Merge branch 'kyverno:main' into main

ADOPTERS.md

@@ -46,6 +46,7 @@ The list of organizations that have publicly shared the usage of Kyverno:
 | [InfraCloud Technologies](https://www.infracloud.io/) | We have successfully implemented Kyverno as a crucial component of our SOC2 compliance, alongside other essential security hardening measures & best practices. Kyverno's policies offer a significantly streamlined implementation process, far exceeding the complexities associated with cloud services. | 
 | [North IT](https://www.northit.co.uk/) | North IT use Kyverno to help deploy Kubernetes for our pen-testing and SOC platform. | 
 | [Corestream](https://corp.corestream.com/) | At our organization, we've leveraged Kyverno to significantly enhance our Kubernetes-based DevOps practices. We use Kyverno's policy-as-code approach to automate and enforce best practices across our clusters. Our policies cover a wide range of scenarios, from managing Azure Key Vault integrations and secret protections to enforcing image registry restrictions and implementing multi-region deployment strategies. Kyverno allows us to automatically inject configuration, create role-based access controls, and ensure consistent labeling across our resources. This automation not only improves our security posture by preventing misconfigurations and unauthorized changes but also streamlines our deployment processes. By using Kyverno, we've been able to standardize our environments, reduce manual errors, and maintain compliance with our organization's policies. |
+| [Tigera](https://www.tigera.io/) | Kubernetes Policy and Governance |
 <!-- append the line below to the table
 | [name](URL) | brief description of how you are using Kyverno | 
 -->

Makefile

@@ -584,6 +584,7 @@ codegen-cli-crds: codegen-crds-kyverno ## Copy generated CRDs to embed in the CL
 	@cp config/crds/kyverno/kyverno.io_clusterpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
 	@cp config/crds/kyverno/kyverno.io_policies.yaml cmd/cli/kubectl-kyverno/data/crds
 	@cp config/crds/kyverno/kyverno.io_policyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
+	@cp config/crds/kyverno/kyverno.io_validatingpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
 	@cp cmd/cli/kubectl-kyverno/config/crds/* cmd/cli/kubectl-kyverno/data/crds
 
 .PHONY: codegen-docs-all
@@ -628,6 +629,7 @@ codegen-helm-crds: codegen-crds-all ## Generate helm CRDs
 	$(call generate_crd,kyverno.io_policies.yaml,kyverno,kyverno.io,kyverno,policies)
 	$(call generate_crd,kyverno.io_policyexceptions.yaml,kyverno,kyverno.io,kyverno,policyexceptions)
 	$(call generate_crd,kyverno.io_updaterequests.yaml,kyverno,kyverno.io,kyverno,updaterequests)
+	$(call generate_crd,kyverno.io_validatingpolicies.yaml,kyverno,kyverno.io,kyverno,validatingpolicies)
 	$(call generate_crd,reports.kyverno.io_clusterephemeralreports.yaml,reports,reports.kyverno.io,reports,clusterephemeralreports)
 	$(call generate_crd,reports.kyverno.io_ephemeralreports.yaml,reports,reports.kyverno.io,reports,ephemeralreports)
 	$(call generate_crd,wgpolicyk8s.io_clusterpolicyreports.yaml,policyreport,wgpolicyk8s.io,wgpolicyk8s,clusterpolicyreports)

api/kyverno/v1/clusterpolicy_test.go

@@ -20,8 +20,8 @@ func Test_ClusterPolicy_Name(t *testing.T) {
 	assert.Assert(t, len(errs) == 1)
 	assert.Equal(t, errs[0].Field, "name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
-	assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
-	assert.Equal(t, errs[0].Error(), "name: Too long: must have at most 63 bytes")
+	assert.Equal(t, errs[0].Detail, "may not be more than 63 bytes")
+	assert.Equal(t, errs[0].Error(), "name: Too long: may not be more than 63 bytes")
 }
 
 func Test_ClusterPolicy_IsNamespaced(t *testing.T) {

api/kyverno/v1/policy_test.go

@@ -19,8 +19,8 @@ func Test_Policy_Name(t *testing.T) {
 	assert.Assert(t, len(errs) == 1)
 	assert.Equal(t, errs[0].Field, "name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
-	assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
-	assert.Equal(t, errs[0].Error(), "name: Too long: must have at most 63 bytes")
+	assert.Equal(t, errs[0].Detail, "may not be more than 63 bytes")
+	assert.Equal(t, errs[0].Error(), "name: Too long: may not be more than 63 bytes")
 }
 
 func Test_Policy_IsNamespaced(t *testing.T) {

api/kyverno/v2/cleanup_policy_test.go

@@ -23,8 +23,8 @@ func Test_CleanupPolicy_Name(t *testing.T) {
 	assert.Assert(t, len(errs) == 1)
 	assert.Equal(t, errs[0].Field, "metadata.name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
-	assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
-	assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes")
+	assert.Equal(t, errs[0].Detail, "may not be more than 63 bytes")
+	assert.Equal(t, errs[0].Error(), "metadata.name: Too long: may not be more than 63 bytes")
 }
 
 func Test_CleanupPolicy_Schedule(t *testing.T) {
@@ -57,8 +57,8 @@ func Test_ClusterCleanupPolicy_Name(t *testing.T) {
 	assert.Assert(t, len(errs) == 1)
 	assert.Equal(t, errs[0].Field, "metadata.name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
-	assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
-	assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes")
+	assert.Equal(t, errs[0].Detail, "may not be more than 63 bytes")
+	assert.Equal(t, errs[0].Error(), "metadata.name: Too long: may not be more than 63 bytes")
 }
 
 func Test_ClusterCleanupPolicy_Schedule(t *testing.T) {

api/kyverno/v2alpha1/validating_policy.go

@@ -0,0 +1,35 @@
+package v2alpha1
+
+import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:scope=Cluster
+
+type ValidatingPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              admissionregistrationv1.ValidatingAdmissionPolicySpec `json:"spec"`
+}
+
+func (s *ValidatingPolicy) GetFailurePolicy() admissionregistrationv1.FailurePolicyType {
+	if s.Spec.FailurePolicy == nil {
+		return admissionregistrationv1.Fail
+	}
+	return *s.Spec.FailurePolicy
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// GlobalContextEntryList is a list of Cached Context Entries
+type ValidatingPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []ValidatingPolicy `json:"items"`
+}

api/kyverno/v2beta1/cleanup_policy_test.go

@@ -23,8 +23,8 @@ func Test_CleanupPolicy_Name(t *testing.T) {
 	assert.Assert(t, len(errs) == 1)
 	assert.Equal(t, errs[0].Field, "metadata.name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
-	assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
-	assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes")
+	assert.Equal(t, errs[0].Detail, "may not be more than 63 bytes")
+	assert.Equal(t, errs[0].Error(), "metadata.name: Too long: may not be more than 63 bytes")
 }
 
 func Test_CleanupPolicy_Schedule(t *testing.T) {
@@ -57,8 +57,8 @@ func Test_ClusterCleanupPolicy_Name(t *testing.T) {
 	assert.Assert(t, len(errs) == 1)
 	assert.Equal(t, errs[0].Field, "metadata.name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
-	assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
-	assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes")
+	assert.Equal(t, errs[0].Detail, "may not be more than 63 bytes")
+	assert.Equal(t, errs[0].Error(), "metadata.name: Too long: may not be more than 63 bytes")
 }
 
 func Test_ClusterCleanupPolicy_Schedule(t *testing.T) {

api/kyverno/v2beta1/clusterpolicy_test.go

@@ -20,8 +20,8 @@ func Test_ClusterPolicy_Name(t *testing.T) {
 	assert.Assert(t, len(errs) == 1)
 	assert.Equal(t, errs[0].Field, "name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
-	assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
-	assert.Equal(t, errs[0].Error(), "name: Too long: must have at most 63 bytes")
+	assert.Equal(t, errs[0].Detail, "may not be more than 63 bytes")
+	assert.Equal(t, errs[0].Error(), "name: Too long: may not be more than 63 bytes")
 }
 
 func Test_ClusterPolicy_IsNamespaced(t *testing.T) {

api/kyverno/v2beta1/policy_test.go

@@ -19,8 +19,8 @@ func Test_Policy_Name(t *testing.T) {
 	assert.Assert(t, len(errs) == 1)
 	assert.Equal(t, errs[0].Field, "name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
-	assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
-	assert.Equal(t, errs[0].Error(), "name: Too long: must have at most 63 bytes")
+	assert.Equal(t, errs[0].Detail, "may not be more than 63 bytes")
+	assert.Equal(t, errs[0].Error(), "name: Too long: may not be more than 63 bytes")
 }
 
 func Test_Policy_IsNamespaced(t *testing.T) {

charts/kyverno/Chart.yaml

@@ -37,6 +37,8 @@ annotations:
       description: fix validation error in validate.yaml
     - kind: fixed
       description: fixed global image registry config by introducing *.image.defaultRegistry.
+    - kind: added
+      description: added a new option .reportsController.sanityChecks to disable checks for policy reports crds
 dependencies:
   - name: grafana
     version: v0.0.0

charts/kyverno/README.md

@@ -257,7 +257,7 @@ The chart values are organised per component.
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
-| crds.groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | Install CRDs in group `kyverno.io` |
+| crds.groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | Install CRDs in group `kyverno.io` |
 | crds.groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | Install CRDs in group `reports.kyverno.io` |
 | crds.groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | Install CRDs in group `wgpolicyk8s.io` |
 | crds.annotations | object | `{}` | Additional CRDs annotations |
@@ -702,6 +702,7 @@ The chart values are organised per component.
 | reportsController.profiling.port | int | `6060` | Profiling endpoint port |
 | reportsController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
 | reportsController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
+| reportsController.sanityChecks | bool | `true` | Enable sanity check for reports CRDs |
 
 ### Grafana
 

charts/kyverno/charts/crds/README.md

@@ -6,7 +6,7 @@
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart |
+| groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | This field can be overwritten by setting crds.labels in the parent chart |
 | groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
 | groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
 | annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart |