kyverno
diff --git a/‎.github/workflows/check-links.yaml‎
Lines changed: 36 additions & 22 deletions b/‎.github/workflows/check-links.yaml‎
Lines changed: 36 additions & 22 deletions
diff --git a/‎.lycheeignore‎
Lines changed: 0 additions & 1 deletion b/‎.lycheeignore‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 16 additions & 0 deletions b/‎README.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎config/_default/hugo.toml‎
Lines changed: 2 additions & 2 deletions b/‎config/_default/hugo.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎config/_default/markup.toml‎
Lines changed: 6 additions & 0 deletions b/‎config/_default/markup.toml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎config/_default/menus/menu.en.toml‎
Lines changed: 1 addition & 1 deletion b/‎config/_default/menus/menu.en.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎config/_default/params.toml‎
Lines changed: 1 addition & 1 deletion b/‎config/_default/params.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎content/en/_index.md‎
Lines changed: 4 additions & 4 deletions b/‎content/en/_index.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎content/en/blog/general/2023-security-audit/index.md‎
Lines changed: 10 additions & 8 deletions b/‎content/en/blog/general/2023-security-audit/index.md‎
Lines changed: 10 additions & 8 deletions
diff --git a/‎content/en/blog/general/CVE-2022-47633/index.md‎
Lines changed: 1 addition & 1 deletion b/‎content/en/blog/general/CVE-2022-47633/index.md‎
Lines changed: 1 addition & 1 deletion
@@ -11,36 +11,50 @@ jobs:
   linkChecker:
     runs-on: ubuntu-latest
     steps:
-      - name: Waiting for Netlify Preview
-        uses: jakepartusch/wait-for-netlify-action@f1e137043864b9ab9034ae3a5adc1c108e3f1a48 # v1.4
-        id: wait-for-netflify-preview
-        with:
-          site_name: kyverno
-          max_timeout: 120
-
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 
-      - name: Setup Hugo
-        uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
-        with:
-          hugo-version: latest
-          extended: true
-  
-      - name: Install site dependencies
-        run: npm install --save-dev autoprefixer && npm install --save-dev postcss-cli && npm install -D postcss
-
-      - name: Build site with Hugo
-        run: hugo --minify -b ${{ steps.wait-for-netflify-preview.outputs.url }}
-
-      - name: Link Checker
-        id: lychee
+      - name: Check unrendered links
+        id: lychee_unrendered
         uses: lycheeverse/lychee-action@c053181aa0c3d17606addfe97a9075a32723548a # v1.9.3
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
         with:
           fail: true
           debug: false
-          args: --no-progress --github-token ${{secrets.GITHUB_TOKEN}} -c lychee.toml -E public
+          args: --no-progress --include-fragments --github-token ${{secrets.GITHUB_TOKEN}} -c lychee.toml -E content/
+
+      # Deactivated. The --include-fragments flag is causing failures because rendered links
+      # have a trailing '#' which is probably a result of the link style change plus the new
+      # custom link renderer in layouts/_default/_markup_render-link.html.
+
+      # - name: Setup Hugo
+      #   uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d # v2.6.0
+      #   with:
+      #     hugo-version: latest
+      #     extended: true
+
+      # - name: Waiting for Netlify Preview
+      #   uses: jakepartusch/wait-for-netlify-action@f1e137043864b9ab9034ae3a5adc1c108e3f1a48 # v1.4
+      #   id: wait-for-netflify-preview
+      #   with:
+      #     site_name: kyverno
+      #     max_timeout: 120
+
+      # - name: Install site dependencies
+      #   run: npm install --save-dev autoprefixer && npm install --save-dev postcss-cli && npm install -D postcss
+
+      # - name: Build site with Hugo
+      #   run: hugo --minify -b ${{ steps.wait-for-netflify-preview.outputs.url }}
+
+      # - name: Check rendered links
+      #   id: lychee_rendered
+      #   uses: lycheeverse/lychee-action@c053181aa0c3d17606addfe97a9075a32723548a # v1.9.3
+      #   env:
+      #     GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      #   with:
+      #     fail: true
+      #     debug: false
+      #     args: --no-progress --include-fragments --github-token ${{secrets.GITHUB_TOKEN}} -c lychee.toml -E public
 
       # - name: Create Issue From File
       #   if: steps.lychee.outputs.exit_code != 0
 
@@ -3,4 +3,3 @@ http://sodipodi.sourceforge.net*
 http://purl.org*
 https://github.com/kyverno/policies/openshift/
 gcpkms://*
-https://nirmata.com/*
@@ -71,6 +71,22 @@ Active voice is preferred in most writing examples. Ex., "this ClusterPolicy mut
 
 * We standardize on use of the Oxford comma.
 
+### Links
+
+In order to ensure that broken link detection works optimally as well as providing a way for users to find linked content when viewing the raw Markdown files on GitHub, links should be made using **relative paths to files** and not relative rendered paths. Following this method ensures not only pages can be found but anchor links are still valid.
+
+This is a good link:
+
+```
+[some link text](foo.md#my-anchor)
+```
+
+This is a bad link:
+
+```
+[some link text](/docs/foo/#my-anchor)
+```
+
 ## Documentation Versioning
 
 The Kyverno website now uses releases to organize documentation by the specified release making it easier for users to find the information that pertains to their version. Releases are defined by branches of kyverno/website and a combination of exposing them in the website configuration and modifying hosting parameters.
 
@@ -21,7 +21,7 @@ disableKinds = ["taxonomy"]
 
 ignoreFiles = [ "^OWNERS$", "README[-]+[a-z]*\\.md", "^node_modules$"]
 
-timeout = 3000
+timeout = "30s"
 
 # Norwegian ("no") is sometimes but not currently used for testing.
 # Hindi is disabled because it's currently in development.
@@ -38,7 +38,7 @@ blog = "/:section/:year/:month/:day/:slug/"
 [imaging]
 resampleFilter = "CatmullRom"
 quality = 75
-anchor = "smart"
+anchor = "Smart"
 
 # First one is picked as the Twitter card image if not set on page.
 # images = ["images/project-illustration.png"]
 
@@ -2,6 +2,12 @@
 [goldmark]
   [goldmark.renderer]
     unsafe = true
+  [goldmark.renderHooks]
+    [goldmark.renderHooks.link]
+      enableDefault = true
+    # [goldmark.renderHooks.image]
+    #   enableDefault = true
+
 [highlight]
   # See a complete list of available styles at https://xyproto.github.io/splash/docs/all.html
   style = "tango"
 
@@ -3,7 +3,7 @@
 [[main]]
   name = "About"
   weight = -103
-  url = "#td-block-1"
+  url = "#kyverno-is-a-policy-engine-designed-for-kubernetes"
 
 [[main]]
   name = "Documentation"
 
@@ -97,7 +97,7 @@ footer_about_disable = false
 enable = true
 
 # The responses that the user sees after clicking "yes" (the page was helpful) or "no" (the page was not helpful).
-yes = 'Glad to hear it! Please <a href="https://github.com/kyverno/kyverno/issues/new">tell us how we can improve</a>.'
+yes = 'Glad to hear it! Please <a href="https://github.com/kyverno/website/issues/new/choose">tell us how we can improve</a>.'
 no = 'Sorry to hear that. Please <a href="https://github.com/kyverno/website/issues/new/choose">tell us how we can improve</a>.'
 
 # Adds a reading time to the top of each doc.
 
@@ -7,14 +7,14 @@ linkTitle = "Kyverno"
 # Kubernetes Native Policy Management { class="text-center" }
 
 <div class="mt-5 mx-auto">
-	<a class="btn btn-lg btn-primary mr-3 mb-4" href="#td-block-1">
+	<a class="btn btn-lg btn-primary mr-3 mb-4" href="#kyverno-is-a-policy-engine-designed-for-kubernetes">
 		Learn More <i class="fa fa-chalkboard-teacher ml-2"></i>
 	</a>
-	<a class="btn btn-lg btn-secondary mr-3 mb-4" href="/docs/introduction/#quick-start">
+	<a class="btn btn-lg btn-secondary mr-3 mb-4" href="docs/introduction/#quick-start-guides">
 		Get Started <i class="fa fa-arrow-alt-circle-right ml-2 "></i>
 	  </a>
 
-  <a class="btn btn-link text-info" href="#td-block-1" aria-label="Read more"><i class="fa fa-chevron-circle-down" style="font-size: 400%"></i></a>
+  <a class="btn btn-link text-info" href="#kyverno-is-a-policy-engine-designed-for-kubernetes" aria-label="Read more"><i class="fa fa-chevron-circle-down" style="font-size: 400%"></i></a>
 
 </div>
 {{< /blocks/cover >}}
@@ -37,7 +37,7 @@ Kyverno policies can **validate, mutate, generate, and cleanup** Kubernetes reso
 The Kyverno CLI can be used to test policies and validate resources as part of a **CI/CD pipeline**.
 
 <div class="mt-5 mx-auto">
-	<a class="btn btn-lg btn-primary mr-3 mb-4" href="/docs/introduction/">
+	<a class="btn btn-lg btn-primary mr-3 mb-4" href="docs/introduction/">
 		Documentation <i class="fa fa-book ml-2"></i>
 	</a>
 	<a class="btn btn-lg btn-secondary mr-3 mb-4" href="/policies/">
 
@@ -8,18 +8,19 @@ description: "Presenting the results from the Kyverno security audit"
 The Kyverno project is pleased to announce the completion of its third-party security audit. The audit was conducted by [Ada Logics](https://adalogics.com) in collaboration with the Kyverno maintainers, the [Open Source Technology Improvement Fund](https://ostif.org) and was funded by the [Cloud Native Computing Foundation](https://www.cncf.io).
 
 The audit was a holistic security audit with four goals:
+
 1. Define a formal threat model for Kyverno.
 2. Conduct a manual code audit for security vulnerabilities.
-3. Assess Kyverno’s fuzzing suite against the threat model.
-4. Evaluate Kyvernos supply-chain risks against SLSA.
+3. Assess Kyverno's fuzzing suite against the threat model.
+4. Evaluate Kyverno's supply-chain risks against SLSA.
 
-Ada Logics found 10 security issues during the manual code auditing goal. Four of these had their root cause in the Notary verifier which had not been released prior to the audit. One of the findings was in a third-party dependency to Kyverno and was fixed by the Cosign project maintainers. 
+Ada Logics found 10 security issues during the manual code auditing goal. Four of these had their root cause in the Notary verifier which had not been released prior to the audit. One of the findings was in a third-party dependency to Kyverno and was fixed by the Cosign project maintainers.
 
-In total, 6 CVE’s were assigned during the audit for the following components:
+In total, 6 CVEs were assigned during the audit for the following components:
 
 | CVE ID | Vulnerable Kyverno Component | CVE Severity |
 | ------ | ---------------------------- | ------------ |
-| CVE-2023-42816 | Notary verifier | Moderate | 
+| CVE-2023-42816 | Notary verifier | Moderate |
 | CVE-2023-42815 | Notary verifier | Low |
 | CVE-2023-42813 | Notary verifier | Moderate |
 | CVE-2023-42814 | Notary verifier | Low |
@@ -28,13 +29,14 @@ In total, 6 CVE’s were assigned during the audit for the following components:
 
 Users consuming Kyverno from official releases have not been affected by the four CVE’s in the Notary verifier, since the Notary verifier has never been part of a public release, before Ada Logics reported the findings during the security audit. Only users building Kyverno from the main branch would be affected by these, however, building from main is highly discouraged.
 
-During the fuzzing goal of the audit, Ada Logics wrote three new fuzzers and added them to Kyvernos fuzzing suite; Earlier this year, Kyverno completed its dedicated fuzzing security audit during which Ada Logics integrated Kyverno into OSS-Fuzz and built a fuzzing suite focusing on hitting high-coverage entry points. During the current security audit, Ada Logics wrote two fuzzers specifically for policy enforcement that attempt to create admission requests that are able to bypass Kyverno policies. In addition, Ada Logics wrote a fuzzer for a third-party dependency that implements complex data processing routines. The two policy fuzzers did not find any possible policy bypasses; the fuzzer for the third-party dependency found two reliability bugs.
+During the fuzzing goal of the audit, Ada Logics wrote three new fuzzers and added them to Kyverno's fuzzing suite; Earlier this year, Kyverno completed its dedicated fuzzing security audit during which Ada Logics integrated Kyverno into OSS-Fuzz and built a fuzzing suite focusing on hitting high-coverage entry points. During the current security audit, Ada Logics wrote two fuzzers specifically for policy enforcement that attempt to create admission requests that are able to bypass Kyverno policies. In addition, Ada Logics wrote a fuzzer for a third-party dependency that implements complex data processing routines. The two policy fuzzers did not find any possible policy bypasses; the fuzzer for the third-party dependency found two reliability bugs.
 
-During the SLSA goal, the auditors found that Kyverno impressively complies with the highest possible SLSA score and thereby ensures tamper-proof artifacts to consumers. Kyverno adopts the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) which ensures SLSA level 3 compliance by generating verifiable provenance alongside releases on GitHub actions. Consumers can verify Kyvernos provenance by using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier).
+During the SLSA goal, the auditors found that Kyverno impressively complies with the highest possible SLSA score and thereby ensures tamper-proof artifacts to consumers. Kyverno adopts the [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) which ensures SLSA level 3 compliance by generating verifiable provenance alongside releases on GitHub actions. Consumers can verify Kyverno's provenance by using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier).
 
 The Kyverno maintainers have quickly addressed all issues found during the audit, with fixes incorporated in Kyverno v1.10.6 and v1.11.1. By prioritizing security work, the Kyverno team aims to provide a seamless and secure experience for consumers. Kyverno will continue to invest in robust security measures, staying ahead of potential threats and vulnerabilities.
 
 Security researchers interested in contributing to Kyverno can find information about getting started [here](https://github.com/kyverno/kyverno/blob/main/SECURITY.md) or [engage with the Kyverno community](https://kyverno.io/community).
 
 ## Links
-- [Audit report](https://github.com/kyverno/website/blob/main/content/en/blog/general/2023-security-audit/kyverno-2023-security-audit-report.pdf)
+
+- [Audit report (PDF)](kyverno-2023-security-audit-report.pdf)
@@ -28,7 +28,7 @@ Prior to the December 14th disclosure, Ben had been in contact with the Kyverno
 Checking image signatures is a good starting point but not a complete solution to securing the software supply chain. Additional policies should be used to:
 
 * Require that only trusted registries are used ([sample policy](/policies/best-practices/restrict_image_registries/restrict_image_registries/)).
-* Ensure attestations (i.e. signed metadata) are checked for provenance and other image attributes ([docs](/docs/writing-policies/verify-images/#verifying-image-attestations)).
+* Ensure attestations (i.e. signed metadata) are checked for provenance and other image attributes ([docs](../../../docs/writing-policies/verify-images/sigstore/_index.md#verifying-image-attestations)).
 
 Requiring trusted registries would prevent this attack, as users cannot use the malicious proxy or other untrusted registries.