mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
86fc31f63b
* add validations for generate immutable fields Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore(deps): bump github.com/onsi/gomega from 1.26.0 to 1.27.0 (#6334) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.26.0 to 1.27.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.26.0...v1.27.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Jmespath typo fix (#6342) Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com> * chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 (#6341) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](https://github.com/golang/net/compare/v0.6.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#6348) Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 2.0.5 to 2.1.0. - [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases) - [Commits](bd2868d14a...b9ddf6a515) --- updated-dependencies: - dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/onsi/gomega from 1.27.0 to 1.27.1 (#6347) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.0 to 1.27.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.27.0...v1.27.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: dump admission response (#6349) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: use labels.Everything in userinfo clusterroles matching (#6351) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update k8s.gcr.io to registry.k8s.io (#6340) Signed-off-by: Rayan Das <rayandas91@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * Notary v2 (#6011) * fix make debug-deploy Signed-off-by: Jim Bugwadia <jim@nirmata.com> * improve log messages Signed-off-by: Jim Bugwadia <jim@nirmata.com> * initial update Signed-off-by: Jim Bugwadia <jim@nirmata.com> * initial update Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update registry credentials handling order Signed-off-by: Jim Bugwadia <jim@nirmata.com> * comment out ACR helper - breaks anonymous image pull Signed-off-by: Jim Bugwadia <jim@nirmata.com> * merge main and refactor verifiers Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix opt init Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove local address Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update to NotaryV2 RC Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update deps Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format imports Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove env and no-op statement Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix merge issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issue Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused field Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * renable ACR credential helper Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update .vscode/launch.json Signed-off-by: shuting <shutting06@gmail.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com> * chore(deps): bump fluxcd/flux2 from 0.39.0 to 0.40.0 (#6362) Bumps [fluxcd/flux2](https://github.com/fluxcd/flux2) from 0.39.0 to 0.40.0. - [Release notes](https://github.com/fluxcd/flux2/releases) - [Changelog](https://github.com/fluxcd/flux2/blob/main/.goreleaser.yml) - [Commits](978cc0c5b8...2cac6ce281) --- updated-dependencies: - dependency-name: fluxcd/flux2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * oldObject translation solved in autogen (#6305) * OldObject translation solved in autogen Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com> * CronJob fixed in autogen Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com> * tests added Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com> --------- Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: logger key value in wrong order (#6365) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: missing metrics for policies in audit mode (#6363) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump github.com/notaryproject/notation-go (#6361) Bumps [github.com/notaryproject/notation-go](https://github.com/notaryproject/notation-go) from 1.0.0-rc.1 to 1.0.0-rc.3. - [Release notes](https://github.com/notaryproject/notation-go/releases) - [Commits](https://github.com/notaryproject/notation-go/compare/v1.0.0-rc.1...v1.0.0-rc.3) --- updated-dependencies: - dependency-name: github.com/notaryproject/notation-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: role matching from authentication infos (#6358) * fix: role matching from authentication infos Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: delete certificate secret if type is not TLS (#6368) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: user/groups exclusions (#6357) * refactor: user/groups exclusions Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * wildcard Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * add labels to downstream and source resources (#6322) Signed-off-by: ShutingZhao <shuting@nirmata.com> * update generate validation checks Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Abhishek Kumar <abhishek22512@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Rayan Das <rayandas91@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: shuting <shutting06@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Abhishek Kumar <76171953+octonawish-akcodes@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Rayan Das <rayandas91@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
91 lines
3.2 KiB
Go
91 lines
3.2 KiB
Go
package oci
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
|
|
"github.com/google/go-containerregistry/pkg/name"
|
|
"github.com/google/go-containerregistry/pkg/v1/empty"
|
|
"github.com/google/go-containerregistry/pkg/v1/mutate"
|
|
"github.com/google/go-containerregistry/pkg/v1/remote"
|
|
"github.com/google/go-containerregistry/pkg/v1/static"
|
|
"github.com/google/go-containerregistry/pkg/v1/types"
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
|
|
"github.com/kyverno/kyverno/pkg/openapi"
|
|
policyvalidation "github.com/kyverno/kyverno/pkg/policy"
|
|
policyutils "github.com/kyverno/kyverno/pkg/utils/policy"
|
|
"github.com/spf13/cobra"
|
|
"go.uber.org/multierr"
|
|
"sigs.k8s.io/controller-runtime/pkg/log"
|
|
)
|
|
|
|
var policyRef string
|
|
|
|
func ociPushCommand() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "push",
|
|
Long: "This command is one of the supported experimental commands in Kyverno CLI, and its behaviour might be changed any time.",
|
|
Short: "push policie(s) that are included in an OCI image to OCI registry",
|
|
Example: `# push policy to an OCI image from a given policy file
|
|
kyverno oci push -p policy.yaml -i <imgref>
|
|
|
|
# push multiple policies to an OCI image from a given directory that includes policies
|
|
kyverno oci push -p policies. -i <imgref>`,
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
if imageRef == "" {
|
|
return errors.New("image reference is required")
|
|
}
|
|
|
|
policies, errs := common.GetPolicies([]string{policyRef})
|
|
if len(errs) != 0 {
|
|
return fmt.Errorf("unable to read policy file or directory %s: %w", policyRef, multierr.Combine(errs...))
|
|
}
|
|
|
|
openApiManager, err := openapi.NewManager(log.Log)
|
|
if err != nil {
|
|
return fmt.Errorf("creating openapi manager: %v", err)
|
|
}
|
|
for _, policy := range policies {
|
|
if _, err := policyvalidation.Validate(policy, nil, nil, true, openApiManager); err != nil {
|
|
return fmt.Errorf("validating policy %s: %v", policy.GetName(), err)
|
|
}
|
|
}
|
|
|
|
img := mutate.MediaType(empty.Image, types.OCIManifestSchema1)
|
|
img = mutate.ConfigMediaType(img, policyConfigMediaType)
|
|
ref, err := name.ParseReference(imageRef)
|
|
if err != nil {
|
|
return fmt.Errorf("parsing image reference: %v", err)
|
|
}
|
|
|
|
for _, policy := range policies {
|
|
if policy.IsNamespaced() {
|
|
fmt.Fprintf(os.Stderr, "Adding policy [%s]\n", policy.GetName())
|
|
} else {
|
|
fmt.Fprintf(os.Stderr, "Adding cluster policy [%s]\n", policy.GetName())
|
|
}
|
|
policyBytes, err := policyutils.ToYaml(policy)
|
|
if err != nil {
|
|
return fmt.Errorf("converting policy to yaml: %v", err)
|
|
}
|
|
policyLayer := static.NewLayer(policyBytes, policyLayerMediaType)
|
|
img, err = mutate.Append(img, mutate.Addendum{
|
|
Layer: policyLayer,
|
|
Annotations: annotations(policy),
|
|
})
|
|
if err != nil {
|
|
return fmt.Errorf("mutating image: %v", err)
|
|
}
|
|
}
|
|
fmt.Fprintf(os.Stderr, "Uploading [%s]...\n", ref.Name())
|
|
if err = remote.Write(ref, img, remote.WithContext(cmd.Context()), remote.WithAuthFromKeychain(keychain)); err != nil {
|
|
return fmt.Errorf("writing image: %v", err)
|
|
}
|
|
fmt.Fprintf(os.Stderr, "Done.")
|
|
return nil
|
|
},
|
|
}
|
|
cmd.Flags().StringVarP(&policyRef, "policy", "p", "", "path to policie(s)")
|
|
return cmd
|
|
}
|