-------------------------------------------------------------------
Thu Feb 02 06:49:27 UTC 2023 - kastl@b1-systems.de

- Update to version 1.9.0:
  * tag v1.9.0 (#6186)
  * fix: policy exception event source (#6122)
  * Release v1.9.0-rc.4 (#6108)
  * fix: tracing attributes length and tracer name (#6112)
  * fix: cleanup-controller version (#6100) (#6105)
  * fix: flag added to init container mistake (#6103)
  * fix: allow deletion of namespace containing managed resources (#6098) (#6102)
  * fix: flag added to init container mistake (#6103)
  * Release v1.9.0-rc.3 (#6095)
  * validate polex activation and namespace (#6046) (#6080)
  * fix: pin busybox image tag in helm tests (#6051) (#6063)
  * fix: replace + with _ in Chart.Version label field (#6047) (#6056)
  * cherry-pick #6030 (#6034)
  * tag v1.9.0-rc.2 (#6023)
  * fix ns labels matching (#6022)
  * tag v1.9.0-rc.1 (#6012)
  * fix: policy match Kind case-sensitive (#6010)
  * fix: policy exceptions not working in background mode (#5980) (#6003)
  * chore: log out cleanup policy events (#5998) (#6000)
  * create failure events on errors (#5988) (#5997)
  * fix: generate policy exception events (#5987) (#5996)
  * cherry-pick #5920 (#5990)
  * Fixes time_now failing (cherry-pick 5928) (#5991)
  * create events for cleanup policies (#5982) (#5983)
  * fix: invoke cleanup process during shutdown (#5974) (#5981)
  * cherry-pick #5967 (#5970)
  * log out deleted resources at default level (#5977) (#5978)
  * fix: helm selector (#5965) (#5969)
  * feat: add cluster role aggregation to cleanup controller (#5966) (#5968)
  * fix chart invalid annotations (#5960) (#5963)
  * tag v1.9.0-beta.2 (#5959)
  * fix imageRef matching (#5956) (#5957)
  * cherry-pick #5950 (#5955)
  * Cherry-pick #5941 (#5952)
  * fix: update policy exception CRD description (#5948) (#5951)
  * chore: fix releaser badge (#5910) (#5947)
  * Added a time_add() filter to add duration and absolute time (#5817) (#5946)
  * fix: cleanup policies with user infos in match/exclude should be rejected (#5943) (#5944)
  * test: add kuttl test for policy exception (#5935) (#5936)
  * fix: missing user info matching (#5931) (#5934)
  * chore: add missing gh workflow concurrency statements (#5914) (#5924)
  * restrict cjs by PSS restricted checks (#5904) (#5922)
  * fix: Configure webhook to add ephemeralcontainers for policies matching on Pod (#5886) (#5919)
  * fix: golangci-lint workflow (#5913) (#5917)
  * set resourceVersion before update (#5906) (#5916)
  * fix: configure gh workflow permission (#5909) (#5915)
  * chore: make check actions pinned by hash a standalone ci job (#5907) (#5911)
  * feat: add violation details to report.results.properties for PSa policies (#5908) (#5912)
  * Adds JMESPath filter for returning cron expression for absolute time (#5814) (#5905)
  * chore: add setup test env gh action (#5897) (#5899)
  * chore: add setup-build-env gh action (#5892) (#5896)
  * fix cleanup var 'target.*' (#5888) (#5895)
  * add kuttl assert file (#5870) (#5894)
  * chore: small gh workflows improvements (#5883) (#5887)
  * chore: use gh composite actions (#5885) (#5893)
  * fix: Add group to subresources declaration in value.yaml file for CLI (#5881) (#5884)
  * refactor: improve background scan reconciliation (#5871) (#5882)
  * fix: Add subresources support to policy exceptions (#5839) (#5880)
  * fix validation checks for foreach and nested foreach (#5875) (#5877)
  * fix: force background scan recomputation (#5865) (#5868)
  * fix: background scan events (#5807) (#5874)
  * feat: cleanup enhancements-1 (cherry-pick #5796) (#5867)
  * fix mutate targets variable (#5862) (#5866)
  * chore: move ConvertToUnstructured from engine utils to kube utils (#5847) (#5863)
  * cleanup new validate webhooks (#5851) (#5857)
  * Walk back change in PSS policy to send to to_upper (#5823) (#5856)
  * cherry-pick #5846 (#5855)
  * feat: improve background scan reports enqueue logic (#5810) (#5853)
  * chore: cleanup a couple workflows (#5844) (#5854)
  * fix: improve cli help message (#5843) (#5849)
  * chore: bump a couple of deps (#5840) (#5850)
  * refactor: move utils into sub packages (#5828) (#5845)
  * chore: add a couple unit tests (#5834) (#5842)
  * chore: cleanup codecov workflow (#5829) (#5838)
  * fix: enum values for ValidationFailureActionOverride (#5835) (#5836)
  * fix: default value for validationFailureAction (#5832) (#5833)
  * Adds JMESPath filter for returning current time (#5813) (#5831)
  * add source archive checksum into the checksums.txt (#5819) (#5827)
  * Adds notes to functions (#5824) (#5826)
  * fix: error handling in last scan time parsing (#5808) (#5809)
  * fix arguments passed to DeepEqual (#5801) (#5806)
  * refactor: policy controller package (#5747) (#5803)
  * enhance logging, fix pull flag description (#5797) (#5798)
  * chore: switch to kyverno/kuttl (#5504) (#5794)
  * fix cli output adjustments (#5787) (#5793)
  * redirect stderr to get digest successfully (#5782) (#5791)
  * chore: update publicKey description (#5789) (#5792)
  * fix delete policy (#5776) (#5790)
  * fix helm chart version (#5775)
  * bump dep (#5765)
  * fix image digest (#5762)
  * tag v1.9.0-beta.1 (#5761)
  * chore(deps): bump JasonEtco/create-an-issue from 2.8.2 to 2.9.0 (#5760)
  * chore(deps): bump fluxcd/flux2 from 0.37.0 to 0.38.1 (#5759)
  * chore(deps): bump actions/cache from 3.0.11 to 3.2.0 (#5758)
  * refactor: move util funcs in sub packages (#5754)
  * refactor: cleanup controller validating webhook (#5756)
  * test: add unit test for GetResourceName util (#5752)
  * refactor: auth package and add full unit test coverage (#5749)
  * chore: bump deps including k8s ones (#5751)
  * refactor: remove common package (#5750)
  * refactor: use typed client in auth (#5743)
  * refactor: remove a couple of old util funcs (#5746)
  * chore: remove e2e tests (#5742)
  * Issue_templates (#5741)
  * chore: remove autogen internals tests (#5740)
  * fix: cleanup controller image build (#5739)
  * chore: build cleanup controller image (#5737)
  * generate SLSA provenance on releases (#5735)
  * run conformance tests on different k8s versions (#5733)
  * Allows {{image}} var to be used in policies (#5122)
  * refactor: split CLI jp command (#5566)
  * chore: update k8s versions test grid (#5732)
  * feat: add exception logic (#5712)
  * fix: remove all category from all our CRDs (#5731)
  * feat: force background scan regularly (#5727)
  * add rule type pkg/metrics/parsers.go (#5729)
  * bump Go 1.19.4 (#5728)
  * Revert "chore(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.1 (#5724)" (#5725)
  * chore(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.1 (#5724)
  * feat: propagate psa checks results (#5719)
  * fix: add back install.yaml manifest (#5721)
  * refactor: suppress usage of kustomize in build (#5691)
  * Require predicate type (#5713)
  * fix logger panic (#5715)
  * fix: interface conversion panic (#5708)
  * fix missing assignment (#5710)
  * feat: add kuttl tests for #5704 (#5707)
  * fix: allow policies from stdin in apply again (#5668)
  * initialize configmap resolver in background components (#5705)
  * feat: Implement PolicyException (#5680)
  * fix digest and verify logic (#5703)
  * fix: block policy admission if kyverno is down (#5677)
  * fix info kind error (#5701)
  * fix: exception validation follow up (#5697)
  * chore(deps): bump github/codeql-action from 2.1.36 to 2.1.37 (#5696)
  * feat: add policy exception validation webhook (#5679)
  * chore(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#5695)
  * chore: bump a couple of deps (#5688)
  * chore(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2 (#5694)
  * chore(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#5683)
  * fix: bump log level for autogen debug logs (#5687)
  * chore: remove deprecated flag splitPolicyReport (#5686)
  * chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (#5684)
  * chore(deps): bump JasonEtco/create-an-issue from 2.8.1 to 2.8.2 (#5685)
  * chore: remove secrets client from webhook controller (#5682)
  * chore: rename exclude into match in policy exception (#5681)
  * fix: case where deny message is not a string (#5678)
  * feat: Introduce PolicyException CRD (#5662)
  * feat: add certs controller to cleanup policies (#5671)
  * chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 (#5666)
  * Update version drop-downs in issue templates (#5674)
  * fix AllNotIn operator (#5636)
  * chore(deps): bump go.uber.org/multierr from 1.8.0 to 1.9.0 (#5663)
  * chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#5667)
  * feat: add engine traces (#5463)
  * use camel case for ForEach naming (#5660)
  * feat: add metrics service and service monitor to cleanup controller (#5653)
  * Support existing imagePullSecrets for image verify functionality (#5627)
  * Nested foreach (#5589)
  * chore(deps): bump github.com/sigstore/sigstore from 1.4.6 to 1.5.0 (#5652)
  * chore(deps): bump github.com/go-git/go-git/v5 from 5.4.2 to 5.5.1 (#5650)
  * feat: add dev config with support for prom loki and tempo (#5647)
  * fix: grafana dashboard (#5645)
  * fix: missing permission in cleanup controller role (#5646)
  * refactor: tracing package (#5643)
  * added Arrikto and Trendyol as adopters (via Google Form) (#5644)
  * feat: improve cleanup policies controller and chart (#5628)
  * feat: add support for subresources to validating and mutating policies (#4916)
  * fix: Improve helm-test workflow (#5640)
  * feat: propagate context through engine (#5639)
  * chore(deps): bump github/codeql-action from 2.1.35 to 2.1.36 (#5631)
  * feat: add conditions matching to cleanup controller (#5626)
  * fix: setup tracing and minor cleanup in tracing and metrics code (#5629)
  * feat: add http clients tracing (#5630)
  * chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 (#5632)
  * chore(deps): bump k8s.io/cli-runtime from 0.25.4 to 0.25.5 (#5635)
  * Add api docs (#5605)
  * feat: use lister in registry client (#5620)
  * fix: registry client not propagated correctly (#5622)
  * fix: don't create orphan spans in instrumented clients (#5624)
  * feat: introduce v2alpha1 (#5625)
  * feat: implement cleanup policy matching (#5614)
  * fix nil error panic (#5619)
  * chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#5618)
  * add 1.8.3 to version drop-downs (#5616)
  * fix: mutation of cached object in bg scan controller (#5608)
  * refactor: registry client (#5596)
  * use helm values for crd labels (#5594)
  * chore: bump a couple of deps (#5611)
  * chore(deps): bump reviewdog/action-golangci-lint from 1.25.0 to 2.2.2 (#5603)
  * chore(deps): bump azure/setup-helm from 1.1 to 3.4 (#5604)
  * refactor: improve color management in cli test (#5609)
  * chore: bump a couple of deps (#5610)
  * chore(deps): bump CycloneDX/gh-gomod-generate-sbom from 1.0.0 to 1.1.0 (#5601)
  * feat: add cleanup handler (#5576)
  * chore(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 (#5602)
  * Fix: handling unexpected global-anchor-variable for the apply command (#5590)
  * chore: bump a couple of deps (#5593)
  * fix: use lister for CA secret (#5598)
  * add logging guideline (#5406)
  * Delete category all from CRDs (#5557)
  * refactor: update otlp packages (#5367)
  * chore: bump flux action (#5578)
  * chore(deps): bump aquasecurity/trivy-action from 0.2.3 to 0.8.0 (#5584)
  * fix: replace + symbol with _ symbol on the Chart.Version field (#5591)
  * chore(deps): bump helm/chart-testing-action from 2.0.1 to 2.3.1 (#5586)
  * chore(deps): bump rajatjindal/krew-release-bot from 0.0.38 to 0.0.43 (#5588)
  * chore(deps): bump ossf/scorecard-action from 2.0.4 to 2.0.6 (#5587)
  * chore(deps): bump actions/setup-go from 2.1.5 to 3.4.0 (#5585)
  * chore(deps): bump actions/setup-python from 2.3.1 to 4.3.0 (#5562)
  * chore(deps): bump sonarsource/sonarcloud-github-action from 1.7 to 1.8 (#5563)
  * chore(deps): bump codecov/codecov-action from 2.1.0 to 3.1.1 (#5573)
  * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#5559)
  * adding --warn-exit-code flag (#5577)
  * feat: add cleanup controller BYOSA and RBAC extensions (#5580)
  * chore(deps): bump goreleaser/goreleaser-action from 2.8.0 to 3.2.0 (#5572)
  * chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#5574)
  * chore(deps): bump JasonEtco/create-an-issue from 2.8.0 to 2.8.1 (#5571)
  * chore: disable dependabot auto rebase (#5567)
  * chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 (#5560)
  * refactor: jmespath arithmetic operations (#5544)
  * chore(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.1 (#5561)
  * chore(deps): bump actions/checkout from 2.4.0 to 3.1.0 (#5564)
  * chore(deps): bump actions/cache from 3.0.8 to 3.0.11 (#5565)
  * refactor: cli test command (#5550)
  * refactor: cli jp command (#5552)
  * add Wayfair to adopters (#5547)
  * Kyverno CLI: added method to detect duplicate resource in kyverno test (#3612)
  * To support gitURLs for "apply" command (#4502)
  * issue-4613: Add support for cache enhancements with informers (#5484)
  * chore(deps): bump stefanprodan/helm-gh-pages from 1.5.0 to 1.7.0 (#5534)
  * chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#5532)
  * chore(deps): bump github/codeql-action from 1.0.26 to 2.1.35 (#5536)
  * bump slsa GH generator to 1.4.0 (#5530)
  * chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 (#5535)
  * chore(deps): bump sigstore/cosign-installer from 2.8.0 to 2.8.1 (#5533)
  * chore: enable dependabot (#5531)
  * refactor: make policy context immutable and fields private (#5523)
  * configure opentelemetry logger (#5513)
  * feat: support attestations with multiple signatures (#5409)
  * fix: bug in report resource watcher (#5525)
  * Adding Rafay Systems to Kyverno Adopters list. (#5524)
  * feat: Add default CI test values for helm charts (#5518)
  * feat(policies chart): Add ability to set autogen behavior (#5517)
  * fix: cleanup policy validation (#5514)
  * fix: pod anti affinity (#5516)
  * chore: improve cleanup controller (#5509)
  * feat: use admission review v1 (#5464)
  * refactor: use internal cmd package in kyverno (#5507)
  * chore: bump a few deps (#5512)
  * chore: stop using set-output in gh actions (#5500)
  * refactor: add controller helper to internal package (#5506)
  * chore: use builtin slices.Clone (#5510)
  * feat: add webhook type to admission metrics (#5493)
  * feat: propagate context to dynamic client (#5495)
  * chore: bump a couple of deps (#5503)
  * feat: add controller metrics (#5494)
  * fix: panic when response is nil (#5502)
  * fix: report deletion fighting with garbage collection (#5486)
  * feat: add dynamic client support to internal cmd package (#5477)
  * Migrate all mutate e2e tests to kuttl and expand (#5491)
  * chore: replace utils.ContainsString with builtin slices.Contains (#5496)
  * fix: add image extractor for ReplicationController (#5497)
  * refactor: move metrics closer to the code that use them (#5492)
  * chore: refactor metrics namespace check (#5489)
  * Migrate validate e2e tests to kuttl tests (#5483)
  * Fix: handled skip rule processing in anyPattern field (#5191)
  * feat: propagate context to the metrics package (#5479)
  * fix: fix mutating the "/metadata/serverAddress" section of a keda.s/v1alpha1/ScaledObject object (#5374)
  * feat: add allowed label to admission metrics (#5478)
  * chore: bump kyverno version in argo lab (#5482)
  * fix: typo in autogen package (#5480)
  * chore: improve tracing instrumented clients (#5474)
  * refactor: metrics configuration code (#5475)
  * feat: create a policy utils package (#5473)
  * Add reconciling logic for creating cronjobs whenever a new cleanup policy is created (#5385)
  * feat: add new filtering handlers (#5472)
  * fix: remove filtering for policy admission handlers (#5462)
  * fix: add clone check before validating namespace policy (#5459)
  * fix: issue when calling kustomize concurrently (#5465)
  * feat: support flagsets in internal cmd package (#5461)
  * chore: add instrumented clients codegen verification (#5460)
  * fix: reading policies for oci command and pushing image (#5435)
  * fix: admission reports stacking up (#5457)
  * docs: add controllers README (#5434)
  * fix: log watcher error in reports controller (#5449)
  * ci: cancel redundant builds of workflow on push (#5427)
  * feat: use client funcs from internal cmd package (#5443)
  * docs: add reports troubleshooting tips (#5448)
  * fix: argocd lab monitoring namespace (#5446)
  * fix: mutate existing policy does not get applied when background=false (#5439)
  * feat: add signal in internal cmd package (#5444)
  * feat: improve handlers tracing code (#5442)
  * chore: bump a bunch of deps (#5440)
  * feat: add logging support to instrumented clients (#5438)
  * feat: add discovery support in instrumented clients (#5437)
  * refactor: dynamic client use instrumented clients (#5436)
  * fix request.operation in globalValues is always set to CREATE (#5423)
  * chore: remove obsolete metrics client code (#5401)
  * refactor: improve instrumented clients code and support dynamic/metadata client (#5428)
  * refactor: split argocd lab into multiple steps (#5410)
  * Fix multi attestor keyless (#5432)
  * Handle Match resources kind (#5421)
  * update slsa to v1.3.0 (#5419)
  * chore: bump sigstore deps (#5376)
  * fix blank lines in crds (#5422)
  * refactor: improve instrumented clients creation (#5417)
  * logging action (#5416)
  * adding --audit-warn flag (#5321)
  * Update version drop-downs; bump Trivy (#5425)
  * Add most basic kuttl tests for generate rules, clone and sync (#5413)
  * fix: typo (#5415)
  * feat: make traces better (#5412)
  * refactor: introduce cmd internal package (#5404)
  * refactor: generated instrumented client code part 2 (#5398)
  * feat: add tracing middleware (#5397)
  * Fixed issue-3709: Image verify rule gives error for non-existing configmap (#5272)
  * add os.Exit (#5402)
  * Complete all basic kuttl tests for generate rules, clone and no-sync (#5400)
  * refactor: generate instrumented client code (#5362)
  * refactor: propagate context through admission handlers (#5392)
  * refactor: improve tracing package (#5391)
  * [Bug]: Fix wildcard any/all issue (#5387)
  * Fix incorrect step ID reference (#5388)
  * fix the entry length validation for the verify image rule (#5384)
  * Add more kuttl generate test cases (#5364)
  * fix: set correct logger in profiling server (#5358)
  * fix closed watchers in the resource-report-controller (#5350)
  * fix: set logger in metrics server (#5319)
  * fixed dryrun option to handle changes caused by mutating policy (#4899)
  * fix: add validation for generate namespace policy (#5346)
  * chore: add tempo to argocd lab (#5365)
  * chore: add performance tests tool (#5241)
  * fix: panic when disable metrics is true (#5366)
  * feat: add CleanupPolicy validation code to CleanupPolicyHandler (#5338)
  * test: simplify autogen kuttl tests (#5343)
  * chore: enable json logs in argocd lab (#5349)
  * fix digest variable (#5356)
  * chore: add helm ci values with cleanup controller (#5357)
  * fix: add some missing options in cleanup helm chart (#5351)
  * add test cases for yaml verification feature (#5326)
  * refactor: optimise and use kuttl TestStep with tests (#5328)
  * test: add rbac kuttl test (#5337)
  * Update SLSA generator workflow to v1.2.2 (#5323)
  * test: add kuttl debug failure (#5339)
  * fix: add replicaset and replicationController kinds in podsecurity validation (#5336)
  * feat: add cleanup controller to helm chart (#5329)
  * chore: remove docker support (#5324)
  * chore: add cli binary to gitignore (#5331)
  * test: add test to check expected webhooks are created (#5330)
  * feat: add cleanup controller makefile targets (#5327)
  * feat: add replicaset and replicationcontroller to autogen (#4975)
  * feat: add cleanupPolicy validation code (#5279)
  * fix: synchronize source resource update to clone list resource (#5317)
  * allow list with policies in test (#5227)
  * test: add kuttl tests for jmespath special chars (#5310)
  * Fix issue where CLI test command ignores failures (#5189)
  * fix: wrong logger used (#5311)
  * fix: send notification when stopping watching resource in reports system (#5298)
  * fix: add parsing of json pointers to support special chars (#3578 #3616) (#4767)
  * fix: set rule response status as skip if precondition failed (#5162)
  * Update kuttl test scaffolding (#5303)
  * fix: reduce startup probe delay (#5296)
  * tests: add kuttl tests for multiple clone generate (#5280)
  * fix: allow delete of clone target resource with synchronize false (#5161)
  * fix: image extractor kuttl tests (#5293)
  * fix: check policy is ready in kuttl tests (#5286)
  * fix: kuttl test external-service (#5287)
  * chore: update kuttl (#5285)
  * fix: make zapr compatible with klog's -v argument (#5166)
  * feat: add flag to control leader election frequency (#5172)
  * refactor: admission metrics (counter and latency) (#5245)
  * fix: resource schema validation in policies under any/all match (#5246)
  * fix: keep admission warnings (#5269)
  * add test instructions (#5271)
  * chore: add kuttl autogen tests (#5253)
  * fix: add missing test suite to kuttl (#5268)
  * fix: account for error rules in mutation webhook (#5264)
  * refactor: admission response utils (#5234)
  * feat: create cleanup new CRDs (#5233)
  * chore: remove old conformance tests files (#5260)
  * fix: add warning when using deprecated validation failure action (#5219)
  * Kuttl updates (#5257)
  * chore: use conditions in kuttl tests to check ready policies (#5252)
  * chore: add kuttl in makefile (#5254)
  * More kuttl tests (#5238)
  * fix: remove unused code in config (#5242)
  * feat: separate webhook rules per GVK/rule (#4986)
  * fix: kyverno Dockerfile base image tag and sha256 hash (#5248)
  * refactor: move all middlewares in handlers sub package (#5244)
  * fix generateName mutation (#5146)
  * Fix Keda policy installation issue (#5239)
  * fix: remove /approve from prow actions (#5243)
  * [Feature] Pin Dependencies by Hash (#5168)
  * chore: add loki to argocd lab (#5231)
  * Fixed description for secret name (#5228)
  * feat: add grafana dashboard to helm chart (#5230)
  * add remainder of e2e verifyImages tests (#5229)
  * add kuttl tests (#5204)
  * [BUG] Fix foreach deletion issue (#5224)
  * feat: add policy label to policy reports (#5198)
  * fix: too much information for the Policy Rule Execution Latency metric (#5208)
  * chore: server side apply in argo lab (#5209)
  * refactor: health check system (#5176)
  * fix: early return in policy validation (#5200)
  * feat: support disabling schema validation on the patched resource (#5197)
  * fix: deletion of reports not belonging to kyverno (#5194)
  * Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964)
  * refactor: remove policyreport package (#5174)
  * fix: use pagination to aggregate reports (#5190)
  * fix: check resource version on update notification (#5179)
  * fix: do not cancel context when losing the lead (#5180)
  * chore: add kind config file (#5178)
  * fix: content type in log (#5177)
  * feat: run leader election in loop (#5173)
  * refactor: support Audit and Enforce validation failure actions (#5152)
  * Corrected Kubernetes spelling (#5134)
  * fix 5151 issue (#5170)
  * Add ability to use commands in comments (#5154)
  * fix: configure klog and global logger to use zapr in json mode (#5144)
  * feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268)
  * Fixed issue-5102: Show rule count and type in output (#5106)
  * skip generating events on empty rule response (#5158)
  * reset resource version on update (#5157)
  * fix: mutation policy inconsistent patching for ephemeralContainers (#5121)
  * feat: remove policy mutation for auto-gen rules (#5123)
  * chore: remove old docs (#5130)
  * fix finalizers mutation with patchesJson6902 (#5132)
  * Add AGE in printer columns of CRDs (#5119)
  * feat: oci pull/push support for policie(s) (#5026)
  * feat: add categories support to our CRDs (#5112)
  * Remove old version of golang.org/x/sys (#5125)
  * fix: conformance tests (#5118)
  * [Feature] create command line option to set failurePolicy globally (#4991)
  * clean conformance (#5089)
  * feat: enable/disable Debug mode which shows entire AdmissionReview payload (#5024)
  * docs: separate dev and user docs (#5114)
  * ci: Fix install manifests publishing with Flux (#5110)
  * fix: use correct side effects in validating webhooks (#5080)
  * refactor: simplify variables regex (#5075)
  * feat: add flag to configure the number of background scan workers (#5088)
  * fix: allow delete of target resource with synchronize false (#5081)
  * ci: Use the Docker login action for GHCR auth (#5091)
  * fix: handle resource cleanup when policy is deleted (#5021)
  * test: add best practices policies in conformance tests (#5082)
  * fix: use correct logger in webhook controller (#5083)
  * feat: add simple conformance tests (#5073)
  * fix: make response order predictable (#5079)
  * added apiCalls support in kyverno-apply command (#4938)
  * feat: add webhook server logger (#5063)
  * fix: configure idle timeout in server (#5062)
  * fix: image verification reports missing in admission mode (#5037)
  * fix: setup max procs with correct logger (#5059)
  * fix: detection of kyverno going down (#5055)
  * fix: do not update reports when they are identical (#5056)
  * fix: go routines not gracefully shut down in controllers (#5022)
  * fix: account for policy/rule deletion in aggregated reports (#5048)
  * Created configuration file for Openssf scorecard (#4778)
  * feat: add image verification support to background scan (#5047)
  * feat: add controller logger helper (#5029)
  * fix env (#5046)
  * fix: lease log message (#5030)
  * feat: make shutdown more graceful (#5031)
  * fix: lower default qps/burst (#5034)
  * fix: Attempt to fix the CI failure, extract CI job push-sign-install-manifest (#5035)
  * Fixed issue-4655: verifyImages is executed before mutate (#4996)
  * fix: add more infos in reports printers (#5027)
  * Enable adding annotations to configmaps in the helm chart (#4984)
  * validate patchJSON6902 (#4469)
  * remove RBACInfo check (#5015)
  * fix: policy not denied when kinds set is empty (#5016)
  * fix: global anchor warning (#4962)
  * fix: don't process non background policies in background scan (#5008)
  * fix: update policy status (#5006)
  * fix: use default retry with retryfunc for a conflict (#4973)
  * updates with case insensitivity guarantee (#4954)
  * refactor: add update status helper (#4985)
  * fix principal and role variables are not substituted (#5000)
  * fix: skip admission in dry run requests (#4994)
  * fix: webhooks not registering when using name override (#4992)
  * feat: add metrics server and kube-prometheus-stack to argocd lab (#4995)
  * feat: add startup probes support (#4896)
  * feat: add policy-reporter to argocd lab (#4988)
  * docs: add resource exclusions note in helm docs (#4989)
  * chore: add myself in approvers (#4990)
  * feat: Add container registry setting on Helm Chart (#4281)
  * fix: config reloading not working correctly (#4951)
  * fix: missing autogen rules in status (#4971)
  * fix: add user info in admission request logs (#4969)
  * fix: don't produce empty admission reports (#4966)
  * fix: improve banned types management in reports (#4953)
  * fix: missing watchers in resource report controller (#4967)
  * chore: Push and sign install manifests to GHCR (#4895)
  * Fixed issue-4530: Added separate attestor type for secrets and KMS (#4733)
  * fix: admission reports printer (#4950)
  * chore: bump a few deps (#4943)
  * Added support to specify key signature algorithm in verifyImages (#4855)
  * fix: don't report ready until certs are valid (#4934)
  * Update issue templates and scan for vulns action (#4952)
  * Fix background scan with request.operation (#4947)
  * fix: consider generateName when matching resources (#4945)
  * fix: probes should work in debug mode (#4926)
  * fix: set operation in context when necessary (#4940)
  * chore: add COSIGN_REPOSITORY env to ko-publish-dev step (#4922)
  * fix: panic when bad variable substitution (#4928)
  * feat: make cert renewer private and add server name support (#4904)
  * chore: bump a couple of deps (#4925)
  * [Cleanup] Disable PolicySkipped events (#4913)
  * add filter for validation policies when ValidationFailureActionOverrides is used (#4809)
  * chore: update controller-tools to v0.10.0 (#4918)
  * fix: use constants defined in openapi controller (#4919)
  * chore: signing helm releases (#4801)
  * fix: openapi controller discovery (#4912)
  * refactor: openapi controller part 2 (#4910)
  * fix: clean background scan reports (#4908)
  * fix: don't specify rules when aggregationRule is set (#4867)
  * refactor: openapi controller part 1 (#4901)
  * fix: remove unnecessary dependencies from tls package (#4903)
  * fix: reduce webhook controller logs (#4897)
  * chore: add argocd lab (#4884)
  * refactor: manage webhooks with webhook controller (#4846)
  * fix: auto gen enabled when using names (#4863)
  * fix: non watchable resources in report controller (#4888)
  * Fix result colour (#4885)
  * fix: background scan labels (#4865)
  * fix: hardening policy validation for generate cloneList (#4881)
  * docs: add section in helm docs to install with argocd (#4878)
  * fix test output numbering (#4853)
  * feature: use cert extension oid as key (#4854)
  * chore: add launch.json for vscode debugging (#4856)
  * Add workflow to detect and report on image vulns (#4850)
  * docs: add debug instructions (#4843)
  * e2e test for mutate policy (#3383)
  * fix: replace AbsPath with RequestURI to support query params (#4849)
  * refactor: make cert manager a real controller (#4792)
  * refactor: add config support to webhook controller (#4838)
  * feat: use a dedicated policy metrics controller (#4818)
  * chore: bump a couple of deps (#4842)
  * Update PSa images description (#4840)
  * refactor: leader controllers management (#4832)
  * fix extension checks (#4836)
  * fix: call depth in logging package and global logger support for call depth (#4834)
  * upgrade controller-runtime dependency (#4829)
  * refactor: non leader controllers management (#4831)
  * refactor: make tls cert func not depending on cert controller (#4820)
  * fix: use new client in tls package (#4746)
  * fix: debug mode (#4785)
  * fix: add policy validation for ValidationFailureActionOverride field (#4784)
  * update helm doc
  * Fix CRD format issue
  * Bump k8s libraries to v0.25.2
  * Fix PSa the control name validation
  * fix: validationFailureAction default value (#4822)
  * refactor: split main into sub funcs (#4821)
  * chore: use concurrent map v2 (generics) (#4803)
  * fix: controllers start in loop (#4815)
  * refactor: split main into sub func (#4810)
  * feat: add context support to leader election (#4811)
  * feat: add context funcs to logging package (#4812)
  * skip succeed rules when building the blocked return message (#4804)
  * fix: subject and issuer validation when attestations are present (#4786)
  * refactor: split main func for metrics (#4796)
  * fix: remove error prone debug field (#4794)
  * chore: bump a couple of deps (#4802)
  * refactor: split main into funcs (#4795)
  * fix: logger panic (#4793)
  * fix: publish yaml manifests in release instead of repo (#4738)
  * fix: remove explicit wait for cache sync (#4791)
  * Add security context and resource block to test (#4712)
  * fix: new cert manager controller never returns error (#4789)
  * chore: bump a few deps (#4790)
  * refactor: update script generate-self-signed-cert-and-k8secrets.sh to support custom namespace (#4758)
  * refactor: introduce webhook controller (#4749)
  * fix: remove reference to controller runtime log (#4779)
  * refactor: more context less chans (#4764)
  * Fix: Typo in x509_decode JMESPath function's note (#4773)
  * fix: add workers to the controller interface (#4776)
  * update cosign and k8s-manifest-sigstore (#4781)
  * chore: change charts registry url (#4768)
  * add package logger in files (#4766)
  * fix: parse flags error handling (#4775)
  * refactor: make server owner of the cleanup chan (#4765)
  * refactor: use context in openapi controller (#4760)
  * refactor: use context in controllers instead of chan (#4761)
  * refactor: use context in dynamic client instead of chan (#4756)
  * refactor: move from io/ioutil to io and os packages (#4752)
  * refactor: split main in a couple of funcs and use local loggers (#4754)
  * fix: helm self signed cert (#4745)
  * add and use package level logger (#4750)
  * fix: watch error in resource controller (#4751)
  * chore: use constant in cert manager controller (#4747)
  * feat: add typed client support and metrics wrapper (#4724)
  * chore: speed up helm docs gen on mac (#4742)
  * fix: reports not generated (#4743)
  * feat: allow users enable JSON logging with a --loggingFormat=json flag (#4661)
  * fix: use a single leader election (#4722)
  * fix: containerd dependency vulnerability (#4629)
  * Add PSa policy validations (#4735)
  * Added `x509_decode` JMESPath function (#4664)
  * feat: add matchlabel selector support with multiple clone (#4713)
  * docs: add policy cache controller docs (#4714)
  * fix: output make messages to stderr (#4727)
  * feat: reports v2 implementation (#4608)
  * Support PSa integration by `controlName` only (#4710)
  * chore: update client code generator (#4711)
  * chore: group unit and cli tests targets and separate sections (#4693)
  * fix: remove deprecation notice (#4635)
  * chore: enable overriding images repo (#4694)
  * fix: change key used in test (#4718)
  * chore: refactor manifests related makefile targets (#4706)
  * fix: missing client wrapper (#4703)
  * refactor: use pod name as leader id (#4680)
  * fix: split webhook handlers per failure policy (#4650)
  * fix: shutdown controllers workers gracefully (#4681)
  * fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671)
  * refactor: replace signal package by signal.NotifyContext (#4691)
  * fix: jmespath random error handling (#4697)
  * chore: simplify go mod (#4692)
  * fix: bump net standard lib (#4685)
  * fix: handle auth permission for cloneList validation (#4684)
  * fix: namespaced policy not validated in engine (#4653)
  * chore: bump minimum go version (#4677)
  * Fix issue for wildcard versions (#4670)
  * chore: publish sbom result to a different repository from an image (#4665)
  * added kubeconfig and context flag to kyverno apply (#4524)
  * feat: add feature flag to disable background scan (#4638)
  * feat: add explicit key support to controller utils (#4628)
  * refactor: update log based on the policy types (#4646)
  * refactor: split policyreport api files (#4641)
  * fix: missing elements in v2beta1 api (#4654)
  * refactor: add a couple of constants in api (#4640)
  * feat: introduce RCR interface (#4642)
  * fix: incorrect namespace in report controller (#4637)
  * fix: remove RCR from mutation webhook (#4636)
  * feat: add controller utils tools (#4639)
  * chore: bump cosign 1.12.0 to fix vulnerabilities (#4631)
  * chore: add makefile target to deploy metrics server (#4627)
  * chore: add target to deploy policy reporter (#4621)
  * Integrate Sonarcloud and Nancy github action (#3491)
  * fix: background printer column (#4617)
  * enhance jmespath random-filter (#4591)
  * fix: lock in policy report mapper (#4601)
  * refactor: simplify RCR creator queue (#4578)
  * chore: add messages in makefile kind targets (#4588)
  * refactor: info in policyreport package (#4598)
  * Fix multiple crd slowness issue (#4275)
  * update helm releases path (#4596)
  * enable autogen for validate.podsecurity with no exclude (#4594)
  * chore: add a codegen-quick makefile target (#4583)
  * chore: switch to github.com/IGLOU-EU/go-wildcard (#4563)
  * allow PSa validation with no exceptions (#4558)
  * fix: typo (#4582)
  * fix: split policy report flag (#4576)
  * update version drop-down (#4579)
  * chore: add toggle package unit tests (#4577)
  * chore: preserve pr title in cherry picks (#4573)
  * refactor: move generation handler out of webhooks package (#4570)
  * refactor: move image verification handler out of
webhooks package (#4569) * refactor: move mutation handler out of webhooks package (#4567) * refactor: move validation audit out of webhooks package (#4562) * chore: add kocache (#4482) * docs: add help on fetching tags (#4560) * refactor: move validation handler out of webhooks package (#4556) * refactor: make webhook metrics helpers static (#4554) * add new patterns for releases (#4552) * refactor: move webhook events utils in utils package (#4545) * chore: add unit test for updating ur status (#4541) * fix: defer ur update until validation passes (#4540) * refactor: introduce ur updater (#4535) ------------------------------------------------------------------- Tue Dec 20 12:22:22 UTC 2022 - kastl@b1-systems.de - Update to version 1.8.5: * release v1.8.5 (#5726) * tag v1.8.5-rc.1 (#5718) * Cherry-pick Require predicate type (#5717) * cherry-pick: fix digest and verify logic (#5706) * fix: interface conversion panic (#5708) (#5711) * Delete category all from CRDs (cherry-pick #5557) (#5709) ------------------------------------------------------------------- Fri Dec 09 19:49:45 UTC 2022 - kastl@b1-systems.de - Update to version 1.8.4: * release v1.8.4 (#5638) * tag v1.8.4-rc.1 (#5623) * fix nil error panic (#5619) (#5621) * fix: mutation of cached object in bg scan controller (#5608) (#5613) ------------------------------------------------------------------- Tue Dec 06 06:10:10 UTC 2022 - kastl@b1-systems.de - Update to version 1.8.3: * tag v1.8.3 (#5579) * tag v1.8.3-rc.2 (#5529) * feat: support attestations with multiple signatures (cherry-pick #5409) (#5528) * logging action (#5416) (#5527) * fix: bug in report resource watcher (#5525) (#5526) * feat: Add default CI test values for helm charts (#5518) (#5521) * feat(policies chart): Add ability to set autogen behavior (#5517) (#5520) * tag 1.8.3-rc.1 (#5508) * fix: report deletion fighting with garbage collection (#5486) (#5501) * Migrate all mutate e2e tests to kuttl and expand (#5491) (#5499) * Cherry-pick 
ff9328809b62097895b99d866d0d3c6d6a801ae9 (#5488) * fix: fix mutating the "/metadata/serverAddress" section of a keda.s/v1alpha1/ScaledObject object (#5374) (#5487) * fix: typo in autogen package (#5480) (#5481) * fix: add clone check before validating namespace policy (#5459) (#5471) * fix: issue when calling kustomize concurrently (cherry-pick #5465) (#5470) * fix: admission reports stacking up (#5457) (#5467) * fix: log watcher error in reports controller (#5449) (#5455) * Handle Match resources kind (#5421) (#5450) * fix: mutate existing policy does not get applied when background=false (#5439) (#5447) * Fix multi attestor keyless (#5432) (#5433) * fix validationFailureAction case in kuttl tests (#5426) * Add most basic kuttl tests for generate rules, clone and sync (#5413) (#5424) ------------------------------------------------------------------- Mon Nov 21 09:25:18 UTC 2022 - kastl@b1-systems.de - Update to version 1.8.2: * Tag v1.8.2 (#5418) * tag v1.8.2-rc.2 (#5408) * Fixed issue-3709: Image verify rule gives error for non-existing configmap (#5272) (#5407) * add os.Exit (#5402) (#5405) * Complete all basic kuttl tests for generate rules, clone and no-sync (#5400) (#5403) * tag v1.8.2-rc.1 (#5393) * [Bug]: Fix wildcard any/all issue (#5387) (#5390) * fix: enable policy validation for the verifyImage rule (#5383) * fix: set logger in metrics server (#5319) (#5377) * Add more kuttl generate test cases (#5364) (#5382) * test: add rbac kuttl test (#5337) (#5380) * fix: set correct logger in profiling server (#5358) (#5381) * fix closed watchers in the resource-report-controller (#5350) (#5378) * fix: add validation for generate namespace policy (#5346) (#5373) * fixed dryrun option to handle changes caused by mutating policy (#4899) (#5375) * add test cases for yaml verification feature (#5326) (#5372) * chore: add tempo to argocd lab (#5365) (#5370) * chore: add performance tests tool (#5241) (#5369) * fix: panic when disable metrics is true (#5366) (#5368) * 
chore: enable json logs in argocd lab (#5349) (#5359) * refactor: optimise and use kuttl TestStep with tests (#5328) (#5353) * test: add kuttl debug failure (#5339) (#5341) * chore: add cli binary to gitignore (#5331) (#5333) * test: add test to check expected webhooks are created (#5330) (#5332) * fix: synchronize source resource update to clone list resource (#5317) (#5320) * Fix issue where CLI test command ignores failures (#5189) (#5313) * fix: add parsing of json pointers to support special chars (#3578 #3616) (#4767) (#5315) * test: add kuttl tests for jmespath special chars (#5310) (#5316) * fix: wrong logger used (#5311) (#5314) * chore: Fix policy installation issue (cherry-pick #5239) (#5308) * fix: reduce startup probe delay (#5296) (#5302) * fix: send notification when stoping watching resource in reports system (#5298) (#5309) * fix: set rule response status as skip if precondition failed (#5162) (#5306) * Update kuttl test scaffolding (#5303) (#5304) * tests: add kuttl tests for multiple clone generate (#5280) (#5299) * add a note to 1.8.2-rc1 release (#5291) * fix: allow delete of clone target resource with synchronize false (#5161) (#5297) * fix: check policy is ready in kuttl tests (#5286) (#5292) * fix: image extractor kuttl tests (#5293) (#5295) * fix: kuttl test external-service (#5287) (#5290) * chore: update kuttl (#5285) (#5288) * refactor: admission metrics (counter and latency) (#5245) (#5282) * chore: use conditions in kuttl tests to check ready policies (#5252) (#5281) * fix: make zapr compatible with klog's -v argument (#5166) (#5283) * fix: keep admission warnings (#5269) (#5275) * chore: add kuttl autogen tests (#5253) (#5274) * fix: add missing test suite to kuttl (#5268) (#5273) * fix: early return in policy validation (cherry-pick #5200) (#5213) * chore: remove old conformance tests files (#5260) (#5263) * fix: account for error rules in mutation webhook (#5264) (#5267) * refactor: admission response utils (#5234) (#5265) * chore: 
add kuttl in makefile (#5254) (#5258) * Kuttl updates (#5257) (#5261) * More kuttl tests (#5238) (#5259) * add remainder of e2e verifyImages tests (#5229) (#5256) * add kuttl tests (cherry-pick #5204) (#5255) * refactor: move all middlewares in handlers sub package (cherry-pick #5244) (#5250) * chore: add loki to argocd lab (#5231) (#5240) * feat: add grafana dashboard to helm chart (#5230) (#5232) * feat: add policy label to policy reports (#5198) (#5225) * Merge 396593d8997f218270a398e18e956d892f004bc3 into b3c5a9c74165d573aab9928dd8ac1187e8d8fc3a (#5216) * chore: server side apply in argo lab (#5209) (#5210) * refactor: health check system (#5176) (#5207) * feat: support disabling schema validation on the patched resource (#5197) (#5206) * Helm chart: add extraCRDAnnotations value and set ArgoCD sync option by default (#4964) (#5195) * fix: deletion of reports not belonging to kyverno (#5194) (#5196) * fix: use pagination to aggregate reports (#5190) (#5192) * fix: check resource version on update notification (#5179) (#5186) * chore: add kind config file (#5178) (#5183) * fix: content type in log (#5177) (#5182) * fix: configure klog and global logger to use zapr in json mode (#5144) (#5181) * skip generating events on empty rule response (#5158) (#5160) * reset resource version on update (#5157) (#5159) * feat: add categories support to our CRDs (#5112) (#5137) * fix: mutation policy inconsistent patching for ephemeralContainers (#5121) (#5145) * Fixed issue-4655: verifyImages is executed before mutate (#4996) (#5143) * fix finalizers mutation with patchesJson6902 (#5132) (#5135) ------------------------------------------------------------------- Tue Oct 25 18:44:22 UTC 2022 - kastl@b1-systems.de - Update to version 1.8.1: * Tag v1.8.1 (#5133) * Tag v1.8.1-rc.4 (#5128) * remove the empty add entry in Hehlm chart manifest (#5127) * Remove old version of golang.org/x/sys (#5125) (#5126) * docs: separate dev and user docs (cherry-pick #5114) (#5117) * ci: Fix 
install manifests publishing with Flux (#5110) (#5111) * Tag v1.8.1-rc.3 (#5108) * fix: use correct side effects in validating webhooks (#5080) (#5105) * refactor: simplify variables regex (#5075) (#5104) * fix: allow delete of target resource with synchronize false (#5081) (#5095) * test: add best practices policies in conformance tests (#5082) (#5097) * fix: use correct logger in webhook controller (#5083) (#5098) * feat: add flag to configure the number of background scan workers (#5088) (#5096) * ci: Use the Docker login action for GHCR auth (#5091) (#5094) * fix: handle resource cleanup when policy is deleted (#5021) (#5093) * Cherry pick 5035, 5046 (#5090) * fix: make reponse order predictable (#5079) (#5087) * feat: add simple conformance tests (#5073) (#5086) * feat: add webhook server logger (#5063) (#5085) * release 1.8.1-rc.2 (#5072) * fix: image verification reports missing in admission mode (cherry-pick #5037) (#5066) * fix: configure idle timeout in server (#5062) (#5067) * fix: setup max procs with correct logger (#5059) (#5065) * fix: do not update reports when they are identical (#5056) (#5061) * fix: detection of kyverno going down (#5055) (#5064) * fix: go routines not gracefully shut down in controllers (#5022) (#5060) * fix: account for policy/rule deletion in aggregated reports (#5048) (#5058) * feat: add metrics server and kube-prometheus-stack to argocd lab (#4995) (#5052) * feat: add image verification support to background scan (#5047) (#5049) * feat: add controller logger helper (#5029) (#5050) * feat: add policy-reporter to argocd lab (#4988) (#5051) * feat: make shutdown more graceful (#5031) (#5040) * Enable adding annotations to configmaps in the helm chart (#4984) (#5039) * fix: wrong controller logger names (#5043) * chore: add argocd lab (#4884) (#5041) * fix: lease log message (#5030) (#5045) * fix: lower default qps/burst (#5034) (#5038) * fix: add more infos in reports printers (#5027) (#5033) * Tag v1.8.1-rc1 (#5020) * remove 
RBACInfo check (#5015) (#5019) * fix: policy not denied when kinds set is empty (#5016) (#5017) * fix: global anchor warning (#4962) (#5013) * feat: add startup probes support (#4896) (#5012) * fix: webhooks not registering when using name override (#4992) (#5010) * fix: don't process non background policies in background scan (#5008) (#5009) * fix principal and role variables are not substituted (#5000) (#5001) * fix: update policy status (#5006) (#5007) * fix: use default retry with retryfunc for a conflict (#4973) (#5005) * updates with case insensitivity guarantee (#4954) (#5003) * refactor: add update status helper (#4985) (#5002) * fix: skip admission in dry run requests (#4994) (#4999) * fix: improve banned types management in reports (#4953) (#4997) * docs: add resource exclusions note in helm docs (#4989) (#4993) * feat: Add container registry setting on Helm Chart (cherry-pick #4281) (#4987) * fix: config reloading not working correctly (#4951) (#4982) * fix: missing autogen rules in status (#4971) (#4978) * fix: missing watchers in resource report controller (#4967) (#4974) * fix: add user info in admission request logs (#4969) (#4976) * fix: don't produce empty admission reports (#4966) (#4972) * chore: Push and sign install manifests to GHCR (#4895) (#4970) * fix: admission reports printer (#4950) (#4961) * fix: consider generateName when matching resources (#4945) (#4960) * chore: bump a few deps (#4943) (#4958) * fix: don't report ready until certs are valid (#4934) (#4957) * Fix background scan with request.operation (#4947) (#4949) * fix: probes should work in debug mode (#4926) (#4944) * fix: set operation in context when necessary (#4940) (#4942) * chore: add COSIGN_REPOSITORY env to ko-publish-dev step (#4922) (#4936) * add filter for validation policies when ValidationFailureActionOverrides is used (#4809) (#4932) * fix: panic when bad variable substitution (#4928) (#4935) * feat: make cert renewer private and add server name support (#4904) 
(#4933) * [Cleanup] Disable PolicySkipped events (#4913) (#4931) * chore: bump a couple of deps (#4925) (#4929) * chore: update controller-tools to v0.10.0 (#4918) (#4923) * fix: use constants defined in openapi controller (#4919) (#4921) * chore: signing helm releases (#4801) (#4920) * fix: openapi controller discovery (#4912) (#4917) * fix: don't specify rules when aggregationRule is set (#4867) (#4915) * refactor: openapi controller part 2 (#4910) (#4914) * refactor: openapi controller part 1 (#4901) (#4906) * fix: clean background scan reports (#4908) (#4911) * fix: remove unnecessary dependencies from tls package (#4903) (#4905) * fix: reduce webhook controller logs (#4897) (#4900) * refactor: manage webhooks with webhook controller (#4846) (#4893) * fix: auto gen enabled when using names (#4863) (#4892) * fix: non watchable resources in report controller (#4888) (#4890) * Fix result colour (#4885) (#4887) * fix: background scan labels (#4865) (#4886) * cherry-pick (#4794 #4812 #4815 #4821 #4784 #4820 #4831 #4834 #4818 #4838 #4792 #4843 #4878) (#4882) * fix: hardening policy validation for generate cloneList (#4881) (#4883) * cherry-pick (#4811 #4849 #4842 #4829) (#4877) * fix test output numbering (#4853) (#4875) * cherry-pick (#4790 #4791 #4795 #4796 #4802 #4803) (#4861) * cherry-pick (#4749 #4766 #4773 #4775 #4779 #4785 #4789) (#4860) * cherry-pick (#4754 #4756 #4760 #4761 #4764 #4765 #4776) (#4859) * cherry-pick (#4745 #4746 #4747 #4750 #4752) (#4858) * cherry-pick (#4661 #4712 #4722 #4724 #4742) (#4857) ------------------------------------------------------------------- Mon Oct 10 11:59:03 UTC 2022 - kastl@b1-systems.de - Update to version 1.8.0: * release: 1.8 (#4851) * Update PSa images dsecription (#4840) (#4841) * tag v1.8.0-rc6 (#4839) * fix extension checks (#4836) (#4837) * Cherry pick #4814 (#4826) * update helm doc (#4824) * fix: validationFailureAction default value (#4822) (#4823) * Cherry-pick #4815 (#4817) * tag v1.8.0-rc5 (#4807) * fix: 
subject and issuer validation when attestations are present (#4786) (#4805) * skip succeed rules when building the blocked return message (#4804) (#4806) * cherry-pick #4738 (#4799) * cherry-pick #4793 (#4800) * update cosign (#4797) * chore: change charts registry url (#4768) (#4780) * tag v1.8.0-rc4 (#4759) * fix: watch error in resource controller (#4751) (#4753) * fix: reports not generated (#4743) (#4744) * tag v1.8.0-rc3 (#4741) * fix: containerd dependency vulnerability (#4629) (#4740) * Add PSa policy validations (#4735) (#4739) * Added `x509_decode` JMESPath function (#4664) (#4737) * feat: add matchlabel selector support with multiple clone (#4713) (#4734) * fix: output make messages to stderr (#4727) * fix crds yaml conflicts * feat: reports v2 implementation (#4608) * docs: add policy cache controller docs (#4714) (#4730) * chore: update client code generator (#4711) (#4728) * Support PSa integration by `controlName` only (#4710) (#4725) * chore: group unit and cli tests targets and separate sections (#4693) (#4723) * chore: enable overriding images repo (#4694) (#4721) * chore: refactor manifests related makefile targets (#4706) (#4720) * fix: change key used in test (#4718) (#4719) * fix: missing client wrapper (#4703) (#4709) * refactor: use pod name as leader id (#4680) (#4708) * fix: split webhook handlers per failure policy (#4650) (#4707) * fix: shutdown controllers workers gracefully (#4681) (#4704) * fix: namespaced policy targets namespace validation and scoping them to the policy's namespace (#4671) (#4702) * refactor: replace signal package by signal.NotifyContext (#4691) (#4701) * fix: jmespath random error handling (#4697) (#4699) * chore: simplify go mod (#4692) (#4696) * fix: bump net standard lib (#4685) (#4690) * fix: handle auth permission for cloneList validation (#4684) (#4687) * fix: namespaced policy not validated in engine (#4653) (#4682) * chore: bump minimum go version (#4677) (#4678) * Fix issue for wildcard versions (#4670) 
(#4673) * chore: publish sbom result to a different repositry from an image (#4665) (#4667) * refactor: update log based on the policy types (#4646) (#4658) * feat: add explicit key support to controller utils (#4628) (#4659) * feat: add feature flag to disable background scan (#4638) (#4660) * refactor: split policyreport api files (#4641) (#4657) * fix: missing elements in v2beta1 api (#4654) (#4656) * refactor: add a couple of constants in api (#4640) (#4652) * feat: introduce RCR interface (#4642) (#4651) * fix: incorrect namespace in report controller (#4637) (#4649) * fix: remove RCR from mutation webhook (#4636) (#4647) * chore: bump cosign 1.12.0 to fix vulnerabilities (#4631) (#4633) * feat: add controller utils tools (#4639) (#4645) * fix: background printer column (#4617) (#4620) * enhance jmespath random-filter (#4591) (#4619) * fix: lock in policy report mapper (#4601) (#4611) * release v1.8.0-rc2 (#4607) * refactor: simplify RCR creator queue (#4578) (#4606) * chore: add messages in makefile kind targets (#4588) (#4604) * refactor: info in policyreport package (#4598) (#4603) * Fix multiple crd slowness issue (#4275) (#4600) * update helm releases path (#4596) (#4599) * enable autogen for validate.podsecurity with no exclude (#4594) (#4595) * chore: add a codegen-quick makefile target (#4583) (#4587) * chore: switch to github.com/IGLOU-EU/go-wildcard (#4563) (#4586) * allow PSa validation with no exceptions (#4558) (#4585) * fix: typo (#4582) (#4584) * fix: split policy report flag (#4576) (#4581) * chore: add toggle package unit tests (#4577) (#4580) * chore: preserve pr title in cherry picks (#4573) (#4574) * refactor: move generation handler out of webhooks package (#4570) (#4572) * refactor: move image verification handler out of webhooks package (#4569) (#4571) * refactor: move mutation handler out of webhooks package (#4567) (#4568) * refactor: move validation audit out of webhooks package (#4562) (#4566) * chore: add kocache (#4482) (#4564) * 
refactor: move validation handler out of webhooks package (#4556) (#4561) * refactor: make webhook metrics helpers static (#4554) (#4555) * refactor: move webhook events utils in utils package (#4545) (#4548) * add new patterns for releases (#4551) * chore: add unit test for updating ur status (#4541) (#4544) * - tag v1.8.0-rc1; - remove "v" from Helm charts versions (#4538) * fix: defer ur update until validation passes (#4540) (#4543) * refactor: introduce ur updater (#4535) (#4539) * Support V2beta1 Version (#4514) * refactor: webhook block and unit tests (#4531) * refactor: webhook propagate start time along handlers (#4529) * refactor: webhook exclusion and unit tests (#4528) * feat: allow cloning multiple resource from a namespace (#4384) * add random filter (#4527) * chore: add protectManagedResources flag to changelog (#4522) * refactor: utils for warnings and unit tests (#4523) * refactor: use generics in client wrappers (#4525) * refactor: add auth interface and unit tests (#4518) * fix: api reference docs (#4490) * refactor: client wrappers (#4519) * feat: add kyverno managed resources protection (#4414) * fix: load policy and add tests (#4515) * chore: test for k8s 1.25 (#4503) * chore: add unit tests for pkg/utils/json (#4516) * chore: add unit tests for pkg/utils/yaml (#4512) * chore: add unit tests for pkg/utils/wildcard (#4510) * chore: add unit tests for pkg/utils/os (#4509) * chore: add unit tests for pkg/utils/image (#4508) * chore: update maintainers (#4511) * docs: add section for generating helm docs and crds (#4507) * chore: add wildcard unit test (#4506) * chore: upgrade golang to 1.18 (#4505) * docs: add section about switching between docker and ko (#4501) * Auto-detect Kyverno version in policies chart (#4460) * chore: refactor helm targets in makefile (#4498) * feat: support switchin build with docker or ko (#4492) * fix: incorrect kustomize call in makefile (#4493) * refactor: verify codegen targets in makefile (#4494) * fix: fetch 
history in pre-checks job (#4491) * Improve printer column name for validationFailureAction (#4488) * chore: Bump helm-docs version to v1.11.0 (#4489) * chore: publish helm charts to ghcr.io (#4479) * chore: bump cache action and improve paths (#4485) * chore: relax auto update PRs conditions (#4486) * fix: release workflow (#4483) * refactor: clean webhooks logs (#4484) * refactor: webhook policy context creation (#4480) * docs: add api docs generation (#4476) * fix: auto update pr workflow (#4478) * chore: add makefile help comments (#4477) * refactor: to remove generate cleanup controller (#4041) * Add PodSecurity description (#4475) * feat: remove context api call constraints (#4389) * fix logger format (#4474) * feat: enable autogen from makefile (#4467) * chore: speed up local image builds (#4468) * chore: enable cherry-pick bot (#4470) * docs: add section for generated code (#4465) * fix: local image build with docker (#4462) * fix: warning in all makefile targets (#4464) * Extend Pod Security Admission (#4364) * docs: add section for deploying a local build (#4458) * refactor: make toggles easier to define and use (#4456) * Add the metric "kyverno_client_queries_total" (#4359) * skip validate rules if conditional anchor key doesn't exist in the resource (#4451) * refactor: clearly separate makefile docker targets for build and publish (#4454) * Yaml signing and verification (#4235) * docs: add pushing images section (#4452) * refactor: clearly separate makefile ko targets for build and publish (#4450) * chore: fix workflows related to ko recent changes (#4441) * docs: add local image build section (#4449) * chore: fix workflows related to ko recent changes (#4438) * Update issue template drop-down version numbers (#4446) * docs: add section for local builds (#4445) * [Feature] Add ability to get additional policies from restricted (#4416) * fix: update go-wildcard to v1.5.0 (#4444) * docs: add section for dev tools (#4443) * chore: remove godownloader and 
install-cli script (#4442) * Added kubeconfig flag support (#4308) * fix: ko login (#4427) * fix: ko login (#4425) * fix: ko login (#4424) * fix: ko login (#4423) * fix: ko login (#4422) * fix: make ldflags optional in .ko.yaml (#4419) * refactor: makefile build targets (#4418) * fix: Add --bare for ko-build-dev targets (#4417) * Use ko to build images (#4366) * refactor: makefile (#4403) * [Feature] Add posibility to set validationFailureAction by Policy (#4400) * feat: enable autogen internals by default (#4381) * bump golang 1.18.5 version digest in Dockerfile (#4413) * bump cosign deps version to 1.11.1 (#4408) * chore: improve docker image tagging (#4409) * refactor: introduce wildcard utils package (#4406) * fix: chart docs for generatecontrollerExtraResources (#4405) * chore: enable asasalint linter (#4396) * bump cosign version to 1.11.0 (#4398) * Sync 1.7.3 Helm versions (#4395) * fix: goimports check not working in ci job (#4387) * chore: fix golangcilint timeout (#4388) * fix: duration metrics precision (#4393) * chore: add workflow to ensure github actions are pinned to a commit SHA (#4390) * feat: add raw api call support (#3820) * chore: update maintainers md (#4380) * chore: fix fossa ci job (#4382) * fix: missing aggregated role for UR (#4378) * fix: exclude autogen rules when autogen internals is enabled (#4370) * fix: prevent installing helm chart in namespace kube-system (#4368) * fix: fix the verbosity of reconciling logs in the config controller (#4362) * Update wgpolicyk8s.io CRDs (#4355) * Update pr_documentation.md (#4361) * Added remove-color flag for CLI-test (#4345) * Added appropriate logging levels to log.Info() calls wherever necessary (#4341) * update apply help message (#4344) * Fix deprecated api policy issue (#4349) * Treat normal and precondition variable equally (#4217) * fix: image verify logs (#4348) * Remove myself as codeowner (#4333) * Fix PEM delimiter parse (#4331) * [Helm] Added ability to remove namespaces from default 
resourceFilters list (#4299) * chore(deps): bump github.com/sigstore/cosign from 1.10.0 to 1.10.1 (#4328) * support failurePolicy in kyverno-policies helm chart (#4323) * Context vars substitution in CLI (#4290) * Replaced status with message (#4315) * Changed resource names to plurals (#4312) * Fix pr image verify blocked (#4297) * feat: use tombstone helper (#4273) * Tightened scope on apiGroups for Kyverno:events Clusterrole (#4292) * trivial typo update (#4291) * use failurePolicy to block or allow requests, on policy errors (#4183) * update log levels (#4286) * added additional init and sidecar container config (#4283) * feat: auto optimize GOMAXPROCS (#4277) * add applyRules to control whether one or all rules are applied (#4196) * feature: added new type of event, PolicySkipped (#4251) * Reset policy status on termination (#4269) * fix: use an absolute path in docker entrypoint (#4263) * Add shutdown methods for exporters and controllers (#4214) * sync Helm versions (#4262) * fix: use only 1 kubernetes client (#4256) * Add Techcombank to adopters (#4260) * Implementing flag to show all failing tests only through the test command (#4227) * fix split policyreport name with background scan (#4237) * chore: use new distroless base image provided by distroless org (#4219) * fix check depreciated api issue (#4243) * Cherry-pick #4233 (#4236) * Revert "fix: metrics with invalid validationMode (#4198)" (#4241) * fix: metrics with invalid validationMode (#4198) * Corrected description for UpdateRequest struct (#4215) * Removed confusing output message for the apply and replaced no of policies by no of policy rules count in the output message (#4229) * fix kyverno cli policy-report typo (#4224) * feat: improve flag message for disableMetricsExport (#4194) * precondition failure will skip rule independent of audit or enforce mode (#4163) * Make method public (#4207) * Fix UpdateRequest labeling (from pull #4199) (#4212) * use the unstructured list instead of interface 
type (#4210) * feat: Opentelemetry support for metrics and traces (#3910) * Use non-blocking channel send for UpdateWebhookChan (#4204) * Fix merging JSON patches (#4202) * Resolve conflict introduced to contributing page (#4192) * return helpful error message on invalid patched resources. (#4129) * docs(contributing): add how to cherry-pick section (#4127) * refactor: finish refactoring generate e2e tests (#4090) * feat: policy status for autogen rules (#4173) * fix: use official controller-gen (#4171) * fix external.metrics.k8s.io/v1beta1 issue (#4139) * fix: add seccompProfile (#4178) * fix: add more verify images e2e test for bool fields (#4172) * delete policy reports on policy deletion (#4174) * chore: add myself into owners (#4170) * feat: split policy report per policy bases (#4147) * Clean up RCRs if the count exceeds the threshold (#4148) * Wait for informers' cache to be synced before starting controllers (#4155) * - Disable events generation on DELETE; - Reduce event generation retry from 10 to 3 (#4159) * Use kyverno namespace informer to list pods while processing URs (#4156) * Template updates (#4150) * release event memory (#4138) * fix: use dev tag for init container local build target (#4142) * added resource lists for test cli (#4082) * update contributing guide (#4119) * sync release versions (#4133) * bump cosign to 1.9.1 to fix fulcio panic (#4117) * fix: use policyName key to get the policy name (#4114) * fix imageVerify validation checks and conversion logic (#4038) * fix: Stop incorrect any block condition logging (#4107) * set test.namespace value implict as resource namespace until and unless explict value is added (#4100) * remove TUF initialization from main (#4098) * Update CODEOWNERS to include treydock (#4097) * feat: add e2e framework and verify image new test (#4094) * add chipzoller to CODEOWNERS (#4096) * refactor: generate e2e GeneratePolicyDeletionforCloneTests (#4071) * Exclude Kyverno namespace by default (#4079) * 
docs(chart): fix deadlink in NOTES.txt (#4085)
  * Updated jp command flags and also added URL for help. (#4084)
  * update drop-downs (#4081)
  * refactor: generate e2e tests (#4068)
  * refactor: use t.Cleanup in e2e tests (#4067)
  * Remove s390X (#4063)
  * fix: add missing release notes in helm chart (#4057)
  * fix: bool fields in image verification types (#4053)
  * Print for failed test cases (#4048)
  * Sync v1.7.0 release manifests (#4051)
  * refactor: bump KIND version to use v1.24.0 k8s release (#3877)
  * feat: add aggregated cluster role support (#3845)
  * chore(dockerfile): use buildx features for cross-compilation (#4023)
  * Ensure preconditions are present with default values (#4046)
  * Fix handling of kyverno-policies version check when port in image tag (#4042)
  * fix policy typo (#4039)
  * Fix labels with invalid chars (#4034)
  * refactor: used typed admission request in ur (#4022)
  * fix vulnerable (#4027)
  * feat: Extend CLI to cover generate policies (#3456)
  * Request operation value by default to CREATE (#3894)
  * Feature: Add support for allowing insecure registries. (#3983)
  * refactor: move policy deletion code from policy controller to ur controller (#4013)
  * fix: bypass policy mutation if autogen internals enabled (#4007)
  * fix: use background helper in ur generator (#4009)
  * fix: remove update ur status in generator (#4008)
  * refactor: add policy event listener in ur controller (#4012)
  * chore: remove unused ur errors (#4011)
  * refactor: ur cleaner controller (#3974)
  * add validation check to ensure the annotations quoted (#3976)
  * Support `@` for mutate targets (#3998)
  * fix: stop mutation policies when autogen internals is enabled (#4004)
  * refactor: background controllers cleanup (#4001)
  * fix: stop mutating cached resource in ur controller (#4003)
  * refactor: move label helper utils from policy package to background package (#3996)
  * fix attestation checks (#3999)
  * fix: init container gr copy (#3995)
  * refactor: clean updaterequest generator (#3949)
  * chore: enable nosprintfhostport linter (#3989)
  * feat: add controller utils package (#3952)
  * refactor: make registry client variables private (#3975)
  * fix: ur is nil in ur controller (#3986)
  * chore: add previous pod logs in case of job failure (#3978)
  * fix: remove unused field (#3971)
  * fix: release ur when handler pod is gone (#3973)
  * fix: move ur controller filtering in reconciler (#3964)
  * fix: mark ur retry on conflict (#3961)
  * chore: enable paralleltest linter (#3946)
  * chore: enable goimports linter (#3959)
  * chore: make kyverno informers and listers import aliases consistent (#3958)
  * chore: enable ifshort linter (#3945)
  * fix: add helmignore (#3948)
  * fix: replica count in helm chart (#3954)
  * fix panic issue for ur (#3953)
  * Cleanup URs on trigger deletion (#3955)
  * chore: make kube informers and listers import aliases consistent (#3957)
  * chore: make clients import aliases consistent (#3956)
  * chore: make dclient import aliases consistent (#3951)
  * chore: make k8s api import aliases consistent (#3950)
  * fix: use admissionrequest subresource to filter webhooks (#3944)
  * chore: make kyverno api import aliases consistent (#3939)
  * chore: enable nolintlint linter (#3941)
  * chore: enable grouper linter (#3940)
  * fix: cache warmup log message (#3943)
  * fix: use patch to update handler status in UR (#3928)
  * chore: enable makezero linter (#3937)
  * fix: handle UR delete once trigger namespace deleted (#3934)
  * chore: enable gofmt and gofumpt linters (#3931)
  * chore: enable gci linter (#3930)
  * fix: return type changed to bool in jpfCompare fn (#3924)
  * refactor: separate policy cache and controller (#3925)
  * refactor: separate resource mutation/validation handlers from server (#3908)
  * chore: enable misspell linter (#3932)
  * chore: enable errname linter (#3926)
  * chore: enable decorder linter (#3920)
  * refactor: policy cache (#3919)
  * chore: enable dogsled linter (#3921)
  * Cleanup the UR for mutate policies once it's completed (#3912)
  * [Bugbash] Kceu22 bugbash/fix staticcheck warnings (#3917)
  * fix: gosec G304 file inclusion error (#3916)
  * refactor: separate policy mutation/validation handlers from server (#3905)
  * fix: docker build (#3907)
  * refactor: webhooks server logger (#3904)
  * feat: graceful certificates rotation support (#3890)
  * chore: remove ca-certificates from our repository (#3859)
  * chore: enable wastedassign linter (#3898)
  * chore: enable goprintffuncname linter (#3899)
  * chore: remove unused function (#3902)
  * Remove permissions in helm-release workflow (#3901)
  * Timeout and init (#3893)
  * fix: write secret (#3891)
  * Fix subject match selector issue in cli (#3887)
  * refactor: remove deployment hash on certs secrets (#3886)
  * chore: enable noctx linter (#3888)
  * chore: enable importas linter (#3882)
  * skip var checks in attestations (#3876)
  * chore: enable gochecknoinits linter (#3874)
  * refactor: cleanup tls package (#3854)
  * chore: enable containedctx linter (#3873)
  * fix: include ca key in secret (#3804)
  * refactor: make config vars private (#3823)
  * fix: undo length validation check for generate rule resource name (#3865)
  * fix subjects in test cli (#3743)
  * chore: enable exportloopref linter (#3869)
  * chore: enable tenv thelper and tparallel linters (#3868)
  * chore: enable durationcheck linter (#3870)
  * chore: enable asciicheck and bidichk linters (#3871)
  * chore: add unconvert linter (#3867)
  * chore: enable whitespace linter (#3864)
  * Handle errors properly for mutate and generate on existing resources (#3863)
  * fix: remove code to load CA from kubeconfig (#3860)
  * chore: enable more linters (#3862)
  * chore: enable deadcode and unused linters (#3861)
  * chore: increase golangci-lint timeout (#3855)
  * refactor: init certs with certs renewer directly (#3853)
  * tests: add unit tests for utils functions (#3857)
  * chore: enable golangci-lint in ci (#3852)
  * feat: fetch tls certificate dynamically (#3851)
  * fix: golangci-lint warnings in pkg (#3846)
  * refactor: remove the need for self-signed annotation on cert secret (#3850)
  * handle subresources (#3841)
  * fix: golangci-lint warnings in cmd (#3843)
  * refactor: webhookconfig package (part 4) (#3835)
  * refactor: webhookconfig package (part 3) (#3834)
  * refactor: remove unused functions (#3840)

-------------------------------------------------------------------
Tue Sep 27 06:32:11 UTC 2022 - kastl@b1-systems.de

- Update to version 1.7.4:
  * fix: update github action to use current workflow path (#4705)
  * tag v1.7.4 (#4698)
  * fix: incorrect namespace in report controller (#4637) (#4688)
  * Fix issue for wildcard versions (#4670) (#4674)

-------------------------------------------------------------------
Wed Sep 07 06:59:32 UTC 2022 - kastl@b1-systems.de

- Update to version 1.7.3:
  * Cherry-pick #4398 - bump cosign to 1.11.0 (#4399)
  * Release v1.7.3 (#4394)
  * Fix deprecated api policy issue (#4349) (#4350)
  * precondition failure will skip rule independent of audit or enforce mode (#4163) (#4296)

-------------------------------------------------------------------
Mon Jul 25 11:08:18 UTC 2022 - kastl@b1-systems.de

- Update to version 1.7.2:
  * tag v1.7.2 (#4261)
  * Use non-blocking channel send for UpdateWebhookChan (#4204) (#4247)
  * Release v1.7.2-rc2 (#4246)
  * fix split policyreport name with background scan (#4237) (#4245)
  * fix check deprecated api issue (#4243) (#4244)
  * fix kyverno cli policy-report typo (#4224) (#4232)
  * Limit queued events (#4233)
  * update cosign to v1.9.0 (#4231)
  * Only set up logging context if it will be used (#4213)
  * use the unstructured list instead of interface type (#4211)
  * Fix UpdateRequest labeling (#4199)
  * Release 1.7 (#4200)
  * external.metrics.k8s.io/v1beta1 issue (#4182)
  * delete policy reports on policy deletion (#4174) (#4175)
  * tag v1.7.2-rc1 (#4167)
  * feat: split policy report per policy bases (#4147) (#4166)
  * Re-implement #4159 (#4165)
  * Cherry pick #4155 (#4164)
  * Cherry-pick #4148
  * Use kyverno namespace informer to list pods while processing URs (#4156)
  * Cherry-pick #4138 to 1.7 (#4160)
  * fix: use dev tag for init container local build target (#4141)

-------------------------------------------------------------------
Wed Jun 22 08:17:51 UTC 2022 - kastl@b1-systems.de

- Update to version 1.7.1:
  * tag v1.7.1 (#4132)
  * fix build failures
  * fix: bool fields in image verification types (#4053)
  * cherry-pick #4013
  * Release 1.7 (#4130)
  * fix: use policyName key to get the policy name (#4113)
  * chore(dockerfile): use buildx features for cross-compilation (#4023) (#4123)
  * Updated jp command flags and also added URL for help. (#4122)
  * fix: handle nil ur while retry (#4109)
  * Release 1.7 (#4099)
  * Bump Charts version to 2.5.0 (#4092)
  * bump chart versions to v2.4.2 (#4089)
  * cherry-pick #4079 (#4088)
  * Remove s390X (#4063) (#4064)
  * Bump charts version to 2.4.1 (#4061)
  * Ensure preconditions are present with default values (#4046)
  * Fix handling of kyverno-policies version check when port in image tag (#4042)

-------------------------------------------------------------------
Sat Jun 04 18:55:18 UTC 2022 - kastl@b1-systems.de

- Update to version 1.7.0:
  * Tag v1.7.0 (#4050)
  * refactor: bump KIND version to use v1.24.0 k8s release (#4049)
  * fix policy typo (#4039) (#4045)
  * Tag 1.7.0-rc3 (#4036)
  * Fix labels with invalid chars (#4034) (#4035)
  * Cherry-pick #4022 (#4033)
  * fix vulnerable (#4027) (#4028)
  * Request operation value by default to CREATE (#3894) (#4026)
  * Release v1.7.0-rc2 (#4021)
  * Cherry pick #4007 #4008 (#4020)
  * fix: stop mutation policies when autogen internals is enabled (#4004,#4009,#3996) (#4016)
  * cherry-pick fix attestation checks https://github.com/kyverno/kyverno/pull/3999 (#4015)
  * refactor: add policy event listener in ur controller (#4012) (#4014)
  * Support `@` for mutate targets (#3998) (#4010)
  * fix: stop mutating cached resource in ur controller (#4003) (#4006)
  * fix: move ur controller filtering in reconciler (#3964) (#3994)
  * fix: release ur when handler pod is gone (#3993)
  * fix: mark ur retry on conflict (#3961) (#3963)
  * fix: replica count in helm chart (#3954) (#3962)
  * Cherry pick #3953 #3955 (#3960)
  * fix: handle UR delete once trigger namespace deleted (#3934) (#3938)
  * fix: use patch to update handler status in UR (#3927)
  * Cleanup the UR for mutate policies once it's completed (#3923)
  * Remove permissions in helm-release workflow (#3901) (#3903)
  * Release v1.7.0-rc1 (#3896)
  * cherry-pick #3893 (#3895)
  * Fix subject match selector issue in cli (#3887) (#3892)
  * skip var checks in attestations (#3876) (#3885)
  * fix: undo length validation check for generate rule resource name (#3865) (#3872)
  * Handle errors properly for mutate and generate on existing resources (#3863) (#3866)
  * refactor: remove unused functions (#3844)
  * handle subresources (#3841) (#3848)
  * feat: trigger generate on existing matched resource (#3819)
  * refactor: webhook config package (part 2) (#3833)
  * refactor: webhookconfig package (part 1) (#3831)
  * fix check and add logs (#3838)
  * Allow variables of any kind to be defined (#3828)
  * fix: policy deletion in webhookconfig (#3832)
  * refactor: imported pkg redeclared and a few other unused func (#3827)
  * refactor: shell to prevent globbing and word splitting (#3829)
  * CLI should respect scored annotation for warnings (#3821)
  * Add an object_from_lists function (#3824)
  * Improve logging and error handling in json context (#3825)
  * Relax JMESPath variable validation (#3826)
  * Load `mutate.targets` via dclient (#3797)
  * Cert attestor (#3809)
  * handle duplicate images; use container name as key (#3779)
  * fix: autogen rules in status (#3728)
  * refact: disable leader for update request controller (#3807)
  * chore: remove broken .ca from helm chart (#3811)
  * fix: remove k8s apiserver from self-generated cert (#3803)
  * Policy Validation check for onPolicyUpdate flag (#3814)
  * Add `handler` to `UR.status` (#3791)
  * fix: remove kubeconfig (#3802)
  * fix: cleanup old dependencies from go.sum and go.mod (#3806)
  * feat: parse all root CA certs (#3808)
  * removed kubeconfig flags (#3744)
  * Fix issue with image registry when decoding OCI descriptors with out of spec keys (#3799)
  * refactor: move config controller in controllers package (#3790)
  * chore: add informer util (#3796)
  * chore: remove useless util NewKubeClient (#3795)
  * fix: pod stay in terminating when scaling to 0 (#3793)
  * Add JMESPath Function `items` (#3777)
  * Fix Cli test for image verification (#3760)
  * Add rule to PolicyViolation event messages (#3787)
  * chore: remove config flags (#3786)
  * fix: add missing tombstone calls (#3784)
  * refactor: create a package for controllers and move certmanager in it (#3782)
  * refactor: policycache package logger (#3783)
  * refactor: move ImageExtractorConfigs in api package (#3781)
  * refactor: dclient package logger (#3778)
  * Fix PR update flow and allow updates from release branches (#3780)
  * fix: cert manager duplicate event handler (#3772)
  * webhookconfig: if services resource, add services/status as well (#3740)
  * refactor: dclient package (#3775)
  * refactor: replace clientset by interface (#3774)
  * refactor: cosign package logger (#3773)
  * Bump cosign and sigstore version (#3771)
  * Auto-update PRs which are enabled for auto-merging (#3766)
  * refactor: wait for cache sync (#3765)
  * Allow kyverno jp to take yaml files as inputs (#3768)
  * Allow non-object type elements for foreach rules (#3763)
  * fix: logger call depth (#3759)
  * Reduce log verbosity for image extractors (#3764)
  * chore: remove unused resourcecache package (#3762)
  * refactor: remove unstructured usage from webhookconfig (#3737)
  * refactor: use typed informers and add tombstone support to webhookconfig (#3736)
  * Remove YAML multiline support in CM values (#3721)
  * cleanup event messages and sources (#3741)
  * Add tests for required checks for image verify (#3755)
  * Add error handling and log for image extractor errors (#3724)
  * Fix verify all images (#3748)
  * Retry policy creation to avoid flaky CRD readiness (#3752)
  * Fix test Summary printing for failure test cases (#3749)
  * Enable tests in makefile (#3699)
  * refactor: metrics package logger (#3734)
  * Use inclusive language (#3738)
  * fix: block policy for missing matched kind (#3733)
  * fix: missing image verification rules in autogen (#3729)
  * Convert GenerateRequest to UpdateRequest for backward compatibility (#3730)
  * refactor: autogen package logger (#3727)
  * fix: correct tombstone usage (#3718)
  * refactor: remove some api unnecessary pointers (4) (#3713)
  * Set policy kind to generate events in the webhook (#3726)
  * Create UR for both mutate and generate policies (#3717)
  * fix: remove supported from autogen status (#3714)
  * fix: generated api reference docs (#3711)
  * refactor: remove some api unnecessary pointers (3) (#3707)
  * Optimize UR listing on policy events (#3712)
  * Create events for imageVerify rules (#3710)
  * refactor: remove some api unnecessary pointers (2) (#3705)
  * fix: remove unused type TargetMutation (#3706)
  * refactor: remove some api unnecessary pointers (#3704)
  * add e2e tests for mutate existing policies (#3703)
  * Verify digest (#3679)
  * fix: kind wash in mutate policy helper (#3698)
  * refactor: auth package logger (#3696)
  * chore: remove unused custom expansions from client (#3697)
  * refactor: client gen code (#3695)
  * Fix test command git issue (#3692)
  * Enable verifyImages and CLI registry tests (#3684)
  * Cherry-pick release-1.6 Helm changes (#3689)
  * Show warnings in Helm chart installation; update issue templates (#3673)
  * refactor: use typed k8s client in tls package (#3678)
  * refactor: config package logger (#3683)
  * Fix flaky e2e tests for generate policies (#3681)
  * Fix regression in wildcard matches in In/AnyIn operators (#3686)
  * feat: remove deprecated flags (#3680)
  * Logic of match service account is fixed for namespace (#3662)
  * fix test cli CI failures from main (#3682)
  * Fix issue pod should not be ready until the policy cache loaded (#3646)
  * bug: fix nil pointer when generating events (#3677)
  * remove Validate Cmd (#3674)
  * Support context variables when using foreach CLI (#3637)
  * fix: webhooks are not configured correctly (#3660)
  * bump to Go 1.17.9 (#3671)
  * fix: api reference docs link (#3664)
  * feat: mutate existing resources (#3669)
  * fix: pass logger by value (#3666)
  * Allow definition of inline variables in context (#3658)
  * fix: add char length validation for generate rule resource name (#3640)
  * chore: remove e2e tests for kube 1.20 (#3665)
  * chore: add support for artifacthub.io/changes in helm charts (#3652)
  * fix: policy controller missing GVK (#3659)
  * [imageVerify]: adding `digestMutate` to simplify tag-to-digest mutation (#3531)
  * Multiple keys (#3636)
  * fix: do not remove webhooks during initialization (#3641)
  * fix: prevent installing chart with 2 replicas (#3647)
  * fix: print helm install warnings (#3648)
  * chore: warn if kube version is too old in helm notes (#3650)
  * chore: add artifacthub operator and prerelease annotations (#3649)
  * refactor: use the typed ns informer in GR controller (#3554)
  * refactor: image utils (#3630)
  * Remove helm mode setting (#3628)
  * refact: remove unused Run function from generate (#3638)
  * Fix race condition in pCache (#3632)
  * Allow defining imagePullSecrets (#3633)
  * Image verify attestors (#3614)
  * Allow kyverno-policies to have preconditions defined (#3606)
  * updating version in Chart.yaml (#3618)
  * Update vulnerable dependencies (#3577)
  * Add support for custom image extractors (#3596)
  * add-kms-libraries for cosign (#3603)
  * refactor cli code from pkg to cmd (#3591)
  * fix missing policy.kyverno.io/policy-name label (#3599)
  * refactor generate controller (#3589)
  * change/suppress warning messages (#3593)
  * Feat - add the new CR UpdateRequest for post mutation (#3592)
  * Update to cosign 1.7.1 (#3587)
  * Update GH workflow config (#3588)
  * Update CODEOWNER folders for @samj1912 (#3586)
  * Update hash of dependencies instead of mutable version (#3582)
  * add support for roles, cluster roles and subjects (#3188)
  * fix imageVerify rule conversion (#3583)
  * update imageVerify schema (#3574)
  * Refactor image extraction to allow extracting custom resources (#3572)
  * chore: remove dead code (#3561)
  * Add returnType for regexMatch in kyverno jp output (#3575)
  * refactor: engine context (#3563)
  * Fixes #3555 (#3558)
  * update image pull policy for YAML install which uses :latest (#3565)
  * add @eddycharly as a maintainer! (#3566)
  * chore: add some make help comments (#3560)
  * refactor: switch to admission v1 (#3526)
  * refactor: make response type (RuleType) typed (#3556)
  * refactor: metrics package (#3549)
  * refactor: webhooks metrics reporting (#3548)
  * test: pass lock by value (#3481)
  * refactor: simplify autogen package (#3532)
  * refactor: move common utils (#3553)
  * refactor: add engine utils sub package (#3552)
  * fix: checkEngineResponse in webhooks (#3551)
  * Do not generate preconditions not met warning for audit policies (#3487)
  * refactor: reduce policy mutations (#3550)
  * fix: annotation path (#3547)
  * refactor: use GetFailurePolicy method (#3545)
  * refactor: use BackgroundProcessingEnabled method (#3544)
  * refactor: move some helpers in utils package (#3539)
  * refactor: use GetValidationFailureAction method (#3546)
  * fix: disallow all in autogen annotation (#3537)
  * refactor: use existing ContainsString util (#3543)
  * Create `poddisruptionbudget.yaml` when `mode=ha` (#3536)
  * fix wildcards in value arrays (#3486)
  * refactor: separate yaml utils package (#3520)
  * refactor: separate kube utils package (#3527)
  * refactor: add os utils sub package (#3528)
  * refactor: add a json patch util and use it in autogen package (#3524)
  * fix: tls min version (#3521)
  * refactor: separate json utils package (#3523)
  * refactor: webhooks package (#3516)
  * refactor: use policy interface and introduce admission utils package (#3512)
  * fix: use github repo env instead of hardcoded repo name (#3513)
  * fix: reduce dependency to ns lister (#3509)
  * refactor: use more policy interface (#3510)
  * refactor: use policy interface in policycache package (#3503)
  * refactor: make use of policy interface (#3499)
  * refactor: improve policycache package (#3495)
  * chore: add autogen internals e2e tests (#3492)
  * refactor: factorize policy interface (#3496)
  * feat: add webhooks object selector support (#3413)
  * feat: generate support for namespace policy (#3472)
  * chore: simplify validation with named return (#3493)
  * add missing namespace to role and rolebinding (#3389) (#3429) (#3485)
  * chore(deps): add renovate.json (#3471)
  * feat: stop mutating rules (#3410)
  * use mutex as field instead of embedded (#3480)
  * refactor: create e2e infra using make to speed up e2e tests (#3470)
  * fix ordering of mutate element (#3468)
  * refactor: use abstract policy interface in webhookconfig (#3466)
  * adds lease objects for storing last-request-time and set-status annotations in deployment (#3447)
  * clean up dependencies (#3469)
  * fix: use RWMutex lock while concurrent read/write (#3462)
  * refactor: match and exclude conflict validation (#3454)
  * refactor: add ValidationFailureAction to the api (#3451)
  * refactor: remove ns lister from webhookconfig (#3452)
  * refactor: add IsNamespaced() method to API policy types (#3450)
  * fix: use PodControllersAnnotation constant (#3448)
  * Update MAINTAINERS.md (#3449)
  * support for deprecated APIs (#3439)
  * Drop v1alpha1 PolicyReport CRD (#3437)
  * refactor: ExcludeResources validation (#3445)
  * refactor: replace ExcludeResources by MatchResources (#3444)
  * refactor: ResourceDescription validation (#3446)
  * Fix incorrectly renamed file (#3443)
  * Remove support for test.yaml (#3442)
  * fix cli panic for --cluster flag (#3436)
  * Fix check for generated webhook rules being equal to what the API server has (#3407)
  * refactor: MatchResources validation (#3422)
  * feat: use IsReady method (#3426)
  * refactor: ValidationFailureActionOverrides validation (#3421)
  * PR and issue template updates per contributors' meetings (#3428)
  * [imageVerify]: correcting error msg (#3398)
  * feat: add toggle package for feature flags (#3419)
  * feat: move GetRules() at the policy level (#3420)
  * feat: add conditions support (#3378)
  * feat: stop adding autogen annotation (#3379)
  * fix webhook configuration issue when auto update is disabled (#3417)
  * Ignore test files that do not end in test.yaml (#3402)
  * refactor: Policy name validation (#3409)
  * Replace `ToUnstructured()` with Marshal/Unmarshal (#3150)
  * [ImageVerify] Verify additional certificate-extensions (#3404)
  * fix: filter resources names with helm custom release name (#3361)
  * refactor: Rule names validation (#3406)
  * refactor: Rule type validation (#3400)
  * chore: remove check-helm-docs workflow (#3408)
  * refactor: UserInfo validation (#3399)
  * Fix webhook re-creation error (#3403)
  * chore: add make help target (#3405)
  * Only queue one retry if webhook update fails (#3353)
  * chore: add more codegen target and verifications (#3393)
  * Return warning on admission response when mutating pods (#3272)
  * Add a registry flag to allow direct access to container registries in the CLI (#3396)
  * feat: add rules to status (#3376)
  * chore: makefile should not makefile go.mod (#3394)
  * refactor: ImageVerification validation (#3372)
  * Cli Apply command support Dir as resources (#3391)
  * chore: add helm crds to make codegen target (#3375)
  * fix: metrics config defaults (#3387)
  * fix for gvk not working for existing resources policy (#3384)
  * e2e test for mutate global anchor Policy (#2574)
  * Add `codecov` to CI (#3382)
  * Update cosign to v1.6.0 (#3341)
  * fix: generate api reference docs (#3377)
  * fix PodExecOptions issue (#3373)
  * Update OWNERS.md (#3371)
  * feat: add autogen controllers to policy status (#3332)
  * chore: gen helm crds from config crds (#3356)
  * refactor: introduce api common types (#3365)
  * adding emptyDir vol for keyless signing (#3366)
  * refactor: move api functions closer to the struct they belong to (#3363)
  * refactor: introduce rules getters and setters (#3350)
  * refactor: move controller autogen annotation in api package (#3364)
  * Add new test-case-selector flag to test command (#3183)
  * support RSA, ECDSA and EDDSA public key verification (#3362)
  * fix: configmap resource filters generated by helm does not account for namespace (#3358)
  * chore: check helm docs are up to date (#3310)
  * Fix any_all wildcard issue (#3352)
  * fix: invalid path in helm-test workflow (#3344)
  * Add Bloomberg to adopters (#3348)
  * updated description field of foreach (#3157)
  * chore: verify codegen in CI (#3343)
  * Update generate clusterrole (#3336)
  * fix: CRD generation (#3334)
  * refactor: reduce usage of reflect.DeepEqual (#3328)
  * fix: update codegen (#3329)
  * fix: naming typos (#3327)
  * refactor: introduce autogen package (#3316)
  * refactor: pass only spec instead of whole policy when possible (#3315)
  * fetch tag across all branches instead of current branch (#3324)
  * add separate step for digest (#3321)
  * adding check for digest and update git command
  * correcting makefile latest tag (#3314)
  * fix: helm install docs (#3312)
  * fix: seccomp profile (#3313)
  * chore: drop helm v2 (#3311)
  * feat: gen kyverno helm chart docs (#3309)
  * feat: gen kyverno-policies helm chart docs (#3301)
  * Fix workflow using regex in `main` (#3306)
  * arranging permissions (#3293)
  * fix: helm chart broken when use generatecontrollerExtraResources (#3302)
  * feat: support background mode configuration in kyverno-policies chart (#3299)
  * Improve CLI test times by instantiating openapi controller once (#3297)
  * Fix namespace typo (#3298)
  * fix: add support for other platforms before executing docker buildx (#3296)
  * validate and block policy based on the matched kind cache (#3283)
  * fix: comma separated lists in config (#3290)
  * Run E2E tests on all supported k8s versions (#3256)
  * latest will point to main (#3285)
  * Shallow clone git repositories for kyverno test command
  * update trivy scanning (#3284)
  * feat: add linux/s390x builds (#3277)
  * Fix label mutation while updating the secret (#3273)
  * Modify capabilities for compatibility with Pod Security (#3274)
  * Fix Helm releasing to preserve creation timestamps (#3268)
  * Added `kyverno test` subcommand for test manifest file (#3264)
  * Clean up commented out lines of code (#3263)
  * Add .DS_store to gitignore (#3255)
  * fix mutate wildcard issue (#3193)
  * Fix foreach validations precondition issue (#3228)
  * Fix policy report OwnerReference (#3249)
  * Improve E2E test CI timings (#3250)
  * Add openssf badge (#3246)
  * Fix old object validation check (#3248)
  * Bug fix: negation of string kernel version caused Cluster Policy to fail (#3229)
  * add helm pre-delete hook which deletes all the webhooks (#3148)
  * Skip updating webhook configs if namespaceSelector is nil (#3237)
  * Sync latest changes to release/install.yaml (#3239)
  * add aggregated role for generaterequest (#3240)
  * Remove abstraction that doesn't work anyway (#3209)
  * Fix image parsing for image referenced as digests (#3196)
  * feat: ha mode support in helm chart (#3207)
  * Fix keyless attest (#3219)
  * update dependencies (#3221)
  * Issue forms and PR template adjustment (#3213)
  * add prateekpandey14 to codeowners (#3205)
  * Added e2e test for JSON patch mutate policy (#2966)
  * fixing bug to handle two different types of rules (#2954)
  * Allow setting validationFailureActionOverrides for policies (#3201)
  * feat: fix app version in NOTES.txt (#3189)
  * Indentation fix (#3179)
  * Fix unused tagTest in helm chart tests (#3174)
  * Update kyverno-policies chart with latest pod-security policies (#3126)
  * Add a kyverno jp command to test jmespath expressions (#3169)
  * test-cases for wildcard match label selector (#3165)
  * Filter kyverno resources instead of entire kyverno namespace (#3170)
  * Fix panic for provides a set to the key of a precondition and deny condition (#3162)
  * Bump up verbosity for `patched resource mismatch` (#3127)
  * bump chart versions (#3160)
  * Update dev image tag in Make targets (#3159)
  * Add sam (#3155)
  * add missing patch verbs in event clusterrole (#3151)
  * fix filtered and sort patches index (#3146)
  * Fix kyverno panic with `PodSpec.containers` JSON merge patch w/o image (#3143)
  * Relax rule context validation to follow JMESPath grammar (#3129)
  * Fixed kyverno panic at JMESPath zero division (#3137)
  * Fix variable substitution when curly braces are used in jmespath (#3133)
  * Fix parsing of resources in preconditions (#3108)
  * Add cloud provider keychains to DefaultKeychain (#3116)
  * improve antiAffinity and add podAffinity and nodeAffinity for kyverno helm chart (#3067)
  * fixing and adding tests (#3112)
  * update cosign to 1.5.0 and fix issuer and subject for keyless (#3089)
  * Add b/w compat support for K8s version 1.20 and below for Kyverno 1.6 (#3100)
  * Fix the kyverno default keychain value to be the ggcr default keychain (#3096)
  * fix: typo Cluter to Cluster (#3092)
  * Fix memory leak when updating ggcr keychain (#3088)
  * Support registry keychain from cloud providers (#3036)
  * Updates Changelog to add note for anyPattern issue due to k8s v1.23 (#3045)
  * Add KYVERNO_DEPLOYMENT to initContainer (#3086)
  * apply patches cumulatively (#3083)
  * Fix CLI test/apply when any/all use namespaceSelector (#3050)
  * fix mutating ownerReferences (#3061)
  * update workflow configurations to fix CI failure (#3060)
  * Fix documentation for helm charts (#3056)

-------------------------------------------------------------------
Fri Apr 01 07:04:47 UTC 2022 - kastl@b1-systems.de

- Update to version 1.6.2:
  * tag v1.6.2 (#3511)
  * Cherry-pick #3111 and release v1.6.2-rc3 (#3506)
  * tag v1.6.2-rc2 (#3500)
  * feat: generate support for namespace policy (#3498)
  * use mutex as field instead of embedded (#3480) (#3489)
  * release v1.6.2-rc1 (#3482)
  * Cherry-pick #3477 (#3479)
  * adds lease objects for storing last-request-time and set-status annotations in deployment (#3447) (#3478)
  * fix: use RWMutex lock while concurrent read/write (#3462) (#3467)
  * support for deprecated APIs (#3439) (#3453)
  * fix cli panic for --cluster flag (#3436) (#3438)
  * add missing namespace to role and rolebinding (#3389) (#3429)
  * fix webhook configuration issue when auto update is disabled (#3417) (#3418)
  * Cli Apply command support Dir as resources (#3391) (#3392)
  * fix for gvk not working for existing resources policy (#3384) (#3386)
  * Cherry pick/3366 (#3367)
  * Update generate clusterrole (#3336) (#3359)
  * fixing bug to handle two different types of rules (#2954) (#3357)
  * Fix any_all wildcard issue (#3352)

-------------------------------------------------------------------
Wed Mar 02 05:51:37 UTC 2022 - kastl@b1-systems.de

- Update to version 1.6.1:
  * fix release tag command (#3323)
  * fetching proper digest for release images (#3319)
  * update release v1.6.1 manifest (#3318)
  * changing git command to fetch the tag (#3317)
  * release v1.6.1-rc2
  * cherry-pick c4075af3d17c59fe73b50083bb206d85a1cb38ba
  * Run E2E tests on all supported k8s versions (#3256)
  * Fix namespace typo (#3298)
  * feat: support background mode configuration in kyverno-policies chart (#3299)
  * fix: helm chart broken when use generatecontrollerExtraResources (#3302)
  * Shallow clone git repositories for kyverno test command
  * fix: add support for other platforms before executing docker buildx (#3296)
  * latest pointing to main
  * added condition
  * using regex
  * updated workflows
  * validate and block policy based on the matched kind cache (#3283) (#3291)
  * Filter kyverno resources instead of entire kyverno namespace (#3170) (#3171)
  * update trivy scanning (#3284)
  * tag v1.6.1-rc1
  * Fix label mutation while updating the secret (#3273) (#3278)
  * Modify capabilities for compatibility with Pod Security (#3274) (#3275)
  * Fix Helm releasing to preserve creation timestamps (#3268)
  * fix mutate wildcard issue (#3193)
  * Fix foreach validations precondition issue (#3228)
  * Fix policy report OwnerReference (#3249) (#3257)
  * Fix old object validation check (#3248)
  * Skip updating webhook configs if namespaceSelector is nil (#3237) (#3243)
  * bump chart versions to v2.3.0
  * cherry-pick #3209
  * Fix image parsing for image referenced as digests (#3196) (#3233)
  * Fix keyless attest (#3219)
  * update dependencies (#3221)
  * release Helm chart v2.2.1
  * Allow setting validationFailureActionOverrides for policies (#3201)

-------------------------------------------------------------------
Fri Feb 18 15:07:52 UTC 2022 - Johannes Kastl

- link /usr/bin/kyverno to /usr/bin/kubectl-kyverno to make this usable as a kubectl plugin

-------------------------------------------------------------------
Fri Feb 18 13:02:16 UTC 2022 - Johannes Kastl

- new package kyverno: CLI and kubectl plugin for the Kyverno Policy engine