Merge branch 'release-1.13' into release-1-13-2-rc.1

Makefile

@@ -1142,8 +1142,8 @@ dev-lab-otel-collector: $(HELM) ## Deploy tempo helm chart
 .PHONY: dev-lab-metrics-server
 dev-lab-metrics-server: $(HELM) ## Deploy metrics-server helm chart
 	@echo Install metrics-server chart... >&2
-	@$(HELM) upgrade --install metrics-server --namespace kube-system --wait \
-		--repo https://charts.bitnami.com/bitnami metrics-server \
+	@$(HELM) install metrics-server oci://registry-1.docker.io/bitnamicharts/metrics-server \
+		--namespace kube-system --wait \
 		--values ./scripts/config/dev/metrics-server.yaml
 
 .PHONY: dev-lab-all

charts/kyverno-policies/Chart.yaml

@@ -28,3 +28,5 @@ annotations:
       description: Add spec.validate[*].failureAction field to policies
     - kind: fixed
       description: Fix the merging of policyExclude customizations to avoid wrong overrides
+    - kind: added
+      description: Add spec.validate[*].allowExistingViolations field to policies

charts/kyverno-policies/README.md

@@ -84,6 +84,7 @@ The command removes all the Kubernetes components associated with the chart and
 | validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
 | validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |
 | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
+| validationAllowExistingViolations | bool | `true` | Validate already existing resources. For more info https://kyverno.io/docs/writing-policies/validate. |
 | policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
 | policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
 | autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. |

charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml

@@ -68,6 +68,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
           FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)

charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml

@@ -52,6 +52,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
           spec.hostIPC, and spec.hostPID must be unset or set to `false`.

charts/kyverno-policies/templates/baseline/disallow-host-path.yaml

@@ -51,6 +51,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
         pattern:

charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml

@@ -51,6 +51,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
           , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort

charts/kyverno-policies/templates/baseline/disallow-host-process.yaml

@@ -52,6 +52,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
           spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,

charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml

@@ -50,6 +50,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
           and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.

charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml

@@ -52,6 +52,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Changing the proc mount from the default is not allowed. The fields
           spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,

charts/kyverno-policies/templates/baseline/disallow-selinux.yaml

@@ -50,6 +50,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Setting the SELinux type is restricted. The fields
           spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
@@ -98,6 +99,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Setting the SELinux user or role is forbidden. The fields
           spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,

charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml

@@ -53,6 +53,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Specifying other AppArmor profiles is disallowed. The annotation
           `container.apparmor.security.beta.kubernetes.io` if defined

charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml

@@ -51,6 +51,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Use of custom Seccomp profiles is disallowed. The fields
           spec.securityContext.seccompProfile.type,

charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml

@@ -54,6 +54,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Setting additional sysctls above the allowed type is disallowed.
           The field spec.securityContext.sysctls must be unset or not use any other names

charts/kyverno-policies/templates/other/require-non-root-groups.yaml

@@ -52,6 +52,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Running with root group IDs is disallowed. The fields
           spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
@@ -107,6 +108,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Containers cannot run with a root primary or supplementary GID. The field
           spec.securityContext.supplementalGroups must be unset or
@@ -137,6 +139,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Containers cannot run with a root primary or supplementary GID. The field
           spec.securityContext.fsGroup must be unset or set to a value greater than zero.

charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml

@@ -69,6 +69,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Containers must drop `ALL` capabilities.
         foreach:
@@ -122,6 +123,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Any capabilities added other than NET_BIND_SERVICE are disallowed.
         foreach:

charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml

@@ -50,6 +50,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Privilege escalation is disallowed. The fields
           spec.containers[*].securityContext.allowPrivilegeEscalation,

charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml

@@ -50,6 +50,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Running as root is not allowed. The fields spec.securityContext.runAsUser,
           spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,

charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml

@@ -51,6 +51,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
           must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,

charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml

@@ -53,6 +53,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Use of custom Seccomp profiles is disallowed. The fields
           spec.securityContext.seccompProfile.type,

charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml

@@ -70,6 +70,7 @@ spec:
         {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
         failureActionOverrides: {{ toYaml . | nindent 8 }}
         {{- end }}
+        allowExistingViolations: {{ .Values.validationAllowExistingViolations }}
         message: >-
           Only the following types of volumes may be used: configMap, csi, downwardAPI,
           emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.

charts/kyverno-policies/values.yaml

@@ -55,6 +55,10 @@ validationFailureActionOverrides:
   #     namespaces:
   #       - fluent
 
+# -- Validate already existing resources.
+# For more info https://kyverno.io/docs/writing-policies/validate.
+validationAllowExistingViolations: true
+
 # -- Exclude resources from individual policies.
 # Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map.
 policyExclude: {}

pkg/engine/api/policycontext.go

@@ -17,9 +17,9 @@ type PolicyContext interface {
 	NewResource() unstructured.Unstructured
 	OldResource() unstructured.Unstructured
 	SetResources(oldResource, newResource unstructured.Unstructured) error
+	SetOperation(kyvernov1.AdmissionOperation) error
 	AdmissionInfo() kyvernov2.RequestInfo
 	Operation() kyvernov1.AdmissionOperation
-	SetOperation(op kyvernov1.AdmissionOperation) error
 	NamespaceLabels() map[string]string
 	RequestResource() metav1.GroupVersionResource
 	ResourceKind() (schema.GroupVersionKind, string)

pkg/engine/handlers/validation/utils.go

@@ -1,14 +1,24 @@
 package validation
 
 import (
+	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
+	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/internal"
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
-func matchResource(resource unstructured.Unstructured, rule kyvernov1.Rule, namespaceLabels map[string]string, policyNamespace string, operation kyvernov1.AdmissionOperation) bool {
+func matchResource(logger logr.Logger, resource unstructured.Unstructured, rule kyvernov1.Rule, namespaceLabels map[string]string, policyNamespace string, operation kyvernov1.AdmissionOperation, jsonContext enginecontext.Interface) bool {
+	if rule.RawAnyAllConditions != nil {
+		preconditionsPassed, _, err := internal.CheckPreconditions(logger, jsonContext, rule.RawAnyAllConditions)
+		if !preconditionsPassed || err != nil {
+			return false
+		}
+	}
+
 	// cannot use admission info from the current request as the user can be different, if the rule matches on old request user info, it should skip
 	admissionInfo := kyvernov2.RequestInfo{
 		Roles:        []string{"kyverno:invalidrole"},

pkg/engine/handlers/validation/validate_assert.go

@@ -16,6 +16,7 @@ import (
 	enginectx "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/handlers"
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
+	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/client-go/tools/cache"
@@ -123,7 +124,7 @@ func (h validateAssertHandler) Process(
 		if action.Enforce() {
 			allowExisitingViolations := rule.HasValidateAllowExistingViolations()
 			if engineutils.IsUpdateRequest(policyContext) && allowExisitingViolations {
-				errs, err := validateOldObject(ctx, policyContext, rule, payload, bindings)
+				errs, err := validateOldObject(ctx, logger, policyContext, rule, payload, bindings)
 				if err != nil {
 					logger.V(4).Info("warning: failed to validate old object", "rule", rule.Name, "error", err.Error())
 					return resource, handlers.WithSkip(rule, engineapi.Validation, "failed to validate old object")
@@ -149,25 +150,37 @@ func (h validateAssertHandler) Process(
 	)
 }
 
-func validateOldObject(ctx context.Context, policyContext engineapi.PolicyContext, rule kyvernov1.Rule, payload map[string]any, bindings binding.Bindings) (field.ErrorList, error) {
+func validateOldObject(ctx context.Context, logger logr.Logger, policyContext engineapi.PolicyContext, rule kyvernov1.Rule, payload map[string]any, bindings binding.Bindings) (errs field.ErrorList, err error) {
 	if policyContext.Operation() != kyvernov1.Update {
 		return nil, nil
 	}
 
 	oldResource := policyContext.OldResource()
 
-	if ok := matchResource(oldResource, rule, policyContext.NamespaceLabels(), policyContext.Policy().GetNamespace(), kyvernov1.Create); !ok {
-		return nil, nil
+	if err := policyContext.SetOperation(kyvernov1.Create); err != nil { // simulates the condition when old object was "created"
+		return nil, errors.Wrapf(err, "failed to set operation")
 	}
 
 	payload["object"] = policyContext.OldResource().Object
 	payload["oldObject"] = nil
 	payload["operation"] = kyvernov1.Create
 
-	asserttion := assert.Parse(ctx, rule.Validation.Assert.Value)
-	errs, err := assert.Assert(ctx, nil, asserttion, payload, bindings)
-	if err != nil {
-		return nil, fmt.Errorf("failed to apply assertion: %w", err)
+	defer func() {
+		if err = policyContext.SetOperation(kyvernov1.Update); err != nil {
+			logger.Error(errors.Wrapf(err, "failed to reset operation"), "")
+		}
+
+		payload["object"] = policyContext.NewResource().Object
+		payload["oldObject"] = policyContext.OldResource().Object
+		payload["operation"] = kyvernov1.Update
+	}()
+
+	if ok := matchResource(logger, oldResource, rule, policyContext.NamespaceLabels(), policyContext.Policy().GetNamespace(), kyvernov1.Create, policyContext.JSONContext()); !ok {
+		return
 	}
-	return errs, nil
+
+	assertion := assert.Parse(ctx, rule.Validation.Assert.Value)
+	errs, err = assert.Assert(ctx, nil, assertion, payload, bindings)
+
+	return
 }