Merge branch 'kyverno:main' into issue_5100

.github/workflows/comment-commands.yaml

@@ -16,7 +16,6 @@ jobs:
           prow-commands: '/assign 
             /unassign
             /lgtm 
-            /milestone
-            /approve'
+            /milestone'
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 

.github/workflows/conformance.yaml

@@ -6,16 +6,20 @@ on:
       - 'release*'
 
 jobs:
-  run-conformace:
+  run-conformance:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # pin@v3
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # pin@v3.1.0
       - name: Unshallow
         run: git fetch --prune --unshallow
       - name: Setup go
-        uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # pin@v3
+        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # pin@v3.3.1
         with:
           go-version: ~1.18.6
-      - name: Kyverno conformance tests
-        run: go run ./test/conformance/main.go
+      - name: Prepare environment
+        run: make kind-create-cluster kind-deploy-kyverno
+      - name: Wait for Kyverno to start
+        run: sleep 60
+      - name: Test with kuttl
+        run: make test-kuttl

.github/workflows/fossa.yml

@@ -25,6 +25,6 @@ jobs:
         run: |
           export GOPATH=$HOME/go
           export PATH=$PATH:$(go env GOPATH)/bin
-          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/f90d8f6ea32a55bc3b08d557590066b820a7c1b8/install-latest.sh | bash # v3.5.2
           fossa init
           fossa analyze

.github/workflows/tests.yaml

@@ -50,7 +50,7 @@ jobs:
 
       - name: goimports
         run: |
-          go install golang.org/x/tools/cmd/goimports@latest
+          go install golang.org/x/tools/cmd/goimports@f112c43328372460f7ac5bc951711609e22b01cc # v0.2.0
           if [ "$(goimports -l . | wc -l)" -ne 0 ]
           then
            echo "The following files were found to have import formatting issues:"

CHANGELOG.md

@@ -3,6 +3,7 @@
 ### Note
 
 - Flag `autogenInternals` was removed, policy mutation has been removed.
+- Flag `leaderElectionRetryPeriod` was added to control leader election renewal frequency (default value is `2s`).
 - Support upper case `Audit` and `Enforce` in `.spec.validationFailureAction` of the Kyverno policy, failure actions `audit` and `enforce` are deprecated and will be removed in `v1.11.0`.
 
 ## v1.8.1-rc3

CONTRIBUTING.md

@@ -46,7 +46,7 @@ In the process of submitting your PRs, please read and abide by the template pro
 
 1. Provide Proof Manifests allowing the maintainers and other contributors to verify your changes without requiring they understand the nuances of all your code.
 2. For new or changed functionality, this typically requires documentation and so raise a corresponding issue (or, better yet, raise a separate PR) on the [documentation repository](https://github.com/kyverno/website).
-3. Test your change with the [Kyverno CLI](https://kyverno.io/docs/kyverno-cli/) and provide a test manifest in the proper format. If your feature/fix does not work with the CLI, a separate issue requesting CLI support must be made.
+3. Test your change with the [Kyverno CLI](https://kyverno.io/docs/kyverno-cli/) and provide a test manifest in the proper format. If your feature/fix does not work with the CLI, a separate issue requesting CLI support must be made. For changes which can be tested as an end user, we require conformance/e2e tests by using the `kuttl` tool. See [here](https://github.com/kyverno/kyverno/tree/main/test/conformance/kuttl/README.md) for a specific guide on how and when to write these tests.
 4. Indicate which release this PR is triaged for (maintainers). This step is important especially for the documentation maintainers in order to understand when and where the necessary changes should be made.
 
 #### How to Create a PR

Makefile

@@ -57,7 +57,9 @@ HELM_DOCS                          := $(TOOLS_DIR)/helm-docs
 HELM_DOCS_VERSION                  := v1.11.0
 KO                                 := $(TOOLS_DIR)/ko
 KO_VERSION                         := main #e93dbee8540f28c45ec9a2b8aec5ef8e43123966
-TOOLS                              := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(KUSTOMIZE) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO)
+KUTTL                              := $(TOOLS_DIR)/kubectl-kuttl
+KUTTL_VERSION                      := v0.14.0
+TOOLS                              := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(KUSTOMIZE) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO) $(KUTTL)
 ifeq ($(GOOS), darwin)
 SED                                := gsed
 else
@@ -116,6 +118,10 @@ $(KO):
 	@echo Install ko... >&2
 	@GOBIN=$(TOOLS_DIR) go install github.com/google/ko@$(KO_VERSION)
 
+$(KUTTL):
+	@echo Install kuttl... >&2
+	@GOBIN=$(TOOLS_DIR) go install github.com/kudobuilder/kuttl/cmd/kubectl-kuttl@$(KUTTL_VERSION)
+
 .PHONY: install-tools
 install-tools: $(TOOLS) ## Install tools
 
@@ -366,7 +372,7 @@ image-build-all: $(BUILD_WITH)-build-all
 GOPATH_SHIM        := ${PWD}/.gopath
 PACKAGE_SHIM       := $(GOPATH_SHIM)/src/$(PACKAGE)
 OUT_PACKAGE        := $(PACKAGE)/pkg/client
-INPUT_DIRS         := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v1beta1,$(PACKAGE)/api/kyverno/v1alpha2,$(PACKAGE)/api/policyreport/v1alpha2
+INPUT_DIRS         := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v1beta1,$(PACKAGE)/api/kyverno/v1alpha2,$(PACKAGE)/api/kyverno/v1alpha1,$(PACKAGE)/api/policyreport/v1alpha2
 CLIENTSET_PACKAGE  := $(OUT_PACKAGE)/clientset
 LISTERS_PACKAGE    := $(OUT_PACKAGE)/listers
 INFORMERS_PACKAGE  := $(OUT_PACKAGE)/informers
@@ -447,7 +453,7 @@ codegen-helm-crds: $(KUSTOMIZE) codegen-crds-all ## Generate helm CRDs
 	@VERSION='"{{.Chart.AppVersion}}"' TOP_PATH=".." envsubst < config/templates/labels.yaml.envsubst > config/.helm/labels.yaml
 	@VERSION=dummy TOP_PATH=".." envsubst < config/templates/kustomization.yaml.envsubst > config/.helm/kustomization.yaml
 	@echo Generate helm crds... >&2
-	@$(KUSTOMIZE) build ./config/.helm | $(KUSTOMIZE) cfg grep kind=CustomResourceDefinition | $(SED) -e "1i{{- if .Values.installCRDs }}" -e '$$a{{- end }}' > ./charts/kyverno/templates/crds.yaml
+	@$(KUSTOMIZE) build ./config/.helm | $(KUSTOMIZE) cfg grep kind=CustomResourceDefinition | $(SED) -e "1i{{- if .Values.installCRDs }}" -e '$$a{{- end }}' -e '/^  creationTimestamp: null/i \ \ \ \ {{- trim (include "kyverno.crdAnnotations" .) | nindent 4 }}' > ./charts/kyverno/templates/crds.yaml
 
 .PHONY: codegen-helm-all
 codegen-helm-all: codegen-helm-crds codegen-helm-docs ## Generate helm docs and CRDs
@@ -575,6 +581,15 @@ kind-test-conformance: kind-deploy-kyverno ## Run conformance tests on a local c
 	@echo Running conformance tests... >&2
 	@go run ./test/conformance --create-cluster=false
 
+###############
+# KUTTL TESTS #
+###############
+
+.PHONY: test-kuttl
+test-kuttl: $(KUTTL) ## Run kuttl tests
+	@echo Running kuttl tests... >&2
+	@$(KUTTL) test --config ./test/conformance/kuttl/kuttl-test.yaml
+
 #############
 # CLI TESTS #
 #############

api/kyverno/v1/clusterpolicy_types.go

@@ -103,6 +103,10 @@ func (p *ClusterPolicy) IsReady() bool {
 	return p.Status.IsReady()
 }
 
+func (p *ClusterPolicy) ValidateSchema() bool {
+	return p.Spec.ValidateSchema()
+}
+
 // Validate implements programmatic validation
 // namespaced means that the policy is bound to a namespace and therefore
 // should not filter/generate cluster wide resources.

api/kyverno/v1/image_verification_types.go

@@ -151,10 +151,10 @@ type StaticKeyAttestor struct {
 }
 
 type SecretReference struct {
-	// name of the secret
+	// Name of the secret. The provided secret must contain a key named cosign.pub.
 	Name string `json:"name" yaml:"name"`
 
-	// namespace name in which secret is created
+	// Namespace name where the Secret exists.
 	Namespace string `json:"namespace" yaml:"namespace"`
 }
 

api/kyverno/v1/policy_interface.go

@@ -19,4 +19,5 @@ type PolicyInterface interface {
 	GetKind() string
 	CreateDeepCopy() PolicyInterface
 	IsReady() bool
+	ValidateSchema() bool
 }

api/kyverno/v1/policy_types.go

@@ -104,6 +104,10 @@ func (p *Policy) IsReady() bool {
 	return p.Status.IsReady()
 }
 
+func (p *Policy) ValidateSchema() bool {
+	return p.Spec.ValidateSchema()
+}
+
 // Validate implements programmatic validation.
 // namespaced means that the policy is bound to a namespace and therefore
 // should not filter/generate cluster wide resources.

api/kyverno/v1/spec_types.go

@@ -75,7 +75,7 @@ type Spec struct {
 	// +kubebuilder:default=true
 	Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
 
-	// SchemaValidation skips policy validation checks.
+	// SchemaValidation skips validation checks for policies as well as patched resources.
 	// Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
 	// +optional
 	SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
@@ -224,6 +224,13 @@ func (s *Spec) GetApplyRules() ApplyRulesType {
 	return *s.ApplyRules
 }
 
+func (s *Spec) ValidateSchema() bool {
+	if s.SchemaValidation != nil {
+		return *s.SchemaValidation
+	}
+	return true
+}
+
 // ValidateRuleNames checks if the rule names are unique across a policy
 func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList) {
 	names := sets.NewString()

api/kyverno/v1alpha1/cleanup_policy_types.go

@@ -0,0 +1,111 @@
+/*
+Copyright 2020 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+
+// CleanupPolicy defines a rule for resource cleanup.
+type CleanupPolicy struct {
+	metav1.TypeMeta   `json:",inline,omitempty"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec declares policy behaviors.
+	Spec CleanupPolicySpec `json:"spec"`
+
+	// Status contains policy runtime data.
+	// +optional
+	Status CleanupPolicyStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CleanupPolicyList is a list of ClusterPolicy instances.
+type CleanupPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []CleanupPolicy `json:"items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+
+// ClusterCleanupPolicy defines rule for resource cleanup.
+type ClusterCleanupPolicy struct {
+	metav1.TypeMeta   `json:",inline,omitempty"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec declares policy behaviors.
+	Spec CleanupPolicySpec `json:"spec"`
+
+	// Status contains policy runtime data.
+	// +optional
+	Status CleanupPolicyStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances.
+type ClusterCleanupPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+	Items           []ClusterCleanupPolicy `json:"items"`
+}
+
+// CleanupPolicySpec stores specifications for selecting resources that the user needs to delete
+// and schedule when the matching resources needs deleted.
+type CleanupPolicySpec struct {
+	// MatchResources defines when cleanuppolicy should be applied. The match
+	// criteria can include resource information (e.g. kind, name, namespace, labels)
+	// and admission review request information like the user name or role.
+	// At least one kind is required.
+	MatchResources kyvernov1.MatchResources `json:"match,omitempty"`
+
+	// ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+	// criteria can include resource information (e.g. kind, name, namespace, labels)
+	// and admission review request information like the name or role.
+	// +optional
+	ExcludeResources kyvernov1.MatchResources `json:"exclude,omitempty"`
+
+	// The schedule in Cron format
+	Schedule string `json:"schedule"`
+
+	// Conditions defines conditions used to select resources which user needs to delete
+	// +optional
+	Conditions *kyvernov1.AnyAllConditions `json:"conditions,omitempty"`
+}
+
+// CleanupPolicyStatus stores the status of the policy.
+type CleanupPolicyStatus struct {
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
+}

api/kyverno/v1alpha1/doc.go

@@ -0,0 +1,20 @@
+/*
+Copyright 2020 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +kubebuilder:object:generate=true
+// +groupName=kyverno.io
+package v1alpha1

api/kyverno/v1alpha1/register.go

@@ -0,0 +1,59 @@
+/*
+Copyright 2020 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +kubebuilder:object:generate=true
+// +groupName=kyverno.io
+package v1alpha1
+
+import (
+	"github.com/kyverno/kyverno/api/kyverno"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = schema.GroupVersion{Group: kyverno.GroupName, Version: "v1alpha1"}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+	// SchemeBuilder builds the scheme
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+
+	// AddToScheme adds all types of this clientset into the given scheme
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// Adds the list of known types to Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&CleanupPolicy{},
+		&CleanupPolicyList{},
+		&ClusterCleanupPolicy{},
+		&ClusterCleanupPolicyList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}