Merge branch 'main' into generate-foreach-2
realshuting committed Aug 16, 2024
2 parents 3a695fc + f69ffe1 commit 79443d8
Showing 37 changed files with 2,561 additions and 61 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yaml
Expand Up @@ -40,6 +40,6 @@ jobs:
path: results.sarif
retention-days: 5
- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@29d86d22a34ea372b1bbf3b2dced2e25ca6b3384 # v3.26.1
uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
with:
sarif_file: results.sarif
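Review bot: on the `uses: github/codeql-action/upload-sarif@...` line, the trailing `# v3.26.2` comment is the only thing tying the pinned commit SHA to a release, and nothing in the workflow checks it. Confirm that `429e1977040da7a23b6822b13c129cd1ba93dbb2` resolves to the v3.26.2 tag in github/codeql-action before merging, and prefer letting the dependency bot that produced the bump keep the SHA and comment in sync rather than editing either by hand.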
2 changes: 1 addition & 1 deletion MAINTAINERS.md
Expand Up @@ -7,7 +7,6 @@ Maintainers are approvers who have shown good technical judgement in guiding fea
| Jim Bugwadia | [@JimBugwadia](https://github.com/JimBugwadia) | Nirmata |
| Shuting Zhao | [@realshuting](https://github.com/realshuting) | Nirmata |
| Chip Zoller | [@chipzoller](https://github.com/chipzoller) | Stackwatch (Kubecost) |
| Marcel Müller | [@MarcelMue](https://github.com/MarcelMue) | Giant Swarm GmbH |
| Charles-Edouard Brétéché | [@eddycharly](https://github.com/eddycharly) | Nirmata |
| Vishal Choudhary | [@vishal-chdhry](https://github.com/vishal-chdhry) | Nirmata |
| Mariam Fahmy | [@MariamFahmy98](https://github.com/MariamFahmy98) | Nirmata |
Expand All @@ -22,3 +21,4 @@ Maintainers are approvers who have shown good technical judgement in guiding fea
| Prateek Pandey | [@prateekpandey14](https://github.com/prateekpandey14) | |
| Sambhav Kothari | [@samj1912](https://github.com/samj1912) | Bloomberg |
| Trey Dockendorf | [@treydock](https://github.com/treydock) | Ohio Supercomputer Center |
| Marcel Müller | [@MarcelMue](https://github.com/MarcelMue) | Giant Swarm GmbH |
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -501,7 +501,7 @@ codegen-client-all: codegen-client-wrappers
codegen-crds-kyverno: ## Generate kyverno CRDs
@echo Generate kyverno crds... >&2
@rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno
@go run ./hack/controller-gen -- paths=./api/kyverno/v1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno
@go run ./hack/controller-gen -- paths=./api/kyverno/v1/... paths=./api/kyverno/v1beta1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno

.PHONY: codegen-crds-policyreport
codegen-crds-policyreport: ## Generate policy reports CRDs
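Review bot: the `controller-gen` invocation in `codegen-crds-kyverno` lists every API version as its own `paths=` argument, and the previous line lacked `paths=./api/kyverno/v1beta1/...`, so a version can be left out of CRD generation without any error. Consider moving the list into a Make variable, or deriving it from the directories under `./api/kyverno/`, so a new API version cannot be omitted silently, and confirm that the CRDs regenerated into `$(CRDS_PATH)/kyverno` are committed together with this change.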
8 changes: 8 additions & 0 deletions api/kyverno/v1/image_verification_types.go
Expand Up @@ -256,10 +256,18 @@ type KeylessAttestor struct {
// +kubebuilder:validation:Optional
Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`

// IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.
// +kubebuilder:validation:Optional
IssuerRegExp string `json:"issuerRegExp,omitempty" yaml:"issuerRegExp,omitempty"`

// Subject is the verified identity used for keyless signing, for example the email address.
// +kubebuilder:validation:Optional
Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`

// SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.
// +kubebuilder:validation:Optional
SubjectRegExp string `json:"subjectRegExp,omitempty" yaml:"subjectRegExp,omitempty"`

// Roots is an optional set of PEM encoded trusted root certificates.
// If not provided, the system roots are used.
// +kubebuilder:validation:Optional
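Review bot: the doc comments on `IssuerRegExp` and `SubjectRegExp` do not say whether the expression must match the whole issuer or subject string or only part of it, and for an identity check an unanchored pattern accepts any value that merely contains the expected text. State the matching semantics in both comments (and tell policy authors to anchor with `^...$` if matching is partial), document which field takes effect when `Issuer` and `IssuerRegExp`, or `Subject` and `SubjectRegExp`, are both set, and consider rejecting expressions that do not compile at admission time, since both fields carry only `+kubebuilder:validation:Optional`.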
1 change: 1 addition & 0 deletions charts/kyverno/README.md
Expand Up @@ -295,6 +295,7 @@ The chart values are organised per component.
| config.excludeClusterRoles | list | `[]` | Exclude roles |
| config.generateSuccessEvents | bool | `false` | Generate success events. |
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
| config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. |
| config.webhooks | list | `[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
| config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. |
| config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. |
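Review bot: the description on the new `config.updateRequestThreshold` row misspells the policy type as `mutateExisitng`; it should read `mutateExisting`. The description also does not say what happens once the total reaches the default of `1000` (whether further UpdateRequests are dropped, delayed or rejected), which an operator tuning this value needs to know. If this table is generated from comments in values.yaml, make both fixes there so they are not overwritten.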