Skip to content

Commit 80d139b

Browse files
vishal-chdhryJimBugwadiaeddycharlyrealshutingchipzoller
authored
Added fetchAttestations method to notaryV2 implimentation (#6800)
* moved to oras Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * linting error fix Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added error checking Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fixed errors Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added final build Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added predicate fetching Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added checks in statements Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * removed continuous checking if predicate is found Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * renamed notaryv2 to notary Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * changed notaryv2 to notary Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * run codegen all Signed-off-by: Jim Bugwadia <jim@nirmata.com> * changes Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * commented cert Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added variable support to certs Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * renamed notaryV2 to notary Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * deprecated predicate types Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * disallow keys and keyless under attestors if type is set to notary Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * gcr crane implementation init Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added changes Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * types Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * using remote puller and pusher Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * implemented notation repository interface Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated notary implementation and fixed errors Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * removed oras Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * kuttl test init Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added image verify test Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * check image attestation notary Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added readme Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added tests for extract statements Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: remove status from policy webhooks (#6939) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: split chart values in readme per component (#6936) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> * fix: incorrect json patch validation (#6941) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: add verbosity level in helm chart values (#6940) * feat: add verbosity level in helm chart values Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: match on ephemeral containers (#6963) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: refine event permissions in default roles (#6957) * remove the event delete permission Signed-off-by: ShutingZhao <shuting@nirmata.com> * add '- events.k8s.io/v1' Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add kuttl test for ephemeral containers (#6966) * Move Sam to Emeritus status Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add kuttl test for ephemeral containers Signed-off-by: Chip Zoller <chipzoller@gmail.com> --------- Signed-off-by: Chip Zoller <chipzoller@gmail.com> * refactor: restructure cli test command (#6942) * refactor: restructure cli test command Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: add credential helpers flags (#6974) * feat: add credential helpers flags Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump aquasecurity/trivy-action from 0.9.2 to 0.10.0 (#6976) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.9.2 to 0.10.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@1f0aa58...e5f4313) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Support for Context vars in cleanup (#6084) * Added Context in CleanupPolicySpec Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added context.go file with loadVariable() Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added loadAPIData() in context.go and called from handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added conditionals for not supported context variables Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted versions in CRDs Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted CRDs to v0.11.1 Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Imported fmt in handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added Context in CleanupPolicySpec Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added context.go file with loadVariable() Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added loadAPIData() in context.go and called from handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added conditionals for not supported context variables Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted versions in CRDs Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted CRDs to v0.11.1 Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Imported fmt in handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Removed duplicate import Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * make verify-codegen Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Updated kuttl test Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Fixed kuttl failure Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * moved policy check to validation Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reused functions Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added kuttl test Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added more configMap Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * removed unecessary check Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * auto codegen Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * updated codegen Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Renamed ApplyJMESPath() to applyJMESPath() Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> --------- Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump actions/setup-python from 4.5.0 to 4.6.0 (#6981) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.5.0 to 4.6.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@d27e3f3...57ded4d) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump codecov/codecov-action from 3.1.2 to 3.1.3 (#6982) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.2 to 3.1.3. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@40a12dc...894ff02) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix background variables validation (#6978) Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: restrict default permissions (#6972) * restrict admission permissions Signed-off-by: ShutingZhao <shuting@nirmata.com> * restrict background permissions Signed-off-by: ShutingZhao <shuting@nirmata.com> * update install.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> * kuttl README (#6984) * Added Context in CleanupPolicySpec Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added context.go file with loadVariable() Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added loadAPIData() in context.go and called from handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added conditionals for not supported context variables Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted versions in CRDs Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted CRDs to v0.11.1 Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Imported fmt in handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added Context in CleanupPolicySpec Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added context.go file with loadVariable() Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added loadAPIData() in context.go and called from handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added conditionals for not supported context variables Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted versions in CRDs Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted CRDs to v0.11.1 Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Imported fmt in handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Removed duplicate import Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * make verify-codegen Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Updated kuttl test Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Fixed kuttl failure Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * moved policy check to validation Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reused functions Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added kuttl test Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added more configMap Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * removed unecessary check Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * auto codegen Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * updated codegen Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Renamed ApplyJMESPath() to applyJMESPath() Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added Readme in context-cleanup-pod Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> --------- Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump github/codeql-action from 2.2.12 to 2.3.0 (#6989) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.12 to 2.3.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7df0ce3...b2c19fb) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/notaryproject/notation-core-go (#6987) Bumps [github.com/notaryproject/notation-core-go](https://github.com/notaryproject/notation-core-go) from 1.0.0-rc.2 to 1.0.0-rc.3. - [Release notes](https://github.com/notaryproject/notation-core-go/releases) - [Commits](notaryproject/notation-core-go@v1.0.0-rc.2...v1.0.0-rc.3) --- updated-dependencies: - dependency-name: github.com/notaryproject/notation-core-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: new access checks for background policies (#6970) * switch to use sar for access checks Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * update helm config Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix username Signed-off-by: ShutingZhao <shuting@nirmata.com> * update msg Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix sa name Signed-off-by: ShutingZhao <shuting@nirmata.com> * update install.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: bump kind image to 1.27.1 (#6993) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: bump k8s deps to 1.27 (#6868) * feat: bump k8s deps to 1.27 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * bump k8s 1.27.1 Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com> * fix: disable autogen in foreach mutation with json patches (#6996) * fix: disable autogen in foreach mutation with json patches Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: add server ip config to cleanup controller (#6999) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: add features section in helm values (#6935) * feat: add features section in helm values Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * configs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * overrides Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: add reports cleanup jobs to prevent outage (#6960) * feat: add reports cleanup jobs to prevent outage Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * security cotnext Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> * feat: add registry credential helpers feature (#7002) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: improve instrumented clients (#7006) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: record configmap resource version to not reload when version didn't change (#7007) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump sigstore/cosign-installer from 3.0.2 to 3.0.3 (#7012) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.2 to 3.0.3. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@9e9de22...204a51a) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add Red Hat ACM to the Adopters list (#7016) Red Hat ACM is useful for distributed kyverno policies across a managed fleet of clusters. Adding to adopters file with a link that describes details of using the ACM policy generator with Kyverno. Signed-off-by: Gus Parvin <gparvin@redhat.com> * fix: helm template with metricsRefreshInterval (#7019) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * add support for Kubernetes API server POST (#6948) * allow POST for Kubernetes API calls Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add kuttl tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt and undo local changes Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix codegen and unit test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix unit test Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests and extends docs Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> * feat: update built-in resource schemas (#7014) * feat: update built-in resource schemas Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix unit test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: use github.com/evanphx/json-patch/v5 (#7015) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump github/codeql-action from 2.3.0 to 2.3.1 (#7025) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.0 to 2.3.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@b2c19fb...8662eab) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * add DE-CIX as adopter of kyverno (#7027) Signed-off-by: Raul Garcia Sanchez <info@raulgarcia.de> * refactor: engine patchers (#7030) * refactor: engine patchers Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump github/codeql-action from 2.3.1 to 2.3.2 (#7033) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@8662eab...f3feb00) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * add Saxo Bank and Velux as adopters (#7036) Signed-off-by: Chip Zoller <chipzoller@gmail.com> * update development doc (#7037) Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix: generate policy validation to prevent endless loop (#7026) * refactor policy validation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add loop check for generate Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * linter fixes Signed-off-by: ShutingZhao <shuting@nirmata.com> * linter fixes Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: remove deletionTimestamp checks (#7039) * remove deletionTimestamp check Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove deletionTimestamp check Signed-off-by: ShutingZhao <shuting@nirmata.com> * add back source check Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove deletionTimestamp check Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore(deps): bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 (#7055) Bumps [k8s.io/klog/v2](https://github.com/kubernetes/klog) from 2.90.1 to 2.100.1. - [Release notes](https://github.com/kubernetes/klog/releases) - [Changelog](https://github.com/kubernetes/klog/blob/main/RELEASE.md) - [Commits](kubernetes/klog@v2.90.1...v2.100.1) --- updated-dependencies: - dependency-name: k8s.io/klog/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: add background scan interval log (#7065) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: flaky github action (#7068) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: engine response policy (#7063) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: add opt-in setting to deploy v3 chart (#7066) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * require generate.apiVersion (#7080) Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: remove excluded groups from matching (#7083) * fix: remove excluded groups from matching Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: add config inclusions support (#7082) * feat: add config inclusions support Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: add makefile target for kwok (#7097) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump github/codeql-action from 2.3.2 to 2.3.3 (#7099) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.2 to 2.3.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@f3feb00...29b1f65) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * validate target resource scope & namespace settings (#7098) Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: mutation code (#7095) * fix: mutation code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * lazy loading of context vars (#7071) * lazy loading of context vars Signed-off-by: Jim Bugwadia <jim@nirmata.com> * gofumpt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add kuttl tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> * [Feature] Add kuttl tests with policy exceptions disabled (#7117) * added tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> * removed redundant code Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * typo fix and README changes Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> --------- Signed-off-by: Ved Ratan <vedratan8@gmail.com> * Conditions message (#7113) * add message to conditions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * extend tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> * chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#7123) Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 2.1.2 to 2.1.3. - [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases) - [Commits](zgosalvez/github-actions-ensure-sha-pinned-actions@21991ce...555a30d) --- updated-dependencies: - dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> * chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.14.1 to 0.14.2 (#7121) Bumps [sigs.k8s.io/kustomize/kyaml](https://github.com/kubernetes-sigs/kustomize) from 0.14.1 to 0.14.2. - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases) - [Commits](kubernetes-sigs/kustomize@kyaml/v0.14.1...kyaml/v0.14.2) --- updated-dependencies: - dependency-name: sigs.k8s.io/kustomize/kyaml dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> * chore(deps): bump oras.land/oras-go/v2 from 2.0.2 to 2.1.0 (#7102) Bumps [oras.land/oras-go/v2](https://github.com/oras-project/oras-go) from 2.0.2 to 2.1.0. - [Release notes](https://github.com/oras-project/oras-go/releases) - [Commits](oras-project/oras-go@v2.0.2...v2.1.0) --- updated-dependencies: - dependency-name: oras.land/oras-go/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> * add condition msg to v2beta1 (#7126) Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: print container flags and their values (#7127) * add condition msg to v2beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * print flags settings Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove the container flag genWorker from the admission controller (#7132) Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#7103) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.54.0 to 1.55.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.54.0...v1.55.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * remove the duplicate entry (#7125) Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore(deps): bump sigs.k8s.io/kustomize/api from 0.13.2 to 0.13.3 (#7120) Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.13.2 to 0.13.3. - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases) - [Commits](kubernetes-sigs/kustomize@api/v0.13.2...api/v0.13.3) --- updated-dependencies: - dependency-name: sigs.k8s.io/kustomize/api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> * fixed error Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * undo mistake Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * go mod conflict fix Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * changes from review Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * NIT Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated image Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated checks Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fixed verifying wrong ref Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated cert in tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * added warning when predicate type is used Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: panic for policy variable validation (#7079) * fix panic Signed-off-by: ShutingZhao <shuting@nirmata.com> * check errors Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: remove policy-reporter from dev lab (#7196) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: cleanup controller metrics name (#7198) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: http request metrics (#7197) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * remove unused code (#7203) Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle Deny rules where conditions eval to true (#7204) Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> * [Bug] Enforce message wrong (#7208) * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fixed tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> --------- Signed-off-by: Ved Ratan <vedratan8@gmail.com> * chore(deps): bump codecov/codecov-action from 3.1.3 to 3.1.4 (#7207) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@894ff02...eaaf4be) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump sigstore/cosign-installer from 3.0.3 to 3.0.4 (#7215) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@204a51a...03d0fec) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: panic in reports controller (#7220) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: mutate existing auth check (#7219) * fix auth check when using variables in ns Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: do not exclude kube-system service accounts by default (#7225) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * docs: add reports system design doc (#6949) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump k8s.io/apimachinery from 0.27.1 to 0.27.2 (#7227) Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.27.1 to 0.27.2. - [Commits](kubernetes/apimachinery@v0.27.1...v0.27.2) --- updated-dependencies: - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> * chore(deps): bump k8s.io/cli-runtime from 0.27.1 to 0.27.2 (#7228) Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.27.1 to 0.27.2. - [Commits](kubernetes/cli-runtime@v0.27.1...v0.27.2) --- updated-dependencies: - dependency-name: k8s.io/cli-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#7229) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@03d0fec...dd6b2e2) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump k8s.io/pod-security-admission from 0.27.1 to 0.27.2 (#7232) Bumps [k8s.io/pod-security-admission](https://github.com/kubernetes/pod-security-admission) from 0.27.1 to 0.27.2. - [Commits](kubernetes/pod-security-admission@v0.27.1...v0.27.2) --- updated-dependencies: - dependency-name: k8s.io/pod-security-admission dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: match logic misbehave (#7218) * add rule name in ur for mutate existing Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix match logic Signed-off-by: ShutingZhao <shuting@nirmata.com> * linter fixes Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix the match logic to only apply to the new object, unless it's a delete request Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#7240) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.8.2...v1.8.3) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#7239) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.27.6...v1.27.7) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump k8s.io/kube-aggregator from 0.27.1 to 0.27.2 (#7241) Bumps [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) from 0.27.1 to 0.27.2. - [Commits](kubernetes/kube-aggregator@v0.27.1...v0.27.2) --- updated-dependencies: - dependency-name: k8s.io/kube-aggregator dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump k8s.io/apiextensions-apiserver from 0.27.1 to 0.27.2 (#7242) Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.27.1 to 0.27.2. - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](kubernetes/apiextensions-apiserver@v0.27.1...v0.27.2) --- updated-dependencies: - dependency-name: k8s.io/apiextensions-apiserver dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * updated kuttl tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fixed mistake in assert Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * quote image in error (#7259) Signed-off-by: bakito <github@bakito.ch> * fix: auto update webhooks not configuring fail endpoint (#7261) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix latest version check (#7263) Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.0 (#7270) Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.5.0 to 2.6.0. - [Release notes](https://github.com/svenstaro/upload-release-action/releases) - [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md) - [Commits](svenstaro/upload-release-action@7319e47...58d5258) --- updated-dependencies: - dependency-name: svenstaro/upload-release-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.6 to 0.15.0 (#7272) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.14.6 to 0.15.0. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.14.6...v0.15.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: add yaml util to check empty document (#7276) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fixed api version in kuttl tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated kuttl tests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * go sum update Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated admission controller assert Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * updated image Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * removed admission controller changes Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * go mod fix Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> Signed-off-by: Gus Parvin <gparvin@redhat.com> Signed-off-by: Raul Garcia Sanchez <info@raulgarcia.de> Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> Signed-off-by: Ved Ratan <vedratan8@gmail.com> Signed-off-by: bakito <github@bakito.ch> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Md Sahil <85174511+MdSahil-oss@users.noreply.github.com> Co-authored-by: Gus Parvin <gparvin@redhat.com> Co-authored-by: Raúl Garcia Sanchez <info@raulgarcia.de> Co-authored-by: Mariam Fahmy <55502281+MariamFahmy98@users.noreply.github.com> Co-authored-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com> Co-authored-by: Marc Brugger <github@bakito.ch>
1 parent d9359b7 commit 80d139b

37 files changed

+1235
-429
lines changed

Diff for: api/kyverno/v1/image_verification_types.go

+23-5
Original file line numberDiff line numberDiff line change
@@ -9,21 +9,21 @@ import (
99
)
1010

1111
// ImageVerificationType selects the type of verification algorithm
12-
// +kubebuilder:validation:Enum=Cosign;NotaryV2
12+
// +kubebuilder:validation:Enum=Cosign;Notary
1313
// +kubebuilder:default=Cosign
1414
type ImageVerificationType string
1515

1616
const (
17-
Cosign ImageVerificationType = "Cosign"
18-
NotaryV2 ImageVerificationType = "NotaryV2"
17+
Cosign ImageVerificationType = "Cosign"
18+
Notary ImageVerificationType = "Notary"
1919
)
2020

2121
// ImageVerification validates that images that match the specified pattern
2222
// are signed with the supplied public key. Once the image is verified it is
2323
// mutated to include the SHA digest retrieved during the registration.
2424
type ImageVerification struct {
2525
// Type specifies the method of signature validation. The allowed options
26-
// are Cosign and NotaryV2. By default Cosign is used if a type is not specified.
26+
// are Cosign and Notary. By default Cosign is used if a type is not specified.
2727
// +kubebuilder:validation:Optional
2828
Type ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
2929

@@ -236,9 +236,14 @@ type CTLog struct {
236236
// OCI registry and decodes them into a list of Statements.
237237
type Attestation struct {
238238
// PredicateType defines the type of Predicate contained within the Statement.
239-
// +kubebuilder:validation:Required
239+
// Deprecated in favour of 'Type', to be removed soon
240+
// +kubebuilder:validation:Optional
240241
PredicateType string `json:"predicateType" yaml:"predicateType"`
241242

243+
// Type defines the type of attestation contained within the Statement.
244+
// +kubebuilder:validation:Optional
245+
Type string `json:"type" yaml:"type"`
246+
242247
// Attestors specify the required attestors (i.e. authorities)
243248
// +kubebuilder:validation:Optional
244249
Attestors []AttestorSet `json:"attestors" yaml:"attestors"`
@@ -281,6 +286,19 @@ func (iv *ImageVerification) Validate(isAuditFailureAction bool, path *field.Pat
281286
errs = append(errs, attestorErrors...)
282287
}
283288

289+
if iv.Type == Notary {
290+
for _, attestorSet := range iv.Attestors {
291+
for _, attestor := range attestorSet.Entries {
292+
if attestor.Keyless != nil {
293+
errs = append(errs, field.Invalid(attestorsPath, iv, "Keyless field is not allowed for type notary"))
294+
}
295+
if attestor.Keys != nil {
296+
errs = append(errs, field.Invalid(attestorsPath, iv, "Keys field is not allowed for type notary"))
297+
}
298+
}
299+
}
300+
}
301+
284302
return errs
285303
}
286304

Diff for: api/kyverno/v2beta1/image_verification_types.go

+17-4
Original file line numberDiff line numberDiff line change
@@ -6,21 +6,21 @@ import (
66
)
77

88
// ImageVerificationType selects the type of verification algorithm
9-
// +kubebuilder:validation:Enum=Cosign;NotaryV2
9+
// +kubebuilder:validation:Enum=Cosign;Notary
1010
// +kubebuilder:default=Cosign
1111
type ImageVerificationType string
1212

1313
const (
14-
Cosign ImageVerificationType = "Cosign"
15-
NotaryV2 ImageVerificationType = "NotaryV2"
14+
Cosign ImageVerificationType = "Cosign"
15+
Notary ImageVerificationType = "Notary"
1616
)
1717

1818
// ImageVerification validates that images that match the specified pattern
1919
// are signed with the supplied public key. Once the image is verified it is
2020
// mutated to include the SHA digest retrieved during the registration.
2121
type ImageVerification struct {
2222
// Type specifies the method of signature validation. The allowed options
23-
// are Cosign and NotaryV2. By default Cosign is used if a type is not specified.
23+
// are Cosign and Notary. By default Cosign is used if a type is not specified.
2424
// +kubebuilder:validation:Optional
2525
Type ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
2626

@@ -86,5 +86,18 @@ func (iv *ImageVerification) Validate(isAuditFailureAction bool, path *field.Pat
8686
errs = append(errs, attestorErrors...)
8787
}
8888

89+
if iv.Type == Notary {
90+
for _, attestorSet := range iv.Attestors {
91+
for _, attestor := range attestorSet.Entries {
92+
if attestor.Keyless != nil {
93+
errs = append(errs, field.Invalid(attestorsPath, iv, "Keyless field is not allowed for type notary"))
94+
}
95+
if attestor.Keys != nil {
96+
errs = append(errs, field.Invalid(attestorsPath, iv, "Keys field is not allowed for type notary"))
97+
}
98+
}
99+
}
100+
}
101+
89102
return errs
90103
}

Diff for: charts/kyverno/templates/crds/crds.yaml

+60-32
Original file line numberDiff line numberDiff line change
@@ -7248,10 +7248,13 @@ spec:
72487248
type: array
72497249
predicateType:
72507250
description: PredicateType defines the type of Predicate
7251+
contained within the Statement. Deprecated in
7252+
favour of 'Type', to be removed soon
7253+
type: string
7254+
type:
7255+
description: Type defines the type of attestation
72517256
contained within the Statement.
72527257
type: string
7253-
required:
7254-
- predicateType
72557258
type: object
72567259
type: array
72577260
attestors:
@@ -7499,11 +7502,11 @@ spec:
74997502
type: string
75007503
type:
75017504
description: Type specifies the method of signature validation.
7502-
The allowed options are Cosign and NotaryV2. By default
7505+
The allowed options are Cosign and Notary. By default
75037506
Cosign is used if a type is not specified.
75047507
enum:
75057508
- Cosign
7506-
- NotaryV2
7509+
- Notary
75077510
type: string
75087511
verifyDigest:
75097512
default: true
@@ -11153,9 +11156,13 @@ spec:
1115311156
predicateType:
1115411157
description: PredicateType defines the type
1115511158
of Predicate contained within the Statement.
11159+
Deprecated in favour of 'Type', to be removed
11160+
soon
11161+
type: string
11162+
type:
11163+
description: Type defines the type of attestation
11164+
contained within the Statement.
1115611165
type: string
11157-
required:
11158-
- predicateType
1115911166
type: object
1116011167
type: array
1116111168
attestors:
@@ -11412,11 +11419,11 @@ spec:
1141211419
type: string
1141311420
type:
1141411421
description: Type specifies the method of signature
11415-
validation. The allowed options are Cosign and NotaryV2.
11422+
validation. The allowed options are Cosign and Notary.
1141611423
By default Cosign is used if a type is not specified.
1141711424
enum:
1141811425
- Cosign
11419-
- NotaryV2
11426+
- Notary
1142011427
type: string
1142111428
verifyDigest:
1142211429
default: true
@@ -14748,10 +14755,13 @@ spec:
1474814755
type: array
1474914756
predicateType:
1475014757
description: PredicateType defines the type of Predicate
14758+
contained within the Statement. Deprecated in
14759+
favour of 'Type', to be removed soon
14760+
type: string
14761+
type:
14762+
description: Type defines the type of attestation
1475114763
contained within the Statement.
1475214764
type: string
14753-
required:
14754-
- predicateType
1475514765
type: object
1475614766
type: array
1475714767
attestors:
@@ -14974,11 +14984,11 @@ spec:
1497414984
type: boolean
1497514985
type:
1497614986
description: Type specifies the method of signature validation.
14977-
The allowed options are Cosign and NotaryV2. By default
14987+
The allowed options are Cosign and Notary. By default
1497814988
Cosign is used if a type is not specified.
1497914989
enum:
1498014990
- Cosign
14981-
- NotaryV2
14991+
- Notary
1498214992
type: string
1498314993
verifyDigest:
1498414994
default: true
@@ -18628,9 +18638,13 @@ spec:
1862818638
predicateType:
1862918639
description: PredicateType defines the type
1863018640
of Predicate contained within the Statement.
18641+
Deprecated in favour of 'Type', to be removed
18642+
soon
18643+
type: string
18644+
type:
18645+
description: Type defines the type of attestation
18646+
contained within the Statement.
1863118647
type: string
18632-
required:
18633-
- predicateType
1863418648
type: object
1863518649
type: array
1863618650
attestors:
@@ -18887,11 +18901,11 @@ spec:
1888718901
type: string
1888818902
type:
1888918903
description: Type specifies the method of signature
18890-
validation. The allowed options are Cosign and NotaryV2.
18904+
validation. The allowed options are Cosign and Notary.
1889118905
By default Cosign is used if a type is not specified.
1889218906
enum:
1889318907
- Cosign
18894-
- NotaryV2
18908+
- Notary
1889518909
type: string
1889618910
verifyDigest:
1889718911
default: true
@@ -22509,10 +22523,13 @@ spec:
2250922523
type: array
2251022524
predicateType:
2251122525
description: PredicateType defines the type of Predicate
22526+
contained within the Statement. Deprecated in
22527+
favour of 'Type', to be removed soon
22528+
type: string
22529+
type:
22530+
description: Type defines the type of attestation
2251222531
contained within the Statement.
2251322532
type: string
22514-
required:
22515-
- predicateType
2251622533
type: object
2251722534
type: array
2251822535
attestors:
@@ -22760,11 +22777,11 @@ spec:
2276022777
type: string
2276122778
type:
2276222779
description: Type specifies the method of signature validation.
22763-
The allowed options are Cosign and NotaryV2. By default
22780+
The allowed options are Cosign and Notary. By default
2276422781
Cosign is used if a type is not specified.
2276522782
enum:
2276622783
- Cosign
22767-
- NotaryV2
22784+
- Notary
2276822785
type: string
2276922786
verifyDigest:
2277022787
default: true
@@ -26415,9 +26432,13 @@ spec:
2641526432
predicateType:
2641626433
description: PredicateType defines the type
2641726434
of Predicate contained within the Statement.
26435+
Deprecated in favour of 'Type', to be removed
26436+
soon
26437+
type: string
26438+
type:
26439+
description: Type defines the type of attestation
26440+
contained within the Statement.
2641826441
type: string
26419-
required:
26420-
- predicateType
2642126442
type: object
2642226443
type: array
2642326444
attestors:
@@ -26674,11 +26695,11 @@ spec:
2667426695
type: string
2667526696
type:
2667626697
description: Type specifies the method of signature
26677-
validation. The allowed options are Cosign and NotaryV2.
26698+
validation. The allowed options are Cosign and Notary.
2667826699
By default Cosign is used if a type is not specified.
2667926700
enum:
2668026701
- Cosign
26681-
- NotaryV2
26702+
- Notary
2668226703
type: string
2668326704
verifyDigest:
2668426705
default: true
@@ -30011,10 +30032,13 @@ spec:
3001130032
type: array
3001230033
predicateType:
3001330034
description: PredicateType defines the type of Predicate
30035+
contained within the Statement. Deprecated in
30036+
favour of 'Type', to be removed soon
30037+
type: string
30038+
type:
30039+
description: Type defines the type of attestation
3001430040
contained within the Statement.
3001530041
type: string
30016-
required:
30017-
- predicateType
3001830042
type: object
3001930043
type: array
3002030044
attestors:
@@ -30237,11 +30261,11 @@ spec:
3023730261
type: boolean
3023830262
type:
3023930263
description: Type specifies the method of signature validation.
30240-
The allowed options are Cosign and NotaryV2. By default
30264+
The allowed options are Cosign and Notary. By default
3024130265
Cosign is used if a type is not specified.
3024230266
enum:
3024330267
- Cosign
30244-
- NotaryV2
30268+
- Notary
3024530269
type: string
3024630270
verifyDigest:
3024730271
default: true
@@ -33891,9 +33915,13 @@ spec:
3389133915
predicateType:
3389233916
description: PredicateType defines the type
3389333917
of Predicate contained within the Statement.
33918+
Deprecated in favour of 'Type', to be removed
33919+
soon
33920+
type: string
33921+
type:
33922+
description: Type defines the type of attestation
33923+
contained within the Statement.
3389433924
type: string
33895-
required:
33896-
- predicateType
3389733925
type: object
3389833926
type: array
3389933927
attestors:
@@ -34150,11 +34178,11 @@ spec:
3415034178
type: string
3415134179
type:
3415234180
description: Type specifies the method of signature
34153-
validation. The allowed options are Cosign and NotaryV2.
34181+
validation. The allowed options are Cosign and Notary.
3415434182
By default Cosign is used if a type is not specified.
3415534183
enum:
3415634184
- Cosign
34157-
- NotaryV2
34185+
- Notary
3415834186
type: string
3415934187
verifyDigest:
3416034188
default: true

0 commit comments

Comments
 (0)