Merge pull request #89 from nirmata/1.11.2

1.11.4

.vscode/launch.json

@@ -10,6 +10,7 @@
             "args": [
                 "--kubeconfig=${userHome}/.kube/config",
                 "--serverIP=<SERVER-IP>:9443",
+                "--backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller",
                 "-v=2",
                 "--caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca",
                 "--tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair",

api/kyverno/v1/image_verification_test.go

@@ -126,7 +126,24 @@ func Test_ImageVerification(t *testing.T) {
 			},
 		},
 		{
-			name: "valid static key attestor",
+			name: "static key invalid signature algorithm attestor",
+			subject: ImageVerification{
+				ImageReferences: []string{"*"},
+				Attestors: []AttestorSet{
+					{Entries: []Attestor{{
+						Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha1"},
+					}}},
+				},
+			},
+			errors: func(i *ImageVerification) field.ErrorList {
+				return field.ErrorList{
+					field.Invalid(path.Child("attestors").Index(0).Child("entries").Index(0).Child("keys"),
+						i.Attestors[0].Entries[0].Keys, "Invalid signature algorithm provided"),
+				}
+			},
+		},
+		{
+			name: "valid static key default signature algorithm attestor",
 			subject: ImageVerification{
 				ImageReferences: []string{"*"},
 				Attestors: []AttestorSet{
@@ -136,6 +153,39 @@ func Test_ImageVerification(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "valid static key sha224 signature algorithm attestor",
+			subject: ImageVerification{
+				ImageReferences: []string{"*"},
+				Attestors: []AttestorSet{
+					{Entries: []Attestor{{
+						Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha224"},
+					}}},
+				},
+			},
+		},
+		{
+			name: "valid static key sah256 signature algorithm attestor",
+			subject: ImageVerification{
+				ImageReferences: []string{"*"},
+				Attestors: []AttestorSet{
+					{Entries: []Attestor{{
+						Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha256"},
+					}}},
+				},
+			},
+		},
+		{
+			name: "valid static key sha384 signature algorithm attestor",
+			subject: ImageVerification{
+				ImageReferences: []string{"*"},
+				Attestors: []AttestorSet{
+					{Entries: []Attestor{{
+						Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha384"},
+					}}},
+				},
+			},
+		},
 		{
 			name: "invalid keyless attestor",
 			subject: ImageVerification{

api/kyverno/v1/image_verification_types.go

@@ -28,6 +28,14 @@ const (
 	GHCR    ImageRegistryCredentialsProvidersType = "github"
 )
 
+var signatureAlgorithmMap = map[string]bool{
+	"":       true,
+	"sha224": true,
+	"sha256": true,
+	"sha384": true,
+	"sha512": true,
+}
+
 // ImageVerification validates that images that match the specified pattern
 // are signed with the supplied public key. Once the image is verified it is
 // mutated to include the SHA digest retrieved during the registration.
@@ -166,7 +174,7 @@ type StaticKeyAttestor struct {
 	// (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
 	PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
 
-	// Specify signature algorithm for public keys. Supported values are sha256 and sha512.
+	// Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
 	// +kubebuilder:default=sha256
 	SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
 
@@ -450,8 +458,10 @@ func (ska *StaticKeyAttestor) Validate(path *field.Path) (errs field.ErrorList)
 	if ska.PublicKeys == "" && ska.KMS == "" && ska.Secret == nil {
 		errs = append(errs, field.Invalid(path, ska, "A public key, kms key or secret is required"))
 	}
-	if ska.PublicKeys != "" && ska.SignatureAlgorithm != "" && ska.SignatureAlgorithm != "sha256" && ska.SignatureAlgorithm != "sha512" {
-		errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
+	if ska.PublicKeys != "" {
+		if _, ok := signatureAlgorithmMap[ska.SignatureAlgorithm]; !ok {
+			errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
+		}
 	}
 	return errs
 }

api/kyverno/v1/rule_types.go

@@ -98,6 +98,13 @@ type Rule struct {
 	// VerifyImages is used to verify image signatures and mutate them to add a digest
 	// +optional
 	VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
+
+	// SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+	// The default value is set to "true", it must be set to "false" to apply
+	// generate and mutateExisting rules to those requests.
+	// +kubebuilder:default=true
+	// +kubebuilder:validation:Optional
+	SkipBackgroundRequests bool `json:"skipBackgroundRequests,omitempty" yaml:"skipBackgroundRequests,omitempty"`
 }
 
 // HasMutate checks for mutate rule

api/kyverno/v1alpha2/admission_report_types.go

@@ -45,8 +45,8 @@ type AdmissionReportSpec struct {
 // +kubebuilder:printcolumn:name="WARN",type=integer,JSONPath=".spec.summary.warn"
 // +kubebuilder:printcolumn:name="ERROR",type=integer,JSONPath=".spec.summary.error"
 // +kubebuilder:printcolumn:name="SKIP",type=integer,JSONPath=".spec.summary.skip"
-// +kubebuilder:printcolumn:name="GVR",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.gvr']",priority=1
-// +kubebuilder:printcolumn:name="REF",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.name']",priority=1
+// +kubebuilder:printcolumn:name="GVR",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.gvr']"
+// +kubebuilder:printcolumn:name="REF",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.name']"
 // +kubebuilder:printcolumn:name="AGGREGATE",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/report\\.aggregate']",priority=1
 
 // AdmissionReport is the Schema for the AdmissionReports API
@@ -80,8 +80,8 @@ func (r *AdmissionReport) SetSummary(summary policyreportv1alpha2.PolicyReportSu
 // +kubebuilder:printcolumn:name="WARN",type=integer,JSONPath=".spec.summary.warn"
 // +kubebuilder:printcolumn:name="ERROR",type=integer,JSONPath=".spec.summary.error"
 // +kubebuilder:printcolumn:name="SKIP",type=integer,JSONPath=".spec.summary.skip"
-// +kubebuilder:printcolumn:name="GVR",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.gvr']",priority=1
-// +kubebuilder:printcolumn:name="REF",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.name']",priority=1
+// +kubebuilder:printcolumn:name="GVR",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.gvr']"
+// +kubebuilder:printcolumn:name="REF",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.name']"
 // +kubebuilder:printcolumn:name="AGGREGATE",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/report\\.aggregate']",priority=1
 
 // ClusterAdmissionReport is the Schema for the ClusterAdmissionReports API

api/kyverno/v1alpha2/background_scan_report_types.go

@@ -36,9 +36,9 @@ type BackgroundScanReportSpec struct {
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:resource:shortName=bgscanr,categories=kyverno
-// +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion",priority=1
-// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind",priority=1
-// +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name",priority=1
+// +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion"
+// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind"
+// +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name"
 // +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".spec.summary.pass"
 // +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".spec.summary.fail"
 // +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".spec.summary.warn"
@@ -72,9 +72,9 @@ func (r *BackgroundScanReport) SetSummary(summary policyreportv1alpha2.PolicyRep
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:resource:scope=Cluster,shortName=cbgscanr,categories=kyverno
-// +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion",priority=1
-// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind",priority=1
-// +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name",priority=1
+// +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion"
+// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind"
+// +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name"
 // +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".spec.summary.pass"
 // +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".spec.summary.fail"
 // +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".spec.summary.warn"

api/kyverno/v1beta1/updaterequest_types.go

@@ -38,6 +38,8 @@ type UpdateRequestStatus struct {
 	// This will track the resources that are updated by the generate Policy.
 	// Will be used during clean up resources.
 	GeneratedResources []kyvernov1.ResourceSpec `json:"generatedResources,omitempty" yaml:"generatedResources,omitempty"`
+
+	RetryCount int `json:"retryCount,omitempty" yaml:"retryCount,omitempty"`
 }
 
 // +genclient

api/kyverno/v2beta1/rule_types.go

@@ -65,6 +65,13 @@ type Rule struct {
 	// VerifyImages is used to verify image signatures and mutate them to add a digest
 	// +optional
 	VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
+
+	// SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+	// The default value is set to "true", it must be set to "false" to apply
+	// generate and mutateExisting rules to those requests.
+	// +kubebuilder:default=true
+	// +kubebuilder:validation:Optional
+	SkipBackgroundRequests bool `json:"skipBackgroundRequests,omitempty" yaml:"skipBackgroundRequests,omitempty"`
 }
 
 // HasMutate checks for mutate rule

api/policyreport/v1alpha2/clusterpolicyreport_types.go

@@ -27,13 +27,13 @@ import (
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:resource:path=clusterpolicyreports,scope="Cluster",shortName=cpolr
-// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1
-// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1
-// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass`
-// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.fail`
-// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.warn`
-// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error`
-// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip`
+// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".scope.kind"
+// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=".scope.name"
+// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".summary.pass"
+// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".summary.fail"
+// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".summary.warn"
+// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=".summary.error"
+// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=".summary.skip"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 
 // ClusterPolicyReport is the Schema for the clusterpolicyreports API

api/policyreport/v1alpha2/policyreport_types.go

@@ -22,13 +22,13 @@ import (
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
-// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1
-// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1
-// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass`
-// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.fail`
-// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.warn`
-// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error`
-// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip`
+// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".scope.kind"
+// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=".scope.name"
+// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".summary.pass"
+// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".summary.fail"
+// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".summary.warn"
+// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=".summary.error"
+// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=".summary.skip"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:resource:shortName=polr
 

charts/kyverno-policies/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: kyverno-policies
-version: 3.1.1
-appVersion: v1.11.1
+version: 3.1.4
+appVersion: v1.11.4
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Pod Security Standards implemented as Kyverno policies
 keywords:
@@ -21,15 +21,3 @@ kubeVersion: ">=1.16.0-0"
 annotations:
   artifacthub.io/operator: "false"
   artifacthub.io/prerelease: "false"
-  # valid kinds are: added, changed, deprecated, removed, fixed and security
-  artifacthub.io/changes: |
-    - kind: added
-      description: Add ability to configure autogen behavior
-    - kind: fixed
-      description: Support for customLabels, they were ignored up to now
-    - kind: removed
-      description: "Walk back change in PSS policy to send to to_upper"
-    - kind: fixed
-      description: Skip DELETE requests on policies using deny statements
-    - kind: added
-      description: Add policyKind to allow changing ClusterPolicy to Policy for all policies

charts/kyverno-policies/README.md

@@ -2,7 +2,7 @@
 
 Kubernetes Pod Security Standards implemented as Kyverno policies
 
-![Version: 3.1.1](https://img.shields.io/badge/Version-3.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.1](https://img.shields.io/badge/AppVersion-v1.11.1-informational?style=flat-square)
+![Version: 3.1.4](https://img.shields.io/badge/Version-3.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.4](https://img.shields.io/badge/AppVersion-v1.11.4-informational?style=flat-square)
 
 ## About
 

charts/kyverno/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: kyverno
-version: 3.1.1
-appVersion: v1.11.1
+version: 3.1.4
+appVersion: v1.11.4
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Native Policy Management
 keywords:
@@ -31,54 +31,10 @@ annotations:
   artifacthub.io/links: |
     - name: Documentation
       url: https://kyverno.io/docs
-  # valid kinds are: added, changed, deprecated, removed, fixed and security
-  artifacthub.io/changes: |
-    - kind: added
-      description: support for GrafanaDashboard custom resource
-    - kind: fixed
-      description: rbac templating issues
-    - kind: added
-      description: make sigstore volume configurable
-    - kind: changed
-      description: no deployments can run with 0 replicas
-    - kind: changed
-      description: change dashboard title of kyverno grafana dashboard
-    - kind: added
-      description: view aggregated cluster role support
-    - kind: added
-      description: support for webhook annotations in config map
-    - kind: added
-      description: allow overriding PDB api version
-    - kind: fixed
-      description: missing image pull secrets in helm hooks
-    - kind: added
-      description: support `excludeRoles` and `excludeClusterRoles` in config
-    - kind: added
-      description: define resources for cleanupJobs
-    - kind: changed
-      description: change to enable webhook cleanup hook by default
-    - kind: added
-      description: allow pod labels for cleanup jobs
-    - kind: added
-      description: allow nodeSelector for cleanup jobs
-    - kind: added
-      description: allow nodeSelector, tolerations and affinity settings for webhooksCleanup
-    - kind: added
-      description: allow affinity settings for cleanup jobs
-    - kind: added
-      description: Add helper to handle the labels for cleanup jobs, add component label
-    - kind: added
-      description: allow podSecurityContext and securityContext for webhooksCleanup
-    - kind: added
-      description: match conditions support in webhooks
-    - kind: fixed
-      description: missing image pull policy missing in a couple of deployments
-    - kind: added
-      description: added TUF flags for custom sigstore deployments
 dependencies:
   - name: grafana
     version: "0.0.0"
     condition: grafana.enabled
   - name: crds
-    version: "3.1.1"
+    version: "3.1.4"
     condition: crds.install