realshuting · realshuting · May 20, 2024 · May 20, 2024 · May 20, 2024 · May 20, 2024
diff --git a/.chainsaw.yaml b/.chainsaw.yaml
@@ -0,0 +1,15 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+  name: configuration
+spec:
+  timeouts:
+    assert: 90s
+    error: 90s
+  parallel: 1
+  fullName: true
+  failFast: true
+  excludeTestRegex: '_.+'
+  forceTerminationGracePeriod: 5s
+  delayBeforeCleanup: 3s
+  template: false
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -0,0 +1,34 @@
+FROM ubuntu:24.04@sha256:2e863c44b718727c860746568e1d54afd13b2fa71b160f5cd9058fc436217b30
+
+RUN apt-get update && apt-get install -y sudo git curl apt-transport-https ca-certificates gnupg-agent software-properties-common
+ARG USERNAME=root
+RUN echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
+    && chmod 0440 /etc/sudoers.d/$USERNAME
+
+# Install Golang
+RUN ARCH="$(dpkg --print-architecture)"; \
+    curl -LO https://dl.google.com/go/go1.21.3.linux-$ARCH.tar.gz \
+    && tar -C /usr/local -xzf go1.21.3.linux-$ARCH.tar.gz \
+    && rm go1.21.3.linux-$ARCH.tar.gz \
+    && echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
+
+# Install Docker
+# Install Docker
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+RUN echo \
+    "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
+    $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+RUN apt-get update && apt-get install -y docker-ce docker-ce-cli containerd.io
+
+# Install kubectl and Minikube
+RUN ARCH="$(dpkg --print-architecture)"; \
+    curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/$ARCH/kubectl \
+    && chmod +x kubectl && mv kubectl /usr/local/bin/ \
+    && curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-$ARCH \
+    && install minikube-linux-$ARCH /usr/local/bin/minikube \
+    && minikube config set driver docker
+
+# Expose ports for Minikube and Docker
+EXPOSE 22 80 2375 8443
+
+CMD ["/bin/bash"]
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,10 @@
+// See https://containers.dev/implementors/json_reference/ for configuration reference
+{
+    "name": "Kyverno",
+    "build": {
+        "dockerfile": "Dockerfile"
+    },
+    "remoteUser": "root",
+    "mounts": ["source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"],
+    "runArgs": ["--privileged", "--network=host", "-p", "22:22", "-p", "80:80", "-p", "2375:2375", "-p", "8443:8443"]
+}
diff --git a/.github/ISSUE_TEMPLATE/bug-cli.yaml b/.github/ISSUE_TEMPLATE/bug-cli.yaml
@@ -14,25 +14,37 @@ body:
       description: >-
         What version of the Kyverno CLI are you running (`kyverno version`)?
       options:
-        - 1.4.x
-        - 1.5.x
-        - 1.6.0
-        - 1.6.1
-        - 1.6.2
-        - 1.6.3
-        - 1.7.0
-        - 1.7.1
-        - 1.7.2
-        - 1.7.3
-        - 1.7.4
-        - 1.7.5
         - 1.8.0
         - 1.8.1
         - 1.8.2
         - 1.8.3
         - 1.8.4
         - 1.8.5
         - 1.9.0
+        - 1.9.1
+        - 1.9.2
+        - 1.9.3
+        - 1.9.4
+        - 1.9.5
+        - 1.10.0
+        - 1.10.1
+        - 1.10.2
+        - 1.10.3
+        - 1.10.4
+        - 1.10.5
+        - 1.10.6
+        - 1.11.0
+        - 1.11.1
+        - 1.11.2
+        - 1.11.3
+        - 1.11.4
+        - 1.11.5
+        - 1.12.0
+        - 1.12.1
+        - 1.12.2
+        - 1.12.3
+        - 1.12.4
+        - 1.12.5
     validations:
       required: true
   - type: textarea
@@ -84,7 +96,7 @@ body:
       description: >-
         Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
         Kyverno CLI logs may be found by passing the -v flag to any command.
-      render: shell
+      render: Shell
   - type: input
     id: slack
     attributes:

diff --git a/.github/ISSUE_TEMPLATE/bug-other.yaml b/.github/ISSUE_TEMPLATE/bug-other.yaml
@@ -13,25 +13,37 @@ body:
       label: Kyverno Version
       description: What version of Kyverno are you running?
       options:
-        - 1.4.x
-        - 1.5.x
-        - 1.6.0
-        - 1.6.1
-        - 1.6.2
-        - 1.6.3
-        - 1.7.0
-        - 1.7.1
-        - 1.7.2
-        - 1.7.3
-        - 1.7.4
-        - 1.7.5
         - 1.8.0
         - 1.8.1
         - 1.8.2
         - 1.8.3
         - 1.8.4
         - 1.8.5
         - 1.9.0
+        - 1.9.1
+        - 1.9.2
+        - 1.9.3
+        - 1.9.4
+        - 1.9.5
+        - 1.10.0
+        - 1.10.1
+        - 1.10.2
+        - 1.10.3
+        - 1.10.4
+        - 1.10.5
+        - 1.10.6
+        - 1.11.0
+        - 1.11.1
+        - 1.11.2
+        - 1.11.3
+        - 1.11.4
+        - 1.11.5
+        - 1.12.0
+        - 1.12.1
+        - 1.12.2
+        - 1.12.3
+        - 1.12.4
+        - 1.12.5
     validations:
       required: true
   - type: textarea

diff --git a/.github/ISSUE_TEMPLATE/bug-webhook.yaml b/.github/ISSUE_TEMPLATE/bug-webhook.yaml
@@ -13,25 +13,37 @@ body:
       label: Kyverno Version
       description: What version of Kyverno are you running?
       options:
-        - 1.4.x
-        - 1.5.x
-        - 1.6.0
-        - 1.6.1
-        - 1.6.2
-        - 1.6.3
-        - 1.7.0
-        - 1.7.1
-        - 1.7.2
-        - 1.7.3
-        - 1.7.4
-        - 1.7.5
         - 1.8.0
         - 1.8.1
         - 1.8.2
         - 1.8.3
         - 1.8.4
         - 1.8.5
         - 1.9.0
+        - 1.9.1
+        - 1.9.2
+        - 1.9.3
+        - 1.9.4
+        - 1.9.5
+        - 1.10.0
+        - 1.10.1
+        - 1.10.2
+        - 1.10.3
+        - 1.10.4
+        - 1.10.5
+        - 1.10.6
+        - 1.11.0
+        - 1.11.1
+        - 1.11.2
+        - 1.11.3
+        - 1.11.4
+        - 1.11.5
+        - 1.12.0
+        - 1.12.1
+        - 1.12.2
+        - 1.12.3
+        - 1.12.4
+        - 1.12.5
     validations:
       required: true
   - type: dropdown
@@ -40,13 +52,15 @@ body:
       label: Kubernetes Version
       description: What version of Kubernetes are you running?
       options:
-        - 1.20.x
         - 1.21.x
         - 1.22.x
         - 1.23.x
         - 1.24.x
         - 1.25.x
         - 1.26.x
+        - 1.27.x
+        - 1.28.x
+        - 1.29.x
     validations:
       required: true
   - type: dropdown
@@ -61,6 +75,7 @@ body:
         - KinD
         - Minikube
         - K3d
+        - K3s
         - OpenShift
         - VMware Tanzu (specify in description)
         - Bare metal
@@ -133,7 +148,7 @@ body:
         This will be automatically formatted into code, so no need for backticks.
         For help on how to view Pod logs in Kubernetes, see [here](https://kubernetes.io/docs/tasks/debug-application-cluster/debug-running-pod/#examine-pod-logs).
         For guidance on how to enable more verbose log output in Kyverno, see [the documentation](https://kyverno.io/docs/troubleshooting/#policies-are-partially-applied).
-      render: shell
+      render: Shell
   - type: input
     id: slack
     attributes:

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -25,6 +25,13 @@ Add the milestone label by commenting `/milestone 1.2.3`.
 
 -->
 
+## Documentation (required for features)
+
+My PR contains new or altered behavior to Kyverno. 
+- [ ] I have sent the draft PR to add or update [the documentation](https://github.com/kyverno/website) and the link is:
+  <!-- Uncomment to link to the PR -->
+  <!-- https://github.com/kyverno/website/pull/123 -->
+
 ## What type of PR is this
 
 <!--
@@ -99,12 +106,6 @@ them, don't hesitate to ask. We're here to help! This is simply a reminder of wh
 - [ ] My PR needs to be cherry picked to a specific release branch which is <replace>.
 - [ ] My PR contains new or altered behavior to Kyverno and
   - [ ] CLI support should be added and my PR doesn't contain that functionality.
-  - [ ] I have added or changed [the documentation](https://github.com/kyverno/website) myself in an existing PR and the link is:
-  <!-- Uncomment to link to the PR -->
-  <!-- https://github.com/kyverno/website/pull/123 -->
-  - [ ] I have raised an issue in [kyverno/website](https://github.com/kyverno/website) to track the documentation update and the link is:
-  <!-- Uncomment to link to the issue -->
-  <!-- https://github.com/kyverno/website/issues/1 -->
 
 ## Further Comments
 

diff --git a/.github/actions/kyverno-logs/action.yaml b/.github/actions/kyverno-logs/action.yaml
@@ -9,15 +9,14 @@ runs:
       run: |
         kubectl get mutatingwebhookconfigurations
         kubectl get validatingwebhookconfigurations
+        kubectl auth can-i --list --as system:serviceaccount:kyverno:kyverno-background-controller 
     - shell: bash
       run: |
         kubectl -n kyverno get pod
         kubectl -n kyverno describe pod | grep -i events -A10
     - shell: bash
       run: |
-        kubectl -n kyverno logs deploy/kyverno --all-containers -p || true
-        kubectl -n kyverno logs deploy/kyverno-cleanup-controller --all-containers -p || true
-    - shell: bash
-      run: |
-        kubectl -n kyverno logs deploy/kyverno --all-containers
+        kubectl -n kyverno logs deploy/kyverno-admission-controller --all-containers
+        kubectl -n kyverno logs deploy/kyverno-background-controller --all-containers
+        kubectl -n kyverno logs deploy/kyverno-reports-controller --all-containers
         kubectl -n kyverno logs deploy/kyverno-cleanup-controller --all-containers
diff --git a/.github/actions/kyverno-wait-ready/action.yaml b/.github/actions/kyverno-wait-ready/action.yaml
@@ -7,4 +7,4 @@ runs:
   steps:
     - shell: bash
       run: |
-        kubectl wait --namespace kyverno --for=condition=ready pod --all --timeout=60s
+        kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
diff --git a/.github/actions/publish-image/action.yaml b/.github/actions/publish-image/action.yaml
@@ -0,0 +1,88 @@
+name: Publish image
+
+description: Publishes a docker image, SBOM, scans vulns, and signs the image.
+
+inputs:
+  makefile-target:
+    required: true
+    description: makefile target to invoke for publishing image with ko
+  registry:
+    required: true
+    description: registry to publish image to
+  registry-username:
+    required: true
+    description: registry credentials username
+  registry-password:
+    required: true
+    description: registry credentials password
+  repository:
+    required: true
+    description: repository to publish image to
+  version:
+    required: true
+    description: published image version
+  sign-image:
+    required: true
+    description: sign image
+  sbom-name:
+    required: true
+    description: name of the cyclonedx sbom
+  sbom-repository:
+    required: true
+    description: sbom repository
+  signature-repository:
+    required: true
+    description: signature repository
+  main-path:
+    required: true
+    description: path to main go entry point
+
+outputs:
+  digest:
+    value: ${{ steps.digest.outputs.digest }}
+    description: published image digest
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      id: ko-publish
+      env:
+        REGISTRY: ${{ inputs.registry }}
+        REPO: ${{ inputs.repository }}
+        REGISTRY_PASSWORD: ${{ inputs.registry-password }}
+        COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
+      run: |
+        set -e
+        echo "digest=$(VERSION=${{ inputs.version }} make ${{ inputs.makefile-target }})" >> $GITHUB_OUTPUT
+    - uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0
+      with:
+        version: v1
+        args: app -licenses -json -output ${{ inputs.sbom-name }}-bom.cdx.json -main ${{ inputs.main-path }}
+    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      with:
+        name: ${{ inputs.sbom-name }}-bom-cdx
+        path: ${{ inputs.sbom-name }}-bom.cdx.json
+    - shell: bash
+      if: ${{ inputs.sign-image == 'true' }}
+      env:
+        COSIGN_REPOSITORY: ${{ inputs.signature-repository }}
+      run: |
+        set -e
+        cosign sign --yes \
+          -a "repo=${{ github.repository }}" \
+          -a "workflow=${{ github.workflow }}" \
+          -a "ref=${{ github.sha }}" \
+          ${{ steps.ko-publish.outputs.digest }}
+    - shell: bash
+      env:
+        COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
+      run: |
+        cosign attach sbom --sbom ./${{ inputs.sbom-name }}-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
+    - shell: bash
+      id: digest
+      run: |
+        echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
+        DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
+        echo "Digest from image is: $DIGEST"
+        echo "digest=$DIGEST" >> $GITHUB_OUTPUT