mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 07:57:07 +00:00
5e07ecc5f3
* add report in cli * policy report crd added * policy report added * configmap added * added jobs * added jobs * bug fixed * added logic for cli * common function added * sub command added for policy report * subcommand added for report * common package changed * configmap added * added logic for kyverno cli * added logic for jobs * added logic for jobs * added logic for jobs * added logic for cli * buf fix * cli changes * count bug fix * docs added for command * go fmt * refactor codebase * remove policy controller for policyreport * policy report removed * bug fixes * bug fixes * added job trigger if needed * job deletation logic added * build failed fix * fixed e2e test * remove hard coded variables * packages adde * improvment added in jobs sheduler * policy report yaml added * cronjob added * small fixes * remove background sync * documentation added for report command * remove extra log * small improvement * tested policy report * revert hardcoded changes * changes for demo * demo changes * resource aggrigation added * More changes * More changes * - resolve PR comments; - refactor jobs controller * set rbac for jobs * add clean up in job controller * add short names * remove application scope for policyreport * move job controller to policyreport * add report logic in command apply * - update policy report types; - upgrade k8s library; - update code gen * temporarily comment out code to pass CI build * generate / update policyreport to cluster * add unit test for CLI report * add test for apply - generate policy report * fix unit test * - remove job controller; - remove in-memory configmap; - clean up kustomize manifest * remove dependency * add reportRequest / clusterReportRequest * clean up policy report * generate report request * update crd clusterReportRequest * - update json tag of report summary; - update definition manifests; - fix dclient creation * aggregate reportRequest into policy report * fix unit tests * - update report summary to optional; - generate clusterPolicyReport; - remove reportRequests after merged to report * remove * generate reportRequest in kyverno namespace * update resource filter in helm chart * - rename reportRequest to reportChangeRequest; -rename clusterReportRequest to clusterReportChangeRequest * generate policy report in background scan * skip generating report change request if there's entry results * fix results entry removal when policy / rule gets deleted * rename apiversion from policy.kubernetes.io to policy.k8s.io * update summary.* to lower case * move reportChangeRequest to kyverno.io/v1alpha1 * remove policy report flag * fix report update * clean up policy violation CRD * remove violation CRD from manifest * clean up policy violation code - remove pvGenerator * change severity fields to lower case * update import library * set report category Co-authored-by: Yuvraj <yuvraj.yad001@gmail.com> Co-authored-by: Yuvraj <10830562+evalsocket@users.noreply.github.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
335 lines
16 KiB
YAML
335 lines
16 KiB
YAML
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.2.5
|
|
creationTimestamp: null
|
|
name: policyreports.policy.k8s.io
|
|
spec:
|
|
additionalPrinterColumns:
|
|
- JSONPath: .scope.kind
|
|
name: Kind
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .scope.name
|
|
name: Name
|
|
priority: 1
|
|
type: string
|
|
- JSONPath: .summary.pass
|
|
name: Pass
|
|
type: integer
|
|
- JSONPath: .summary.fail
|
|
name: Fail
|
|
type: integer
|
|
- JSONPath: .summary.warn
|
|
name: Warn
|
|
type: integer
|
|
- JSONPath: .summary.error
|
|
name: Error
|
|
type: integer
|
|
- JSONPath: .summary.skip
|
|
name: Skip
|
|
type: integer
|
|
- JSONPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
group: policy.k8s.io
|
|
names:
|
|
kind: PolicyReport
|
|
listKind: PolicyReportList
|
|
plural: policyreports
|
|
shortNames:
|
|
- polr
|
|
singular: policyreport
|
|
scope: Namespaced
|
|
subresources: {}
|
|
validation:
|
|
openAPIV3Schema:
|
|
description: PolicyReport is the Schema for the policyreports API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
results:
|
|
description: PolicyReportResult provides result details
|
|
items:
|
|
description: PolicyReportResult provides the result for an individual
|
|
policy
|
|
properties:
|
|
category:
|
|
description: Category indicates policy category
|
|
type: string
|
|
data:
|
|
additionalProperties:
|
|
type: string
|
|
description: Data provides additional information for the policy rule
|
|
type: object
|
|
message:
|
|
description: Message is a short user friendly description of the policy
|
|
rule
|
|
type: string
|
|
policy:
|
|
description: Policy is the name of the policy
|
|
type: string
|
|
resourceSelector:
|
|
description: ResourceSelector is an optional selector for policy results
|
|
that apply to multiple resources. For example, a policy result may
|
|
apply to all pods that match a label. Either a Resource or a ResourceSelector
|
|
can be specified. If neither are provided, the result is assumed
|
|
to be for the policy report scope.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that
|
|
contains values, a key, and an operator that relates the key
|
|
and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to
|
|
a set of values. Valid operators are In, NotIn, Exists
|
|
and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the
|
|
operator is In or NotIn, the values array must be non-empty.
|
|
If the operator is Exists or DoesNotExist, the values
|
|
array must be empty. This array is replaced during a strategic
|
|
merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single
|
|
{key,value} in the matchLabels map is equivalent to an element
|
|
of matchExpressions, whose key field is "key", the operator
|
|
is "In", and the values array contains only "value". The requirements
|
|
are ANDed.
|
|
type: object
|
|
type: object
|
|
resources:
|
|
description: Resources is an optional reference to the resource checked
|
|
by the policy and rule
|
|
items:
|
|
description: 'ObjectReference contains enough information to let
|
|
you inspect or modify the referred object. --- New uses of this
|
|
type are discouraged because of difficulty describing its usage
|
|
when embedded in APIs. 1. Ignored fields. It includes many fields
|
|
which are not generally honored. For instance, ResourceVersion
|
|
and FieldPath are both very rarely valid in actual usage. 2.
|
|
Invalid usage help. It is impossible to add specific help for
|
|
individual usage. In most embedded usages, there are particular restrictions
|
|
like, "must refer only to types A and B" or "UID not honored"
|
|
or "name must be restricted". Those cannot be well described
|
|
when embedded. 3. Inconsistent validation. Because the usages
|
|
are different, the validation rules are different by usage, which
|
|
makes it hard for users to predict what will happen. 4. The fields
|
|
are both imprecise and overly precise. Kind is not a precise
|
|
mapping to a URL. This can produce ambiguity during interpretation
|
|
and require a REST mapping. In most cases, the dependency is
|
|
on the group,resource tuple and the version of the actual
|
|
struct is irrelevant. 5. We cannot easily change it. Because
|
|
this type is embedded in many locations, updates to this type will
|
|
affect numerous schemas. Don''t make new APIs embed an underspecified
|
|
API type they do not control. Instead of using this type, create
|
|
a locally provided and used type that is well-focused on your
|
|
reference. For example, ServiceReferences for admission registration:
|
|
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
.'
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead of
|
|
an entire object, this string should contain a valid JSON/Go
|
|
field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container within
|
|
a pod, this would take on a value like: "spec.containers{name}"
|
|
(where "name" refers to the name of the container that triggered
|
|
the event) or if no container name is specified "spec.containers[2]"
|
|
(container with index 2 in this pod). This syntax is chosen
|
|
only to have some well-defined way of referencing a part of
|
|
an object. TODO: this design is not final and this field is
|
|
subject to change in the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference
|
|
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
type: array
|
|
rule:
|
|
description: Rule is the name of the policy rule
|
|
type: string
|
|
scored:
|
|
description: Scored indicates if this policy rule is scored
|
|
type: boolean
|
|
severity:
|
|
description: Severity indicates policy severity
|
|
enum:
|
|
- high
|
|
- low
|
|
- medium
|
|
type: string
|
|
status:
|
|
description: Status indicates the result of the policy rule check
|
|
enum:
|
|
- pass
|
|
- fail
|
|
- warn
|
|
- error
|
|
- skip
|
|
type: string
|
|
required:
|
|
- policy
|
|
type: object
|
|
type: array
|
|
scope:
|
|
description: Scope is an optional reference to the report scope (e.g. a
|
|
Deployment, Namespace, or Node)
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead of an entire
|
|
object, this string should contain a valid JSON/Go field access statement,
|
|
such as desiredState.manifest.containers[2]. For example, if the object
|
|
reference is to a container within a pod, this would take on a value
|
|
like: "spec.containers{name}" (where "name" refers to the name of
|
|
the container that triggered the event) or if no container name is
|
|
specified "spec.containers[2]" (container with index 2 in this pod).
|
|
This syntax is chosen only to have some well-defined way of referencing
|
|
a part of an object. TODO: this design is not final and this field
|
|
is subject to change in the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference is made,
|
|
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
scopeSelector:
|
|
description: ScopeSelector is an optional selector for multiple scopes (e.g.
|
|
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
|
|
should be specified.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that contains
|
|
values, a key, and an operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to a set
|
|
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the operator
|
|
is In or NotIn, the values array must be non-empty. If the operator
|
|
is Exists or DoesNotExist, the values array must be empty. This
|
|
array is replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single {key,value}
|
|
in the matchLabels map is equivalent to an element of matchExpressions,
|
|
whose key field is "key", the operator is "In", and the values array
|
|
contains only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
summary:
|
|
description: PolicyReportSummary provides a summary of results
|
|
properties:
|
|
error:
|
|
description: Error provides the count of policies that could not be
|
|
evaluated
|
|
type: integer
|
|
fail:
|
|
description: Fail provides the count of policies whose requirements
|
|
were not met
|
|
type: integer
|
|
pass:
|
|
description: Pass provides the count of policies whose requirements
|
|
were met
|
|
type: integer
|
|
skip:
|
|
description: Skip indicates the count of policies that were not selected
|
|
for evaluation
|
|
type: integer
|
|
warn:
|
|
description: Warn provides the count of unscored policies whose requirements
|
|
were not met
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
version: v1alpha1
|
|
versions:
|
|
- name: v1alpha1
|
|
served: true
|
|
storage: true
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|