-------------------------------------------------------------------
Thu Feb 02 06:49:27 UTC 2023 - kastl@b1-systems.de
- Update to version 1.9.0:
* tag v1.9.0 (#6186)
* fix: policy exception event source (#6122)
* Release v1.9.0-rc.4 (#6108)
* fix: tracing attributes length and tracer name (#6112)
* fix: cleanup-controller version (#6100) (#6105)
* fix: flag added to init container mistake (#6103)
* fix: allow deletion of namespace containing managed resources (#6098) (#6102)
* Release v1.9.0-rc.3 (#6095)
* validate polex activation and namespace (#6046) (#6080)
* fix: pin busybox image tag in helm tests (#6051) (#6063)
* fix: replace + with _ in Chart.Version label field (#6047) (#6056)
* cherry-pick #6030 (#6034)
* tag v1.9.0-rc.2 (#6023)
* fix ns labels matching (#6022)
* tag v1.9.0-rc.1 (#6012)
* fix: policy match Kind case-sensitive (#6010)
* fix: policy exceptions not working in background mode (#5980) (#6003)
* chore: log out cleanup policy events (#5998) (#6000)
* create failure events on errors (#5988) (#5997)
* fix: generate policy exception events (#5987) (#5996)
* cherry-pick #5920 (#5990)
* Fixes time_now failing (cherry-pick 5928) (#5991)
* create events for cleanup policies (#5982) (#5983)
* fix: invoke cleanup process during shutdown (#5974) (#5981)
* cherry-pick #5967 (#5970)
* log out deleted resources at default level (#5977) (#5978)
* fix: helm selector (#5965) (#5969)
* feat: add cluster role aggregation to cleanup controller (#5966) (#5968)
* fix chart invalid annotations (#5960) (#5963)
* tag v1.9.0-beta.2 (#5959)
* fix imageRef matching (#5956) (#5957)
* cherry-pick #5950 (#5955)
* Cherry-pick #5941 (#5952)
* fix: update policy exception CRD description (#5948) (#5951)
* chore: fix releaser badge (#5910) (#5947)
* Added a time_add() filter to add duration and absolute time (#5817) (#5946)
* fix: cleanup policies with user infos in match/exclude should be rejected (#5943) (#5944)
* test: add kuttl test for policy exception (#5935) (#5936)
* fix: missing user info matching (#5931) (#5934)
* chore: add missing gh workflow concurrency statements (#5914) (#5924)
* restrict cjs by PSS restricted checks (#5904) (#5922)
* fix: Configure webhook to add ephemeralcontainers for policies matching on Pod (#5886) (#5919)
* fix: golangci-lint workflow (#5913) (#5917)
* set resourceVersion before update (#5906) (#5916)
* fix: configure gh workflow permission (#5909) (#5915)
* chore: make check actions pinned by hash a standalone ci job (#5907) (#5911)
* feat: add violation details to report.results.properties for PSa policies (#5908) (#5912)
* Adds JMESPath filter for returning cron expression for absolute time (#5814) (#5905)
* chore: add setup test env gh action (#5897) (#5899)
* chore: add setup-build-env gh action (#5892) (#5896)
* fix cleanup var 'target.*' (#5888) (#5895)
* add kuttl assert file (#5870) (#5894)
* chore: small gh workflows improvements (#5883) (#5887)
* chore: use gh composite actions (#5885) (#5893)
* fix: Add group to subresources declaration in value.yaml file for CLI (#5881) (#5884)
* refactor: improve background scan reconciliation (#5871) (#5882)
* fix: Add subresources support to policy exceptions (#5839) (#5880)
* fix validation checks for foreach and nested foreach (#5875) (#5877)
* fix: force background scan recomputation (#5865) (#5868)
* fix: background scan events (#5807) (#5874)
* feat: cleanup enhancements-1 (cherry-pick #5796) (#5867)
* fix mutate targets variable (#5862) (#5866)
* chore: move ConvertToUnstructured from engine utils to kube utils (#5847) (#5863)
* cleanup new validate webhooks (#5851) (#5857)
* Walk back change in PSS policy to send to to_upper (#5823) (#5856)
* cherry-pick #5846 (#5855)
* feat: improve background scan reports enqueue logic (#5810) (#5853)
* chore: cleanup a couple workflows (#5844) (#5854)
* fix: improve cli help message (#5843) (#5849)
* chore: bump a couple of deps (#5840) (#5850)
* refactor: move utils into sub packages (#5828) (#5845)
* chore: add a couple unit tests (#5834) (#5842)
* chore: cleanup codecov workflow (#5829) (#5838)
* fix: enum values for ValidationFailureActionOverride (#5835) (#5836)
* fix: default value for validationFailureAction (#5832) (#5833)
* Adds JMESPath filter for returning current time (#5813) (#5831)
* add source archive checksum into the checksums.txt (#5819) (#5827)
* Adds notes to functions (#5824) (#5826)
* fix: error handling in last scan time parsing (#5808) (#5809)
* fix arguments passed to DeepEqual (#5801) (#5806)
* refactor: policy controller package (#5747) (#5803)
* enhance logging, fix pull flag description (#5797) (#5798)
* chore: switch to kyverno/kuttl (#5504) (#5794)
* fix cli output adjustments (#5787) (#5793)
* redirect stderr to get digest successfully (#5782) (#5791)
* chore: update publicKey description (#5789) (#5792)
* fix delete policy (#5776) (#5790)
* fix helm chart version (#5775)
* bump dep (#5765)
* fix image digest (#5762)
* tag v1.9.0-beta.1 (#5761)
* chore(deps): bump JasonEtco/create-an-issue from 2.8.2 to 2.9.0 (#5760)
* chore(deps): bump fluxcd/flux2 from 0.37.0 to 0.38.1 (#5759)
* chore(deps): bump actions/cache from 3.0.11 to 3.2.0 (#5758)
* refactor: move util funcs in sub packages (#5754)
* refactor: cleanup controller validating webhook (#5756)
* test: add unit test for GetResourceName util (#5752)
* refactor: auth package and add full unit test coverage (#5749)
* chore: bump deps including k8s ones (#5751)
* refactor: remove common package (#5750)
* refactor: use typed client in auth (#5743)
* refactor: remove a couple of old util funcs (#5746)
* chore: remove e2e tests (#5742)
* Issue_templates (#5741)
* chore: remove autogen internals tests (#5740)
* fix: cleanup controller image build (#5739)
* chore: build cleanup controller image (#5737)
* generate SLSA provenance on releases (#5735)
* run conformance tests on different k8s versions (#5733)
* Allows {{image}} var to be used in policies (#5122)
* refactor: split CLI jp command (#5566)
* chore: update k8s versions test grid (#5732)
* feat: add exception logic (#5712)
* fix: remove all category from all our CRDs (#5731)
* feat: force background scan regularly (#5727)
* add rule type pkg/metrics/parsers.go (#5729)
* bump Go 1.19.4 (#5728)
* Revert "chore(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.1 (#5724)" (#5725)
* chore(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.1 (#5724)
* feat: propagate psa checks results (#5719)
* fix: add back install.yaml manifest (#5721)
* refactor: suppress usage of kustomize in build (#5691)
* Require predicate type (#5713)
* fix logger panic (#5715)
* fix: interface conversion panic (#5708)
* fix missing assignment (#5710)
* feat: add kuttl tests for #5704 (#5707)
* fix: allow policies from stdin in apply again (#5668)
* initialize configmap resolver in background components (#5705)
* feat: Implement PolicyException (#5680)
* fix digest and verify logic (#5703)
* fix: block policy admission if kyverno is down (#5677)
* fix info kind error (#5701)
* fix: exception validation follow up (#5697)
* chore(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#5696)
* feat: add policy exception validation webhook (#5679)
* chore(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#5695)
* chore: bump a couple of deps (#5688)
* chore(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2 (#5694)
* chore(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#5683)
* fix: bump log level for autogen debug logs (#5687)
* chore: remove deprecated flag splitPolicyReport (#5686)
* chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#5684)
* chore(deps): bump JasonEtco/create-an-issue from 2.8.1 to 2.8.2 (#5685)
* chore: remove secrets client from webhook controller (#5682)
* chore: rename exclude into match in policy exception (#5681)
* fix: case where deny message is not a string (#5678)
* feat: Introduce PolicyException CRD (#5662)
* feat: add certs controller to cleanup policies (#5671)
* chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 (#5666)
* Update version drop-downs in issue templates (#5674)
* fix AllNotIn operator (#5636)
* chore(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 (#5663)
* chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#5667)
* feat: add engine traces (#5463)
* use camel case for ForEach naming (#5660)
* feat: add metrics service and service monitor to cleanup controller (#5653)
* Support existing imagePullSecrets for image verify functionality (#5627)
* Nested foreach (#5589)
* chore(deps): bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#5652)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.1 (#5650)
* feat: add dev config with support for prom loki and tempo (#5647)
* fix: grafana dashboard (#5645)
* fix: missing permission in cleanup controller role (#5646)
* refactor: tracing package (#5643)
* added Arrikto and Trendyol as adopters (via Google Form) (#5644)
* feat: improve cleanup policies controller and chart (#5628)
* feat: add support for subresources to validating and mutating policies (#4916)
* fix: Improve helm-test workflow (#5640)
* feat: propagate context through engine (#5639)
* chore(deps): bump github/codeql-action from 2.1.35 to 2.1.36 (#5631)
* feat: add conditions matching to cleanup controller (#5626)
* fix: setup tracing and minor cleanup in tracing and metrics code (#5629)
* feat: add http clients tracing (#5630)
* chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 (#5632)
* chore(deps): bump k8s.io/cli-runtime from 0.25.4 to 0.25.5 (#5635)
* Add api docs (#5605)
* feat: use lister in registry client (#5620)
* fix: registry client not propagated correctly (#5622)
* fix: don't create orphan spans in instrumented clients (#5624)
* feat: introduce v2alpha1 (#5625)
* feat: implement cleanup policy matching (#5614)
* fix nil error panic (#5619)
* chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#5618)
* add 1.8.3 to version drop-downs (#5616)
* fix: mutation of cached object in bg scan controller (#5608)
* refactor: registry client (#5596)
* use helm values for crd labels (#5594)
* chore: bump a couple of deps (#5611)
* chore(deps): bump reviewdog/action-golangci-lint from 1.25.0 to 2.2.2 (#5603)
* chore(deps): bump azure/setup-helm from 1.1 to 3.4 (#5604)
* refactor: improve color management in cli test (#5609)
* chore: bump a couple of deps (#5610)
* chore(deps): bump CycloneDX/gh-gomod-generate-sbom from 1.0.0 to 1.1.0 (#5601)
* feat: add cleanup handler (#5576)
* chore(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 (#5602)
* Fix: handling unexpected global-anchor-variable for the apply command (#5590)
* chore: bump a couple of deps (#5593)
* fix: use lister for CA secret (#5598)
* add logging guideline (#5406)
* Delete category all from CRDs (#5557)
* refactor: update otlp packages (#5367)
* chore: bump flux action (#5578)
* chore(deps): bump aquasecurity/trivy-action from 0.2.3 to 0.8.0 (#5584)
* fix: replace + symbol with _ symbol on the Chart.Version field (#5591)
* chore(deps): bump helm/chart-testing-action from 2.0.1 to 2.3.1 (#5586)
* chore(deps): bump rajatjindal/krew-release-bot from 0.0.38 to 0.0.43 (#5588)
* chore(deps): bump ossf/scorecard-action from 2.0.4 to 2.0.6 (#5587)
* chore(deps): bump actions/setup-go from 2.1.5 to 3.4.0 (#5585)
* chore(deps): bump actions/setup-python from 2.3.1 to 4.3.0 (#5562)
* chore(deps): bump sonarsource/sonarcloud-github-action from 1.7 to 1.8 (#5563)
* chore(deps): bump codecov/codecov-action from 2.1.0 to 3.1.1 (#5573)
* chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#5559)
* adding --warn-exit-code flag (#5577)
* feat: add cleanup controller BYOSA and RBAC extensions (#5580)
* chore(deps): bump goreleaser/goreleaser-action from 2.8.0 to 3.2.0 (#5572)
* chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#5574)
* chore(deps): bump JasonEtco/create-an-issue from 2.8.0 to 2.8.1 (#5571)
* chore: disable dependabot auto rebase (#5567)
* chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 (#5560)
* refactor: jmespath arithmetic operations (#5544)
* chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.1 (#5561)
* chore(deps): bump actions/checkout from 2.4.0 to 3.1.0 (#5564)
* chore(deps): bump actions/cache from 3.0.8 to 3.0.11 (#5565)
* refactor: cli test command (#5550)
* refactor: cli jp command (#5552)
* add Wayfair to adopters (#5547)
* Kyverno CLI: added method to detect duplicate resource in kyverno test (#3612)
* To support gitURLs for "apply" command (#4502)
* issue-4613: Add support for cache enhancements with informers (#5484)
* chore(deps): bump stefanprodan/helm-gh-pages from 1.5.0 to 1.7.0 (#5534)
* chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#5532)
* chore(deps): bump github/codeql-action from 1.0.26 to 2.1.35 (#5536)
* bump slsa GH generator to 1.4.0 (#5530)
* chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 (#5535)
* chore(deps): bump sigstore/cosign-installer from 2.8.0 to 2.8.1 (#5533)
* chore: enable dependabot (#5531)
* refactor: make policy context immutable and fields private (#5523)
* configure opentelemetry logger (#5513)
* feat: support attestations with multiple signatures (#5409)
* fix: bug in report resource watcher (#5525)
* Adding Rafay Systems to Kyverno Adopters list. (#5524)
* feat: Add default CI test values for helm charts (#5518)
* feat(policies chart): Add ability to set autogen behavior (#5517)
* fix: cleanup policy validation (#5514)
* fix: pod anti affinity (#5516)
* chore: improve cleanup controller (#5509)
* feat: use admission review v1 (#5464)
* refactor: use internal cmd package in kyverno (#5507)
* chore: bump a few deps (#5512)
* chore: stop using set-output in gh actions (#5500)
* refactor: add controller helper to internal package (#5506)
* chore: use builtin slices.Clone (#5510)
* feat: add webhook type to admission metrics (#5493)
* feat: propagate context to dynamic client (#5495)
* chore: bump a couple of deps (#5503)
* feat: add controller metrics (#5494)
* fix: panic when response is nil (#5502)
* fix: report deletion fighting with garbage collection (#5486)
* feat: add dynamic client support to internal cmd package (#5477)
* Migrate all mutate e2e tests to kuttl and expand (#5491)
* chore: replace utils.ContainsString with builtin slices.Contains (#5496)
* fix: add image extractor for ReplicationController (#5497)
* refactor: move metrics closer to the code that use them (#5492)
* chore: refactor metrics namespace check (#5489)
* Migrate validate e2e tests to kuttl tests (#5483)
* Fix: handled skip rule processing in anyPattern field (#5191)
* feat: propagate context to the metrics package (#5479)
* fix: fix mutating the "/metadata/serverAddress" section of a keda.s/v1alpha1/ScaledObject object (#5374)
* feat: add allowed label to admission metrics (#5478)
* chore: bump kyverno version in argo lab (#5482)
* fix: typo in autogen package (#5480)
* chore: improve tracing instrumented clients (#5474)
* refactor: metrics configuration code (#5475)
* feat: create a policy utils package (#5473)
* Add reconciling logic for creating cronjobs whenever a new cleanup policy is created (#5385)
* feat: add new filtering handlers (#5472)
* fix: remove filtering for policy admission handlers (#5462)
* fix: add clone check before validating namespace policy (#5459)
* fix: issue when calling kustomize concurrently (#5465)
* feat: support flagsets in internal cmd package (#5461)
* chore: add instrumented clients codegen verification (#5460)
* fix: reading policies for oci command and pushing image (#5435)
* fix: admission reports stacking up (#5457)
* docs: add controllers README (#5434)
* fix: log watcher error in reports controller (#5449)
* ci: cancel redundant builds of workflow on push (#5427)
* feat: use client funcs from internal cmd package (#5443)
* docs: add reports troubleshooting tips (#5448)
* fix: argocd lab monitoring namespace (#5446)
* fix: mutate existing policy does not get applied when background=false (#5439)
* feat: add signal in internal cmd package (#5444)
* feat: improve handlers tracing code (#5442)
* chore: bump a bunch of deps (#5440)
* feat: add logging support to instrumented clients (#5438)
* feat: add discovery support in instrumented clients (#5437)
* refactor: dynamic client use instrumented clients (#5436)
* fix request.operation in globalValues is always set to CREATE (#5423)
* chore: remove obsolete metrics client code (#5401)
* refactor: improve instrumented clients code and support dynamic/metadata client (#5428)
* refactor: split argocd lab into multiple steps (#5410)
* Fix multi attestor keyless (#5432)
* Handle Match resources kind (#5421)
* update slsa to v1.3.0 (#5419)
* chore: bump sigstore deps (#5376)
* fix blank lines in crds (#5422)
* refactor: improve instrumented clients creation (#5417)
* logging action (#5416)
* adding --audit-warn flag (#5321)
* Update version drop-downs; bump Trivy (#5425)
* Add most basic kuttl tests for generate rules, clone and sync (#5413)
* fix: typo (#5415)
* feat: make traces better (#5412)
* refactor: introduce cmd internal package (#5404)
* refactor: generated instrumented client code part 2 (#5398)
* feat: add tracing middleware (#5397)
* Fixed issue-3709: Image verify rule gives error for non-existing configmap (#5272)
* add os.Exit (#5402)
* Complete all basic kuttl tests for generate rules, clone and no-sync (#5400)
* refactor: generate instrumented client code (#5362)
* refactor: propagate context through admission handlers (#5392)
* refactor: improve tracing package (#5391)
* [Bug]: Fix wildcard any/all issue (#5387)
* Fix incorrect step ID reference (#5388)
* fix the entry length validation for the verify image rule (#5384)
* Add more kuttl generate test cases (#5364)
* fix: set correct logger in profiling server (#5358)
* fix closed watchers in the resource-report-controller (#5350)
* fix: set logger in metrics server (#5319)
* fixed dryrun option to handle changes caused by mutating policy (#4899)
* fix: add validation for generate namespace policy (#5346)
* chore: add tempo to argocd lab (#5365)
* chore: add performance tests tool (#5241)
* fix: panic when disable metrics is true (#5366)
* feat: add CleanupPolicy validation code to CleanupPolicyHandler (#5338)
* test: simplify autogen kuttl tests (#5343)
* chore: enable json logs in argocd lab (#5349)
* fix digest variable (#5356)
* chore: add helm ci values with cleanup controller (#5357)
* fix: add some missing options in cleanup helm chart (#5351)
* add test cases for yaml verification feature (#5326)
* refactor: optimise and use kuttl TestStep with tests (#5328)
* test: add rbac kuttl test (#5337)
* Update SLSA generator workflow to v1.2.2 (#5323)
* test: add kuttl debug failure (#5339)
* fix: add replicaset and replicationController kinds in podsecurity validation (#5336)
* feat: add cleanup controller to helm chart (#5329)
* chore: remove docker support (#5324)
* chore: add cli binary to gitignore (#5331)
* test: add test to check expected webhooks are created (#5330)
* feat: add cleanup controller makefile targets (#5327)
* feat: add replicaset and replicationcontroller to autogen (#4975)
* feat: add cleanupPolicy validation code (#5279)
* fix: synchronize source resource update to clone list resource (#5317)
* allow list with policies in test (#5227)
* test: add kuttl tests for jmespath special chars (#5310)
* Fix issue where CLI test command ignores failures (#5189)
* fix: wrong logger used (#5311)
* fix: send notification when stopping watching resource in reports system (#5298)
* fix: add parsing of json pointers to support special chars (#3578 #3616) (#4767)
* fix: set rule response status as skip if precondition failed (#5162)
* Update kuttl test scaffolding (#5303)
* fix: reduce startup probe delay (#5296)
* tests: add kuttl tests for multiple clone generate (#5280)
* fix: allow delete of clone target resource with synchronize false (#5161)
* fix: image extractor kuttl tests (#5293)
* fix: check policy is ready in kuttl tests (#5286)
* fix: kuttl test external-service (#5287)
* chore: update kuttl (#5285)
* fix: make zapr compatible with klog's -v argument (#5166)
* feat: add flag to control leader election frequency (#5172)
* refactor: admission metrics (counter and latency) (#5245)
* fix: resource schema validation in policies under any/all match (#5246)
* fix: keep admission warnings (#5269)
* add test instructions (#5271)
* chore: add kuttl autogen tests (#5253)
* fix: add missing test suite to kuttl (#5268)
* fix: account for error rules in mutation webhook (#5264)
* refactor: admission response utils (#5234)
* feat: create cleanup new CRDs (#5233)
* chore: remove old conformance tests files (#5260)
* fix: add warning when using deprecated validation failure action (#5219)
* Kuttl updates (#5257)
* chore: use conditions in kuttl tests to check ready policies (#5252)
* chore: add kuttl in makefile (#5254)
* More kuttl tests (#5238)
* fix: remove unused code in config (#5242)
* feat: separate webhook rules per GVK/rule (#4986)
* fix: kyverno Dockerfile base image tag and sha256 hash (#5248)
* refactor: move all middlewares in handlers sub package (#5244)
* fix generateName mutation (#5146)
* Fix Keda policy installation issue (#5239)
* fix: remove /approve from prow actions (#5243)
* [Feature] Pin Dependencies by Hash (#5168)
* chore: add loki to argocd lab (#5231)
* Fixed description for secret name (#5228)
* feat: add grafana dashboard to helm chart (#5230)
* add remainder of e2e verifyImages tests (#5229)
* add kuttl tests (#5204)
* [BUG] Fix foreach deletion issue (#5224)
* feat: add policy label to policy reports (#5198)
* fix: too much information for the Policy Rule Execution Latency metric (#5208)
* chore: server side apply in argo lab (#5209)
* refactor: health check system (#5176)
* fix: early return in policy validation (#5200)
* feat: support disabling schema validation on the patched resource (#5197)
* fix: deletion of reports not belonging to kyverno (#5194)
* Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964)
* refactor: remove policyreport package (#5174)
* fix: use pagination to aggregate reports (#5190)
* fix: check resource version on update notification (#5179)
* fix: do not cancel context when losing the lead (#5180)
* chore: add kind config file (#5178)
* fix: content type in log (#5177)
* feat: run leader election in loop (#5173)
* refactor: support Audit and Enforce validation failure actions (#5152)
* Corrected Kubernetes spelling (#5134)
* fix 5151 issue (#5170)
* Add ability to use commands in comments (#5154)
* fix: configure klog and global logger to use zapr in json mode (#5144)
* feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268)
* Fixed issue-5102: Show rule count and type in output (#5106)
* skip generating events on empty rule response (#5158)
* reset resource version on update (#5157)
* fix: mutation policy inconsistent patching for ephemeralContainers (#5121)
* feat: remove policy mutation for auto-gen rules (#5123)
* chore: remove old docs (#5130)
* fix finalizers mutation with patchesJson6902 (#5132)
* Add AGE in printer columns of CRDs (#5119)
* feat: oci pull/push support for policie(s) (#5026)
* feat: add categories support to our CRDs (#5112)
* Remove old version of golang.org/x/sys (#5125)
* fix: conformance tests (#5118)
* [Feature] create command line option to set failurePolicy globally (#4991)
* clean conformance (#5089)
* feat: enable/disable Debug mode which shows entire AdmissionReview payload (#5024)
* docs: separate dev and user docs (#5114)
* ci: Fix install manifests publishing with Flux (#5110)
* fix: use correct side effects in validating webhooks (#5080)
* refactor: simplify variables regex (#5075)
* feat: add flag to configure the number of background scan workers (#5088)
* fix: allow delete of target resource with synchronize false (#5081)
* ci: Use the Docker login action for GHCR auth (#5091)
* fix: handle resource cleanup when policy is deleted (#5021)
* test: add best practices policies in conformance tests (#5082)
* fix: use correct logger in webhook controller (#5083)
* feat: add simple conformance tests (#5073)
* fix: make response order predictable (#5079)
* added apiCalls support in kyverno-apply command (#4938)
* feat: add webhook server logger (#5063)
* fix: configure idle timeout in server (#5062)
* fix: image verification reports missing in admission mode (#5037)
* fix: setup max procs with correct logger (#5059)
* fix: detection of kyverno going down (#5055)
* fix: do not update reports when they are identical (#5056)
* fix: go routines not gracefully shut down in controllers (#5022)
* fix: account for policy/rule deletion in aggregated reports (#5048)
* Created configuration file for Openssf scorecard (#4778)
* feat: add image verification support to background scan (#5047)
* feat: add controller logger helper (#5029)
* fix env (#5046)
* fix: lease log message (#5030)
* feat: make shutdown more graceful (#5031)
* fix: lower default qps/burst (#5034)
* fix: Attempt to fix the CI failure, extract CI job push-sign-install-manifest (#5035)
* Fixed issue-4655: verifyImages is executed before mutate (#4996)
* fix: add more info in reports printers (#5027)
* Enable adding annotations to configmaps in the helm chart (#4984)
* validate patchJSON6902 (#4469)
* remove RBACInfo check (#5015)
* fix: policy not denied when kinds set is empty (#5016)
* fix: global anchor warning (#4962)
* fix: don't process non background policies in background scan (#5008)
* fix: update policy status (#5006)
* fix: use default retry with retryfunc for a conflict (#4973)
* updates with case insensitivity guarantee (#4954)
* refactor: add update status helper (#4985)
* fix principal and role variables are not substituted (#5000)
* fix: skip admission in dry run requests (#4994)
* fix: webhooks not registering when using name override (#4992)
* feat: add metrics server and kube-prometheus-stack to argocd lab (#4995)
* feat: add startup probes support (#4896)
* feat: add policy-reporter to argocd lab (#4988)
* docs: add resource exclusions note in helm docs (#4989)
* chore: add myself in approvers (#4990)
* feat: Add container registry setting on Helm Chart (#4281)
* fix: config reloading not working correctly (#4951)
* fix: missing autogen rules in status (#4971)
* fix: add user info in admission request logs (#4969)
* fix: don't produce empty admission reports (#4966)
* fix: improve banned types management in reports (#4953)
* fix: missing watchers in resource report controller (#4967)
* chore: Push and sign install manifests to GHCR (#4895)
* Fixed issue-4530: Added separate attestor type for secrets and KMS (#4733)
* fix: admission reports printer (#4950)
* chore: bump a few deps (#4943)
* Added support to specify key signature algorithm in verifyImages (#4855)
* fix: don't report ready until certs are valid (#4934)
* Update issue templates and scan for vulns action (#4952)
* Fix background scan with request.operation (#4947)
* fix: consider generateName when matching resources (#4945)
* fix: probes should work in debug mode (#4926)
* fix: set operation in context when necessary (#4940)
* chore: add COSIGN_REPOSITORY env to ko-publish-dev step (#4922)
* fix: panic when bad variable substitution (#4928)
* feat: make cert renewer private and add server name support (#4904)
* chore: bump a couple of deps (#4925)
* [Cleanup] Disable PolicySkipped events (#4913)
* add filter for validation policies when ValidationFailureActionOverrides is used (#4809)
* chore: update controller-tools to v0.10.0 (#4918)
* fix: use constants defined in openapi controller (#4919)
* chore: signing helm releases (#4801)
* fix: openapi controller discovery (#4912)
* refactor: openapi controller part 2 (#4910)
* fix: clean background scan reports (#4908)
* fix: don't specify rules when aggregationRule is set (#4867)
* refactor: openapi controller part 1 (#4901)
* fix: remove unnecessary dependencies from tls package (#4903)
* fix: reduce webhook controller logs (#4897)
* chore: add argocd lab (#4884)
* refactor: manage webhooks with webhook controller (#4846)
* fix: auto gen enabled when using names (#4863)
* fix: non watchable resources in report controller (#4888)
* Fix result colour (#4885)
* fix: background scan labels (#4865)
* fix: hardening policy validation for generate cloneList (#4881)
* docs: add section in helm docs to install with argocd (#4878)
* fix test output numbering (#4853)
* feature: use cert extension oid as key (#4854)
* chore: add launch.json for vscode debugging (#4856)
* Add workflow to detect and report on image vulns (#4850)
* docs: add debug instructions (#4843)
* e2e test for mutate policy (#3383)
* fix: replace AbsPath with RequestURI to support query params (#4849)
* refactor: make cert manager a real controller (#4792)
* refactor: add config support to webhook controller (#4838)
* feat: use a dedicated policy metrics controller (#4818)
* chore: bump a couple of deps (#4842)
* Update PSa images description (#4840)
* refactor: leader controllers management (#4832)
* fix extension checks (#4836)
* fix: call depth in logging package and global logger support for call depth (#4834)
* upgrade controller-runtime dependency (#4829)
* refactor: non leader controllers management (#4831)
* refactor: make tls cert func not depending on cert controller (#4820)
* fix: use new client in tls package (#4746)
* fix: debug mode (#4785)
* fix: add policy validation for ValidationFailureActionOverride field (#4784)
* update helm doc
* Fix CRD format issue
* Bump k8s libraries to v0.25.2
* Fix PSa the control name validation
* fix: validationFailureAction default value (#4822)
* refactor: split main into sub funcs (#4821)
* chore: use concurrent map v2 (generics) (#4803)
* fix: controllers start in loop (#4815)
* refactor: split main into sub func (#4810)
* feat: add context support to leader election (#4811)
* feat: add context funcs to logging package (#4812)
* skip succeed rules when building the blocked return message (#4804)
* fix: subject and issuer validation when attestations are present (#4786)
* refactor: split main func for metrics (#4796)
* fix: remove error prone debug field (#4794)
* chore: bump a couple of deps (#4802)
* refactor: split main into funcs (#4795)
* fix: logger panic (#4793)
* fix: publish yaml manifests in release instead of repo (#4738)
* fix: remove explicit wait for cache sync (#4791)
* Add security context and resource block to test (#4712)
* fix: new cert manager controller never returns error (#4789)
* chore: bump a few deps (#4790)
* refact:update script of generate-self-signed-cert-and-k8secrets.sh to supports custom namespace (#4758)
* refactor: introduce webhook controller (#4749)
* fix: remove reference to controller runtime log (#4779)
* refactor: more context less chans (#4764)
* Fix: Typo in x509_decode JMESPath function's note (#4773)
* fix: add workers to the controller interface (#4776)
* update cosign and k8s-manifest-sigstore (#4781)
* chore: change charts registry url (#4768)
* add package logger in files (#4766)
* fix: parse flags error handling (#4775)
* refactor: make server owner of the cleanup chan (#4765)
* refactor: use context in openapi controller (#4760)
* refactor: use context in controllers instead of chan (#4761)
* refactor: use context in dynamic client instead of chan (#4756)
* refactor: move from io/ioutil to io and os packages (#4752)
* refactor: split main in a couple of funcs and use local loggers (#4754)
* fix: helm self signed cert (#4745)
* add and use package level logger (#4750)
* fix: watch error in resource controller (#4751)
* chore: use constant in cert manager controller (#4747)
* feat: add typed client support and metrics wrapper (#4724)
* chore: speed up helm docs gen on mac (#4742)
* fix: reports not generated (#4743)
* feat: allow users enable JSON logging with a --loggingFormat=json flag (#4661)
* fix: use a single leader election (#4722)
* fix: containerd dependency vulnerability (#4629)
* Add PSa policy validations (#4735)
* Added `x509_decode` JMESPath function (#4664)
* feat: add matchlabel selector support with multiple clone (#4713)
* docs: add policy cache controller docs (#4714)
* fix: output make messages to stderr (#4727)
* feat: reports v2 implementation (#4608)
* Support PSa integration by `controlName` only (#4710)
* chore: update client code generator (#4711)
* chore: group unit and cli tests targets and separate sections (#4693)
* fix: remove deprecation notice (#4635)
* chore: enable overriding images repo (#4694)
* fix: change key used in test (#4718)
* chore: refactor manifests related makefile targets (#4706)
* fix: missing client wrapper (#4703)
* refactor: use pod name as leader id (#4680)
* fix: split webhook handlers per failure policy (#4650)
* fix: shutdown controllers workers gracefully (#4681)
* fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671)
* refactor: replace signal package by signal.NotifyContext (#4691)
* fix: jmespath random error handling (#4697)
* chore: simplify go mod (#4692)
* fix: bump net standard lib (#4685)
* fix: handle auth permission for cloneList validation (#4684)
* fix: namespaced policy not validated in engine (#4653)
* chore: bump minimum go version (#4677)
* Fix issue for wildcard versions (#4670)
* chore: publish sbom result to a different repository from an image (#4665)
* added kubeconfig and context flag to kyverno apply (#4524)
* feat: add feature flag to disable background scan (#4638)
* feat: add explicit key support to controller utils (#4628)
* refactor: update log based on the policy types (#4646)
* refactor: split policyreport api files (#4641)
* fix: missing elements in v2beta1 api (#4654)
* refactor: add a couple of constants in api (#4640)
* feat: introduce RCR interface (#4642)
* fix: incorrect namespace in report controller (#4637)
* fix: remove RCR from mutation webhook (#4636)
* feat: add controller utils tools (#4639)
* chore: bump cosign 1.12.0 to fix vulnerabilities (#4631)
* chore: add makefile target to deploy metrics server (#4627)
* chore: add target to deploy policy reporter (#4621)
* Integrate Sonarcloud and Nancy github action (#3491)
* fix: background printer column (#4617)
* enhance jmespath random-filter (#4591)
* fix: lock in policy report mapper (#4601)
* refactor: simplify RCR creator queue (#4578)
* chore: add messages in makefile kind targets (#4588)
* refactor: info in policyreport package (#4598)
* Fix multiple crd slowness issue (#4275)
* update helm releases path (#4596)
* enable autogen for validate.podsecurity with no exclude (#4594)
* chore: add a codegen-quick makefile target (#4583)
* chore: switch to github.com/IGLOU-EU/go-wildcard (#4563)
* allow PSa validation with no exceptions (#4558)
* fix: typo (#4582)
* fix: split policy report flag (#4576)
* update version drop-down (#4579)
* chore: add toggle package unit tests (#4577)
* chore: preserve pr title in cherry picks (#4573)
* refactor: move generation handler out of webhooks package (#4570)
* refactor: move image verification handler out of webhooks package (#4569)
* refactor: move mutation handler out of webhooks package (#4567)
* refactor: move validation audit out of webhooks package (#4562)
* chore: add kocache (#4482)
* docs: add help on fetching tags (#4560)
* refactor: move validation handler out of webhooks package (#4556)
* refactor: make webhook metrics helpers static (#4554)
* add new patterns for releases (#4552)
* refactor: move webhook events utils in utils package (#4545)
* chore: add unit test for updating ur status (#4541)
* fix: defer ur update until validation passes (#4540)
* refactor: introduce ur updater (#4535)
-------------------------------------------------------------------
Tue Dec 20 12:22:22 UTC 2022 - kastl@b1-systems.de
- Update to version 1.8.5:
* release v1.8.5 (#5726)
* tag v1.8.5-rc.1 (#5718)
* Cherry-pick Require predicate type (#5717)
* cherry-pick: fix digest and verify logic (#5706)
* fix: interface conversion panic (#5708) (#5711)
* Delete category all from CRDs (cherry-pick #5557) (#5709)
-------------------------------------------------------------------
Fri Dec 09 19:49:45 UTC 2022 - kastl@b1-systems.de
- Update to version 1.8.4:
* release v1.8.4 (#5638)
* tag v1.8.4-rc.1 (#5623)
* fix nil error panic (#5619) (#5621)
* fix: mutation of cached object in bg scan controller (#5608) (#5613)
-------------------------------------------------------------------
Tue Dec 06 06:10:10 UTC 2022 - kastl@b1-systems.de
- Update to version 1.8.3:
* tag v1.8.3 (#5579)
* tag v1.8.3-rc.2 (#5529)
* feat: support attestations with multiple signatures (cherry-pick #5409) (#5528)
* logging action (#5416) (#5527)
* fix: bug in report resource watcher (#5525) (#5526)
* feat: Add default CI test values for helm charts (#5518) (#5521)
* feat(policies chart): Add ability to set autogen behavior (#5517) (#5520)
* tag 1.8.3-rc.1 (#5508)
* fix: report deletion fighting with garbage collection (#5486) (#5501)
* Migrate all mutate e2e tests to kuttl and expand (#5491) (#5499)
* Cherry-pick ff9328809b62097895b99d866d0d3c6d6a801ae9 (#5488)
* fix: fix mutating the "/metadata/serverAddress" section of a keda.s/v1alpha1/ScaledObject object (#5374) (#5487)
* fix: typo in autogen package (#5480) (#5481)
* fix: add clone check before validating namespace policy (#5459) (#5471)
* fix: issue when calling kustomize concurrently (cherry-pick #5465) (#5470)
* fix: admission reports stacking up (#5457) (#5467)
* fix: log watcher error in reports controller (#5449) (#5455)
* Handle Match resources kind (#5421) (#5450)
* fix: mutate existing policy does not get applied when background=false (#5439) (#5447)
* Fix multi attestor keyless (#5432) (#5433)
* fix validationFailureAction case in kuttl tests (#5426)
* Add most basic kuttl tests for generate rules, clone and sync (#5413) (#5424)
-------------------------------------------------------------------
Mon Nov 21 09:25:18 UTC 2022 - kastl@b1-systems.de
- Update to version 1.8.2:
* Tag v1.8.2 (#5418)
* tag v1.8.2-rc.2 (#5408)
* Fixed issue-3709: Image verify rule gives error for non-existing configmap (#5272) (#5407)
* add os.Exit (#5402) (#5405)
* Complete all basic kuttl tests for generate rules, clone and no-sync (#5400) (#5403)
* tag v1.8.2-rc.1 (#5393)
* [Bug]: Fix wildcard any/all issue (#5387) (#5390)
* fix: enable policy validation for the verifyImage rule (#5383)
* fix: set logger in metrics server (#5319) (#5377)
* Add more kuttl generate test cases (#5364) (#5382)
* test: add rbac kuttl test (#5337) (#5380)
* fix: set correct logger in profiling server (#5358) (#5381)
* fix closed watchers in the resource-report-controller (#5350) (#5378)
* fix: add validation for generate namespace policy (#5346) (#5373)
* fixed dryrun option to handle changes caused by mutating policy (#4899) (#5375)
* add test cases for yaml verification feature (#5326) (#5372)
* chore: add tempo to argocd lab (#5365) (#5370)
* chore: add performance tests tool (#5241) (#5369)
* fix: panic when disable metrics is true (#5366) (#5368)
* chore: enable json logs in argocd lab (#5349) (#5359)
* refactor: optimise and use kuttl TestStep with tests (#5328) (#5353)
* test: add kuttl debug failure (#5339) (#5341)
* chore: add cli binary to gitignore (#5331) (#5333)
* test: add test to check expected webhooks are created (#5330) (#5332)
* fix: synchronize source resource update to clone list resource (#5317) (#5320)
* Fix issue where CLI test command ignores failures (#5189) (#5313)
* fix: add parsing of json pointers to support special chars (#3578 #3616) (#4767) (#5315)
* test: add kuttl tests for jmespath special chars (#5310) (#5316)
* fix: wrong logger used (#5311) (#5314)
* chore: Fix policy installation issue (cherry-pick #5239) (#5308)
* fix: reduce startup probe delay (#5296) (#5302)
* fix: send notification when stopping watching resource in reports system (#5298) (#5309)
* fix: set rule response status as skip if precondition failed (#5162) (#5306)
* Update kuttl test scaffolding (#5303) (#5304)
* tests: add kuttl tests for multiple clone generate (#5280) (#5299)
* add a note to 1.8.2-rc1 release (#5291)
* fix: allow delete of clone target resource with synchronize false (#5161) (#5297)
* fix: check policy is ready in kuttl tests (#5286) (#5292)
* fix: image extractor kuttl tests (#5293) (#5295)
* fix: kuttl test external-service (#5287) (#5290)
* chore: update kuttl (#5285) (#5288)
* refactor: admission metrics (counter and latency) (#5245) (#5282)
* chore: use conditions in kuttl tests to check ready policies (#5252) (#5281)
* fix: make zapr compatible with klog's -v argument (#5166) (#5283)
* fix: keep admission warnings (#5269) (#5275)
* chore: add kuttl autogen tests (#5253) (#5274)
* fix: add missing test suite to kuttl (#5268) (#5273)
* fix: early return in policy validation (cherry-pick #5200) (#5213)
* chore: remove old conformance tests files (#5260) (#5263)
* fix: account for error rules in mutation webhook (#5264) (#5267)
* refactor: admission response utils (#5234) (#5265)
* chore: add kuttl in makefile (#5254) (#5258)
* Kuttl updates (#5257) (#5261)
* More kuttl tests (#5238) (#5259)
* add remainder of e2e verifyImages tests (#5229) (#5256)
* add kuttl tests (cherry-pick #5204) (#5255)
* refactor: move all middlewares in handlers sub package (cherry-pick #5244) (#5250)
* chore: add loki to argocd lab (#5231) (#5240)
* feat: add grafana dashboard to helm chart (#5230) (#5232)
* feat: add policy label to policy reports (#5198) (#5225)
* Merge 396593d8997f218270a398e18e956d892f004bc3 into b3c5a9c74165d573aab9928dd8ac1187e8d8fc3a (#5216)
* chore: server side apply in argo lab (#5209) (#5210)
* refactor: health check system (#5176) (#5207)
* feat: support disabling schema validation on the patched resource (#5197) (#5206)
* Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964) (#5195)
* fix: deletion of reports not belonging to kyverno (#5194) (#5196)
* fix: use pagination to aggregate reports (#5190) (#5192)
* fix: check resource version on update notification (#5179) (#5186)
* chore: add kind config file (#5178) (#5183)
* fix: content type in log (#5177) (#5182)
* fix: configure klog and global logger to use zapr in json mode (#5144) (#5181)
* skip generating events on empty rule response (#5158) (#5160)
* reset resource version on update (#5157) (#5159)
* feat: add categories support to our CRDs (#5112) (#5137)
* fix: mutation policy inconsistent patching for ephemeralContainers (#5121) (#5145)
* Fixed issue-4655: verifyImages is executed before mutate (#4996) (#5143)
* fix finalizers mutation with patchesJson6902 (#5132) (#5135)
-------------------------------------------------------------------
Tue Oct 25 18:44:22 UTC 2022 - kastl@b1-systems.de
- Update to version 1.8.1:
* Tag v1.8.1 (#5133)
* Tag v1.8.1-rc.4 (#5128)
* remove the empty add entry in Helm chart manifest (#5127)
* Remove old version of golang.org/x/sys (#5125) (#5126)
* docs: separate dev and user docs (cherry-pick #5114) (#5117)
* ci: Fix install manifests publishing with Flux (#5110) (#5111)
* Tag v1.8.1-rc.3 (#5108)
* fix: use correct side effects in validating webhooks (#5080) (#5105)
* refactor: simplify variables regex (#5075) (#5104)
* fix: allow delete of target resource with synchronize false (#5081) (#5095)
* test: add best practices policies in conformance tests (#5082) (#5097)
* fix: use correct logger in webhook controller (#5083) (#5098)
* feat: add flag to configure the number of background scan workers (#5088) (#5096)
* ci: Use the Docker login action for GHCR auth (#5091) (#5094)
* fix: handle resource cleanup when policy is deleted (#5021) (#5093)
* Cherry pick 5035, 5046 (#5090)
* fix: make response order predictable (#5079) (#5087)
* feat: add simple conformance tests (#5073) (#5086)
* feat: add webhook server logger (#5063) (#5085)
* release 1.8.1-rc.2 (#5072)
* fix: image verification reports missing in admission mode (cherry-pick #5037) (#5066)
* fix: configure idle timeout in server (#5062) (#5067)
* fix: setup max procs with correct logger (#5059) (#5065)
* fix: do not update reports when they are identical (#5056) (#5061)
* fix: detection of kyverno going down (#5055) (#5064)
* fix: go routines not gracefully shut down in controllers (#5022) (#5060)
* fix: account for policy/rule deletion in aggregated reports (#5048) (#5058)
* feat: add metrics server and kube-prometheus-stack to argocd lab (#4995) (#5052)
* feat: add image verification support to background scan (#5047) (#5049)
* feat: add controller logger helper (#5029) (#5050)
* feat: add policy-reporter to argocd lab (#4988) (#5051)
* feat: make shutdown more graceful (#5031) (#5040)
* Enable adding annotations to configmaps in the helm chart (#4984) (#5039)
* fix: wrong controller logger names (#5043)
* chore: add argocd lab (#4884) (#5041)
* fix: lease log message (#5030) (#5045)
* fix: lower default qps/burst (#5034) (#5038)
* fix: add more infos in reports printers (#5027) (#5033)
* Tag v1.8.1-rc1 (#5020)
* remove RBACInfo check (#5015) (#5019)
* fix: policy not denied when kinds set is empty (#5016) (#5017)
* fix: global anchor warning (#4962) (#5013)
* feat: add startup probes support (#4896) (#5012)
* fix: webhooks not registering when using name override (#4992) (#5010)
* fix: don't process non background policies in background scan (#5008) (#5009)
* fix principal and role variables are not substituted (#5000) (#5001)
* fix: update policy status (#5006) (#5007)
* fix: use default retry with retryfunc for a conflict (#4973) (#5005)
* updates with case insensitivity guarantee (#4954) (#5003)
* refactor: add update status helper (#4985) (#5002)
* fix: skip admission in dry run requests (#4994) (#4999)
* fix: improve banned types management in reports (#4953) (#4997)
* docs: add resource exclusions note in helm docs (#4989) (#4993)
* feat: Add container registry setting on Helm Chart (cherry-pick #4281) (#4987)
* fix: config reloading not working correctly (#4951) (#4982)
* fix: missing autogen rules in status (#4971) (#4978)
* fix: missing watchers in resource report controller (#4967) (#4974)
* fix: add user info in admission request logs (#4969) (#4976)
* fix: don't produce empty admission reports (#4966) (#4972)
* chore: Push and sign install manifests to GHCR (#4895) (#4970)
* fix: admission reports printer (#4950) (#4961)
* fix: consider generateName when matching resources (#4945) (#4960)
* chore: bump a few deps (#4943) (#4958)
* fix: don't report ready until certs are valid (#4934) (#4957)
* Fix background scan with request.operation (#4947) (#4949)
* fix: probes should work in debug mode (#4926) (#4944)
* fix: set operation in context when necessary (#4940) (#4942)
* chore: add COSIGN_REPOSITORY env to ko-publish-dev step (#4922) (#4936)
* add filter for validation policies when ValidationFailureActionOverrides is used (#4809) (#4932)
* fix: panic when bad variable substitution (#4928) (#4935)
* feat: make cert renewer private and add server name support (#4904) (#4933)
* [Cleanup] Disable PolicySkipped events (#4913) (#4931)
* chore: bump a couple of deps (#4925) (#4929)
* chore: update controller-tools to v0.10.0 (#4918) (#4923)
* fix: use constants defined in openapi controller (#4919) (#4921)
* chore: signing helm releases (#4801) (#4920)
* fix: openapi controller discovery (#4912) (#4917)
* fix: don't specify rules when aggregationRule is set (#4867) (#4915)
* refactor: openapi controller part 2 (#4910) (#4914)
* refactor: openapi controller part 1 (#4901) (#4906)
* fix: clean background scan reports (#4908) (#4911)
* fix: remove unnecessary dependencies from tls package (#4903) (#4905)
* fix: reduce webhook controller logs (#4897) (#4900)
* refactor: manage webhooks with webhook controller (#4846) (#4893)
* fix: auto gen enabled when using names (#4863) (#4892)
* fix: non watchable resources in report controller (#4888) (#4890)
* Fix result colour (#4885) (#4887)
* fix: background scan labels (#4865) (#4886)
* cherry-pick (#4794 #4812 #4815 #4821 #4784 #4820 #4831 #4834 #4818 #4838 #4792 #4843 #4878) (#4882)
* fix: hardening policy validation for generate cloneList (#4881) (#4883)
* cherry-pick (#4811 #4849 #4842 #4829) (#4877)
* fix test output numbering (#4853) (#4875)
* cherry-pick (#4790 #4791 #4795 #4796 #4802 #4803) (#4861)
* cherry-pick (#4749 #4766 #4773 #4775 #4779 #4785 #4789) (#4860)
* cherry-pick (#4754 #4756 #4760 #4761 #4764 #4765 #4776) (#4859)
* cherry-pick (#4745 #4746 #4747 #4750 #4752) (#4858)
* cherry-pick (#4661 #4712 #4722 #4724 #4742) (#4857)
-------------------------------------------------------------------
Mon Oct 10 11:59:03 UTC 2022 - kastl@b1-systems.de
- Update to version 1.8.0:
* release: 1.8 (#4851)
* Update PSa images description (#4840) (#4841)
* tag v1.8.0-rc6 (#4839)
* fix extension checks (#4836) (#4837)
* Cherry pick #4814 (#4826)
* update helm doc (#4824)
* fix: validationFailureAction default value (#4822) (#4823)
* Cherry-pick #4815 (#4817)
* tag v1.8.0-rc5 (#4807)
* fix: subject and issuer validation when attestations are present (#4786) (#4805)
* skip succeed rules when building the blocked return message (#4804) (#4806)
* cherry-pick #4738 (#4799)
* cherry-pick #4793 (#4800)
* update cosign (#4797)
* chore: change charts registry url (#4768) (#4780)
* tag v1.8.0-rc4 (#4759)
* fix: watch error in resource controller (#4751) (#4753)
* fix: reports not generated (#4743) (#4744)
* tag v1.8.0-rc3 (#4741)
* fix: containerd dependency vulnerability (#4629) (#4740)
* Add PSa policy validations (#4735) (#4739)
* Added `x509_decode` JMESPath function (#4664) (#4737)
* feat: add matchlabel selector support with multiple clone (#4713) (#4734)
* fix: output make messages to stderr (#4727)
* fix crds yaml conflicts
* feat: reports v2 implementation (#4608)
* docs: add policy cache controller docs (#4714) (#4730)
* chore: update client code generator (#4711) (#4728)
* Support PSa integration by `controlName` only (#4710) (#4725)
* chore: group unit and cli tests targets and separate sections (#4693) (#4723)
* chore: enable overriding images repo (#4694) (#4721)
* chore: refactor manifests related makefile targets (#4706) (#4720)
* fix: change key used in test (#4718) (#4719)
* fix: missing client wrapper (#4703) (#4709)
* refactor: use pod name as leader id (#4680) (#4708)
* fix: split webhook handlers per failure policy (#4650) (#4707)
* fix: shutdown controllers workers gracefully (#4681) (#4704)
* fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671) (#4702)
* refactor: replace signal package by signal.NotifyContext (#4691) (#4701)
* fix: jmespath random error handling (#4697) (#4699)
* chore: simplify go mod (#4692) (#4696)
* fix: bump net standard lib (#4685) (#4690)
* fix: handle auth permission for cloneList validation (#4684) (#4687)
* fix: namespaced policy not validated in engine (#4653) (#4682)
* chore: bump minimum go version (#4677) (#4678)
* Fix issue for wildcard versions (#4670) (#4673)
* chore: publish sbom result to a different repository from an image (#4665) (#4667)
* refactor: update log based on the policy types (#4646) (#4658)
* feat: add explicit key support to controller utils (#4628) (#4659)
* feat: add feature flag to disable background scan (#4638) (#4660)
* refactor: split policyreport api files (#4641) (#4657)
* fix: missing elements in v2beta1 api (#4654) (#4656)
* refactor: add a couple of constants in api (#4640) (#4652)
* feat: introduce RCR interface (#4642) (#4651)
* fix: incorrect namespace in report controller (#4637) (#4649)
* fix: remove RCR from mutation webhook (#4636) (#4647)
* chore: bump cosign 1.12.0 to fix vulnerabilities (#4631) (#4633)
* feat: add controller utils tools (#4639) (#4645)
* fix: background printer column (#4617) (#4620)
* enhance jmespath random-filter (#4591) (#4619)
* fix: lock in policy report mapper (#4601) (#4611)
* release v1.8.0-rc2 (#4607)
* refactor: simplify RCR creator queue (#4578) (#4606)
* chore: add messages in makefile kind targets (#4588) (#4604)
* refactor: info in policyreport package (#4598) (#4603)
* Fix multiple crd slowness issue (#4275) (#4600)
* update helm releases path (#4596) (#4599)
* enable autogen for validate.podsecurity with no exclude (#4594) (#4595)
* chore: add a codegen-quick makefile target (#4583) (#4587)
* chore: switch to github.com/IGLOU-EU/go-wildcard (#4563) (#4586)
* allow PSa validation with no exceptions (#4558) (#4585)
* fix: typo (#4582) (#4584)
* fix: split policy report flag (#4576) (#4581)
* chore: add toggle package unit tests (#4577) (#4580)
* chore: preserve pr title in cherry picks (#4573) (#4574)
* refactor: move generation handler out of webhooks package (#4570) (#4572)
* refactor: move image verification handler out of webhooks package (#4569) (#4571)
* refactor: move mutation handler out of webhooks package (#4567) (#4568)
* refactor: move validation audit out of webhooks package (#4562) (#4566)
* chore: add kocache (#4482) (#4564)
* refactor: move validation handler out of webhooks package (#4556) (#4561)
* refactor: make webhook metrics helpers static (#4554) (#4555)
* refactor: move webhook events utils in utils package (#4545) (#4548)
* add new patterns for releases (#4551)
* chore: add unit test for updating ur status (#4541) (#4544)
* - tag v1.8.0-rc1; - remove "v" from Helm charts versions (#4538)
* fix: defer ur update until validation passes (#4540) (#4543)
* refactor: introduce ur updater (#4535) (#4539)
* Support V2beta1 Version (#4514)
* refactor: webhook block and unit tests (#4531)
* refactor: webhook propagate start time along handlers (#4529)
* refactor: webhook exclusion and unit tests (#4528)
* feat: allow cloning multiple resource from a namespace (#4384)
* add random filter (#4527)
* chore: add protectManagedResources flag to changelog (#4522)
* refactor: utils for warnings and unit tests (#4523)
* refactor: use generics in client wrappers (#4525)
* refactor: add auth interface and unit tests (#4518)
* fix: api reference docs (#4490)
* refactor: client wrappers (#4519)
* feat: add kyverno managed resources protection (#4414)
* fix: load policy and add tests (#4515)
* chore: test for k8s 1.25 (#4503)
* chore: add unit tests for pkg/utils/json (#4516)
* chore: add unit tests for pkg/utils/yaml (#4512)
* chore: add unit tests for pkg/utils/wildcard (#4510)
* chore: add unit tests for pkg/utils/os (#4509)
* chore: add unit tests for pkg/utils/image (#4508)
* chore: update maintainers (#4511)
* docs: add section for generating helm docs and crds (#4507)
* chore: add wildcard unit test (#4506)
* chore: upgrade golang to 1.18 (#4505)
* docs: add section about switching between docker and ko (#4501)
* Auto-detect Kyverno version in policies chart (#4460)
* chore: refactor helm targets in makefile (#4498)
* feat: support switching build with docker or ko (#4492)
* fix: incorrect kustomize call in makefile (#4493)
* refactor: verify codegen targets in makefile (#4494)
* fix: fetch history in pre-checks job (#4491)
* Improve printer column name for validationFailureAction (#4488)
* chore: Bump helm-docs version to v1.11.0 (#4489)
* chore: publish helm charts to ghcr.io (#4479)
* chore: bump cache action and improve paths (#4485)
* chore: relax auto update PRs conditions (#4486)
* fix: release workflow (#4483)
* refactor: clean webhooks logs (#4484)
* refactor: webhook policy context creation (#4480)
* docs: add api docs generation (#4476)
* fix: auto update pr workflow (#4478)
* chore: add makefile help comments (#4477)
* refactor: to remove generate cleanup controller (#4041)
* Add PodSecurity description (#4475)
* feat: remove context api call constraints (#4389)
* fix logger format (#4474)
* feat: enable autogen from makefile (#4467)
* chore: speed up local image builds (#4468)
* chore: enable cherry-pick bot (#4470)
* docs: add section for generated code (#4465)
* fix: local image build with docker (#4462)
* fix: warning in all makefile targets (#4464)
* Extend Pod Security Admission (#4364)
* docs: add section for deploying a local build (#4458)
* refactor: make toggles easier to define and use (#4456)
* Add the metric "kyverno_client_queries_total" (#4359)
* skip validate rules if conditional anchor key doesn't exist in the resource (#4451)
* refactor: clearly separate makefile docker targets for build and publish (#4454)
* Yaml signing and verification (#4235)
* docs: add pushing images section (#4452)
* refactor: clearly separate makefile ko targets for build and publish (#4450)
* chore: fix workflows related to ko recent changes (#4441)
* docs: add local image build section (#4449)
* chore: fix workflows related to ko recent changes (#4438)
* Update issue template drop-down version numbers (#4446)
* docs: add section for local builds (#4445)
* [Feature] Add ability to get additional policies from restricted (#4416)
* fix: update go-wildcard to v1.5.0 (#4444)
* docs: add section for dev tools (#4443)
* chore: remove godownloader and install-cli script (#4442)
* Added kubeconfig flag support (#4308)
* fix: ko login (#4427)
* fix: ko login (#4425)
* fix: ko login (#4424)
* fix: ko login (#4423)
* fix: ko login (#4422)
* fix: make ldflags optional in .ko.yaml (#4419)
* refactor: makefile build targets (#4418)
* fix: Add --bare for ko-build-dev targets (#4417)
* Use ko to build images (#4366)
* refactor: makefile (#4403)
* [Feature] Add possibility to set validationFailureAction by Policy (#4400)
* feat: enable autogen internals by default (#4381)
* bump golang 1.18.5 version digest in Dockerfile (#4413)
* bump cosign deps version to 1.11.1 (#4408)
* chore: improve docker image tagging (#4409)
* refactor: introduce wildcard utils package (#4406)
* fix: chart docs for generatecontrollerExtraResources (#4405)
* chore: enable asasalint linter (#4396)
* bump cosign version to 1.11.0 (#4398)
* Sync 1.7.3 Helm versions (#4395)
* fix: goimports check not working in ci job (#4387)
* chore: fix golangcilint timeout (#4388)
* fix: duration metrics precision (#4393)
* chore: add workflow to ensure github actions are pinned to a commit SHA (#4390)
* feat: add raw api call support (#3820)
* chore: update maintainers md (#4380)
* chore: fix fossa ci job (#4382)
* fix: missing aggregated role for UR (#4378)
* fix: exclude autogen rules when autogen internals is enabled (#4370)
* fix: prevent installing helm chart in namespace kube-system (#4368)
* fix: fix the verbosity of reconciling logs in the config controller (#4362)
* Update wgpolicyk8s.io CRDs (#4355)
* Update pr_documentation.md (#4361)
* Added remove-color flag for CLI-test (#4345)
* Added appropriate logging levels to log.Info() calls wherever necessary (#4341)
* update apply help message (#4344)
* Fix deprecated api policy issue (#4349)
* Treat normal and precondition variable equally (#4217)
* fix: image verify logs (#4348)
* Remove myself as codeowner (#4333)
* Fix PEM delimiter parse (#4331)
* [Helm] Added ability to remove namespaces from default resourceFilters list (#4299)
* chore(deps): bump github.com/sigstore/cosign from 1.10.0 to 1.10.1 (#4328)
* support failurePolicy in kyverno-policies helm chart (#4323)
* Context vars substitution in CLI (#4290)
* Replaced status with message (#4315)
* Changed resource names to plurals (#4312)
* Fix pr image verify blocked (#4297)
* feat: use tombstone helper (#4273)
* Tightened scope on apiGroups for Kyverno:events Clusterrole (#4292)
* trivial typo update (#4291)
* use failurePolicy to block or allow requests, on policy errors (#4183)
* update log levels (#4286)
* added additional init and sidecar container config (#4283)
* feat: auto optimize GOMAXPROCS (#4277)
* add applyRules to control whether one or all rules are applied (#4196)
* feature: added new type of event, PolicySkipped (#4251)
* Reset policy status on termination (#4269)
* fix: use an absolute path in docker entrypoint (#4263)
* Add shutdown methods for exporters and controllers (#4214)
* sync Helm versions (#4262)
* fix: use only 1 kubernetes client (#4256)
* Add Techcombank to adopters (#4260)
* Implementing flag to show all failing tests only through the test command (#4227)
* fix split policyreport name with background scan (#4237)
* chore: use new distroless base image provided by distroless org (#4219)
* fix check depreciated api issue (#4243)
* Cherry-pick #4233 (#4236)
* Revert "fix: metrics with invalid validationMode (#4198)" (#4241)
* fix: metrics with invalid validationMode (#4198)
* Corrected description for UpdateRequest struct (#4215)
* Removed confusing output message for the apply and replaced no of policies by no of policy rules count in the output message (#4229)
* fix kyverno cli policy-report typo (#4224)
* feat: improve flag message for disableMetricsExport (#4194)
* precondition failure will skip rule independent of audit or enforce mode (#4163)
* Make method public (#4207)
* Fix UpdateRequest labeling (from pull #4199) (#4212)
* use the unstructured list instead of interface type (#4210)
* feat: Opentelemetry support for metrics and traces (#3910)
* Use non-blocking channel send for UpdateWebhookChan (#4204)
* Fix merging JSON patches (#4202)
* Resolve conflict introduced to contributing page (#4192)
* return helpful error message on invalid patched resources. (#4129)
* docs(contributing): add how to cherry-pick section (#4127)
* refactor: finish refactoring generate e2e tests (#4090)
* feat: policy status for autogen rules (#4173)
* fix: use official controller-gen (#4171)
* fix external.metrics.k8s.io/v1beta1 issue (#4139)
* fix: add seccompProfile (#4178)
* fix: add more verify images e2e test for bool fields (#4172)
* delete policy reports on policy deletion (#4174)
* chore: add myself into owners (#4170)
* feat: split policy report per policy bases (#4147)
* Clean up RCRs if the count exceeds the threshold (#4148)
* Wait for informers' cache to be synced before starting controllers (#4155)
* - Disable events generation on DELETE; - Reduce event generation retry from 10 to 3 (#4159)
* Use kyverno namespace informer to list pods while processing URs (#4156)
* Template updates (#4150)
* release event memory (#4138)
* fix: use dev tag for init container local build target (#4142)
* added resource lists for test cli (#4082)
* update contributing guide (#4119)
* sync release versions (#4133)
* bump cosign to 1.9.1 to fix fulcio panic (#4117)
* fix: use policyName key to get the policy name (#4114)
* fix imageVerify validation checks and conversion logic (#4038)
* fix: Stop incorrect any block condition logging (#4107)
* set test.namespace value implicit as resource namespace until and unless explicit value is added (#4100)
* remove TUF initialization from main (#4098)
* Update CODEOWNERS to include treydock (#4097)
* feat: add e2e framework and verify image new test (#4094)
* add chipzoller to CODEOWNERS (#4096)
* refactor: generate e2e GeneratePolicyDeletionforCloneTests (#4071)
* Exclude Kyverno namespace by default (#4079)
* docs(chart): fix deadlink in NOTES.txt (#4085)
* Updated jp command flags and also added URL for help. (#4084)
* update drop-downs (#4081)
* refactor: generate e2e tests (#4068)
* refactor: use t.Cleanup in e2e tests (#4067)
* Remove s390X (#4063)
* fix: add missing release notes in helm chart (#4057)
* fix: bool fields in image verification types (#4053)
* Print for failed test cases (#4048)
* Sync v1.7.0 release manifests (#4051)
* refactor: bump KIND version to use v1.24.0 k8s release (#3877)
* feat: add aggregated cluster role support (#3845)
* chore(dockerfile): use buildx features for cross-compilation (#4023)
* Ensure preconditions are present with default values (#4046)
* Fix handling of kyverno-policies version check when port in image tag (#4042)
* fix policy typo (#4039)
* Fix labels with invalid chars (#4034)
* refactor: used typed admission request in ur (#4022)
* fix vulnerable (#4027)
* feat: Extend CLI to cover generate policies (#3456)
* Request operation value by default to CREATE (#3894)
* Feature: Add support for allowing insecure registries. (#3983)
* refactor: move policy deletion code from policy controller to ur controller (#4013)
* fix: bypass policy mutation if autogen internals enabled (#4007)
* fix: use background helper in ur generator (#4009)
* fix: remove update ur status in generator (#4008)
* refactor: add policy event listener in ur controller (#4012)
* chore: remove unused ur errors (#4011)
* refactor: ur cleaner controller (#3974)
* add validation check to ensure the annotations quoted (#3976)
* Support `@` for mutate targets (#3998)
* fix: stop mutation policies when autogen internals is enabled (#4004)
* refactor: background controllers cleanup (#4001)
* fix: stop mutating cached resource in ur controller (#4003)
* refactor: move label helper utils from policy package to background package (#3996)
* fix attestation checks (#3999)
* fix: init container gr copy (#3995)
* refactor: clean updaterequest generator (#3949)
* chore: enable nosprintfhostport linter (#3989)
* feat: add controller utils package (#3952)
* refactor: make registry client variables private (#3975)
* fix: ur is nil in ur controller (#3986)
* chore: add previous pod logs in case of job failure (#3978)
* fix: remove unused field (#3971)
* fix: release ur when handler pod is gone (#3973)
* fix: move ur controller filtering in reconciler (#3964)
* fix: mark ur retry on conflict (#3961)
* chore: enable paralleltest linter (#3946)
* chore: enable goimports linter (#3959)
* chore: make kyverno informers and listers import aliases consistent (#3958)
* chore: enable ifshort linter (#3945)
* fix: add helmignore (#3948)
* fix: replica count in helm chart (#3954)
* fix panic issue for ur (#3953)
* Cleanup URs on trigger deletion (#3955)
* chore: make kube informers and listers import aliases consistent (#3957)
* chore: make clients import aliases consistent (#3956)
* chore: make dclient import aliases consistent (#3951)
* chore: make k8s api import aliases consistent (#3950)
* fix: use admissionrequest subresource to filter webhooks (#3944)
* chore: make kyverno api import aliases consistent (#3939)
* chore: enable nolintlint linter (#3941)
* chore: enable grouper linter (#3940)
* fix: cache warmup log message (#3943)
* fix: use patch to update handler status in UR (#3928)
* chore: enable makezero linter (#3937)
* fix: handle UR delete once trigger namespace deleted (#3934)
* chore: enable gofmt and gofumpt linters (#3931)
* chore: enable gci linter (#3930)
* fix: return type changed to bool in jpfCompare fn (#3924)
* refactor: separate policy cache and controller (#3925)
* refactor: separate resource mutation/validation handlers from server (#3908)
* chore: enable misspell linter (#3932)
* chore: enable errname linter (#3926)
* chore: enable decorder linter (#3920)
* refactor: policy cache (#3919)
* chore: enable dogsled linter (#3921)
* Cleanup the UR for mutate policies once it's completed (#3912)
* [Bugbash] Kceu22 bugbash/fix staticcheck warnings (#3917)
* fix: gosec G304 file inclusion error (#3916)
* refactor: separate policy mutation/validation handlers from server (#3905)
* fix: docker build (#3907)
* refactor: webhooks server logger (#3904)
* feat: graceful certificates rotation support (#3890)
* chore: remove ca-certificates from our repository (#3859)
* chore: enable wastedassign linter (#3898)
* chore: enable goprintffuncname linter (#3899)
* chore: remove unused function (#3902)
* Remove permissions in helm-release workflow (#3901)
* Timeout and init (#3893)
* fix: write secret (#3891)
* Fix subject match selector issue in cli (#3887)
* refactor: remove deployment hash on certs secrets (#3886)
* chore: enable noctx linter (#3888)
* chore: enable importas linter (#3882)
* skip var checks in attestations (#3876)
* chore: enable gochecknoinits linter (#3874)
* refactor: cleanup tls package (#3854)
* chore: enable containedctx linter (#3873)
* fix: include ca key in secret (#3804)
* refactor: make config vars private (#3823)
* fix: undo length validation check for generate rule resource name (#3865)
* fix subjects in test cli (#3743)
* chore: enable exportloopref linter (#3869)
* chore: enable tenv thelper and tparallel linters (#3868)
* chore: enable durationcheck linter (#3870)
* chore: enable asciicheck and bidichk linters (#3871)
* chore: add unconvert linter (#3867)
* chore: enable whitespace linter (#3864)
* Handle errors properly for mutate and generate on existing resources (#3863)
* fix: remove code to load CA from kubeconfig (#3860)
* chore: enable more linters (#3862)
* chore: enable deadcode and unused linters (#3861)
* chore: increase golangci-lint timeout (#3855)
* refactor: init certs with certs renewer directly (#3853)
* tests: add unit tests for utils functions (#3857)
* chore: enable golangci-lint in ci (#3852)
* feat: fetch tls certificate dynamically (#3851)
* fix: golangci-lint warnings in pkg (#3846)
* refactor: remove the need for self-signed annotation on cert secret (#3850)
* handle subresources (#3841)
* fix: golangci-lint warnings in cmd (#3843)
* refactor: webhookconfig package (part 4) (#3835)
* refactor: webhookconfig package (part 3) (#3834)
* refactor: remove unused functions (#3840)
-------------------------------------------------------------------
Tue Sep 27 06:32:11 UTC 2022 - kastl@b1-systems.de
- Update to version 1.7.4:
* fix: update github action to use current workflow path (#4705)
* tag v1.7.4 (#4698)
* fix: incorrect namespace in report controller (#4637) (#4688)
* Fix issue for wildcard versions (#4670) (#4674)
-------------------------------------------------------------------
Wed Sep 07 06:59:32 UTC 2022 - kastl@b1-systems.de
- Update to version 1.7.3:
* Cherry-pick #4398 - bump cosign to 1.11.0 (#4399)
* Release v1.7.3 (#4394)
* Fix deprecated api policy issue (#4349) (#4350)
* precondition failure will skip rule independent of audit or enforce mode (#4163) (#4296)
-------------------------------------------------------------------
Mon Jul 25 11:08:18 UTC 2022 - kastl@b1-systems.de
- Update to version 1.7.2:
* tag v1.7.2 (#4261)
* Use non-blocking channel send for UpdateWebhookChan (#4204) (#4247)
* Release v1.7.2-rc2 (#4246)
* fix split policyreport name with background scan (#4237) (#4245)
* fix check deprecated api issue (#4243) (#4244)
* fix kyverno cli policy-report typo (#4224) (#4232)
* Limit queued events (#4233)
* update cosign to v1.9.0 (#4231)
* Only set up logging context if it will be used (#4213)
* use the unstructured list instead of interface type (#4211)
* Fix UpdateRequest labeling (#4199)
* Release 1.7 (#4200)
* external.metrics.k8s.io/v1beta1 issue (#4182)
* delete policy reports on policy deletion (#4174) (#4175)
* tag v1.7.2-rc1 (#4167)
* feat: split policy report per policy bases (#4147) (#4166)
* Re-implement #4159 (#4165)
* Cherry pick #4155 (#4164)
* Cherry-pick #4148
* Use kyverno namespace informer to list pods while processing URs (#4156)
* Cherry-pick #4138 to 1.7 (#4160)
* fix: use dev tag for init container local build target (#4141)
-------------------------------------------------------------------
Wed Jun 22 08:17:51 UTC 2022 - kastl@b1-systems.de
- Update to version 1.7.1:
* tag v1.7.1 (#4132)
* fix build failures
* fix: bool fields in image verification types (#4053)
* cherry-pick #4013
* Release 1.7 (#4130)
* fix: use policyName key to get the policy name (#4113)
* chore(dockerfile): use buildx features for cross-compilation (#4023) (#4123)
* Updated jp command flags and also added URL for help. (#4122)
* fix: handle nil ur while retry (#4109)
* Release 1.7 (#4099)
* Bump Charts version to 2.5.0 (#4092)
* bump chart versions to v2.4.2 (#4089)
* cherry-pick #4079 (#4088)
* Remove s390X (#4063) (#4064)
* Bump charts version to 2.4.1 (#4061)
* Ensure preconditions are present with default values (#4046)
* Fix handling of kyverno-policies version check when port in image tag (#4042)
-------------------------------------------------------------------
Sat Jun 04 18:55:18 UTC 2022 - kastl@b1-systems.de
- Update to version 1.7.0:
* Tag v1.7.0 (#4050)
* refactor: bump KIND version to use v1.24.0 k8s release (#4049)
* fix policy typo (#4039) (#4045)
* Tag 1.7.0-rc3 (#4036)
* Fix labels with invalid chars (#4034) (#4035)
* Cherry-pick #4022 (#4033)
* fix vulnerable (#4027) (#4028)
* Request operation value by default to CREATE (#3894) (#4026)
* Release v1.7.0-rc2 (#4021)
* Cherry pick #4007 #4008 (#4020)
* fix: stop mutation policies when autogen internals is enabled (#4004,#4009,#3996) (#4016)
* cherry-pick fix attestation checks https://github.com/kyverno/kyverno/pull/3999 (#4015)
* refactor: add policy event listener in ur controller (#4012) (#4014)
* Support `@` for mutate targets (#3998) (#4010)
* fix: stop mutating cached resource in ur controller (#4003) (#4006)
* fix: move ur controller filtering in reconciler (#3964) (#3994)
* fix: release ur when handler pod is gone (#3993)
* fix: mark ur retry on conflict (#3961) (#3963)
* fix: replica count in helm chart (#3954) (#3962)
* Cherry pick #3953 #3955 (#3960)
* fix: handle UR delete once trigger namespace deleted (#3934) (#3938)
* fix: use patch to update handler status in UR (#3927)
* Cleanup the UR for mutate policies once it's completed (#3923)
* Remove permissions in helm-release workflow (#3901) (#3903)
* Release v1.7.0-rc1 (#3896)
* cherry-pick #3893 (#3895)
* Fix subject match selector issue in cli (#3887) (#3892)
* skip var checks in attestations (#3876) (#3885)
* fix: undo length validation check for generate rule resource name (#3865) (#3872)
* Handle errors properly for mutate and generate on existing resources (#3863) (#3866)
* refactor: remove unused functions (#3844)
* handle subresources (#3841) (#3848)
* feat: trigger generate on existing matched resource (#3819)
* refactor: webhook config package (part 2) (#3833)
* refactor: webhookconfig package (part 1) (#3831)
* fix check and add logs (#3838)
* Allow variables of any kind to be defined (#3828)
* fix: policy deletion in webhookconfig (#3832)
* refactor: imported pkg redeclared and a few other unused func (#3827)
* refactor: shell to prevent globbing and word splitting (#3829)
* CLI should respect scored annotation for warnings (#3821)
* Add an object_from_lists function (#3824)
* Improve logging and error handling in json context (#3825)
* Relax JMESPath variable validation (#3826)
* Load `mutate.targets` via dclient (#3797)
* Cert attestor (#3809)
* handle duplicate images; use container name as key (#3779)
* fix: autogen rules in status (#3728)
* refact: disable leader for update request controller (#3807)
* chore: remove broken .ca from helm chart (#3811)
* fix: remove k8s apiserver from self-generated cert (#3803)
* Policy Validation check for onPolicyUpdate flag (#3814)
* Add `handler` to `UR.status` (#3791)
* fix: remove kubeconfig (#3802)
* fix: cleanup old dependencies from go.sum and go.mod (#3806)
* feat: parse all root CA certs (#3808)
* removed kubeconfig flags (#3744)
* Fix issue with image registry when decoding OCI descriptors without spec keys (#3799)
* refactor: move config controller in controllers package (#3790)
* chore: add informer util (#3796)
* chore: remove useless util NewKubeClient (#3795)
* fix: pod stay in terminating when scaling to 0 (#3793)
* Add JMESPath Function `items` (#3777)
* Fix Cli test for image verification (#3760)
* Add rule to PolicyViolation event messages (#3787)
* chore: remove config flags (#3786)
* fix: add missing tombstone calls (#3784)
* refactor: create a package for controllers and move certmanager in it (#3782)
* refactor: policycache package logger (#3783)
* refactor: move ImageExtractorConfigs in api package (#3781)
* refactor: dclient package logger (#3778)
* Fix PR update flow and allow updates from release branches (#3780)
* fix: cert manager duplicate event handler (#3772)
* webhookconfig: if services resource, add services/status as well (#3740)
* refactor: dclient package (#3775)
* refactor: replace clientset by interface (#3774)
* refactor: cosign package logger (#3773)
* Bump cosign and sigstore version (#3771)
* Auto-update PRs which are enabled for auto-merging (#3766)
* refactor: wait for cache sync (#3765)
* Allow kyverno jp to take yaml files as inputs (#3768)
* Allow non-object type elements for foreach rules (#3763)
* fix: logger call depth (#3759)
* Reduce log verbosity for image extractors (#3764)
* chore: remove unused resourcecache package (#3762)
* refactor: remove unstructured usage from webhookconfig (#3737)
* refactor: use typed informers and add tombstone support to webhookconfig (#3736)
* Remove YAML multiline support in CM values (#3721)
* cleanup event messages and sources (#3741)
* Add tests for required checks for image verify (#3755)
* Add error handling and log for image extractor errors (#3724)
* Fix verify all images (#3748)
* Retry policy creation to avoid flaky CRD readiness (#3752)
* Fix test Summary printing for failure test cases (#3749)
* Enable tests in makefile (#3699)
* refactor: metrics package logger (#3734)
* Use inclusive language (#3738)
* fix: block policy for missing matched kind (#3733)
* fix: missing image verification rules in autogen (#3729)
* Convert GenerateRequest to UpdateRequest for backward compatibility (#3730)
* refactor: autogen package logger (#3727)
* fix: correct tombstone usage (#3718)
* refactor: remove some api unnecessary pointers (4) (#3713)
* Set policy kind to generate events in the webhook (#3726)
* Create UR for both mutate and generate policies (#3717)
* fix: remove supported from autogen status (#3714)
* fix: generated api reference docs (#3711)
* refactor: remove some api unnecessary pointers (3) (#3707)
* Optimize UR listing on policy events (#3712)
* Create events for imageVerify rules (#3710)
* refactor: remove some api unnecessary pointers (2) (#3705)
* fix: remove unused type TargetMutation (#3706)
* refactor: remove some api unnecessary pointers (#3704)
* add e2e tests for mutate existing policies (#3703)
* Verify digest (#3679)
* fix: kind wash in mutate policy helper (#3698)
* refactor: auth package logger (#3696)
* chore: remove unused custom expansions from client (#3697)
* refactor: client gen code (#3695)
* Fix test command git issue (#3692)
* Enable verifyImages and CLI registry tests (#3684)
* Cherry-pick release-1.6 Helm changes (#3689)
* Show warnings in Helm chart installation; update issue templates (#3673)
* refactor: use typed k8s client in tls package (#3678)
* refactor: config package logger (#3683)
* Fix flaky e2e tests for generate policies (#3681)
* Fix regression in wildcard matches in In/AnyIn operators (#3686)
* feat: remove deprecated flags (#3680)
* Logic of match service account is fixed for namespace (#3662)
* fix test cli CI failures from main (#3682)
* Fix issue pod should not be ready until the policy cache loaded (#3646)
* bug: fix nil pointer when generating events (#3677)
* remove Validate Cmd (#3674)
* Support context variables when using foreach CLI (#3637)
* fix: webhooks are not configured correctly (#3660)
* bump to Go 1.17.9 (#3671)
* fix: api reference docs link (#3664)
* feat: mutate existing resources (#3669)
* fix: pass logger by value (#3666)
* Allow definition of inline variables in context (#3658)
* fix: add char length validation for generate rule resource name (#3640)
* chore: remove e2e tests for kube 1.20 (#3665)
* chore: add support for artifacthub.io/changes in helm charts (#3652)
* fix: policy controller missing GVK (#3659)
* [imageVerify]: adding `digestMutate` to simplify tag-to-digest mutation (#3531)
* Multiple keys (#3636)
* fix: do not remove webhooks during initialization (#3641)
* fix: prevent installing chart with 2 replicas (#3647)
* fix: print helm install warnings (#3648)
* chore: warn if kube version is too old in helm notes (#3650)
* chore: add artifacthub operator and prerelease annotations (#3649)
* refactor: use the typed ns informer in GR controller (#3554)
* refactor: image utils (#3630)
* Remove helm mode setting (#3628)
* refact: remove unused Run function from generate (#3638)
* Fix race condition in pCache (#3632)
* Allow defining imagePullSecrets (#3633)
* Image verify attestors (#3614)
* Allow kyverno-policies to have preconditions defined (#3606)
* updating version in Chart.yaml (#3618)
* Update vulnerable dependencies (#3577)
* Add support for custom image extractors (#3596)
* add-kms-libraries for cosign (#3603)
* refactor cli code from pkg to cmd (#3591)
* fix missing policy.kyverno.io/policy-name label (#3599)
* refactor generate controller (#3589)
* change/suppress warning messages (#3593)
* Feat - add the new CR UpdateRequest for post mutation (#3592)
* Update to cosign 1.7.1 (#3587)
* Update GH workflow config (#3588)
* Update CODEOWNER folders for @samj1912 (#3586)
* Update hash of dependencies instead of mutable version (#3582)
* add support for roles, cluster roles and subjects (#3188)
* fix imageVerify rule conversion (#3583)
* update imageVerify schema (#3574)
* Refactor image extraction to allow extracting custom resources (#3572)
* chore: remove dead code (#3561)
* Add returnType for regexMatch in kyverno jp output (#3575)
* refactor: engine context (#3563)
* Fixes #3555 (#3558)
* update image pull policy for YAML install which uses :latest (#3565)
* add @eddycharly as a maintainer! (#3566)
* chore: add some make help comments (#3560)
* refactor: switch to admission v1 (#3526)
* refactor: make response type (RuleType) typed (#3556)
* refactor: metrics package (#3549)
* refactor: webhooks metrics reporting (#3548)
* test: pass lock by value (#3481)
* refactor: simplify autogen package (#3532)
* refactor: move common utils (#3553)
* refactor: add engine utils sub package (#3552)
* fix: checkEngineResponse in webhooks (#3551)
* Do not generate preconditions not met warning for audit policies (#3487)
* refactor: reduce policy mutations (#3550)
* fix: annotation path (#3547)
* refactor: use GetFailurePolicy method (#3545)
* refactor: use BackgroundProcessingEnabled method (#3544)
* refactor: move some helpers in utils package (#3539)
* refactor: use GetValidationFailureAction method (#3546)
* fix: disallow all in autogen annotation (#3537)
* refactor: use existing ContainsString util (#3543)
* Create `poddisruptionbudget.yaml` when `mode=ha` (#3536)
* fix wildcards in value arrays (#3486)
* refactor: separate yaml utils package (#3520)
* refactor: separate kube utils package (#3527)
* refactor: add os utils sub package (#3528)
* refactor: add a json patch util and use it in autogen package (#3524)
* fix: tls min version (#3521)
* refactor: separate json utils package (#3523)
* refactor: webhooks package (#3516)
* refactor: use policy interface and introduce admission utils package (#3512)
* fix: use github repo env instead of hardcoded repo name (#3513)
* fix: reduce dependency to ns lister (#3509)
* refactor: use more policy interface (#3510)
* refactor: use policy interface in policycache package (#3503)
* refactor: make use of policy interface (#3499)
* refactor: improve policycache package (#3495)
* chore: add autogen internals e2e tests (#3492)
* refactor: factorize policy interface (#3496)
* feat: add webhooks object selector support (#3413)
* feat: generate support for namespace policy (#3472)
* chore: simplify validation with named return (#3493)
* add missing namespace to role and rolebinding (#3389) (#3429) (#3485)
* chore(deps): add renovate.json (#3471)
* feat: stop mutating rules (#3410)
* use mutex as field instead of embedded (#3480)
* refactor: create e2e infra using make to speed up e2e tests (#3470)
* fix ordering of mutate element (#3468)
* refactor: use abstract policy interface in webhookconfig (#3466)
* adds lease objects for storing last-request-time and set-status annotations in deployment (#3447)
* clean up dependencies (#3469)
* fix: use RWMutex lock while concurrent read/write (#3462)
* refactor: match and exclude conflict validation (#3454)
* refactor: add ValidationFailureAction to the api (#3451)
* refactor: remove ns lister from webhookconfig (#3452)
* refactor: add IsNamespaced() method to API policy types (#3450)
* fix: use PodControllersAnnotation constant (#3448)
* Update MAINTAINERS.md (#3449)
* support for deprecated APIs (#3439)
* Drop v1alpha1 PolicyReport CRD (#3437)
* refactor: ExcludeResources validation (#3445)
* refactor: replace ExcludeResources by MatchResources (#3444)
* refactor: ResourceDescription validation (#3446)
* Fix incorrectly renamed file (#3443)
* Remove support for test.yaml (#3442)
* fix cli panic for --cluster flag (#3436)
* Fix check for generated webhook rules being equal to what the API server has (#3407)
* refactor: MatchResources validation (#3422)
* feat: use IsReady method (#3426)
* refactor: ValidationFailureActionOverrides validation (#3421)
* PR and issue template updates per contributors' meetings (#3428)
* [imageVerify]: correcting error msg (#3398)
* feat: add toggle package for feature flags (#3419)
* feat: move GetRules() at the policy level (#3420)
* feat: add conditions support (#3378)
* feat: stop adding autogen annotation (#3379)
* fix webhook configuration issue when auto update is disabled (#3417)
* Ignore test files that do not end in test.yaml (#3402)
* refactor: Policy name validation (#3409)
* Replace `ToUnstructured()` with Marshal/Unmarshal (#3150)
* [ImageVerify] Verify additional certificate-extensions (#3404)
* fix: filter resources names with helm custom release name (#3361)
* refactor: Rule names validation (#3406)
* refactor: Rule type validation (#3400)
* chore: remove check-helm-docs workflow (#3408)
* refactor: UserInfo validation (#3399)
* Fix webhook re-creation error (#3403)
* chore: add make help target (#3405)
* Only queue one retry if webhook update fails (#3353)
* chore: add more codegen target and verifications (#3393)
* Return warning on admission response when mutating pods (#3272)
* Add a registry flag to allow direct access to container registries in the CLI (#3396)
* feat: add rules to status (#3376)
* chore: makefile should not makefile go.mod (#3394)
* refactor: ImageVerification validation (#3372)
* Cli Apply command support Dir as resources (#3391)
* chore: add helm crds to make codegen target (#3375)
* fix: metrics config defaults (#3387)
* fix for gvk not working for existing resources policy (#3384)
* e2e test for mutate global anchor Policy (#2574)
* Add `codecov` to CI (#3382)
* Update cosign to v1.6.0 (#3341)
* fix: generate api reference docs (#3377)
* fix PodExecOptions issue (#3373)
* Update OWNERS.md (#3371)
* feat: add autogen controllers to policy status (#3332)
* chore: gen helm crds from config crds (#3356)
* refactor: introduce api common types (#3365)
* adding emptyDir vol for keyless signing (#3366)
* refactor: move api functions closer to the struct they belong to (#3363)
* refactor: introduce rules getters and setters (#3350)
* refactor: move controller autogen annotation in api package (#3364)
* Add new test-case-selector flag to test command (#3183)
* support RSA, ECDSA and EDDSA public key verification (#3362)
* fix: configmap resource filters generated by helm does not account for namespace (#3358)
* chore: check helm docs are up to date (#3310)
* Fix any_all wildcard issue (#3352)
* fix: invalid path in helm-test workflow (#3344)
* Add Bloomberg to adopters (#3348)
* updated description field of foreach (#3157)
* chore: verify codegen in CI (#3343)
* Update generate clusterrole (#3336)
* fix: CRD generation (#3334)
* refactor: reduce usage of reflect.DeepEqual (#3328)
* fix: update codegen (#3329)
* fix: naming typos (#3327)
* refactor: introduce autogen package (#3316)
* refactor: pass only spec instead of whole policy when possible (#3315)
* fetch tag across all branches instead of current branch (#3324)
* add separate step for digest (#3321)
* adding check for digest and update git command
* correcting makefile latest tag (#3314)
* fix: helm install docs (#3312)
* fix: seccomp profile (#3313)
* chore: drop helm v2 (#3311)
* feat: gen kyverno helm chart docs (#3309)
* feat: gen kyverno-policies helm chart docs (#3301)
* Fix workflow using regex in `main` (#3306)
* arranging permissions (#3293)
* fix: helm chart broken when use generatecontrollerExtraResources (#3302)
* feat: support background mode configuration in kyverno-policies chart (#3299)
* Improve CLI test times by instantiating openapi controller once (#3297)
* Fix namespace typo (#3298)
* fix: add support for other platforms before executing docker buildx (#3296)
* validate and block policy based on the matched kind cache (#3283)
* fix: comma separated lists in config (#3290)
* Run E2E tests on all supported k8s versions (#3256)
* latest will point to main (#3285)
* Shallow clone git repositories for kyverno test command
* update trivy scanning (#3284)
* feat: add linux/s390x builds (#3277)
* Fix label mutation while updating the secret (#3273)
* Modify capabilities for compatibility with Pod Security (#3274)
* Fix Helm releasing to preserve creation timestamps (#3268)
* Added `kyverno test` subcommand for test manifest file (#3264)
* Clean up commented out lines of code (#3263)
* Add .DS_store to gitignore (#3255)
* fix mutate wildcard issue (#3193)
* Fix foreach validations precondition issue (#3228)
* Fix policy report OwnerReference (#3249)
* Improve E2E test CI timings (#3250)
* Add openssf badge (#3246)
* Fix old object validation check (#3248)
* Bug fix: negation of string kernel version caused Cluster Policy to fail (#3229)
* add helm pre-delete hook which deletes all the webhooks (#3148)
* Skip updating webhook configs if namespaceSelector is nil (#3237)
* Sync latest changes to release/install.yaml (#3239)
* add aggregated role for generaterequest (#3240)
* Remove abstraction that doesn't work anyway (#3209)
* Fix image parsing for image referenced as digests (#3196)
* feat: ha mode support in helm chart (#3207)
* Fix keyless attest (#3219)
* update dependencies (#3221)
* Issue forms and PR template adjustment (#3213)
* add prateekpandey14 to codeowners (#3205)
* Added e2e test for JSON patch mutate policy (#2966)
* fixing bug to handle two different types of rules (#2954)
* Allow setting validationFailureActionOverrides for policies (#3201)
* feat: fix app version in NOTES.txt (#3189)
* Indentation fix (#3179)
* Fix unused tagTest in helm chart tests (#3174)
* Update kyverno-policies chart with latest pod-security policies (#3126)
* Add a kyverno jp command to test jmespath expressions (#3169)
* test-cases for wildcard match label selector (#3165)
* Filter kyverno resources instead of entire kyverno namespace (#3170)
* Fix panic when a set is provided as the key of a precondition and deny condition (#3162)
* Bump up verbosity for `patched resource mismatch` (#3127)
* bump chart versions (#3160)
* Update dev image tag in Make targets (#3159)
* Add sam (#3155)
* add missing patch verbs in event clusterrole (#3151)
* fix filtered and sort patches index (#3146)
* Fix kyverno panic with `PodSpec.containers` JSON merge patch w/o image (#3143)
* Relax rule context validation to follow JMESPath grammar (#3129)
* Fixed kyverno panic at JMESPath zero division (#3137)
* Fix variable substitution when curly braces are used in jmespath (#3133)
* Fix parsing of resources in preconditions (#3108)
* Add cloud provider keychains to DefaultKeychain (#3116)
* improve antiAffinity and add podAffinity and nodeAffinity for kyverno helm chart (#3067)
* fixing and adding tests (#3112)
* update cosign to 1.5.0 and fix issuer and subject for keyless (#3089)
* Add b/w compat support for K8s version 1.20 and below for Kyverno 1.6 (#3100)
* Fix the kyverno default keychain value to be the ggcr default keychain (#3096)
* fix: typo Cluter to Cluster (#3092)
* Fix memory leak when updating ggcr keychain (#3088)
* Support registry keychain from cloud providers (#3036)
* Updates Changelog to add note for anyPattern issue due to k8s v1.23 (#3045)
* Add KYVERNO_DEPLOYMENT to initContainer (#3086)
* apply patches cumulatively (#3083)
* Fix CLI test/apply when any/all use namespaceSelector (#3050)
* fix mutating ownerReferences (#3061)
* update workflow configurations to fix CI failure (#3060)
* Fix documentation for helm charts (#3056)
-------------------------------------------------------------------
Fri Apr 01 07:04:47 UTC 2022 - kastl@b1-systems.de
- Update to version 1.6.2:
* tag v1.6.2 (#3511)
* Cherry-pick #3111 and release v1.6.2-rc3 (#3506)
* tag v1.6.2-rc2 (#3500)
* feat: generate support for namespace policy (#3498)
* use mutex as field instead of embedded (#3480) (#3489)
* release v1.6.2-rc1 (#3482)
* Cherry-pick #3477 (#3479)
* adds lease objects for storing last-request-time and set-status annotations in deployment (#3447) (#3478)
* fix: use RWMutex lock while concurrent read/write (#3462) (#3467)
* support for deprecated APIs (#3439) (#3453)
* fix cli panic for --cluster flag (#3436) (#3438)
* add missing namespace to role and rolebinding (#3389) (#3429)
* fix webhook configuration issue when auto update is disabled (#3417) (#3418)
* Cli Apply command support Dir as resources (#3391) (#3392)
* fix for gvk not working for existing resources policy (#3384) (#3386)
* Cherry pick/3366 (#3367)
* Update generate clusterrole (#3336) (#3359)
* fixing bug to handle two different types of rules (#2954) (#3357)
* Fix any_all wildcard issue (#3352)
-------------------------------------------------------------------
Wed Mar 02 05:51:37 UTC 2022 - kastl@b1-systems.de
- Update to version 1.6.1:
* fix release tag command (#3323)
* fetching proper digest for release images (#3319)
* update release v1.6.1 manifest (#3318)
* changing git command to fetch the tag (#3317)
* release v1.6.1-rc2
* cherry-pick c4075af3d17c59fe73b50083bb206d85a1cb38ba
* Run E2E tests on all supported k8s versions (#3256)
* Fix namespace typo (#3298)
* feat: support background mode configuration in kyverno-policies chart (#3299)
* fix: helm chart broken when use generatecontrollerExtraResources (#3302)
* Shallow clone git repositories for kyverno test command
* fix: add support for other platforms before executing docker buildx (#3296)
* latest pointing to main
* added condition
* using regex
* updated workflows
* validate and block policy based on the matched kind cache (#3283) (#3291)
* Filter kyverno resources instead of entire kyverno namespace (#3170) (#3171)
* update trivy scanning (#3284)
* tag v1.6.1-rc1
* Fix label mutation while updating the secret (#3273) (#3278)
* Modify capabilities for compatibility with Pod Security (#3274) (#3275)
* Fix Helm releasing to preserve creation timestamps (#3268)
* fix mutate wildcard issue (#3193)
* Fix foreach validations precondition issue (#3228)
* Fix policy report OwnerReference (#3249) (#3257)
* Fix old object validation check (#3248)
* Skip updating webhook configs if namespaceSelector is nil (#3237) (#3243)
* bump chart versions to v2.3.0
* cherry-pick #3209
* Fix image parsing for image referenced as digests (#3196) (#3233)
* Fix keyless attest (#3219)
* update dependencies (#3221)
* release Helm chart v2.2.1
* Allow setting validationFailureActionOverrides for policies (#3201)
-------------------------------------------------------------------
Fri Feb 18 15:07:52 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>
- link /usr/bin/kyverno to /usr/bin/kubectl-kyverno to make this usable as a kubectl plugin
-------------------------------------------------------------------
Fri Feb 18 13:02:16 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>
- new package kyverno: CLI and kubectl plugin for the Kyverno Policy engine