other key methods (#2607)
* feat: support other key methods

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com>
Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com>

* feat: support fetch attestations from repository

Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
Signed-off-by: Furkan <furkan.turkal@trendyol.com>

* fix: parameter type

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>

* fix error check

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Furkan Turkal <furkan.turkal@trendyol.com>
Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2021-11-03 00:45:35 -07:00
Jose Armesto
831a9826d1
Restructure project to follow standards (#2632)
Signed-off-by: Jose Armesto <github@armesto.net>
2021-10-29 18:13:20 +02:00
Jim Bugwadia
e0b1f08a28
fix check for CREATE request (#2551)
* fix check for CREATE request

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add unit test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-18 09:34:07 -07:00
Jim Bugwadia
90edc69dcf merge and update
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-05 22:42:42 -07:00
Jim Bugwadia
0dbe7ea675 start attestation support
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-01 11:10:36 -07:00
Shubham Palriwala
5b01dd53a7
remove minio/minio and update minio/pkg (#2440)
Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
2021-09-28 12:19:26 -07:00
Bricktop
4b71a031ab
Openapi validation should not fail if patchesJson6902 appends to list (#2340)
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
2021-09-16 12:40:56 -07:00
Max Goncharenko
a0ff8bbd0b
Implement global anchor (#2311)
* implement global anchor for patch strategic merge

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* fixed unit tests for mutation global anchor

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* added global anchor in validation

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* fix some global anchor issues found during testing

Signed-off-by: Max Goncharenko <kacejot@fex.net>

* run go tidy

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fixed tests

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* fixed some tests

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* finish implementing global anchor

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* WIP: lower global anchor strictness

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* Revert "WIP: lower global anchor strictness"

This reverts commit 08e176a042.

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* global anchor for mutation

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
2021-09-13 08:59:28 -07:00
Yashvardhan Kukreja
5fcd9b83d9
added: support for metrics configuration, periodic metrics cleanup and selective namespace whitelisting and blacklisting for metrics (#2288)
Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2021-09-10 14:39:12 -07:00
Jim Bugwadia
511db4372b
update cosign (#2369)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-09-07 21:29:20 -07:00
Max Goncharenko
ab24da9707
Added 2241 test case (#2255)
* added 2241 test case

Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>

* update the log level for not resolved variables

Signed-off-by: Max Goncharenko <kacejot@fex.net>
2021-08-20 14:44:19 -07:00
Jim Bugwadia
8af814c7af
update cosign to v1.0.0 (#2221)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-08-02 13:51:36 -07:00