Wildcard values #2692
Merged
Wildcard values #2692
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
realshuting
previously requested changes
Nov 8, 2021
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
|
There are conflicts that must be resolved. @MarcelMue would you mind helping to review this especially in context of the now-merged #2704 ? |
MarcelMue
reviewed
Nov 12, 2021
MarcelMue
reviewed
Nov 12, 2021
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
MarcelMue
approved these changes
Nov 15, 2021
There was a problem hiding this comment.
This is now LGTM - @chipzoller is there some testing you want to do here?
Yeah, once it lands in main and gets built, I want to put it through its paces. |
stone-z
added a commit
to giantswarm/kyverno-upstream
that referenced
this pull request
Feb 23, 2022
* Wildcard values (#2692)
* wildcard-support
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* Added unit tests
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* improvements in anyin and allin
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* Update CHANGELOG (#2727)
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Fix: Hard-coded ClusterRoleName in OwnerRef breaks (#2718)
* fix hardcoded clusterrole name
* Fix label
* Allow use of "pods/binding" subresource (#2721)
For cases where a policy matches the "Bindings" kind in the "core/v1"
API group and version, adjust the pertinent Webhook configuration rule
to use the "pods/binding" subresource.
Doing so allows observing and reacting to the Kubernetes
scheduler (and its "extenders") assigning pods to nodes, before any
other system actors observe that assignment. This is an opportune
moment in between the pod' creation and a kubelet starting it running.
Signed-off-by: Steven E. Harris <seh@panix.com>
* Do not log error when resource is not namespaced (#2730)
Signed-off-by: Jose Armesto <github@armesto.net>
* Added time_since() custom JMESPath function (#2680)
* Added time_since() custom JMESPath function
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Remove time.Layout (not supported in Go 1.16)
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Modify time_since() for 3 arguments
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Add tests for functions_test.go
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Timestamp literals and tabulated tests
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Remove layout map and default to RFC3339
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* set default value of "request.operation" to "CREATE" (#2688)
* set default value of "request.operation" equals to "CREATE"
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* handles the value of "request.operation" as "CREATE" in the CLI
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* fixed the failing e2e test case
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added logs
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* Added test case
Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
* fix dependabot issue and remove stale entries in go.mod (#2741)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix signature (#2740)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Trivy now scans local images (#2744)
* fix: trivy now scans entire container
Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
* update github.com/docker/cli package for vulnerabilities
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix go.mod vulnerabilities
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* fix crd sync issue (#2634)
* handle missing predicate type (#2743)
* handle missing predicate type
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update github.com/docker/cli package for vulnerabilities
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix go.mod vulnerabilities
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Don't check for Prom Operator apiVersion (#2723)
`.Capabilities.APIVersions.Has` function has limitations when running with
`helm template`, which is common step in multiple CD tools. In order to
properly resolve `Capabilities.APIVersions` `helm template` has to run
with `--validate` option and connect to cluster that has Prom Operator
CRDs installed.
As this template is opt-in and user has to set value to enable this,
apiVersion check doesn't provide much value and can be removed.
Signed-off-by: Ihor Urazov <iurazov@healthjoy.com>
* change matchGVK logic (#2736)
* change matchGVK logic
* fix issue
* add testcases
* add testcase core
* format code
* fix comment
* Add `pattern_match` custom JMESPath function analogous to `regex_match` (#2717)
* Add `pattern_match` custom JMESPath function analogous to `regex_match`
Signed-off-by: Sebastian Widmer <sebastian.widmer@vshn.net>
* Add CLI test for the custom `pattern_match` function
Signed-off-by: Sebastian Widmer <sebastian.widmer@vshn.net>
* improved the contributing guidelines. (#2766)
Signed-off-by: Anita-ihuman <charlesanita403@gmail.com>
* Add VSHN as adopter with APPUiO Cloud (#2773)
Signed-off-by: Tobias Brunner <tobias.brunner@vshn.ch>
* Only report on intended errors when checking JSONPatch path for variables (#2710)
* Only report on intended errors
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
* Change error text to be more fitting
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
* Replace vars for checks
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
* Remove more checks for testing
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
* Disable schema validation
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
* Remove unneeded fmt prints
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
* change cluster role labels (#2776)
* change cluster role labels
* change cluster role label value
* fix cluster role label issue
* fix comment
* Add `path_canonicalize` custom JMESPath function (#2787)
* Add path_canonicalize custom JMESPath function
Signed-off-by: weiwei.danny <weiwei.danny@bytedance.com>
* Add CLI test for the custom path_canonicalize function
Signed-off-by: weiwei.danny <weiwei.danny@bytedance.com>
* remove the extra parameter
Signed-off-by: weiwei.danny <weiwei.danny@bytedance.com>
Co-authored-by: weiwei.danny <weiwei.danny@bytedance.com>
* fix: update registry credentials on verify (#2798)
Signed-off-by: Joel Kamp <joel.kamp@invitae.com>
* JMESPath arithmetic function units (#2753)
* MAS arithmetic functions
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Adding Divide() and Modulo()
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Added tests
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Tidy go.mod
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Fix lift issues
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Set division scale to maximum of operands
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Precision for Add()/Subtract()
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Set duration precision
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Added comment for duration diff calculation
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
Co-authored-by: Bricktop <marcel.mueller1@rwth-aachen.de>
* Add command-line flags to allow setting client rate limits (QPS/Burst) (#2797)
* Add `-clientRateLimitQPS` and `-clientRateLimitBurst` flags to allow controlling client rate limits.
Signed-off-by: Sebastian Widmer <sebastian.widmer@vshn.net>
* Return error if QPS is higher than max value of float32
Signed-off-by: Sebastian Widmer <sebastian.widmer@vshn.net>
* fix: add Windows testcases for path_canonicalize (#2803)
Signed-off-by: weiwei.danny <weiwei.danny@bytedance.com>
Co-authored-by: weiwei.danny <weiwei.danny@bytedance.com>
Co-authored-by: Bricktop <marcel.mueller1@rwth-aachen.de>
* [docs]: sync api docs with latest api changes (#2808)
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* tighten and clarify Kyverno roles and permissions (#2799)
* update roles and rolebindings
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert label and fix perms
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* restrict role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix whitespace
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests and roles
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove ingress extensions/v1beta1
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix chart
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* tighten and clarify Kyverno roles and permissions
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fake commit to trigger workflows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert tests and update test role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add newlines
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove update role
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove invalid param
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* cleanup roles in Helm templates
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove `mutate` cluster role binding
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* added issuer check (#2804)
* added issuer check
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* switch to using SimpleContainerImage
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* added subject check and required test cases
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* small nits
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* correcting tests
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* add permissions for Kyverno deployment update (#2830)
* add permissions for Kyverno deployment update
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove quotes
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Ensure Helm chart networkpolicy is valid by default (#2827)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: shuting <shutting06@gmail.com>
* adding support for Cosign key-value annotations (#2824)
* adding annotation check
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* adding tests
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* updating manifests
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* changing map val type to string form interface{}
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* passing args to opts
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Update labels to fetch cluster role (#2842)
* Test publishing dev-test images (#2848)
* publish dev-* images
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add LD_FLAGS_DEV
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add IMAGE_TAG_LATEST_DEV
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove test statement
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add SelectorLabel to (Cluster)PolicyReporter resources (#2841)
Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Kyverno CLI test default manifest should use a less generic name (#2715)
* Kyverno CLI test default manifest should use a less generic name
* fix Note
Co-authored-by: shuting <shutting06@gmail.com>
* truncate custom jmespath function (#2836)
* [feature] custom jmespath truncate function
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
* formatting
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
* simplify naming a bit
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Fix typos (#2860)
* fix typo in README
Signed-off-by: Kushal Beniwal <kbeniwal2305@gmail.com>
* fix typo in CODE_OF_CONDUCT
Signed-off-by: Kushal Beniwal <kbeniwal2305@gmail.com>
* fix typo in CONTRIBUTING
Signed-off-by: Kushal Beniwal <kbeniwal2305@gmail.com>
* fix typo in comment
Signed-off-by: Kushal Beniwal <kbeniwal2305@gmail.com>
* fix typo in comment
Signed-off-by: Kushal Beniwal <kbeniwal2305@gmail.com>
* added support for --git-branch flag and directory in git path for kyverno test cmd (#2763)
* added support for --git-branch flag and directory in git path for kyverno test cmd
Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>
* added cli tests
Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>
* replaced hard-coded Makefile test-cmd branch names with var GIT_BRANCH
Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>
* moved `test-cmd` job from Makefile to github workflow
Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>
* added `release*` branch to `e2e` workflow
Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
* jmespath truncate - handle negative input value (#2856)
Signed-off-by: Danny Kulchinsky <dkulchinsky@fastly.com>
* added priorityClassName to helm values.yaml (#2855)
Signed-off-by: Franz Nemeth <franz.nemeth@fnemeth.net>
Co-authored-by: shuting <shutting06@gmail.com>
* Increase Kyverno memory request and limit (#2862)
* bump memory request and limit
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove quotes
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove app.kubernetes.io/managed-by label from crds (#2852)
* remove app.kubernetes.io/managed-by label from crds
Signed-off-by: Franz Nemeth <franz.nemeth@fnemeth.net>
* removed app.kubernetes.io/manged-by from config/bundle/labels.yaml
Signed-off-by: Franz Nemeth <franz.nemeth@fnemeth.net>
* removed internal.config.kubernetes.io/index in crds.yaml
Signed-off-by: Franz Nemeth <franz.nemeth@fnemeth.net>
* Fix foreach jmespath issue (#2867)
* add `semver_compare` JMESPath function (#2846)
* add semver_compare JMESPath function
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* adding tests for semver_compare
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* enabling version compaision via regular operators
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* adding tests for version compaision via regular operators
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* removing unnecessary switch cases
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Fix foreach precondition isssue (#2871)
* fix report permissions (#2874)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* 2460: Add wildcard support for match label selector (#2832)
* add wildcard support for match label selector
* fix comment
* update cluster role label
* fix comment
* fix comment
* add support for key label selector
* update method name
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
* feat(validation): support for ephemeral containers (#2875)
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* Added validation for Condition Operators (#2864)
* Added validation for Condition Operators
Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>
* Updated description of `Condition.Operator` with all current valid condition operators`
Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>
* Added `ConditionOperators` map and updated existing `ConditionOperator` type references
Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>
* Rules length check (#2884)
* len check
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* explicitly adding RuleStatusSkip
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* added log message
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
* don't generate policy report on managed pod/job (#2889)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix buildversion for local build (#2887)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Don't create ReportChangeRequest on managed pods/jobs deletion (#2890)
* don't generate policy report on managed pod/job
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - don't generate rcr for managed pods/jobs; - add debug info
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address linter issues
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* Updated the list of adopters (#2828)
* improved the contributing guidelines.
Signed-off-by: Anita-ihuman <charlesanita403@gmail.com>
* added more adopters and the success stories
Signed-off-by: Anita-ihuman <charlesanita403@gmail.com>
* updating maintainers.md file
Signed-off-by: Anita-ihuman <charlesanita403@gmail.com>
* keyless signing kyverno images with digest (#2896)
* signing with digest
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* keyless signing
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* adding annotations
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* keyless image signing with digest in release workflow
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* Extend new operators (#2788)
* extending new operators
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* Changes in file names
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* tests added
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* removed print statements
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* Changes to reduce code redundancy
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* Minor corrections in anyin and allin
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* added correction for anynotin and allnotin
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* updates for foreach and mutate (#2891)
* updates for foreach and mutate
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* allow tests to pass on Windows
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix linter check
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add elementIndex variable
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix jsonResult usage
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add mutate validation and fix error in validate.foreach
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* do not skip validation for all array entries when one is skipped
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add foreach tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix format errors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* remove unused declarations
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert namespaceWithLabelYaml
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix mutate of element list
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update CRDs
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Update api/kyverno/v1/policy_types.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/forceMutate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/mutation.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/validate/validate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update pkg/engine/validate/validate.go
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update test/cli/test/custom-functions/policy.yaml
Co-authored-by: Steven E. Harris <seh@panix.com>
* Update test/cli/test/foreach/policies.yaml
Co-authored-by: Steven E. Harris <seh@panix.com>
* accept review comments and format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add comments to strategicMergePatch buffer
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* load context and evaluate preconditions foreach element
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add test for foreach mutate context and precondition
* precondition testcase
* address review comments
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update message
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* format
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Steven E. Harris <seh@panix.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* Added report generation for verifyImage rules (#2782)
* Add report generation for verifyImage rules
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Add flag comment
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Mutation: handleDelete()
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Remove redundant delete
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Test validation failure
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Validation force rules test
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Default validation behaviour
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Manual rules
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Update Config Manager
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Move Delete check
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Improve endpoint check (#2902)
* improve endpoint checks
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update make target for the local build
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove debug log
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* added check for any/all (#2907)
* added check for any/all
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* minor corrections
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* fixing cosign command (#2915)
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* Manage affinity with Helm values (#2900)
Signed-off-by: Frank Jogeleit <frank.jogeleit@lovoo.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Fix TLS inconsitency in HA (#2910)
* Fix TLS inconsitency in HA
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Add error checks
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Remove rendundant err definitions
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Handle all Secret errors
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* fix in image workflow (#2921)
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* removing docker buildx (#2922)
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* removing spaces (#2923)
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* adding permissions in jobs (#2924)
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* adds ephemeralContainers to the image variable (#2662)
* adds ephemeralContainers to the image variable
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixes unit tests
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Corrected the value of `INIT_CONFIG` env in deployment (#2927)
Signed-off-by: Abhinav Sinha <zeborg3@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Fix condition for rolling update (#2930)
* ValidCert Secret Annotation Check (#2933)
* Annotation check for Secrets
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Fix inconsistent errors
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Fix linting error
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Fix the PR template checkboxes to render empty instead of brackets (#2942)
The current PR template doesn't render the checkboxes by default as unticked and instead as square brackets. This change
allows contributors to use the rendered UI to check boxes instead of manually fixing markdown.
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Fix: CI job to release images (#2929)
* making required changes in images workflow
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
* making required changes in release workflow
Signed-off-by: Namanl2001 <namanlakhwani@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Add parse_json function the decode json strings (#2941)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Added TLS annotation check in the initContainer (#2956)
* Added TLS annotation check in the initContainer
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Error checks
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Refactor annotation addition code
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Strict error reporting
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Error handling for Secrets
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Updated error conditions
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Update for nil error
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Remove spurious prints and fix line endings (#2963)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* kyverno/test: print test summary of kyverno test results (#2944)
Signed-off-by: sloorush <aarush.bhatt@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* check for issuer and subject only when declared in policy. fix log levels (#2973)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* feat: pin dependencies in gh actions (#2952)
Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* move guidelines up (#2976)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* chore: bump golang to 1.7.6 in dockerfiles (#2968)
Signed-off-by: Michael McLeroy <michaelmcleroy@cloudfitsoftware.com>
Co-authored-by: Michael McLeroy <michaelmcleroy@cloudfitsoftware.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Renamed test.yaml to kyverno-test.yaml (#2898)
Signed-off-by: 4molybdenum2 <tathagatapaul7@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* handle CRDs with no props (#2975)
* handle CRDs with no props
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Fix autogen issue with cronjob generator and foreach pod generator (#2989)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add arm64 goarch to go releaser (#2991)
Signed-off-by: Roee Landesman <roee.landesman@gmail.com>
* Add github token permissions to improve ossf scorecard (#2992)
* Fix autogen issue with cronjob generator and foreach pod generator (#2989)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Signed-off-by: Roee Landesman <roee.landesman@gmail.com>
* Add baseline read-all permissions
Signed-off-by: Roee Landesman <roee.landesman@gmail.com>
* remove extra read-all
Signed-off-by: Roee Landesman <roee.landesman@gmail.com>
* Add arm64 goarch to go releaser (#2991)
Signed-off-by: Roee Landesman <roee.landesman@gmail.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
* add top level permissions to remaining github workflows (#2995)
Signed-off-by: Roee Landesman <roee.landesman@gmail.com>
* Fix variable substitution for foreach preconditions (#2993)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Add image data to validate image configs (#2946)
* Add image data to validate image configs
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add tests for image context
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add e2e test cases for image size policy
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* cherry-pick #2980 (#3001)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Add a parse_yaml function (#2999)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Add CODEOWNER (#3011)
* Add CODEOWNER
* update codeowner file
* update file
* Support mutation of variables in validate.deny (#2947)
* Support mutation of variables in validate.deny
* remove comment
* fix e2e test
* Added Mac ARM64 build to Krew config (#3002)
Signed-off-by: Marcus Noble <github@marcusnoble.co.uk>
* Add samj1912 to codeowners (#3015)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Remove resourceCache from engine (#3013)
* update log messages
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove resourceCache from the background controller when:
- register resource scope
- list resources per namespace
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* - use client call for configmap lookup;
- remove resourceCache from policy controller, webhook server and generate controller
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix(generate): use JSON patch for GenerateRequests status updates (#3000)
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Added Kyverno specific SharedInformerFactory (#2987)
* Added Kyverno specific SharedInformerFactory
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Replace ToUnstructured()
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Add GVK to returned resource
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
* clean up managed resources when cannot find kyverno deployment (#3018)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
* refactoring github actions to remove duplication and enhancement for versioned sbom's (#2979)
* initial commit
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* adding docker-buildx-builder to makefile
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* reverting git describe in makefile
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* uploading sbom for each kyverno image
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* small nits
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* scanning image before pushing and removed cosign.pub
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* CLI fix for foreach policies (#2997)
* CLI fix for foreach policies
* add test-case for foreach container and initcontainer
* fix comments
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Support `namespaceSelector` with dynamic webhook enabled (#2953)
* Support `namespaceSelector` with dynamic webhook enabled
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Implemented suggested changes
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Implemented suggest changes
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Fixed error handling for negation anchors (#2986)
* Fixed error handling for negation anchors
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* Fix permissions for image publish workflows (#3021)
All of the jobs in this workflow use the same set of permissions and this workflow is only run on pushes to master. Adding the appropriate permissions to read repository contents, publish packages and ID token for cosign.
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* fixing bildx version (#3023)
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* SharedInformers for WebhookConfigurations (#3007)
* SharedInformers for WebhookConfigurations
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Add GVK to typed resources
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Remove ToUnstructured()
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Remove default informers from Resource Cache
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Formatted files
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* list resources once per policy in the background reconcilliation (#3026)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix deployment replica type conversion and refactor webhook logs (#3022)
- add level in info webhook configuration update success logs
- fix deployment replica count conversion issue
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* Disable autogen for policies without Pod (#2737)
* Disable autogen for policies without Pod
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Fix autogen check
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Fix failing test
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Fix webhook tests
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Remove redundant checks
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Check autogen for exclude block
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Fix: namespace quota policy failed to be applied for two resources named ResourceQuota with different APIVersions (#2612)
Signed-off-by: Shaohui Liu <liushaohui@xiaomi.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* Broken exclude any all (#2990)
* added check for any/all
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* minor corrections
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* corrected return check for rbac info
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
* added cli test
Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* clarify naming patterns for Kyverno ClusterRoles/ClusterRoleBindings (#3029)
* clarify naming patterns for Kyverno ClusterRoles/ClusterRoleBindings (#3032)
* fix comment
* fix comment
* Reduce throttling requests for Kyverno managed resources (#3016)
* remove resoureCache from the event controller
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* create rcr using typed client to reduce PUT throttling request
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Update division for same units (#3038)
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Namespace Specific ValidationFailureAction (#2794)
* Implement ValidationFailureActionOverride
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Update CRDs
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Update getEnforceFailureErrorMsg()
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Allow validate policies to be checked
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Fix linting issues
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Added tests for ValidationFailureActionOverrides
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Added schema validation
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Added description for ValidationFailureActionOverrides
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Policy validation
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Update CRDs
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Replace literals with constants
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Updated Policy Cache
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
* Refactor
Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Reduce throttling requests for Kyverno resources (#3042)
* remove resoureCache from the event controller
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* create rcr using typed client to reduce PUT throttling request
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* use typed client for report/rcr operations
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* clarify naming patterns for Kyverno ClusterRoles/ClusterRoleBindings (#3029)
* clarify naming patterns for Kyverno ClusterRoles/ClusterRoleBindings (#3032)
* fix comment
* fix comment
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* Fix dynamic webhook for namespace policies (#3044)
* fix dynamic webhook for namespace policies
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* improve policy listing to reduce duplicate processing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update logger
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* bumps k8s libraries for k8s v1.23 upgrade for kyverno (#3043)
* bumps k8s libraries for k8s v1.23 upgrade for kyverno
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixes kustomize version
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* updates golang to v1.17 to test fails
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* updates logr package to 1.2.2
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* Fixed tests for `pkg/cosign` and `pkg/webhooks/generation`
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* fix go-logr deps version issue
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* fix kube-openapi commit hash
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: prateekpandey14 <prateekpandey14@gmail.com>
* Bump go version from `1.16` to `1.17` (#3048)
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* fix mutate preprocessing for anchors (#3052)
* fix mutate preprocessing for anchors
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
* Fix documentation for helm charts (#3056)
Signed-off-by: 4molybdenum2 <tathagatapaul7@gmail.com>
* update workflow configurations to fix CI failure (#3060)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix mutating ownerReferenecs (#3061)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Fix CLI test/apply when any/all use namespaceSelector (#3050)
* Fix CLI test/apply when any/all use namespaceSelector
Fixes #3047
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* gofmt fix
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* apply patches cumulatively (#3083)
* apply patches cumulatively
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle skipped rules
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add test files
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Add KYVERNO_DEPLOYMENT to initContainer (#3086)
Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
* Updates Changelog to add note for anyPattern issue due to k8s v1.23 (#3045)
* adds notes for anyPattern issue due to k8s v1.23
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* updates changelog
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* updates changelog for any/all
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* Update CHANGELOG.md
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
* Support registry keychain from cloud providers (#3036)
* Enable cloud provider registry keychains
It's desirable that Kyverno supports using workload identity and other
cloud provider metadata services for registry credentials.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Always initialize registry keychain
This supports using docker configuration on disk and credentials from
cloud providers without having to specify image pull secrets.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Get pull secrets from kyverno service account
It was previously using 'default'. I think it makes more sense to use
the service account that Kyverno actually runs with.
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't split empty pull secrets list
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Add KYVERNO_SVC_ACCOUNT to config manifests
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Don't retrieve secrets from service account
Signed-off-by: Rob Best <robertbest89@gmail.com>
* Reduce scope of keychain changes
Just enable cloud provider keychains.
Signed-off-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Fix memory leak when updating ggcr keychain (#3088)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* fix: typo Cluter to Cluster (#3092)
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
* Fix the kyverno default keychain value to be the ggcr default keychain (#3096)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add b/w compat support for K8s version 1.20 and below for Kyverno 1.6 (#3100)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* update cosign to 1.5.0 and fix issuer and subject for keyless (#3089)
* update cosign to 1.5.0 and add checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix subject and issuer checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fixing and adding tests (#3112)
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
* improve antiAffinity and add podAffinity and nodeAffinity for kyverno helm chart (#3067)
* add nodeAffinity for kyverno helm chart
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* quite better and more open solution for affinity in helm chart. it assist all kinds of other affinitys
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* fix typo in parameter
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* make affinity selection easier - return to antiAffinity for less change
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* return to antiAffinity to make change easier
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* add documentation for new values and helm functions
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* simplified again the use of new affinities. Dont need to extra enable if
you insert affinities
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* fix "if" of the affinity block
Co-authored-by: treydock <treydock@gmail.com>
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* Now finaly renamed values to avoid braking change; adjust readme for the
parameter names
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* alphabetic order readme
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
Co-authored-by: Kevin Welter <kevin.welter@digital-nx.com>
Co-authored-by: treydock <treydock@gmail.com>
* Add cloud provider keychains to DefaultKeychain (#3116)
Removes the need to specify an image pull secret to make use of cloud
provider credentials. As I understand it, this should be fine outside of
cloud provider contexts.
As part of this, I've switched to using authn/kubernetes, which I believe
is preferable to k8schain.
Signed-off-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Fix parsing of resources in preconditions (#3108)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Fix variable substitution when curly braces are used in jmespath (#3133)
* Fix variable substitution when inline jmespath objects are defined
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add additional test cases which use brackets
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Fixed kyverno panic at JMESPath zero division (#3137)
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Relax rule context validation to follow JMESPath grammar (#3129)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Fix kyverno panic with `PodSpec.containers` JSON merge patch w/o image (#3143)
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* fix filtered and sort patches index (#3146)
added missing start index value for the
patches slice
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* add missing patch verbs in event clusterrole (#3151)
As part of tighten and clarify Kyverno roles and
permissions, PR #2799 we missed to update the charts
templates events clusterroles.
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* Add sam (#3155)
* add Sam as a maintainer
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update maintainers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* address comments
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fixed link
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Update dev image tag in Make targets (#3159)
* - update dev images tag; - update chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update to use dev tag when setting up e2e tests infra
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* default chart test image tag for busybox to latest
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* set image tag to latest for chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* correct tag
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove test tag in e2e.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* bump chart versions (#3160)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Bump up verbosity for `patched resource mismatch` (#3127)
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* Fix panic for provides a set to the key of a precondition and deny condition (#3162)
* Filter kyverno resources instead of entire kyverno namespace (#3170)
Signed-off-by: Abhinav Sinha <abhinav@nirmata.com>
* test-cases for wildcard match label selector (#3165)
* Add a kyverno jp command to test jmespath expressions (#3169)
* Add a kyverno jp command to test jmespath expressions
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Auto-generate custom function docs
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Update kyverno-policies chart with latest pod-security policies (#3126)
* Update kyverno-policies chart with latest pod-security policies
Fixes #3063
Fixes #2277
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README to have better example
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use chart testing during e2e to test against ci values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix e2e tests for Helm chart
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix Kyverno chart testing to actually test values, and fix networkpolicy template
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README for exclusion
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Allow adding 'other' policies via Helm
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update Chart.yaml for kyverno-policies
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Bump minimum Kubernetes version in charts
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update kyverno-policies chart readme
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases (part 2)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use same logic to get git tag by using Makefile target for updating Helm values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
* Fix unused tagTest in helm chart tests (#3174)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Indentation fix (#3179)
Removed unnecessary indentation on line 107 to avoid confusion.
* feat: fix app version in NOTES.txt (#3189)
Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
* Allow setting validationFailureActionOverrides for policies (#3201)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* fixing bug to handle two different types of rules (#2954)
* fixing bug for the info variable
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* Added e2e test for JSON patch mutate policy (#2966)
* Adds e2e test for JSON patch mutate policy
Signed-off-by: afzal442 <afzal442@gmail.com>
* modifies the config to use the optimal version of that policy
Signed-off-by: afzal442 <afzal442@gmail.com>
* Fixes the lint issuue
Signed-off-by: afzal442 <afzal442@gmail.com>
* modifies test to pass
Signed-off-by: afzal442 <afzal442@gmail.com>
* adds changes to resources
Signed-off-by: afzal442 <afzal442@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* add prateekpandey14 to codeowners (#3205)
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* Issue forms and PR template adjustment (#3213)
* add cherry pick requirement
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* adopt github issue forms
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
* update dependencies (#3221)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Fix keyless attest (#3219)
* allow root cert for keyless attestations checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add logs and improve var names
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle err in sig loading
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
* feat: ha mode support in helm chart (#3207)
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
Co-authored-by: @necatican @f9n
Signed-off-by: Emin Aktas <eminaktas34@gmail.com>
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
* Fix image parsing for image referenced as digests (#3196)
* fixes image break with sha256
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
* fixes priority to digest
Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* Remove abstraction that doesn't work anyway (#3209)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: Trey Dockendorf <tdockendorf@osc.edu>
* add aggregated role for generaterequest (#3240)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Sync latest changes to release/install.yaml (#3239)
* sync latest changes to release/install.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* bump chart versions
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* Skip updating webhook configs if namespaceSelector is nil (#3237)
* skip updating webhook configs if namespaceSelector is nil
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address comments
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address comment for mutating webhook
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address comments
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update logs
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add helm pre-delete hook which deletes all the webhooks (#3148)
* add helm pre-delete hook for graceful uninstallation of webhooks
Signed-off-by: rahulii <r.sawra@gmail.com>
* remove white spaces
Signed-off-by: rahulii <r.sawra@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* Bug fix: negation of string kernel version caused Cluster Policy to fail (#3229)
* fixed bug where negation of kernel version caused cpolr to fail
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* small fix in function validateString
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Added necessary tests
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Added one more test
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Add more tests and added a policy to the test folder
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* added policy for test cli
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Fix old object validation check (#3248)
* fix validation check on UPDATE
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* prevent policy bypass using preconditions
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* separate replace
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add error handling
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Add openssf badge (#3246)
* add openssf badge
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* retrigger CI tests
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Sambhav Kothari <skothari44@bloomberg.net>
* Improve E2E test CI timings (#3250)
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Fix policy report OwnerReference (#3249)
* add namespaces/finalizers to clusterrole kyverno:generate
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* set policy report's owner to Kyverno namespace
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address comments
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* address comments
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove BlockOwnerDeletion
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove namespaces/finalizers permission
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* Fix foreach validations precondition issue (#3228)
* fix foreach validations precondition issue
* added test-cases
* fix mutate wildcard issue (#3193)
Co-authored-by: shuting <shuting@nirmata.com>
* Add .DS_store to gitignore (#3255)
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Sambhav Kothari <skothari44@bloomberg.net>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Clean up commented out lines of code (#3263)
Signed-off-by: Abhishek Choudhary <shreemaan.abhishek@gmail.com>
* Added `kyverno test` subcommand for test manifest file (#3264)
* Adds `kyverno test` subcommand for test manifest file
Signed-off-by: afzal442 <afzal442@gmail.com>
Adds sub cmd
Signed-off-by: afzal442 <afzal442@gmail.com>
Adds usage
Signed-off-by: afzal442 <afzal442@gmail.com>
* Refactors the help command
Signed-off-by: afzal442 <afzal442@gmail.com>
Refactors help cmd
Signed-off-by: afzal442 <afzal442@gmail.com>
* Modifies manifest desc and removes the unused test manifest
Signed-off-by: afzal442 <afzal442@gmail.com>
Adds changes
Signed-off-by: afzal442 <afzal442@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
* Fix Helm releasing to preserve creation timestamps (#3268)
* Modify capabilities for compatibility with Pod Security (#3274)
Kyverno manifests are incompatible with the restricted Pod Security
Standards included with Kubernetes 1.22 and 1.23 because the Pod
Security admission controller looks for "ALL" in securityContext.capabilities.drop,
but does not accept "all".
https://github.com/kubernetes/pod-security-admission/blob/1b741f89aa417a489aa68ec2d0cc65eeca8dff80/policy/check_capabilities_restricted.go#L88
Signed-off-by: Ryan White <ryan@alzabo.io>
* Fix label mutation while updating the secret (#3273)
* Fix label mutation while updating the secret
* Update util.go
* fix converter issue
* code indentation
* feat: add linux/s390x builds (#3277)
Signed-off-by: skuethe <56306041+skuethe@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
* update trivy scanning (#3284)
Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com>
Co-authored-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com>
Co-authored-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Steven E. Harris <seh@panix.com>
Co-authored-by: Jose Armesto <github@armesto.net>
Co-authored-by: vivek kumar sahu <vivekkumarsahu650@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Shubham Palriwala <spalriwalau@gmail.com>
Co-authored-by: Igor Urazov <z0rc@users.noreply.github.com>
Co-authored-by: Sebastian Widmer <widmer.sebastian@gmail.com>
Co-authored-by: Anita-ihuman <62384659+Anita-ihuman@users.noreply.github.com>
Co-authored-by: Tobias Brunner <tobias@tobru.ch>
Co-authored-by: Bricktop <marcel.mueller1@rwth-aachen.de>
Co-authored-by: Danny__Wei <11975786+Danny-Wei@users.noreply.github.com>
Co-authored-by: weiwei.danny <weiwei.danny@bytedance.com>
Co-authored-by: Joel Kamp <2976326+mrjoelkamp@users.noreply.github.com>
Co-authored-by: Sebastian Widmer <sebastian.widmer@vshn.net>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
Co-authored-by: Naman Lakhwani <namanlakhwani@gmail.com>
Co-authored-by: treydock <tdockendorf@osc.edu>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: Frank Jogeleit <frank.jogeleit@web.de>
Co-authored-by: Danny Kulchinsky <61992380+dkulchinsky@users.noreply.github.com>
Co-authored-by: Kushal Beniwal <kbeniwal2305@gmail.com>
Co-authored-by: Abhinav Sinha <37282098+zeborg@users.noreply.github.com>
Co-authored-by: Franz Nemeth <franznemeth@users.noreply.github.com>
Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Aarush Bhat <aarush.bhatt@gmail.com>
Co-authored-by: Boojapho <Boojapho@users.noreply.github.com>
Co-authored-by: Michael McLeroy <michaelmcleroy@cloudfitsoftware.com>
Co-authored-by: Tathagata Paul <tathagatapaul7@gmail.com>
Co-authored-by: Roee Landesman <roee.landesman@gmail.com>
Co-authored-by: Marcus Noble <AverageMarcus@users.noreply.github.com>
Co-authored-by: Liu Shaohui <liushaohui@xiaomi.com>
Co-authored-by: Abhinav Sinha <abhinav@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
Co-authored-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Kevin Welter <39271501+welterk@users.noreply.github.com>
Co-authored-by: Kevin Welter <kevin.welter@digital-nx.com>
Co-authored-by: treydock <treydock@gmail.com>
Co-authored-by: Ramanand Thakur <80584888+ramanand-rv@users.noreply.github.com>
Co-authored-by: Erkan Zileli <erkan.zileli@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
Co-authored-by: Afzal Ansari <afzal442@gmail.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Yasin Taha Erol <yasintahaerol@gmail.com>
Co-authored-by: Adam Kosmin <windowsrefund@users.noreply.github.com>
Co-authored-by: Rahul Sawra <r.sawra@gmail.com>
Co-authored-by: Sambhav Kothari <skothari44@bloomberg.net>
Co-authored-by: Abhishek Choudhary <shreemaan.abhishek@gmail.com>
Co-authored-by: Ryan White <4404175+alzabo@users.noreply.github.com>
Co-authored-by: skuethe <56306041+skuethe@users.noreply.github.com>
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related issue
closes #2571
resolve #2813
Milestone of this PR
/milestone 1.6.0
What type of PR is this
/kind cleanup
Proposed Changes
Added this segment in new operators to deal with wildcard values in key and value
Proof Manifests
To test use the pod.yaml
when the policy pol.yaml
is applied the request is denied
Checklist
Further Comments
I didn't add this in the old operators
InandNotInas these are deprecated.