218877dc03
The original logic for evaluating pod security standards took two steps for each defined check: 1. If the policy author requested the latest version of the standard, find the newest version of the check and evaluate the pod against it, adding any failure to the final results. 2. Otherwise, evaluate the pod against *each version of the check* whose minimum version is below the requested version, adding any failures to the final results. This second step can be problematic, as new PSS versions may permit a broader range of values for a restricted field compared to old versions. As a concrete example, versioned podSecurity rules don't permit some of the newer sysctls allowed by Kubernetes v1.27 and v1.29, since Kyverno still evaluates v1.0 of the check. With this change, Kyverno identifies the highest version of the check that the podSecurity rule allows, and only executes that version of the check against the pod. Since the "latest" version is special-cased to compare newer than all non-latest versions, no special logic is required in that case. I've added unit tests for several combinations of sysctl and policy version, especially to check that policy v1.27 permits the new sysctl allowed in v1.27 but not the sysctls allowed in v1.29. I've also taken the liberty of changing `assert.Assert` to `assert.Check`, to collect multiple failures from a single unit test run. Signed-off-by: Alex Hamlin <alexanderh@qualtrics.com> |
||
|---|---|---|
| .devcontainer | ||
| .github | ||
| .vscode | ||
| api | ||
| charts | ||
| cmd | ||
| config | ||
| data | ||
| docs | ||
| ext | ||
| hack | ||
| img | ||
| litmuschaos | ||
| pkg | ||
| scripts | ||
| test | ||
| .chainsaw.yaml | ||
| .codeclimate.yml | ||
| .directory | ||
| .gitignore | ||
| .golangci.yml | ||
| .goreleaser.yml | ||
| .ko.yaml | ||
| .krew.yaml | ||
| .nancy-ignore | ||
| ADOPTERS.md | ||
| CHANGELOG.md | ||
| CODE_OF_CONDUCT.md | ||
| CODEOWNERS | ||
| CONTRIBUTING.md | ||
| CONTRIBUTORS.md | ||
| DEVELOPMENT.md | ||
| go.mod | ||
| go.sum | ||
| GOVERNANCE.md | ||
| LICENSE | ||
| MAINTAINERS.md | ||
| Makefile | ||
| OWNERS.md | ||
| README.md | ||
| ROADMAP.md | ||
| SECURITY-INSIGHTS.yml | ||
| SECURITY.md | ||
| sonar-project.properties | ||
Kyverno 
Cloud Native Policy Management 🎉
Kyverno is a policy engine designed for cloud native platform engineering teams. It enables security, automation, compliance, and governance using policy-as-code. Kyverno can validate, mutate, generate, and cleanup configurations using Kubernetes admission controls, background scans, and source code respository scans. Kyverno policies can also be used to verify OCI images, for software supply chain security. Kyverno policies can be managed as Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.
📙 Documentation
Kyverno installation and reference documents are available at [kyverno.io] (https://kyverno.io).
🙋♂️ Getting Help
We are here to help!
👉 For feature requests and bugs, file an issue.
👉 For discussions or questions, join the Kyverno Slack channel.
👉 For community meeting access, see mailing list.
👉 To get follow updates ⭐️ star this repository.
➕ Contributing
Thanks for your interest in contributing to Kyverno! Here are some steps to help get you started:
✔ Read and agree to the Contribution Guidelines.
✔ Browse through the GitHub discussions.
✔ Read Kyverno design and development details on the GitHub Wiki.
✔ Check out the good first issues list. Add a comment with /assign to request assignment of the issue.
✔ Check out the Kyverno Community page for other ways to get involved.
Software Bill of Materials
All Kyverno images include a Software Bill of Materials (SBOM) in CycloneDX JSON format. SBOMs for Kyverno images are stored in a separate repository at ghcr.io/kyverno/sbom. More information on this is available at Fetching the SBOM for Kyverno.
Contributors
Kyverno is built and maintained by our growing community of contributors!
Made with contributors-img.
License
Copyright 2024, the Kyverno project. All rights reserved. Kyverno is licensed under the Apache License 2.0.
Kyverno is a Cloud Native Computing Foundation (CNCF) Incubating project and was contributed by Nirmata.