mirror of https://github.com/kyverno/kyverno.git synced 2025-03-13 19:28:55 +00:00
Cloud Native Policy Management
ToLToL 1b9a2fca21
Extend Pod Security Admission (#4364)
* init commit for pss

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add test for Volume Type control

* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()

* remove unused code, still a JMESPATH problem with app armor ExemptProfile()

* test for Host Process / Host Namespaces controls

* test for Privileged containers controls

* test for HostPathVolume control

* test for HostPorts control

* test for HostPorts control

* test for SELinux control

* test for Proc mount type control

* Set to baseline

* test for Seccomp control

* test for Sysctl control

* test for Privilege escalation control

* test for Run as non root control

* test for Restricted Seccomp control

* Add problems to address

* add solutions to problems

* Add validate rule for PSA

* api.Version --> string. latest by default

* Exclude all values for a restrictedField

* add tests for kyverno engine

* code to be used to match kyverno rule's namespace

* Refactor pkg/pss

* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers

* EvaluatePod

* Use EvaluatePod in kyverno engine

* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add

* Check if PSSCheckResult matched at least one exclude value

* add tests for engine

* fix engine validation test

* config

* update go.mod and go.sum

* crds

* Check validate value: add PodSecurity

* exclude all restrictedFields when we only specify the controlName

* ExemptProfile(): check if exclude.RestrictedField matches at least one restrictedField.path

* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)

* refactor pkg/pss/evaluate.go and add pkg/engine/validation_test.go

* add all controls with containers in restrictedFields as comments

* add tests for capabilities and privileged containers and fix some errors

* add tests for host ports control

* add tests for proc mount control

* add tests for privilege escalation control

* add tests for capabilities control

* remove comments

* new algo

* refactor algo, working. Add test for hostProcess control

* remove unused code

* fix getPodWithNotMatchingContainers(), add tests for host namespaces control

* refactor ExemptProfile()

* get values for a specific container. add test for SELinuxOptions control

* fix allowedValues for SELinuxOptions

* add tests for seccompProfile_baseline control

* refactor checkContainers(), add test for seccomp control

* add test for running as non root control

* add some tests for runAsUser control, have to update current PSA version

* add sysctls control

* add allowed values for restrictedVolumes control

* add some tests for appArmor, volume types controls

* add tests for volume types control

* add tests for hostPath volume control

* finish merge conflicts and add tests for runAsUser

* update charts and crds

* exclude.images optional

* change volume types control exclude values

* add appArmor control

* fix: did not match any exclude value for pod-level restrictedFields

* create autogen for validate.PodSecurity

* clean code, remove logs

* fix sonatype lift errors

* fix sonatype lift errors: duplication

* fix crash in pkg/policy/validate/ tests and unmarshal errors for pkg/engine tests

* beginning of autogen implement for validate.exclude

* Autogen for validation.PodSecurity

* working autogen with simple tests

* change validate.PodSecurity failure response format

* make codegen

* fix lint errors, remove debug prints

* fix tags

* fix tags

* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request

* Changes requested

* Changes requested 2

* Changes requested 3

* Changes requested 4

* Changes requested and make codegen

* fix host namespaces control

* fix lint

* fix codegen error

* update docs/crd/v1/index.html

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix path

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update crd schema

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update charts/kyverno/templates/crds.yaml

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 09:16:31 +00:00
.github refactor: clearly separate makefile docker targets for build and publish (#4454) 2022-08-31 12:22:46 +08:00
api Extend Pod Security Admission (#4364) 2022-08-31 09:16:31 +00:00
charts Extend Pod Security Admission (#4364) 2022-08-31 09:16:31 +00:00
cmd refactor: make toggles easier to define and use (#4456) 2022-08-31 06:41:14 +00:00
config Extend Pod Security Admission (#4364) 2022-08-31 09:16:31 +00:00
data Restructure project to follow standards (#2632) 2021-10-29 18:13:20 +02:00
docs Extend Pod Security Admission (#4364) 2022-08-31 09:16:31 +00:00
img upload logo (#1560) 2021-02-08 13:09:37 -08:00
litmuschaos chore: enable gofmt and gofumpt linters (#3931) 2022-05-17 06:19:03 +00:00
pkg Extend Pod Security Admission (#4364) 2022-08-31 09:16:31 +00:00
scripts chore: remove godownloader and install-cli script (#4442) 2022-08-29 17:19:13 +02:00
test Extend Pod Security Admission (#4364) 2022-08-31 09:16:31 +00:00
.codeclimate.yml remove arm from goreleaser (#903) 2020-06-04 11:45:37 -07:00
.directory Implemented validation across same yaml 2019-06-20 18:21:55 +03:00
.gitignore refactor: makefile (#4403) 2022-08-25 16:59:24 +00:00
.golangci.yml Add the metric "kyverno_client_queries_total" (#4359) 2022-08-31 11:33:47 +05:30
.goreleaser.yml feat: add linux/s390x builds (#3277) 2022-02-22 23:40:46 +08:00
.ko.yaml fix: make ldflags optional in .ko.yaml (#4419) 2022-08-26 13:40:27 +00:00
.krew.yaml Remove s390X (#4063) 2022-06-03 08:11:12 +00:00
ADOPTERS.md Add Techcombank to adopters (#4260) 2022-07-23 01:53:41 +00:00
CHANGELOG.md Cherry-pick #4233 (#4236) 2022-07-20 22:22:15 +05:30
CODE_OF_CONDUCT.md Fix typos (#2860) 2021-12-18 20:03:16 +00:00
CODEOWNERS Remove myself as codeowner (#4333) 2022-08-12 07:38:45 -04:00
CONTRIBUTING.md Resolve conflict introduced to contributing page (#4192) 2022-07-07 18:02:57 +00:00
DEVELOPMENT.md docs: add section for deploying a local build (#4458) 2022-08-31 08:06:12 +00:00
go.mod Extend Pod Security Admission (#4364) 2022-08-31 09:16:31 +00:00
go.sum Extend Pod Security Admission (#4364) 2022-08-31 09:16:31 +00:00
LICENSE Create LICENSE 2019-06-05 23:00:32 -04:00
MAINTAINERS.md chore: update maintainers md (#4380) 2022-08-23 14:44:37 +00:00
Makefile Extend Pod Security Admission (#4364) 2022-08-31 09:16:31 +00:00
OWNERS.md Update OWNERS.md (#3371) 2022-03-10 10:30:05 -08:00
README.md Add codecov to CI (#3382) 2022-03-14 16:21:27 +08:00
renovate.json chore(deps): add renovate.json (#3471) 2022-03-29 16:09:23 +08:00
SECURITY.md feat: security.md 2021-09-19 09:50:26 +05:30


Kubernetes Native Policy Management 🎉


Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use, such as kubectl, kustomize, and Git.

📙 Documentation

Kyverno installation and reference documents are available at kyverno.io.

👉 Quick Start

👉 Installation

👉 Sample Policies

🙋‍♂️ Getting Help

We are here to help!

👉 For feature requests and bugs, file an issue.

👉 For discussions or questions, join the Kyverno Slack channel.

👉 For community meeting access, join the mailing list.

👉 To get updates star this repository.

Contributing

Thanks for your interest in contributing to Kyverno! Here are some steps to help get you started:

✔ Read and agree to the Contribution Guidelines.

✔ Browse through the GitHub discussions.

✔ Read Kyverno design and development details on the GitHub Wiki.

✔ Check out the good first issues list. Add a comment with /assign to request assignment of the issue.

✔ Check out the Kyverno Community page for other ways to get involved.

Contributors

Kyverno is built and maintained by our growing community of contributors!

Made with contributors-img.