diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 9a832ab42331..15ed5a6a5de2 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -40,6 +40,6 @@ jobs: path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@29d86d22a34ea372b1bbf3b2dced2e25ca6b3384 # v3.26.1 + uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2 with: sarif_file: results.sarif diff --git a/MAINTAINERS.md b/MAINTAINERS.md index c387932c23c3..8aad70bad826 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md @@ -7,7 +7,6 @@ Maintainers are approvers who have shown good technical judgement in guiding fea | Jim Bugwadia | [@JimBugwadia](https://github.com/JimBugwadia) | Nirmata | | Shuting Zhao | [@realshuting](https://github.com/realshuting) | Nirmata | | Chip Zoller | [@chipzoller](https://github.com/chipzoller) | Stackwatch (Kubecost) | -| Marcel Müller | [@MarcelMue](https://github.com/MarcelMue) | Giant Swarm GmbH | | Charles-Edouard Brétéché | [@eddycharly](https://github.com/eddycharly) | Nirmata | | Vishal Choudhary | [@vishal-chdhry](https://github.com/vishal-chdhry) | Nirmata | | Mariam Fahmy | [@MariamFahmy98](https://github.com/MariamFahmy98) | Nirmata | @@ -22,3 +21,4 @@ Maintainers are approvers who have shown good technical judgement in guiding fea | Prateek Pandey | [@prateekpandey14](https://github.com/prateekpandey14) | | | Sambhav Kothari | [@samj1912](https://github.com/samj1912) | Bloomberg | | Trey Dockendorf | [@treydock](https://github.com/treydock) | Ohio Supercomputer Center | +| Marcel Müller | [@MarcelMue](https://github.com/MarcelMue) | Giant Swarm GmbH | diff --git a/Makefile b/Makefile index b607859d4981..e903f03fc7ec 100644 --- a/Makefile +++ b/Makefile 
@@ -501,7 +501,7 @@ codegen-client-all: codegen-client-wrappers codegen-crds-kyverno: ## Generate kyverno CRDs @echo Generate kyverno crds... >&2 @rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno - @go run ./hack/controller-gen -- paths=./api/kyverno/v1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno + @go run ./hack/controller-gen -- paths=./api/kyverno/v1/... paths=./api/kyverno/v1beta1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno .PHONY: codegen-crds-policyreport codegen-crds-policyreport: ## Generate policy reports CRDs diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index 30925a772cd0..5d2800edae1d 100644 --- a/api/kyverno/v1/image_verification_types.go +++ b/api/kyverno/v1/image_verification_types.go 
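Review bot: Adding `paths=./api/kyverno/v1beta1/...` to the generator input puts a deprecated API version back into the served set — the regenerated updaterequests CRD elsewhere in this change lists v1beta1 with `deprecated: true` and `served: true` but no `deprecationWarning`, so clients only see the generic Kubernetes warning and are not told which version to move to. If the intent is a compatibility shim, add `// +kubebuilder:deprecatedversion:warning="kyverno.io/v1beta1 UpdateRequest is deprecated; use the current version"` on the v1beta1 type (outside this diff) so the warning names the replacement, and confirm the v1beta1 and storage-version schemas round-trip, since no conversion stanza is visible in the generated CRD. If no consumer still needs it, `served: false` is the safer default: a stale controller or user cannot then create or mutate UpdateRequests through the old version.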
@@ -256,10 +256,18 @@ type KeylessAttestor struct { // +kubebuilder:validation:Optional Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"` + // IssuerRegExp is the regular expression to match certificate issuer used for keyless signing. + // +kubebuilder:validation:Optional + IssuerRegExp string `json:"issuerRegExp,omitempty" yaml:"issuerRegExp,omitempty"` + // Subject is the verified identity used for keyless signing, for example the email address. // +kubebuilder:validation:Optional Subject string `json:"subject,omitempty" yaml:"subject,omitempty"` + // SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address. + // +kubebuilder:validation:Optional + SubjectRegExp string `json:"subjectRegExp,omitempty" yaml:"subjectRegExp,omitempty"` + // Roots is an optional set of PEM encoded trusted root certificates. // If not provided, the system roots are used. // +kubebuilder:validation:Optional diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 48ed8b51d0c3..ed1b01e1a85e 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
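Review bot: The new IssuerRegExp and SubjectRegExp doc comments should tell policy authors to anchor the pattern, because a regular expression checked with MatchString — which is how the sigstore identity matcher works, and presumably what Kyverno's verifier (outside this hunk) delegates to — accepts any substring: `subjectRegExp: ".*@example.com"` also matches `attacker@example.com.evil`, and an unanchored issuerRegExp accepts an issuer that merely contains the expected URL. Suggested wording: `// IssuerRegExp is a regular expression matched against the certificate issuer used for keyless signing. Anchor it (for example "^https://token\.actions\.githubusercontent\.com$") and escape dots; an unanchored pattern also matches issuers that merely contain the text.`, with the same caveat on SubjectRegExp. The comments also leave undefined what happens when both Issuer and IssuerRegExp (or Subject and SubjectRegExp) are set on one attestor; either document the precedence or reject the combination at admission with `// +kubebuilder:validation:XValidation:rule="!(has(self.issuer) && has(self.issuerRegExp))",message="issuer and issuerRegExp are mutually exclusive"` (and its subject twin) so an ambiguous spec cannot silently widen trust. The KeylessAttestor struct begins and ends outside the hunk.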
@@ -295,6 +295,7 @@ The chart values are organised per component. | config.excludeClusterRoles | list | `[]` | Exclude roles | | config.generateSuccessEvents | bool | `false` | Generate success events. | | config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | +| config.updateRequestThreshold | int | `1000` | Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. | | config.webhooks | list | `[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | | config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. | | config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. | diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 7335ea1766ab..11b7467a1ea1 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 
@@ -3570,6 +3570,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3601,6 +3606,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -4070,6 +4081,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4101,6 +4117,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4447,6 +4469,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -4477,6 +4504,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -8349,6 +8382,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8380,6 +8418,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8854,6 +8898,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8887,6 +8937,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one 
@@ -9237,6 +9294,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -9268,6 +9330,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12924,6 +12992,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12955,6 +13028,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -13413,6 +13492,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -13444,6 +13528,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -13790,6 +13880,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13820,6 +13915,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -17672,6 +17773,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17703,6 +17809,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -18177,6 +18289,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18210,6 +18328,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -18560,6 +18685,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18591,6 +18721,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 1402c5f1d960..b14619c02fc6 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 
@@ -3571,6 +3571,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3602,6 +3607,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -4071,6 +4082,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4102,6 +4118,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4448,6 +4470,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -4478,6 +4505,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -8351,6 +8384,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8382,6 +8420,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8856,6 +8900,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8889,6 +8939,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one 
@@ -9239,6 +9296,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -9270,6 +9332,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12927,6 +12995,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12958,6 +13031,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -13416,6 +13495,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -13447,6 +13531,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -13793,6 +13883,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13823,6 +13918,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -17675,6 +17776,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17706,6 +17812,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -18180,6 +18292,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18213,6 +18331,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -18563,6 +18688,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18594,6 +18724,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml index 030e189ccfe2..9549de94368e 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml 
@@ -24,6 +24,392 @@ spec: singular: updaterequest scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.rule + name: Rule + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. 
+ properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). 
+ If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. 
+ properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. 
If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean + policy: + description: Specifies the name of the policy. 
+ type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + handler: + description: Deprecated + type: string + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. 
+ type: string + required: + - state + type: object + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.policy name: Policy diff --git a/charts/kyverno/templates/config/configmap.yaml b/charts/kyverno/templates/config/configmap.yaml index 7d6a91678c77..d10a74d5dde6 100644 --- a/charts/kyverno/templates/config/configmap.yaml +++ b/charts/kyverno/templates/config/configmap.yaml @@ -35,6 +35,9 @@ data: resourceFilters: >- {{- include "kyverno.config.resourceFilters" . | trim | nindent 4 }} {{- end -}} + {{- with .Values.config.updateRequestThreshold }} + updateRequestThreshold: {{ . | quote }} + {{- end -}} {{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }} webhooks: {{ include "kyverno.config.webhooks" . | quote }} {{- else if .Values.config.webhooks }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 052b8c32d519..2f8cf434dc86 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -309,6 +309,9 @@ config: - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]' + # -- Sets the threshold for the total number of UpdateRequests generated for mutateExisitng and generate policies. + updateRequestThreshold: 1000 + # -- Defines the `namespaceSelector` in the webhook configurations. # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element # will be forwarded to the webhook configurations. diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 9551d5c52c85..2e34212605c9 100644 
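Review bot: `{{- with .Values.config.updateRequestThreshold }}` in the configmap.yaml hunk omits the key whenever the value is falsy in Go templates, so a chart user who sets `updateRequestThreshold: 0` (or an empty string) gets no `updateRequestThreshold` entry rendered and the controller's built-in default instead. If 0 is meant to carry meaning, such as switching the limit off — the hunk does not say — the guard should test presence rather than truthiness, e.g. `{{- if hasKey .Values.config "updateRequestThreshold" }}` with `updateRequestThreshold: {{ .Values.config.updateRequestThreshold | quote }}` inside. Because this value bounds how many UpdateRequests the controller will create, a silent fall-back to the default is the kind of misconfiguration that only surfaces under load, so a chart rendering test that asserts the key for an explicit value would be worth adding. The enclosing `data:` map starts before this hunk.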
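Review bot: The new values.yaml comment on `updateRequestThreshold` misspells `mutateExisting` as `mutateExisitng`, and since the `# --` prefix appears to be the helm-docs annotation that becomes the published parameter description, the typo will be copied into the chart README. The comment also only says it "sets the threshold" without stating what the controller does once the count of UpdateRequests reaches it, which is what an operator choosing a value other than 1000 needs to know; I would write `# -- Sets the threshold for the total number of UpdateRequests generated for mutateExisting and generate policies.` and add one sentence describing the behaviour when the threshold is exceeded (presumably further UpdateRequests are held back, but the hunk does not show this). The surrounding `config:` block starts before this hunk.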
--- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -3564,6 +3564,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3595,6 +3600,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -4064,6 +4075,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4095,6 +4111,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4441,6 +4463,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -4471,6 +4498,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -8343,6 +8376,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8374,6 +8412,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8848,6 +8892,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8881,6 +8931,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one 
@@ -9231,6 +9288,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -9262,6 +9324,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12918,6 +12986,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12949,6 +13022,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -13407,6 +13486,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -13438,6 +13522,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -13784,6 +13874,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13814,6 +13909,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -17666,6 +17767,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17697,6 +17803,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -18171,6 +18283,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18204,6 +18322,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -18554,6 +18679,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18585,6 +18715,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 8b1f30b122db..f5270c9754cb 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml 
@@ -3565,6 +3565,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3596,6 +3601,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -4065,6 +4076,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4096,6 +4112,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4442,6 +4464,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -4472,6 +4499,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -8345,6 +8378,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8376,6 +8414,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8850,6 +8894,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8883,6 +8933,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one 
@@ -9233,6 +9290,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -9264,6 +9326,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -12921,6 +12989,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12952,6 +13025,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -13410,6 +13489,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -13441,6 +13525,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -13787,6 +13877,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13817,6 +13912,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -17669,6 +17770,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17700,6 +17806,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -18174,6 +18286,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18207,6 +18325,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -18557,6 +18682,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18588,6 +18718,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 926e8911bc27..72d52f7df4ed 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -13,6 +13,7 @@ import ( "github.com/go-logr/logr" "github.com/kyverno/kyverno/cmd/internal" "github.com/kyverno/kyverno/pkg/auth/checker" + "github.com/kyverno/kyverno/pkg/breaker" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions" "github.com/kyverno/kyverno/pkg/clients/dclient" 
@@ -25,7 +26,6 @@ import (
 policycachecontroller "github.com/kyverno/kyverno/pkg/controllers/policycache"
 vapcontroller "github.com/kyverno/kyverno/pkg/controllers/validatingadmissionpolicy-generate"
 webhookcontroller "github.com/kyverno/kyverno/pkg/controllers/webhook"
- "github.com/kyverno/kyverno/pkg/d4f"
 "github.com/kyverno/kyverno/pkg/engine/apicall"
 "github.com/kyverno/kyverno/pkg/event"
 "github.com/kyverno/kyverno/pkg/globalcontext/store"
@@ -522,7 +522,7 @@ func main() {
 setup.Logger.Error(errors.New("failed to start admission reports watcher"), "failed to start admission reports watcher")
 os.Exit(1)
 }
- reportsBreaker := d4f.NewBreaker("admission reports", func(context.Context) bool {
+ reportsBreaker := breaker.NewBreaker("admission reports", func(context.Context) bool {
 count, isRunning := ephrs.Count()
 if !isRunning {
 return true
diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml
index 9551d5c52c85..2e34212605c9 100644
--- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml
+++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml
@@ -3564,6 +3564,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object
@@ -3595,6 +3600,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -4064,6 +4075,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4095,6 +4111,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4441,6 +4463,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4471,6 +4498,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -8343,6 +8376,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -8374,6 +8412,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8848,6 +8892,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8881,6 +8931,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -9231,6 +9288,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -9262,6 +9324,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -12918,6 +12986,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12949,6 +13022,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -13407,6 +13486,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13438,6 +13522,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -13784,6 +13874,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -13814,6 +13909,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -17666,6 +17767,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17697,6 +17803,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -18171,6 +18283,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18204,6 +18322,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one 
@@ -18554,6 +18679,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18585,6 +18715,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 8b1f30b122db..f5270c9754cb 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml @@ -3565,6 +3565,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -3596,6 +3601,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -4065,6 +4076,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4096,6 +4112,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -4442,6 +4464,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -4472,6 +4499,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -8345,6 +8378,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -8376,6 +8414,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -8850,6 +8894,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8883,6 +8933,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -9233,6 +9290,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -9264,6 +9326,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -12921,6 +12989,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -12952,6 +13025,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -13410,6 +13489,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13441,6 +13525,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -13787,6 +13877,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -13817,6 +13912,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -17669,6 +17770,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17700,6 +17806,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -18174,6 +18286,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18207,6 +18325,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one 
@@ -18557,6 +18682,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -18588,6 +18718,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more diff --git a/config/crds/kyverno/kyverno.io_updaterequests.yaml b/config/crds/kyverno/kyverno.io_updaterequests.yaml index 20cbe100d1b1..dde694005f84 100644 --- a/config/crds/kyverno/kyverno.io_updaterequests.yaml +++ b/config/crds/kyverno/kyverno.io_updaterequests.yaml 
@@ -18,6 +18,392 @@ spec: singular: updaterequest scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.rule + name: Rule + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. 
+ properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). 
+ If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. 
+ properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. 
If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean + policy: + description: Specifies the name of the policy. 
+ type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + handler: + description: Deprecated + type: string + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. 
+ type: string + required: + - state + type: object + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.policy name: Policy diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index f5e0bd937a63..6cedf4eb5897 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -172,6 +172,7 @@ data: [ServiceMonitor,kyverno,kyverno-reports-controller] [Secret,kyverno,kyverno-svc.kyverno.svc.*] [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*] + updateRequestThreshold: "1000" webhooks: "[{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}]" webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}" --- @@ -8360,6 +8361,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8391,6 +8397,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -8860,6 +8872,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -8891,6 +8908,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -9237,6 +9260,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -9267,6 +9295,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -12730,6 +12764,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -12761,6 +12800,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -13235,6 +13280,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13268,6 +13319,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -13618,6 +13676,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -13649,6 +13712,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -16904,6 +16973,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -16935,6 +17009,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -17393,6 +17473,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -17424,6 +17509,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -17770,6 +17861,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -17800,6 +17896,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -21243,6 +21345,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -21274,6 +21381,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -21748,6 +21861,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -21781,6 +21900,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one 
@@ -22131,6 +22257,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -22162,6 +22293,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -25926,6 +26063,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -25957,6 +26099,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -26426,6 +26574,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -26457,6 +26610,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -26803,6 +26962,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -26833,6 +26997,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public @@ -30297,6 +30467,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -30328,6 +30503,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -30802,6 +30983,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -30835,6 +31022,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -31185,6 +31379,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -31216,6 +31415,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more @@ -34472,6 +34677,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -34503,6 +34713,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used + for keyless signing, for example the + email address. + type: string type: object keys: description: Keys specifies one or more @@ -34961,6 +35177,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -34992,6 +35213,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -35338,6 +35565,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate issuer + used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -35368,6 +35600,12 @@ spec: used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the regular + expression to match identity used for + keyless signing, for example the email + address. + type: string type: object keys: description: Keys specifies one or more public 
@@ -38811,6 +39049,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the + regular expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -38842,6 +39085,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for + example the email address. + type: string type: object keys: description: Keys specifies one or more @@ -39316,6 +39565,12 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is + the regular expression to + match certificate issuer used + for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object @@ -39349,6 +39604,13 @@ spec: keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is + the regular expression to + match identity used for keyless + signing, for example the email + address. + type: string type: object keys: description: Keys specifies one @@ -39699,6 +39961,11 @@ spec: description: Issuer is the certificate issuer used for keyless signing. type: string + issuerRegExp: + description: IssuerRegExp is the regular + expression to match certificate + issuer used for keyless signing. + type: string rekor: description: |- Rekor provides configuration for the Rekor transparency log service. If an empty object 
@@ -39730,6 +39997,12 @@ spec: identity used for keyless signing, for example the email address. type: string + subjectRegExp: + description: SubjectRegExp is the + regular expression to match identity + used for keyless signing, for example + the email address. + type: string type: object keys: description: Keys specifies one or more 
@@ -41379,6 +41652,392 @@ spec: singular: updaterequest scope: Namespaced versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.rule + name: Rule + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v1beta1 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: Context ... + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. 
+ properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. + type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). 
+ If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. 
+ properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. 
If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean + policy: + description: Specifies the name of the policy. 
+ type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + handler: + description: Deprecated + type: string + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. 
+ type: string + required: + - state + type: object + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - jsonPath: .spec.policy name: Policy diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 47308c9ebf63..e5724029ca65 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -2700,6 +2700,17 @@
issuerRegExp
IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.
+subject
subjectRegExp
SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.
+roots
issuerRegExp
+
+ *
+
+
+
+
+
+
+ string
+
+
+ IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.
+ + + + + +subject
@@ -5465,6 +5494,35 @@ subjectRegExp
+
+ *
+
+
+
+
+
+
+ string
+
+
+ SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.
+ + + + + +roots
diff --git a/pkg/d4f/breaker.go b/pkg/breaker/breaker.go
similarity index 99%
rename from pkg/d4f/breaker.go
rename to pkg/breaker/breaker.go
index 7866307d3f9a..580f8e02297a 100644
--- a/pkg/d4f/breaker.go
+++ b/pkg/breaker/breaker.go
@@ -1,4 +1,4 @@
-package d4f
+package breaker
import (
"context"
diff --git a/pkg/d4f/breaker_test.go b/pkg/breaker/breaker_test.go
similarity index 98%
rename from pkg/d4f/breaker_test.go
rename to pkg/breaker/breaker_test.go
index b1b626d6b017..649f2c4ce98f 100644
--- a/pkg/d4f/breaker_test.go
+++ b/pkg/breaker/breaker_test.go
@@ -1,4 +1,4 @@
-package d4f
+package breaker
import (
"context"
diff --git a/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go b/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go
index 9604052ca0ac..f3861678fa6e 100644
--- a/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go
+++ b/pkg/client/applyconfigurations/kyverno/v1/keylessattestor.go
@@ -24,7 +24,9 @@ type KeylessAttestorApplyConfiguration struct {
Rekor *RekorApplyConfiguration `json:"rekor,omitempty"`
CTLog *CTLogApplyConfiguration `json:"ctlog,omitempty"`
Issuer *string `json:"issuer,omitempty"`
+ IssuerRegExp *string `json:"issuerRegExp,omitempty"`
Subject *string `json:"subject,omitempty"`
+ SubjectRegExp *string `json:"subjectRegExp,omitempty"`
Roots *string `json:"roots,omitempty"`
AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty"`
}
@@ -59,6 +61,14 @@ func (b *KeylessAttestorApplyConfiguration) WithIssuer(value string) *KeylessAtt
return b
}
+// WithIssuerRegExp sets the IssuerRegExp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the IssuerRegExp field is set to the value of the last call.
+func (b *KeylessAttestorApplyConfiguration) WithIssuerRegExp(value string) *KeylessAttestorApplyConfiguration {
+ b.IssuerRegExp = &value
+ return b
+}
+
// WithSubject sets the Subject field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Subject field is set to the value of the last call.
@@ -67,6 +77,14 @@ func (b *KeylessAttestorApplyConfiguration) WithSubject(value string) *KeylessAt
return b
}
+// WithSubjectRegExp sets the SubjectRegExp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the SubjectRegExp field is set to the value of the last call.
+func (b *KeylessAttestorApplyConfiguration) WithSubjectRegExp(value string) *KeylessAttestorApplyConfiguration {
+ b.SubjectRegExp = &value
+ return b
+}
+
// WithRoots sets the Roots field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Roots field is set to the value of the last call.
diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go
index a0411f64be4e..8bda32fc8e84 100644
--- a/pkg/controllers/webhook/controller.go
+++ b/pkg/controllers/webhook/controller.go
@@ -452,7 +452,7 @@ func (c *controller) updatePolicyStatuses(ctx context.Context) error {
if c.autoUpdateWebhooks {
for _, set := range c.policyState {
if !set.Has(policyKey) {
- ready, message = false, "Not ready yet"
+ ready, message = false, "Not Ready"
break
}
}
diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index 3cf8c8d584b5..16ae87d3c855 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -8,6 +8,7 @@ import (
"encoding/base64"
"encoding/json"
"fmt"
+ "regexp"
"strings"
"github.com/google/go-containerregistry/pkg/name"
@@ -74,7 +75,7 @@ func (v *cosignVerifier) VerifySignature(ctx context.Context, opts images.Option
return nil, err
}
- if err := matchSignatures(signatures, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil {
+ if err := matchSignatures(signatures, opts.Subject, opts.SubjectRegExp, opts.Issuer, opts.IssuerRegExp, opts.AdditionalExtensions); err != nil {
return nil, err
}
@@ -308,7 +309,7 @@ func (v *cosignVerifier) FetchAttestations(ctx context.Context, opts images.Opti
continue
}
- if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil {
+ if err := matchSignatures([]oci.Signature{signature}, opts.Subject, opts.SubjectRegExp, opts.Issuer, opts.IssuerRegExp, opts.AdditionalExtensions); err != nil {
return nil, err
}
}
@@ -500,7 +501,7 @@ func extractDigest(imgRef string, payload []payload.SimpleContainerImage) (strin
return "", fmt.Errorf("digest not found for %s", imgRef)
}
-func matchSignatures(signatures []oci.Signature, subject, issuer string, extensions map[string]string) error {
+func matchSignatures(signatures []oci.Signature, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error {
if subject == "" && issuer == "" && len(extensions) == 0 {
return nil
}
@@ -516,7 +517,7 @@ func matchSignatures(signatures []oci.Signature, subject, issuer string, extensi
return fmt.Errorf("certificate not found")
}
- if err := matchCertificateData(cert, subject, issuer, extensions); err != nil {
+ if err := matchCertificateData(cert, subject, subjectRegExp, issuer, issuerRegExp, extensions); err != nil {
errs = append(errs, err)
} else {
// only one signature certificate needs to match the required subject, issuer, and extensions
@@ -532,31 +533,66 @@ func matchSignatures(signatures []oci.Signature, subject, issuer string, extensi
return fmt.Errorf("invalid signature")
}
-func matchCertificateData(cert *x509.Certificate, subject, issuer string, extensions map[string]string) error {
- if subject != "" {
- s := ""
+func matchCertificateData(cert *x509.Certificate, subject, subjectRegExp, issuer, issuerRegExp string, extensions map[string]string) error {
+ if subject != "" || subjectRegExp != "" {
if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 {
- s = sans[0]
- }
- if !wildcard.Match(subject, s) {
- return fmt.Errorf("subject mismatch: expected %s, received %s", subject, s)
+ subjectMatched := false
+ if subject != "" {
+ for _, s := range sans {
+ if wildcard.Match(subject, s) {
+ subjectMatched = true
+ break
+ }
+ }
+ }
+ if subjectRegExp != "" {
+ regex, err := regexp.Compile(subjectRegExp)
+ if err != nil {
+ return fmt.Errorf("invalid regexp for subject: %s : %w", subjectRegExp, err)
+ }
+ for _, s := range sans {
+ if regex.MatchString(s) {
+ subjectMatched = true
+ break
+ }
+ }
+ }
+
+ if !subjectMatched {
+ sub := ""
+ if subject != "" {
+ sub = subject
+ } else if subjectRegExp != "" {
+ sub = subjectRegExp
+ }
+ return fmt.Errorf("subject mismatch: expected %s, received %s", sub, strings.Join(sans, ", "))
+ }
}
}
- if err := matchExtensions(cert, issuer, extensions); err != nil {
+ if err := matchExtensions(cert, issuer, issuerRegExp, extensions); err != nil {
return err
}
return nil
}
-func matchExtensions(cert *x509.Certificate, issuer string, extensions map[string]string) error {
+func matchExtensions(cert *x509.Certificate, issuer, issuerRegExp string, extensions map[string]string) error {
ce := cosign.CertExtensions{Cert: cert}
- if issuer != "" {
+ if issuer != "" || issuerRegExp != "" {
val := ce.GetIssuer()
- if !wildcard.Match(issuer, val) {
- return fmt.Errorf("issuer mismatch: expected %s, received %s", issuer, val)
+ if issuer != "" {
+ if !wildcard.Match(issuer, val) {
+ return fmt.Errorf("issuer mismatch: expected %s, received %s", issuer, val)
+ }
+ }
+ if issuerRegExp != "" {
+ if regex, err := regexp.Compile(issuerRegExp); err != nil {
+ return fmt.Errorf("invalid regexp for issuer: %s : %w", issuerRegExp, err)
+ } else if !regex.MatchString(val) {
+ return fmt.Errorf("issuer mismatch: expected %s, received %s", issuerRegExp, val)
+ }
}
}
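Review bot: In matchCertificateData the whole subject check now sits inside `if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 {`, so a certificate with no SAN skips the check and satisfies any `subject`/`subjectRegExp`, whereas the removed code compared the requested subject against an empty string and failed unless the pattern itself matched "". Dropping the length guard (`sans := cryptoutils.GetSubjectAlternateNames(cert)` plus removing its closing brace) lets the `!subjectMatched` branch report the mismatch with an empty received list. Two smaller points: the subject side accepts a hit from either `subject` or `subjectRegExp`, while matchExtensions requires both `issuer` and `issuerRegExp` to match, and both expressions are recompiled per certificate and matched unanchored via `MatchString`, so an expression like `nirmata\.com` also accepts any SAN that merely contains it; a comment on each field stating the OR/AND semantics and that callers should anchor with `^...$` would make the contract explicit. matchExtensions continues past the end of the hunk.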
diff --git a/pkg/cosign/cosign_test.go b/pkg/cosign/cosign_test.go
index 053bbac018d6..d102ecac5095 100644
--- a/pkg/cosign/cosign_test.go
+++ b/pkg/cosign/cosign_test.go
@@ -227,7 +227,10 @@ func TestCosignMatchCertificateData(t *testing.T) {
assert.NilError(t, err)
subject1 := "https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/*"
+ subject1RegExp := `https://github\.com/JimBugwadia/demo-java-tomcat/.+`
issuer1 := "https://token.actions.githubusercontent.com"
+ issuer1RegExp := `https://token\.actions\..+`
+
extensions := map[string]string{
"githubWorkflowTrigger": "push",
"githubWorkflowSha": "c7645284fa7aebe554618eee879b4d6947f8564e",
@@ -235,20 +238,41 @@ func TestCosignMatchCertificateData(t *testing.T) {
"githubWorkflowRepository": "JimBugwadia/demo-java-tomcat",
}
- matchErr := matchCertificateData(cert1, subject1, issuer1, extensions)
+ matchErr := matchCertificateData(cert1, subject1, "", issuer1, "", extensions)
+ assert.NilError(t, matchErr)
+
+ matchErr = matchCertificateData(cert1, "", "", issuer1, "", extensions)
+ assert.NilError(t, matchErr)
+
+ matchErr = matchCertificateData(cert1, subject1, "", issuer1, "", nil)
+ assert.NilError(t, matchErr)
+
+ matchErr = matchCertificateData(cert1, "", subject1RegExp, "", issuer1RegExp, nil)
assert.NilError(t, matchErr)
- matchErr = matchCertificateData(cert1, "", issuer1, extensions)
+ matchErr = matchCertificateData(cert1, "", "", "", issuer1RegExp, nil)
assert.NilError(t, matchErr)
- matchErr = matchCertificateData(cert1, subject1, issuer1, nil)
+ matchErr = matchCertificateData(cert1, subject1, subject1RegExp, issuer1, issuer1RegExp, nil)
assert.NilError(t, matchErr)
- matchErr = matchCertificateData(cert1, "wrong-subject", issuer1, extensions)
+ matchErr = matchCertificateData(cert1, "", `^wrong-regex$`, issuer1, issuer1RegExp, nil)
+ assert.Error(t, matchErr, "subject mismatch: expected ^wrong-regex$, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22")
+
+ matchErr = matchCertificateData(cert1, "", "", "", `^wrong-regex$`, nil)
+ assert.Error(t, matchErr, "issuer mismatch: expected ^wrong-regex$, received https://token.actions.githubusercontent.com")
+
+ matchErr = matchCertificateData(cert1, "wrong-subject", "", issuer1, "", extensions)
assert.Error(t, matchErr, "subject mismatch: expected wrong-subject, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22")
+ matchErr = matchCertificateData(cert1, "", "*", "", issuer1RegExp, nil)
+ assert.Error(t, matchErr, "invalid regexp for subject: * : error parsing regexp: missing argument to repetition operator: `*`")
+
+ matchErr = matchCertificateData(cert1, "", subject1RegExp, "", "?", nil)
+ assert.Error(t, matchErr, "invalid regexp for issuer: ? : error parsing regexp: missing argument to repetition operator: `?`")
+
extensions["githubWorkflowTrigger"] = "pull"
- matchErr = matchCertificateData(cert1, subject1, issuer1, extensions)
+ matchErr = matchCertificateData(cert1, subject1, "", issuer1, "", extensions)
assert.Error(t, matchErr, "extension mismatch: expected pull for key githubWorkflowTrigger, received push")
}
@@ -431,17 +455,28 @@ func TestCosignMatchSignatures(t *testing.T) {
}
subject2 := "*@nirmata.com"
+ subject2RegExp := `.+@nirmata\.com`
issuer2 := "https://github.com/login/oauth"
+ issuer2RegExp := `https://github\.com/login/.+`
+
+ matchErr := matchSignatures(sigs, subject1, "", issuer1, "", extensions)
+ assert.NilError(t, matchErr)
+
+ matchErr = matchSignatures(sigs, subject2, "", issuer2, "", nil)
+ assert.NilError(t, matchErr)
- matchErr := matchSignatures(sigs, subject1, issuer1, extensions)
+ matchErr = matchSignatures(sigs, "", subject2RegExp, issuer2, "", nil)
assert.NilError(t, matchErr)
- matchErr = matchSignatures(sigs, subject2, issuer2, nil)
+ matchErr = matchSignatures(sigs, "", "", "", issuer2RegExp, nil)
assert.NilError(t, matchErr)
- matchErr = matchSignatures(sigs, subject2, issuer1, nil)
+ matchErr = matchSignatures(sigs, subject2, "", issuer1, "", nil)
assert.Error(t, matchErr, "subject mismatch: expected *@nirmata.com, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22; issuer mismatch: expected https://token.actions.githubusercontent.com, received https://github.com/login/oauth")
- matchErr = matchSignatures(sigs, subject2, issuer2, extensions)
+ matchErr = matchSignatures(sigs, "", subject2RegExp, issuer1, "", nil)
+ assert.Error(t, matchErr, `subject mismatch: expected .+@nirmata\.com, received https://github.com/JimBugwadia/demo-java-tomcat/.github/workflows/publish.yaml@refs/tags/v0.0.22; issuer mismatch: expected https://token.actions.githubusercontent.com, received https://github.com/login/oauth`)
+
+ matchErr = matchSignatures(sigs, subject2, "", issuer2, "", extensions)
assert.ErrorContains(t, matchErr, "extension mismatch")
}
diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go
index c3d6c908bc0d..d248c47b0b4f 100644
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
@@ -639,7 +639,9 @@ func (iv *ImageVerifier) buildCosignVerifier(
opts.Roots = attestor.Keyless.Roots
opts.Issuer = attestor.Keyless.Issuer
+ opts.IssuerRegExp = attestor.Keyless.IssuerRegExp
opts.Subject = attestor.Keyless.Subject
+ opts.SubjectRegExp = attestor.Keyless.SubjectRegExp
opts.AdditionalExtensions = attestor.Keyless.AdditionalExtensions
}
diff --git a/pkg/images/verifier.go b/pkg/images/verifier.go
index 5deead8097f1..13e8f6421ff5 100644
--- a/pkg/images/verifier.go
+++ b/pkg/images/verifier.go
@@ -29,7 +29,9 @@ type Options struct {
CertChain string
Roots string
Subject string
+ SubjectRegExp string
Issuer string
+ IssuerRegExp string
AdditionalExtensions map[string]string
Annotations map[string]string
Repository string
diff --git a/pkg/logging/log.go b/pkg/logging/log.go
index a5ac2120b914..d2c3d9530a99 100644
--- a/pkg/logging/log.go
+++ b/pkg/logging/log.go
@@ -55,27 +55,9 @@ func InitFlags(flags *flag.FlagSet) {
// Setup configures the logger with the supplied log format.
// It returns an error if the JSON logger could not be initialized or passed logFormat is not recognized.
func Setup(logFormat string, loggingTimestampFormat string, level int) error {
- var zerologLevel zerolog.Level
- switch level {
- case 6:
- zerologLevel = zerolog.TraceLevel
- case 5:
- zerologLevel = zerolog.TraceLevel
- case 4:
- zerologLevel = zerolog.TraceLevel
- case 3:
- zerologLevel = zerolog.DebugLevel
- case 2:
- zerologLevel = zerolog.InfoLevel
- case 1:
- zerologLevel = zerolog.WarnLevel
- default:
- zerologLevel = zerolog.WarnLevel
- }
+ zerologr.SetMaxV(level)
- zerolog.SetGlobalLevel(zerologLevel)
var logger zerolog.Logger
-
switch logFormat {
case TextFormat:
output := zerolog.ConsoleWriter{Out: os.Stderr}
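Review bot: The removed switch also called `zerolog.SetGlobalLevel`, and nothing in the new code replaces it, so zerolog's global level stays at its default and only the logr V gate set by `zerologr.SetMaxV(level)` filters output; any code that logs through a zerolog logger directly rather than through logr is no longer limited by `level`. If that is intended, a comment above the call such as `// Verbosity is enforced by zerologr's V gate; zerolog's global level is intentionally left untouched.` would save the next reader the search. The mapping also appears to change — the old switch treated level 0 and 1 as warn-only, whereas zerologr's V gate presumably admits V(0) info logs at level 0 — which is worth a sentence in the commit description. Setup continues past the end of the hunk.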
diff --git a/pkg/webhooks/resource/handlers.go b/pkg/webhooks/resource/handlers.go
index 827be222fead..96deb10a86d8 100644
--- a/pkg/webhooks/resource/handlers.go
+++ b/pkg/webhooks/resource/handlers.go
@@ -11,13 +11,13 @@ import (
"github.com/alitto/pond"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ "github.com/kyverno/kyverno/pkg/breaker"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/config"
- "github.com/kyverno/kyverno/pkg/d4f"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/engine/policycontext"
@@ -64,7 +64,7 @@ type resourceHandlers struct {
admissionReports bool
backgroundServiceAccountName string
auditPool *pond.WorkerPool
- reportsBreaker d4f.Breaker
+ reportsBreaker breaker.Breaker
}
func NewHandlers(
@@ -85,7 +85,7 @@ func NewHandlers(
jp jmespath.Interface,
maxAuditWorkers int,
maxAuditCapacity int,
- reportsBreaker d4f.Breaker,
+ reportsBreaker breaker.Breaker,
) webhooks.ResourceHandlers {
return &resourceHandlers{
engine: engine,
diff --git a/pkg/webhooks/resource/imageverification/handler.go b/pkg/webhooks/resource/imageverification/handler.go
index 1e726159a6c4..115800c7b75a 100644
--- a/pkg/webhooks/resource/imageverification/handler.go
+++ b/pkg/webhooks/resource/imageverification/handler.go
@@ -7,9 +7,9 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ "github.com/kyverno/kyverno/pkg/breaker"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
"github.com/kyverno/kyverno/pkg/config"
- "github.com/kyverno/kyverno/pkg/d4f"
"github.com/kyverno/kyverno/pkg/engine"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
@@ -40,7 +40,7 @@ type imageVerificationHandler struct {
admissionReports bool
cfg config.Configuration
nsLister corev1listers.NamespaceLister
- reportsBreaker d4f.Breaker
+ reportsBreaker breaker.Breaker
}
func NewImageVerificationHandler(
@@ -51,7 +51,7 @@ func NewImageVerificationHandler(
admissionReports bool,
cfg config.Configuration,
nsLister corev1listers.NamespaceLister,
- reportsBreaker d4f.Breaker,
+ reportsBreaker breaker.Breaker,
) ImageVerificationHandler {
return &imageVerificationHandler{
kyvernoClient: kyvernoClient,
diff --git a/pkg/webhooks/resource/validation/validation.go b/pkg/webhooks/resource/validation/validation.go
index ffec49f53817..d344df0297b0 100644
--- a/pkg/webhooks/resource/validation/validation.go
+++ b/pkg/webhooks/resource/validation/validation.go
@@ -7,9 +7,9 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ "github.com/kyverno/kyverno/pkg/breaker"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
"github.com/kyverno/kyverno/pkg/config"
- "github.com/kyverno/kyverno/pkg/d4f"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/policycontext"
"github.com/kyverno/kyverno/pkg/event"
@@ -46,7 +46,7 @@ func NewValidationHandler(
metrics metrics.MetricsConfigManager,
cfg config.Configuration,
nsLister corev1listers.NamespaceLister,
- reportsBreaker d4f.Breaker,
+ reportsBreaker breaker.Breaker,
) ValidationHandler {
return &validationHandler{
log: log,
@@ -74,7 +74,7 @@ type validationHandler struct {
metrics metrics.MetricsConfigManager
cfg config.Configuration
nsLister corev1listers.NamespaceLister
- reportsBreaker d4f.Breaker
+ reportsBreaker breaker.Breaker
}
func (v *validationHandler) HandleValidationEnforce(
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md
new file mode 100644
index 000000000000..5c342638ffad
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/README.md
@@ -0,0 +1,8 @@
+## Description
+
+Verify image attestations with regexp subject
+
+## Expected Behavior
+
+The pod creation should pass.
+
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml
new file mode 100644
index 000000000000..29271af436b1
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyless-attestation-invalid-attestor
+spec:
+ timeouts:
+ delete: 2m
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
\ No newline at end of file
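Review bot: The test is named `keyless-attestation-invalid-attestor` while the directory and README describe a regexp-subject test whose pod creation is expected to pass; the name looks copied from a sibling test, and if chainsaw uses it for reporting or namespace naming, two tests sharing it will be hard to tell apart in results. Rename it to match the directory, `name: keyless-attestation-regexp`. The file also lacks a trailing newline.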
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml
new file mode 100644
index 000000000000..e47387521843
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml
new file mode 100644
index 000000000000..921f8ee74797
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml
new file mode 100644
index 000000000000..0556cd0c33b3
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy-assert.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-invalid-attestors-in-attestations
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
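Review bot: The assert only checks that the ClusterPolicy object exists, not that Kyverno has reconciled it and registered the webhook, so step-02 can apply the pod before the `verifyImages` rule is enforced and pass vacuously; with `background: false` nothing would catch that afterwards. If the other policy asserts in this suite wait on readiness, add the same condition here, e.g. `status:` / `ready: true` (or whichever `Ready` condition form the suite already uses).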
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml
new file mode 100644
index 000000000000..93e3c7b91235
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-invalid-attestors-in-attestations
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-invalid-attestation-attestor
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - validationFailureAction: Enforce
+ imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ attestations:
+ - type: https://slsa.dev/provenance/v0.2
+ attestors:
+ - count: 1
+ entries:
+ - keyless:
+ subjectRegExp: https://github\.com/slsa-framework/slsa-github-generator/\.github/workflows/generator_container_slsa3\.yml@.+
+ issuerRegExp: https://token\.actions\.githubusercontent.+
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
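Review bot: Both regular expressions are unanchored, and the issuer pattern ends in `.+` right after `githubusercontent`, so it also matches issuers such as `https://token.actions.githubusercontent.example` and any subject string that merely contains the generator path; cosign-style regexp checks typically use `MatchString`, which does not imply `^…$`. Anchor them and close the host: `subjectRegExp: ^https://github\.com/slsa-framework/slsa-github-generator/\.github/workflows/generator_container_slsa3\.yml@.+$` and `issuerRegExp: ^https://token\.actions\.githubusercontent\.com$`. Because this is a conformance fixture that users will copy, `ignoreSCT: true` deserves a one-line comment marking it as a test-only relaxation, e.g. `# test-only: skips SCT verification of the Fulcio certificate`, and the `@.+` ref wildcard (which also accepts branches) is worth a similar note.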