Merge pull request #149 from nirmata/NDEV-20176-1.11

NDEV-20176: backport allow changes for preexisting resources that vio…

.chainsaw.yaml

@@ -0,0 +1,15 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+  name: configuration
+spec:
+  timeouts:
+    assert: 90s
+    error: 90s
+  parallel: 1
+  fullName: true
+  failFast: true
+  excludeTestRegex: '_.+'
+  forceTerminationGracePeriod: 5s
+  delayBeforeCleanup: 3s
+  template: false

.github/actions/setup-build-env/action.yaml

@@ -30,7 +30,7 @@ runs:
         git fetch --prune --unshallow
     - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
       with:
-        go-version: ~1.21.3
+        go-version: ~1.22.2
     - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2
       with:
         path: ~/go/pkg/mod

.github/workflows/conformance.yaml

@@ -513,10 +513,6 @@ jobs:
               - standard
               - custom-sigstore
         k8s-version:
-          - name: v1.25
-            version: v1.25.x
-          - name: v1.26
-            version: v1.26.x
           - name: v1.27
             version: v1.27.x
           - name: v1.28
@@ -534,9 +530,9 @@ jobs:
         with:
           build-cache-key: run-conformance
       - name: Create kind cluster and setup Sigstore Scaffolding
-        uses: sigstore/scaffolding/actions/setup@d120ad89e1f5c9d4a0bbd92959c6874be2a2131d
+        uses: sigstore/scaffolding/actions/setup@26f31cb72ca848bb0273fcbd7a4ebf187ec4d711
         with:
-          version: 'v0.6.8'
+          version: main
           k8s-version: ${{ matrix.k8s-version.version }}
           knative-version: '1.10.0'
       - name: Create TUF values config map
@@ -571,7 +567,7 @@ jobs:
           TEST_IMAGE_URL=ttl.sh/${IMAGE_NAME}:1h
           crane copy cgr.dev/chainguard/static@$DIGEST $TEST_IMAGE_URL
           cosign initialize --mirror $TUF_MIRROR --root $TUF_MIRROR/root.json
-          COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token `curl -s $ISSUER_URL` -y
+          COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token $OIDC_TOKEN -y
           echo "TEST_IMAGE_URL=$TEST_IMAGE_URL" >> $GITHUB_ENV
       - name: Wait for kyverno ready
         uses: ./.github/actions/kyverno-wait-ready
@@ -585,6 +581,74 @@ jobs:
       - name: Debug failure
         if: failure()
         uses: ./.github/actions/kyverno-logs
+
+  chainsaw:
+      runs-on: ubuntu-latest
+      permissions:
+        packages: read
+      strategy:
+        fail-fast: false
+        matrix:
+          k8s-version:
+            - name: v1.27
+              version: v1.27.13
+            - name: v1.28
+              version: v1.28.9
+            - name: v1.29
+              version: v1.29.4
+          tests:
+            - chainsaw
+      needs: prepare-images
+      name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
+      steps:
+        - name: Checkout
+          uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        # install tools
+        - name: Install helm
+          id: helm
+          uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+          with:
+            token: ${{ secrets.GITHUB_TOKEN }}
+        - name: Install chainsaw
+          uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        # create cluster
+        - name: Create kind cluster
+          uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+          with:
+            node_image: kindest/node:${{ matrix.k8s-version.version }}
+            cluster_name: kind
+            config: ./scripts/config/kind/default.yaml
+        # deploy kyverno
+        - name: Download kyverno images archive
+          uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+          with:
+            name: kyverno.tar
+        - name: Load kyverno images archive in kind cluster
+          shell: bash
+          run: |
+            set -e
+            kind load image-archive kyverno.tar --name kind
+        - name: Install kyverno
+          shell: bash
+          run: |
+            set -e
+            export HELM=${{ steps.helm.outputs.helm-path }}
+            export USE_CONFIG=${{ join(matrix.config.values, ',') }}
+            make kind-install-kyverno
+        - name: Wait for kyverno ready
+          uses: ./.github/actions/kyverno-wait-ready
+        # run tests
+        - name: Test with Chainsaw
+          shell: bash
+          env:
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          run: |
+            set -e
+            cd ./test/conformance/chainsaw/ && chainsaw test --config ../../../.chainsaw.yaml
+        # debug
+        - name: Debug failure
+          if: failure()
+          uses: ./.github/actions/kyverno-logs
 
   # runs conformance test suites with configuration:
   default:

Makefile

@@ -36,7 +36,7 @@ TOOLS_DIR                          := $(PWD)/.tools
 KIND                               := $(TOOLS_DIR)/kind
 KIND_VERSION                       := v0.20.0
 CONTROLLER_GEN                     := $(TOOLS_DIR)/controller-gen
-CONTROLLER_GEN_VERSION             := v0.12.0
+CONTROLLER_GEN_VERSION             := v0.14.0
 CLIENT_GEN                         := $(TOOLS_DIR)/client-gen
 LISTER_GEN                         := $(TOOLS_DIR)/lister-gen
 INFORMER_GEN                       := $(TOOLS_DIR)/informer-gen
@@ -488,12 +488,12 @@ codegen-client-all: codegen-register codegen-defaulters codegen-applyconfigurati
 .PHONY: codegen-crds-kyverno
 codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
 	@echo Generate kyverno crds... >&2
-	@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
+	@$(CONTROLLER_GEN) paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
 
 .PHONY: codegen-crds-report
 codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs
 	@echo Generate policy reports crds... >&2
-	@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
+	@$(CONTROLLER_GEN) paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
 
 .PHONY: codegen-crds-cli
 codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs

api/kyverno/v1/common_types.go

@@ -396,6 +396,11 @@ type Validation struct {
 	// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
 	// +optional
 	CEL *CEL `json:"cel,omitempty" yaml:"cel,omitempty"`
+
+	// AllowExistingViolations allows prexisting violating resources to continue violating a policy.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=true
+	AllowExistingViolations *bool `json:"allowExistingViolations,omitempty" yaml:"allowExistingViolations,omitempty"`
 }
 
 // PodSecurity applies exemptions for Kubernetes Pod Security admission

api/kyverno/v1/rule_types.go

@@ -152,6 +152,17 @@ func (r *Rule) HasValidate() bool {
 	return !datautils.DeepEqual(r.Validation, Validation{})
 }
 
+// HasValidateAllowExistingViolations() checks for allowExisitingViolations under validate rule
+func (r *Rule) HasValidateAllowExistingViolations() bool {
+	var allowExisitingViolations bool
+	if r.Validation.AllowExistingViolations == nil {
+		allowExisitingViolations = true
+	} else {
+		allowExisitingViolations = *r.Validation.AllowExistingViolations
+	}
+	return allowExisitingViolations
+}
+
 // HasGenerate checks for generate rule
 func (r *Rule) HasGenerate() bool {
 	return !datautils.DeepEqual(r.Generation, Generation{})