Merge branch 'main' into gitpathissue
realshuting authored Aug 16, 2023
2 parents 784a36b + 7ea68ba commit f448f24
Showing 201 changed files with 7,663 additions and 1,068 deletions.
2 changes: 1 addition & 1 deletion .devcontainer/Dockerfile
@@ -1,4 +1,4 @@
FROM ubuntu:latest@sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508
FROM ubuntu:latest@sha256:ec050c32e4a6085b423d36ecd025c0d3ff00c38ab93a3d71a460ff1c44fa6d77

RUN apt-get update && apt-get install -y sudo git curl apt-transport-https ca-certificates gnupg-agent software-properties-common
ARG USERNAME=root
1 change: 1 addition & 0 deletions .github/ISSUE_TEMPLATE/bug-cli.yaml
@@ -38,6 +38,7 @@ body:
- 1.9.5
- 1.10.0
- 1.10.1
- 1.10.2
validations:
required: true
- type: textarea
1 change: 1 addition & 0 deletions .github/ISSUE_TEMPLATE/bug-other.yaml
@@ -37,6 +37,7 @@ body:
- 1.9.5
- 1.10.0
- 1.10.1
- 1.10.2
validations:
required: true
- type: textarea
4 changes: 3 additions & 1 deletion .github/ISSUE_TEMPLATE/bug-webhook.yaml
@@ -37,6 +37,7 @@ body:
- 1.9.5
- 1.10.0
- 1.10.1
- 1.10.2
validations:
required: true
- type: dropdown
@@ -53,6 +54,7 @@ body:
- 1.25.x
- 1.26.x
- 1.27.x
- 1.28.x
validations:
required: true
- type: dropdown
@@ -139,7 +141,7 @@ body:
This will be automatically formatted into code, so no need for backticks.
For help on how to view Pod logs in Kubernetes, see [here](https://kubernetes.io/docs/tasks/debug-application-cluster/debug-running-pod/#examine-pod-logs).
For guidance on how to enable more verbose log output in Kyverno, see [the documentation](https://kyverno.io/docs/troubleshooting/#policies-are-partially-applied).
render: shell
render: Shell
- type: input
id: slack
attributes:
70 changes: 70 additions & 0 deletions .github/workflows/conformance.yaml
@@ -53,6 +53,8 @@ jobs:
version: v1.26.6
- name: v1.27
version: v1.27.3
- name: v1.28
version: v1.28.0
tests:
- autogen
- background-only
@@ -107,6 +109,68 @@ jobs:
if: failure()
uses: ./.github/actions/kyverno-logs


# runs conformance test suites with configuration:
ttl:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
config:
- name: ttl
values:
- standard
- ttl
k8s-version:
- name: v1.24
version: v1.24.15
- name: v1.25
version: v1.25.11
- name: v1.26
version: v1.26.6
- name: v1.27
version: v1.27.3
- name: v1.28
version: v1.28.0
tests:
- ttl
needs: prepare-images
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup build env
uses: ./.github/actions/setup-build-env
with:
build-cache-key: run-conformance
- name: Create kind cluster
run: |
export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
make kind-create-cluster
- name: Download kyverno images archive
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
run: make kind-load-image-archive
- name: Install kyverno
run: |
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Test with kuttl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
--config ./test/conformance/kuttl/_config/common.yaml
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs

# runs conformance test suites with configuration:
force-failure-policy-ignore:
runs-on: ubuntu-latest
@@ -129,6 +193,8 @@ jobs:
version: v1.26.6
- name: v1.27
version: v1.27.3
- name: v1.28
version: v1.28.0
tests:
- force-failure-policy-ignore
- rbac
@@ -188,6 +254,8 @@ jobs:
version: v1.26.6
- name: v1.27
version: v1.27.3
- name: v1.28
version: v1.28.0
tests:
- rbac
needs: prepare-images
@@ -244,6 +312,8 @@ jobs:
version: v1.26.6
- name: v1.27
version: v1.27.3
- name: v1.28
version: v1.28.0
tests:
- argo
- aws
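Review bot: The header comment on the new `ttl` job, `# runs conformance test suites with configuration:`, ends in a colon but names no configuration, so it documents nothing; `# runs conformance test suites with configuration: standard + ttl` states what the `config.values` matrix entry below actually selects. The job also repeats the complete step list of the neighbouring conformance jobs, differing only in `config.values` and `tests`; if the existing matrix cannot absorb it, a one-line comment on why ttl needs a job of its own would save the next maintainer a side-by-side diff. The added block also starts with a blank line directly after the existing blank one, leaving two empty lines between jobs, which is a whitespace nit.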
12 changes: 6 additions & 6 deletions .github/workflows/images-publish.yaml
@@ -140,7 +140,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/kyverno
digest: "${{ needs.publish-images.outputs.kyverno-digest }}"
@@ -155,7 +155,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/kyvernopre
digest: "${{ needs.publish-images.outputs.kyverno-init-digest }}"
@@ -170,7 +170,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/background-controller
digest: "${{ needs.publish-images.outputs.background-controller-digest }}"
@@ -185,7 +185,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/cleanup-controller
digest: "${{ needs.publish-images.outputs.cleanup-controller-digest }}"
@@ -200,7 +200,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
digest: "${{ needs.publish-images.outputs.cli-digest }}"
@@ -215,7 +215,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/reports-controller
digest: "${{ needs.publish-images.outputs.reports-controller-digest }}"
2 changes: 1 addition & 1 deletion .github/workflows/lint.yaml
@@ -26,7 +26,7 @@ jobs:
with:
build-cache-key: lint
- name: golangci-lint
uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
with:
version: v1.52.2
skip-cache: true
14 changes: 7 additions & 7 deletions .github/workflows/release.yaml
@@ -135,7 +135,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/kyverno
digest: "${{ needs.release-images.outputs.kyverno-digest }}"
@@ -150,7 +150,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/kyvernopre
digest: "${{ needs.release-images.outputs.kyverno-init-digest }}"
@@ -165,7 +165,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/background-controller
digest: "${{ needs.release-images.outputs.background-controller-digest }}"
@@ -180,7 +180,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/cleanup-controller
digest: "${{ needs.release-images.outputs.cleanup-controller-digest }}"
@@ -195,7 +195,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
digest: "${{ needs.release-images.outputs.cli-digest }}"
@@ -210,7 +210,7 @@ jobs:
packages: write # To upload assets to release.
actions: read # To read the workflow path.
# NOTE: The container generator workflow is not officially released as GA.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0
with:
image: ghcr.io/${{ github.repository_owner }}/reports-controller
digest: "${{ needs.release-images.outputs.reports-controller-digest }}"
@@ -241,7 +241,7 @@ jobs:
make release-notes > release/release-notes.out
cat release/release-notes.out
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0
with:
version: latest
args: release --rm-dist --debug --release-notes=release/release-notes.out
16 changes: 7 additions & 9 deletions .goreleaser.yml
@@ -43,20 +43,18 @@ signs:
archives:
- id: kyverno-cli-archive
name_template: |-
kyverno-cli_{{ .Tag }}_{{ .Os }}_{{ .Arch -}}
{{- with .Arm -}}
{{- if (eq . "6") -}}hf
{{- else -}}v{{- . -}}
{{- end -}}
{{- end -}}
kyverno-cli_{{ .Tag }}_{{ .Os }}_
{{ - with .Arch - }}
{{ - if eq . "amd64" - }}x86_64{{- else if eq . "386" -}}i386{{- else -}}{{- . -}}{{- end -}}
{{ - end - }}
{{ - with .Arm - }}
{{ - if eq . "6" - }}hf{{- else -}}v{{- . -}}{{- end -}}
{{ - end - }}
builds:
- kyverno-cli
format_overrides:
- goos: windows
format: zip
replacements:
386: i386
amd64: x86_64
files: ["LICENSE"]

checksum:
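Review bot: The new `name_template` writes its outer actions as `{{ - with .Arch - }}`, `{{ - if eq . "amd64" - }}`, `{{ - end - }}` and `{{ - with .Arm - }}` with a space between the delimiter and the dash; in Go text/template the trim marker is only recognised as `{{-` / `-}}` with the dash adjacent to the brace, so a spaced `-` is lexed as an operand and the template fails to parse, as far as the rendered text shows. The inner actions on the very same lines, `{{- else -}}` and `{{- end -}}`, already use the correct form, so the fix is to spell the outer ones the same way, e.g. `{{- with .Arch -}}` / `{{- if eq . "amd64" -}}x86_64{{- else if eq . "386" -}}i386{{- else -}}{{- . -}}{{- end -}}` / `{{- end -}}`. If the spacing is an artifact of the page rather than the file, ignore this; otherwise the archive naming would break at release time, so it is worth exercising in a snapshot build before the next tag.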
1 change: 1 addition & 0 deletions .vscode/launch.json
@@ -70,6 +70,7 @@
"env": {
"KYVERNO_NAMESPACE": "kyverno",
"KYVERNO_SERVICEACCOUNT_NAME": "kyverno-cleanup-controller",
"KYVERNO_SVC": "kyverno-cleanup-controller",
"KYVERNO_DEPLOYMENT": "dummy",
"KYVERNO_POD_NAME": "dummy",
"INIT_CONFIG": "kyverno",
4 changes: 2 additions & 2 deletions Makefile
@@ -44,15 +44,15 @@ REGISTER_GEN := $(TOOLS_DIR)/register-gen
DEEPCOPY_GEN := $(TOOLS_DIR)/deepcopy-gen
DEFAULTER_GEN := $(TOOLS_DIR)/defaulter-gen
APPLYCONFIGURATION_GEN := $(TOOLS_DIR)/applyconfiguration-gen
CODE_GEN_VERSION := v0.26.3
CODE_GEN_VERSION := v0.28.0
GEN_CRD_API_REFERENCE_DOCS := $(TOOLS_DIR)/gen-crd-api-reference-docs
GEN_CRD_API_REFERENCE_DOCS_VERSION := latest
GO_ACC := $(TOOLS_DIR)/go-acc
GO_ACC_VERSION := latest
GOIMPORTS := $(TOOLS_DIR)/goimports
GOIMPORTS_VERSION := latest
HELM := $(TOOLS_DIR)/helm
HELM_VERSION := v3.10.1
HELM_VERSION := v3.12.3
HELM_DOCS := $(TOOLS_DIR)/helm-docs
HELM_DOCS_VERSION := v1.11.0
KO := $(TOOLS_DIR)/ko
11 changes: 8 additions & 3 deletions api/kyverno/constants.go
@@ -2,15 +2,20 @@ package kyverno

const (
// Well known labels
LabelAppManagedBy = "app.kubernetes.io/managed-by"
LabelAppComponent = "app.kubernetes.io/component"
LabelAppManagedBy = "app.kubernetes.io/managed-by"
LabelCacheEnabled = "cache.kyverno.io/enabled"
LabelCertManagedBy = "cert.kyverno.io/managed-by"
LabelCleanupTtl = "cleanup.kyverno.io/ttl"
LabelWebhookManagedBy = "webhook.kyverno.io/managed-by"
// Well known annotations
AnnotationAutogenControllers = "pod-policies.kyverno.io/autogen-controllers"
AnnotationImageVerify = "kyverno.io/verify-images"
AnnotationPolicyCategory = "policies.kyverno.io/category"
AnnotationPolicySeverity = "policies.kyverno.io/severity"
AnnotationPolicyScored = "policies.kyverno.io/scored"
AnnotationPolicySeverity = "policies.kyverno.io/severity"
// Well known values
ValueKyvernoApp = "kyverno"
ValueKyvernoApp = "kyverno"
ValueTtlDateTimeLayout = "2006-01-02T150405Z"
ValueTtlDateLayout = "2006-01-02"
)
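Review bot: The new identifiers `LabelCleanupTtl`, `ValueTtlDateTimeLayout` and `ValueTtlDateLayout` spell the initialism in mixed case; Go convention (and staticcheck's ST1003 check) keeps initialisms uniform, so `LabelCleanupTTL`, `ValueTTLDateTimeLayout` and `ValueTTLDateLayout` would match how `URL` is written in api/kyverno/v1. Renaming is an API change for importers of this package, so it is only cheap while the constants are brand new. The two layouts also deserve a sentence each, because `"2006-01-02T150405Z"` is a time.Parse reference layout in which the trailing `Z` is a literal character rather than a zone designator, so parsed values carry no offset and come back as UTC; something like `// ValueTtlDateTimeLayout is the time.Parse layout for absolute cleanup timestamps (presumably the cleanup.kyverno.io/ttl label value; confirm against the cleanup controller). The Z is literal, so input is read as UTC.` would spare readers a trip to the time package docs.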
20 changes: 19 additions & 1 deletion api/kyverno/v1/image_verification_types.go
@@ -109,6 +109,11 @@ type ImageVerification struct {
// ImageRegistryCredentials provides credentials that will be used for authentication with registry
// +kubebuilder:validation:Optional
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`

// UseCache enables caching of image verify responses for this rule
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
UseCache bool `json:"useCache" yaml:"useCache"`
}

type AttestorSet struct {
@@ -183,7 +188,7 @@ type StaticKeyAttestor struct {
Secret *SecretReference `json:"secret,omitempty" yaml:"secret,omitempty"`

// Rekor provides configuration for the Rekor transparency log service. If the value is nil,
// Rekor is not checked. If an empty object is provided the public instance of
// or an empty object is provided, the public instance of
// Rekor (https://rekor.sigstore.dev) is used.
// +kubebuilder:validation:Optional
Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"`
@@ -243,6 +248,19 @@ type CTLog struct {
// +kubebuilder:validation:Required
// +kubebuilder:Default:=https://rekor.sigstore.dev
URL string `json:"url" yaml:"url"`

// RekorPubKey is an optional PEM encoded public key to use for a custom Rekor.
// If set, is used to validate signatures on log entries from Rekor.
// +kubebuilder:validation:Optional
RekorPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`

// IgnoreSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a certificate transparency log.
// +kubebuilder:validation:Optional
IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"`

// IgnoreTlog skip tlog verification
// +kubebuilder:validation:Optional
IgnoreTlog bool `json:"ignoreTlog,omitempty" yaml:"ignoreTlog,omitempty"`
}

// Attestation are checks for signed in-toto Statements that are used to verify the image.
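Review bot: The doc comment on the new `IgnoreSCT` field says it "requires that a certificate contain an embedded SCT during verification", which is the opposite of what the `Ignore` prefix (and the sibling `IgnoreTlog`) implies; if setting it true skips the SCT check, as the name suggests and should be confirmed against the verifier, the comment should read `// IgnoreSCT, when true, skips the check that the signing certificate carries an embedded Signed Certificate Timestamp proving inclusion in a certificate transparency log.` A user writing a policy from the current wording would set the flag expecting stricter verification and get weaker verification instead, which for a security control is the worst direction to be misdocumented in. `// IgnoreTlog skip tlog verification` is ungrammatical and under-documents an opt-out that removes the transparency-log inclusion check; `// IgnoreTlog, when true, skips verification of the signature against the Rekor transparency log.` states the trade-off plainly. Both flags live on `CTLog`, whose closing brace is inside the hunk, while the `StaticKeyAttestor.Rekor` comment edited above belongs to a struct that continues outside it.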