Merge branch 'main' into 10556

.github/actions/kyverno-logs/action.yaml

@@ -14,15 +14,9 @@ runs:
       run: |
         kubectl -n kyverno get pod
         kubectl -n kyverno describe pod | grep -i events -A10
-    - shell: bash
-      run: |
-        kubectl -n kyverno logs deploy/kyverno-admission-controller --all-containers -p || true
-        kubectl -n kyverno logs deploy/kyverno-reports-controller --all-containers -p || true
-        kubectl -n kyverno logs deploy/kyverno-cleanup-controller --all-containers -p || true
-        kubectl -n kyverno logs deploy/kyverno-background-controller --all-containers -p || true
     - shell: bash
       run: |
         kubectl -n kyverno logs deploy/kyverno-admission-controller --all-containers
+        kubectl -n kyverno logs deploy/kyverno-background-controller --all-containers
         kubectl -n kyverno logs deploy/kyverno-reports-controller --all-containers
         kubectl -n kyverno logs deploy/kyverno-cleanup-controller --all-containers
-        kubectl -n kyverno logs deploy/kyverno-background-controller --all-containers

.github/workflows/scorecard.yaml

@@ -40,6 +40,6 @@ jobs:
           path: results.sarif
           retention-days: 5
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
+        uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
         with:
           sarif_file: results.sarif

MAINTAINERS.md

@@ -7,8 +7,6 @@ Maintainers are approvers who have shown good technical judgement in guiding fea
 | Jim Bugwadia             | [@JimBugwadia](https://github.com/JimBugwadia)         | Nirmata                   |
 | Shuting Zhao             | [@realshuting](https://github.com/realshuting)         | Nirmata                   |
 | Chip Zoller              | [@chipzoller](https://github.com/chipzoller)           | Stackwatch (Kubecost)     |
-| Marcel Müller            | [@MarcelMue](https://github.com/MarcelMue)             | Giant Swarm GmbH          |
-| Trey Dockendorf          | [@treydock](https://github.com/treydock)               | Ohio Supercomputer Center |
 | Charles-Edouard Brétéché | [@eddycharly](https://github.com/eddycharly)           | Nirmata                   |
 | Vishal Choudhary         | [@vishal-chdhry](https://github.com/vishal-chdhry)     | Nirmata                   |
 | Mariam Fahmy             | [@MariamFahmy98](https://github.com/MariamFahmy98)     | Nirmata                   |
@@ -22,3 +20,5 @@ Maintainers are approvers who have shown good technical judgement in guiding fea
 | Vyankatesh Kudtarkar     | [@vyankyGH](https://github.com/vyankyGH)               |                           |
 | Prateek Pandey           | [@prateekpandey14](https://github.com/prateekpandey14) |                           |
 | Sambhav Kothari          | [@samj1912](https://github.com/samj1912)               | Bloomberg                 |
+| Trey Dockendorf          | [@treydock](https://github.com/treydock)               | Ohio Supercomputer Center |
+| Marcel Müller            | [@MarcelMue](https://github.com/MarcelMue)             | Giant Swarm GmbH          |

Makefile

@@ -501,7 +501,7 @@ codegen-client-all: codegen-client-wrappers
 codegen-crds-kyverno: ## Generate kyverno CRDs
 	@echo Generate kyverno crds... >&2
 	@rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno
-	@go run ./hack/controller-gen -- paths=./api/kyverno/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno
+	@go run ./hack/controller-gen -- paths=./api/kyverno/v1/... paths=./api/kyverno/v1beta1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno
 
 .PHONY: codegen-crds-policyreport
 codegen-crds-policyreport: ## Generate policy reports CRDs

api/kyverno/v1/image_verification_types.go

@@ -9,7 +9,7 @@ import (
 )
 
 // ImageVerificationType selects the type of verification algorithm
-// +kubebuilder:validation:Enum=Cosign;Notary
+// +kubebuilder:validation:Enum=Cosign;SigstoreBundle;Notary
 // +kubebuilder:default=Cosign
 type ImageVerificationType string
 
@@ -18,8 +18,9 @@ type ImageVerificationType string
 type ImageRegistryCredentialsProvidersType string
 
 const (
-	Cosign ImageVerificationType = "Cosign"
-	Notary ImageVerificationType = "Notary"
+	Cosign         ImageVerificationType = "Cosign"
+	SigstoreBundle ImageVerificationType = "SigstoreBundle"
+	Notary         ImageVerificationType = "Notary"
 
 	DEFAULT ImageRegistryCredentialsProvidersType = "default"
 	AWS     ImageRegistryCredentialsProvidersType = "amazon"
@@ -46,7 +47,7 @@ type ImageVerification struct {
 	ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
 
 	// Type specifies the method of signature validation. The allowed options
-	// are Cosign and Notary. By default Cosign is used if a type is not specified.
+	// are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
 	// +kubebuilder:validation:Optional
 	Type ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
 
@@ -256,10 +257,18 @@ type KeylessAttestor struct {
 	// +kubebuilder:validation:Optional
 	Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
 
+	// IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.
+	// +kubebuilder:validation:Optional
+	IssuerRegExp string `json:"issuerRegExp,omitempty" yaml:"issuerRegExp,omitempty"`
+
 	// Subject is the verified identity used for keyless signing, for example the email address.
 	// +kubebuilder:validation:Optional
 	Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
 
+	// SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.
+	// +kubebuilder:validation:Optional
+	SubjectRegExp string `json:"subjectRegExp,omitempty" yaml:"subjectRegExp,omitempty"`
+
 	// Roots is an optional set of PEM encoded trusted root certificates.
 	// If not provided, the system roots are used.
 	// +kubebuilder:validation:Optional

api/kyverno/v2/constants.go

@@ -10,9 +10,5 @@ const (
 
 	// URGeneratePolicyLabel adds the policy name to URs for generate policies
 	URGeneratePolicyLabel          = "generate.kyverno.io/policy-name"
-	URGenerateResourceNameLabel    = "generate.kyverno.io/resource-name"
-	URGenerateResourceUIDLabel     = "generate.kyverno.io/resource-uid"
-	URGenerateResourceNSLabel      = "generate.kyverno.io/resource-namespace"
-	URGenerateResourceKindLabel    = "generate.kyverno.io/resource-kind"
 	URGenerateRetryCountAnnotation = "generate.kyverno.io/retry-count"
 )

api/kyverno/v2/updaterequest_types.go

@@ -82,23 +82,45 @@ type UpdateRequestSpec struct {
 	// Specifies the name of the policy.
 	Policy string `json:"policy" yaml:"policy"`
 
+	// RuleContext is the associate context to apply rules.
+	// optional
+	RuleContext []RuleContext `json:"ruleContext,omitempty" yaml:"ruleContext,omitempty"`
+
 	// Rule is the associate rule name of the current UR.
 	Rule string `json:"rule" yaml:"rule"`
 
 	// DeleteDownstream represents whether the downstream needs to be deleted.
+	// Deprecated
 	DeleteDownstream bool `json:"deleteDownstream" yaml:"deleteDownstream"`
 
 	// Synchronize represents the sync behavior of the corresponding rule
 	// Optional. Defaults to "false" if not specified.
+	// Deprecated, will be removed in 1.14.
 	Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
 
 	// ResourceSpec is the information to identify the trigger resource.
 	Resource kyvernov1.ResourceSpec `json:"resource" yaml:"resource"`
 
-	// Context ...
+	// Context represents admission request context.
+	// It is used upon admission review only and is shared across rules within the same UR.
 	Context UpdateRequestSpecContext `json:"context" yaml:"context"`
 }
 
+type RuleContext struct {
+	// Rule is the associate rule name of the current UR.
+	Rule string `json:"rule" yaml:"rule"`
+
+	// DeleteDownstream represents whether the downstream needs to be deleted.
+	DeleteDownstream bool `json:"deleteDownstream" yaml:"deleteDownstream"`
+
+	// Synchronize represents the sync behavior of the corresponding rule
+	// Optional. Defaults to "false" if not specified.
+	Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
+
+	// ResourceSpec is the information to identify the trigger resource.
+	Trigger kyvernov1.ResourceSpec `json:"trigger" yaml:"resource"`
+}
+
 // UpdateRequestSpecContext stores the context to be shared.
 type UpdateRequestSpecContext struct {
 	// +optional

api/kyverno/v2alpha1/global_context_entry_types.go

@@ -118,8 +118,8 @@ type GlobalContextEntryList struct {
 // KubernetesResource stores infos about kubernetes resource that should be cached
 type KubernetesResource struct {
 	// Group defines the group of the resource.
-	// +kubebuilder:validation:Required
-	Group string `json:"group"`
+	// +kubebuilder:validation:Optional
+	Group string `json:"group,omitempty"`
 	// Version defines the version of the resource.
 	// +kubebuilder:validation:Required
 	Version string `json:"version"`
@@ -136,7 +136,8 @@ type KubernetesResource struct {
 
 // Validate implements programmatic validation
 func (k *KubernetesResource) Validate(path *field.Path) (errs field.ErrorList) {
-	if k.Group == "" {
+	isCoreGroup := k.Group == "" && k.Version == "v1"
+	if k.Group == "" && !isCoreGroup {
 		errs = append(errs, field.Required(path.Child("group"), "A Resource entry requires a group"))
 	}
 	if k.Version == "" {