From 68c0a4025c109f74499c7e2a3a25f3cf85bbfe9d Mon Sep 17 00:00:00 2001 From: Brad Beck Date: Fri, 16 Jun 2023 18:44:53 -0500 Subject: [PATCH] Update Kyverno attestation verification 
Signed-off-by: Brad Beck --- Makefile | 1 - .../kyverno/v1/clusterpolicy_types_go_gen.cue | 27 -- .../api/kyverno/v1/common_types_go_gen.cue | 311 ------------------ .../api/kyverno/v1/constants_go_gen.cue | 8 - .../v1/generaterequest_types_go_gen.cue | 124 ------- .../v1/image_verification_types_go_gen.cue | 199 ----------- .../v1/match_resources_types_go_gen.cue | 30 -- .../kyverno/v1/policy_interface_go_gen.cue | 9 - .../api/kyverno/v1/policy_status_go_gen.cue | 40 --- .../api/kyverno/v1/policy_types_go_gen.cue | 29 -- .../v1/resource_description_types_go_gen.cue | 51 --- .../kyverno/v1/resource_spec_types_go_gen.cue | 22 -- .../api/kyverno/v1/rule_types_go_gen.cue | 85 ----- .../api/kyverno/v1/spec_types_go_gen.cue | 76 ----- .../api/kyverno/v1/user_info_types_go_gen.cue | 22 -- .../kyverno/v1/violated_rule_types_go_gen.cue | 21 -- .../api/admission/v1/register_go_gen.cue | 7 - .../k8s.io/api/admission/v1/types_go_gen.cue | 172 ---------- .../api/authentication/v1/register_go_gen.cue | 7 - .../api/authentication/v1/types_go_gen.cue | 184 ----------- dependencies.go | 1 - frsca.cue | 3 +- go.mod | 4 +- go.sum | 14 +- .../admission-control-verify-attestation.cue | 33 +- ...mission-control-verify-image-resources.cue | 22 -- .../admission-control-verify-image.cue | 6 +- .../admission-control-policy/kyverno.cue | 30 +- 28 files changed, 49 insertions(+), 1489 deletions(-) delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/clusterpolicy_types_go_gen.cue delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/common_types_go_gen.cue delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/constants_go_gen.cue delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/generaterequest_types_go_gen.cue delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/image_verification_types_go_gen.cue delete mode 100644 
cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/match_resources_types_go_gen.cue
delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_interface_go_gen.cue
delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_status_go_gen.cue
delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_types_go_gen.cue
delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/resource_description_types_go_gen.cue
delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/resource_spec_types_go_gen.cue
delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/rule_types_go_gen.cue
delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/spec_types_go_gen.cue
delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/user_info_types_go_gen.cue
delete mode 100644 cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/violated_rule_types_go_gen.cue
delete mode 100644 cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue
delete mode 100644 cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue
delete mode 100644 cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue
delete mode 100644 cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue
delete mode 100644 resources/kyverno/admission-control-policy/admission-control-verify-image-resources.cue
diff --git a/Makefile b/Makefile
index 9b835954..d1ab7571 100644
--- a/Makefile
+++ b/Makefile
@@ -202,7 +202,6 @@ vendor: ## vendor upstream projects
 .PHONY: cue.mod
 cue.mod:
 rm -rf cue.mod/gen
- cue get go github.com/kyverno/kyverno/api/kyverno/v1
 cue get go github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1
 cue get go github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1
 cue get go k8s.io/api/core/v1
diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/clusterpolicy_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/clusterpolicy_types_go_gen.cue deleted file mode 100644 index daf5b36b..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/clusterpolicy_types_go_gen.cue +++ /dev/null @@ -1,27 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. -#ClusterPolicy: { - metav1.#TypeMeta - metadata?: metav1.#ObjectMeta @go(ObjectMeta) - - // Spec declares policy behaviors. - spec: #Spec @go(Spec) - - // Status contains policy runtime data. - // +optional - status?: #PolicyStatus @go(Status) -} - -// ClusterPolicyList is a list of ClusterPolicy instances. -#ClusterPolicyList: { - metav1.#TypeMeta - metadata: metav1.#ListMeta @go(ListMeta) - items: [...#ClusterPolicy] @go(Items,[]ClusterPolicy) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/common_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/common_types_go_gen.cue deleted file mode 100644 index 8e57cbbb..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/common_types_go_gen.cue +++ /dev/null 
@@ -1,311 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -import apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" - -// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled. -// +kubebuilder:validation:Enum=Ignore;Fail -#FailurePolicyType: string // #enumFailurePolicyType - -#enumFailurePolicyType: - #Ignore | - #Fail - -// Ignore means that an error calling the webhook is ignored. -#Ignore: #FailurePolicyType & "Ignore" - -// Fail means that an error calling the webhook causes the admission to fail. -#Fail: #FailurePolicyType & "Fail" - -// AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. -// AnyConditions get fulfilled when at least one of its sub-conditions passes. -// AllConditions get fulfilled only when all of its sub-conditions pass. -#AnyAllConditions: { - // AnyConditions enable variable-based conditional rule execution. This is useful for - // finer control of when an rule is applied. A condition can reference object data - // using JMESPath notation. - // Here, at least one of the conditions need to pass - // +optional - any?: [...#Condition] @go(AnyConditions,[]Condition) - - // AllConditions enable variable-based conditional rule execution. This is useful for - // finer control of when an rule is applied. A condition can reference object data - // using JMESPath notation. - // Here, all of the conditions need to pass - // +optional - all?: [...#Condition] @go(AllConditions,[]Condition) -} - -// ContextEntry adds variables and data sources to a rule Context. Either a -// ConfigMap reference or a APILookup must be provided. -#ContextEntry: { - // Name is the variable name. - name?: string @go(Name) - - // ConfigMap is the ConfigMap reference. 
- configMap?: null | #ConfigMapReference @go(ConfigMap,*ConfigMapReference) - - // APICall defines an HTTP request to the Kubernetes API server. The JSON - // data retrieved is stored in the context. - apiCall?: null | #APICall @go(APICall,*APICall) - - // ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image - // details. - imageRegistry?: null | #ImageRegistry @go(ImageRegistry,*ImageRegistry) - - // Variable defines an arbitrary JMESPath context variable that can be defined inline. - variable?: null | #Variable @go(Variable,*Variable) -} - -// Variable defines an arbitrary JMESPath context variable that can be defined inline. -#Variable: { - // Value is any arbitrary JSON object representable in YAML or JSON form. - // +optional - value?: null | apiextv1.#JSON @go(Value,*apiextv1.JSON) - - // JMESPath is an optional JMESPath Expression that can be used to - // transform the variable. - // +optional - jmesPath?: string @go(JMESPath) - - // Default is an optional arbitrary JSON object that the variable may take if the JMESPath - // expression evaluates to nil - // +optional - default?: null | apiextv1.#JSON @go(Default,*apiextv1.JSON) -} - -// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image -// details. -#ImageRegistry: { - // Reference is image reference to a container image in the registry. - // Example: ghcr.io/kyverno/kyverno:latest - reference: string @go(Reference) - - // JMESPath is an optional JSON Match Expression that can be used to - // transform the ImageData struct returned as a result of processing - // the image reference. - // +optional - jmesPath?: string @go(JMESPath) -} - -// ConfigMapReference refers to a ConfigMap -#ConfigMapReference: { - // Name is the ConfigMap name. - name: string @go(Name) - - // Namespace is the ConfigMap namespace. - namespace?: string @go(Namespace) -} - -// APICall defines an HTTP request to the Kubernetes API server. The JSON -// data retrieved is stored in the context. 
An APICall contains a URLPath -// used to perform the HTTP GET request and an optional JMESPath used to -// transform the retrieved JSON data. -#APICall: { - // URLPath is the URL path to be used in the HTTP GET request to the - // Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - // The format required is the same format used by the `kubectl get --raw` command. - urlPath: string @go(URLPath) - - // JMESPath is an optional JSON Match Expression that can be used to - // transform the JSON response returned from the API server. For example - // a JMESPath of "items | length(@)" applied to the API server response - // to the URLPath "/apis/apps/v1/deployments" will return the total count - // of deployments across all namespaces. - // +optional - jmesPath?: string @go(JMESPath) -} - -// Condition defines variable-based conditional criteria for rule execution. -#Condition: { - // Key is the context entry (using JMESPath) for conditional rule evaluation. - key?: null | apiextv1.#JSON @go(RawKey,*apiextv1.JSON) - - // Operator is the conditional operation to perform. Valid operators are: - // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - // GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, - // DurationLessThanOrEquals, DurationLessThan - operator?: #ConditionOperator @go(Operator) - - // Value is the conditional value, or set of values. The values can be fixed set - // or can be variables declared using JMESPath. - // +optional - value?: null | apiextv1.#JSON @go(RawValue,*apiextv1.JSON) -} - -// ConditionOperator is the operation performed on condition key and value. 
-// +kubebuilder:validation:Enum=Equals;NotEquals;In;AnyIn;AllIn;NotIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan -#ConditionOperator: string - -// ResourceFilters is a slice of ResourceFilter -#ResourceFilters: [...#ResourceFilter] - -// ResourceFilter allow users to "AND" or "OR" between resources -#ResourceFilter: { - // UserInfo contains information about the user performing the operation. - // +optional - UserInfo?: #UserInfo - - // ResourceDescription contains information about the resource being created or modified. - resources?: #ResourceDescription @go(ResourceDescription) -} - -// Mutation defines how resource are modified. -#Mutation: { - // Targets defines the target resources to be mutated. - // +optional - targets?: [...#ResourceSpec] @go(Targets,[]ResourceSpec) - - // PatchStrategicMerge is a strategic merge patch used to modify resources. - // See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - // and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - // +optional - patchStrategicMerge?: null | apiextv1.#JSON @go(RawPatchStrategicMerge,*apiextv1.JSON) - - // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - // See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - // +optional - patchesJson6902?: string @go(PatchesJSON6902) - - // ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. - // +optional - foreach?: [...#ForEachMutation] @go(ForEachMutation,[]ForEachMutation) -} - -// ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. 
-#ForEachMutation: { - // List specifies a JMESPath expression that results in one or more elements - // to which the validation logic is applied. - list?: string @go(List) - - // Context defines variables and data sources that can be used during rule execution. - // +optional - context?: [...#ContextEntry] @go(Context,[]ContextEntry) - - // AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - // set of conditions. The declaration can contain nested `any` or `all` statements. - // See: https://kyverno.io/docs/writing-policies/preconditions/ - // +kubebuilder:validation:XPreserveUnknownFields - // +optional - preconditions?: null | #AnyAllConditions @go(AnyAllConditions,*AnyAllConditions) - - // PatchStrategicMerge is a strategic merge patch used to modify resources. - // See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - // and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - // +optional - patchStrategicMerge?: null | apiextv1.#JSON @go(RawPatchStrategicMerge,*apiextv1.JSON) - - // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. - // See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - // +optional - patchesJson6902?: string @go(PatchesJSON6902) -} - -// Validation defines checks to be performed on matching resources. -#Validation: { - // Message specifies a custom message to be displayed on failure. - // +optional - message?: string @go(Message) - - // ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. - // +optional - foreach?: [...#ForEachValidation] @go(ForEachValidation,[]ForEachValidation) - - // Pattern specifies an overlay-style pattern used to check resources. 
- // +optional - pattern?: null | apiextv1.#JSON @go(RawPattern,*apiextv1.JSON) - - // AnyPattern specifies list of validation patterns. At least one of the patterns - // must be satisfied for the validation rule to succeed. - // +optional - anyPattern?: null | apiextv1.#JSON @go(RawAnyPattern,*apiextv1.JSON) - - // Deny defines conditions used to pass or fail a validation rule. - // +optional - deny?: null | #Deny @go(Deny,*Deny) -} - -// Deny specifies a list of conditions used to pass or fail a validation rule. -#Deny: { - // Multiple conditions can be declared under an `any` or `all` statement. A direct list - // of conditions (without `any` or `all` statements) is also supported for backwards compatibility - // but will be deprecated in the next major release. - // See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - conditions?: null | apiextv1.#JSON @go(RawAnyAllConditions,*apiextv1.JSON) -} - -// ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. -#ForEachValidation: { - // List specifies a JMESPath expression that results in one or more elements - // to which the validation logic is applied. - list?: string @go(List) - - // ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. - // When set to "false", "request.object" is used as the validation scope within the foreach - // block to allow referencing other elements in the subtree. - // +optional - elementScope?: null | bool @go(ElementScope,*bool) - - // Context defines variables and data sources that can be used during rule execution. - // +optional - context?: [...#ContextEntry] @go(Context,[]ContextEntry) - - // AnyAllConditions are used to determine if a policy rule should be applied by evaluating a - // set of conditions. The declaration can contain nested `any` or `all` statements. 
- // See: https://kyverno.io/docs/writing-policies/preconditions/ - // +kubebuilder:validation:XPreserveUnknownFields - // +optional - preconditions?: null | #AnyAllConditions @go(AnyAllConditions,*AnyAllConditions) - - // Pattern specifies an overlay-style pattern used to check resources. - // +optional - pattern?: null | apiextv1.#JSON @go(RawPattern,*apiextv1.JSON) - - // AnyPattern specifies list of validation patterns. At least one of the patterns - // must be satisfied for the validation rule to succeed. - // +optional - anyPattern?: null | apiextv1.#JSON @go(RawAnyPattern,*apiextv1.JSON) - - // Deny defines conditions used to pass or fail a validation rule. - // +optional - deny?: null | #Deny @go(Deny,*Deny) -} - -// Generation defines how new resources should be created and managed. -#Generation: { - // ResourceSpec contains information to select the resource. - ResourceSpec?: #ResourceSpec - - // Synchronize controls if generated resources should be kept in-sync with their source resource. - // If Synchronize is set to "true" changes to generated resources will be overwritten with resource - // data from Data or the resource specified in the Clone declaration. - // Optional. Defaults to "false" if not specified. - // +optional - synchronize?: bool @go(Synchronize) - - // Data provides the resource declaration used to populate each generated resource. - // At most one of Data or Clone must be specified. If neither are provided, the generated - // resource will be created with default data only. - // +optional - data?: null | apiextv1.#JSON @go(RawData,*apiextv1.JSON) - - // Clone specifies the source resource used to populate each generated resource. - // At most one of Data or Clone can be specified. If neither are provided, the generated - // resource will be created with default data only. - // +optional - clone?: #CloneFrom @go(Clone) -} - -// CloneFrom provides the location of the source resource used to generate target resources. 
-// The resource kind is derived from the match criteria. -#CloneFrom: { - // Namespace specifies source resource namespace. - // +optional - namespace?: string @go(Namespace) - - // Name specifies name of the resource. - name?: string @go(Name) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/constants_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/constants_go_gen.cue deleted file mode 100644 index f3609f69..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/constants_go_gen.cue +++ /dev/null @@ -1,8 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -//PodControllersAnnotation defines the annotation key for Pod-Controllers -#PodControllersAnnotation: "pod-policies.kyverno.io/autogen-controllers" diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/generaterequest_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/generaterequest_types_go_gen.cue deleted file mode 100644 index df594269..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/generaterequest_types_go_gen.cue +++ /dev/null 
@@ -1,124 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - admissionv1 "k8s.io/api/admission/v1" - authenticationv1 "k8s.io/api/authentication/v1" -) - -// GenerateRequest is a request to process generate rule. -// +genclient -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// +kubebuilder:object:root=true -// +kubebuilder:subresource:status -// +kubebuilder:printcolumn:name="Policy",type="string",JSONPath=".spec.policy" -// +kubebuilder:printcolumn:name="ResourceKind",type="string",JSONPath=".spec.resource.kind" -// +kubebuilder:printcolumn:name="ResourceName",type="string",JSONPath=".spec.resource.name" -// +kubebuilder:printcolumn:name="ResourceNamespace",type="string",JSONPath=".spec.resource.namespace" -// +kubebuilder:printcolumn:name="status",type="string",JSONPath=".status.state" -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:resource:shortName=gr -#GenerateRequest: { - metav1.#TypeMeta - metadata?: metav1.#ObjectMeta @go(ObjectMeta) - - // Spec is the information to identify the generate request. - spec: #GenerateRequestSpec @go(Spec) - - // Status contains statistics related to generate request. - // +optional - status: #GenerateRequestStatus @go(Status) -} - -// GenerateRequestSpec stores the request specification. -#GenerateRequestSpec: { - // Specifies the name of the policy. - policy: string @go(Policy) - - // ResourceSpec is the information to identify the generate request. - resource: #ResourceSpec @go(Resource) - - // Context ... - context: #GenerateRequestContext @go(Context) -} - -// GenerateRequestContext stores the context to be shared. 
-#GenerateRequestContext: { - // +optional - userInfo?: #RequestInfo @go(UserRequestInfo) - - // +optional - admissionRequestInfo?: #AdmissionRequestInfoObject @go(AdmissionRequestInfo) -} - -// AdmissionRequestInfoObject stores the admission request and operation details -#AdmissionRequestInfoObject: { - // +optional - admissionRequest?: string @go(AdmissionRequest) - - // +optional - operation?: admissionv1.#Operation @go(Operation) -} - -// RequestInfo contains permission info carried in an admission request. -#RequestInfo: { - // Roles is a list of possible role send the request. - // +nullable - // +optional - roles: [...string] @go(Roles,[]string) - - // ClusterRoles is a list of possible clusterRoles send the request. - // +nullable - // +optional - clusterRoles: [...string] @go(ClusterRoles,[]string) - - // UserInfo is the userInfo carried in the admission request. - // +optional - userInfo: authenticationv1.#UserInfo @go(AdmissionUserInfo) -} - -// GenerateRequestStatus stores the status of generated request. -#GenerateRequestStatus: { - // State represents state of the generate request. - state: #GenerateRequestState @go(State) - - // Specifies request status message. - // +optional - message?: string @go(Message) - - // This will track the resources that are generated by the generate Policy. - // Will be used during clean up resources. - generatedResources?: [...#ResourceSpec] @go(GeneratedResources,[]ResourceSpec) -} - -// GenerateRequestState defines the state of request. -#GenerateRequestState: string // #enumGenerateRequestState - -#enumGenerateRequestState: - #Pending | - #Failed | - #Completed | - #Skip - -// Pending - the Request is yet to be processed or resource has not been created. -#Pending: #GenerateRequestState & "Pending" - -// Failed - the Generate Request Controller failed to process the rules. -#Failed: #GenerateRequestState & "Failed" - -// Completed - the Generate Request Controller created resources defined in the policy. 
-#Completed: #GenerateRequestState & "Completed" - -// Skip - the Generate Request Controller skips to generate the resource. -#Skip: #GenerateRequestState & "Skip" - -// GenerateRequestList stores the list of generate requests. -#GenerateRequestList: { - metav1.#TypeMeta - metadata: metav1.#ListMeta @go(ListMeta) - items: [...#GenerateRequest] @go(Items,[]GenerateRequest) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/image_verification_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/image_verification_types_go_gen.cue deleted file mode 100644 index 41dbd2e1..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/image_verification_types_go_gen.cue +++ /dev/null 
@@ -1,199 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -import apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" - -// ImageVerification validates that images that match the specified pattern -// are signed with the supplied public key. Once the image is verified it is -// mutated to include the SHA digest retrieved during the registration. -#ImageVerification: { - // Image is the image name consisting of the registry address, repository, image, and tag. - // Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - // Deprecated. Use ImageReferences instead. - // +kubebuilder:validation:Optional - image?: string @go(Image) - - // ImageReferences is a list of matching image reference patterns. At least one pattern in the - // list must match the image for the rule to apply. Each image reference consists of a registry - // address (defaults to docker.io), repository, image, and tag (defaults to latest). - // Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - // +kubebuilder:validation:Optional - imageReferences?: [...string] @go(ImageReferences,[]string) - - // Key is the PEM encoded public key that the image or attestation is signed with. - // Deprecated. Use StaticKeyAttestor instead. - key?: string @go(Key) - - // Roots is the PEM encoded Root certificate chain used for keyless signing - // Deprecated. Use KeylessAttestor instead. - roots?: string @go(Roots) - - // Subject is the identity used for keyless signing, for example an email address - // Deprecated. Use KeylessAttestor instead. - subject?: string @go(Subject) - - // Issuer is the certificate issuer used for keyless signing. - // Deprecated. Use KeylessAttestor instead. - issuer?: string @go(Issuer) - - // AdditionalExtensions are certificate-extensions used for keyless signing. - // Deprecated. 
- additionalExtensions?: {[string]: string} @go(AdditionalExtensions,map[string]string) - - // Attestors specified the required attestors (i.e. authorities) - // +kubebuilder:validation:Optional - attestors?: [...#AttestorSet] @go(Attestors,[]AttestorSet) - - // Attestations are optional checks for signed in-toto Statements used to verify the image. - // See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the - // OCI registry and decodes them into a list of Statement declarations. - attestations?: [...#Attestation] @go(Attestations,[]Attestation) - - // Annotations are used for image verification. - // Every specified key-value pair must exist and match in the verified payload. - // The payload may contain other key-value pairs. - // Deprecated. Use annotations per Attestor instead. - annotations?: {[string]: string} @go(Annotations,map[string]string) - - // Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. - // If specified Repository will override the default OCI image repository configured for the installation. - // The repository can also be overridden per Attestor or Attestation. - repository?: string @go(Repository) - - // MutateDigest enables replacement of image tags with digests. - // Defaults to true. - // +kubebuilder:default=true - // +kubebuilder:validation:Optional - mutateDigest: bool @go(MutateDigest) - - // VerifyDigest validates that images have a digest. - // +kubebuilder:default=true - // +kubebuilder:validation:Optional - verifyDigest: bool @go(VerifyDigest) - - // Required validates that images are verified i.e. have matched passed a signature or attestation check. - // +kubebuilder:default=true - // +kubebuilder:validation:Optional - required: bool @go(Required) -} - -#AttestorSet: { - // Count specifies the required number of entries that must match. If the count is null, all entries must match - // (a logical AND). 
If the count is 1, at least one entry must match (a logical OR). If the count contains a - // value N, then N must be less than or equal to the size of entries, and at least N entries must match. - // +kubebuilder:validation:Optional - // +kubebuilder:validation:Minimum:=1 - count?: null | int @go(Count,*int) - - // Entries contains the available attestors. An attestor can be a static key, - // attributes for keyless verification, or a nested attestor declaration. - // +kubebuilder:validation:Optional - entries?: [...#Attestor] @go(Entries,[]Attestor) -} - -#Attestor: { - // Keys specifies one or more public keys - // +kubebuilder:validation:Optional - keys?: null | #StaticKeyAttestor @go(Keys,*StaticKeyAttestor) - - // Certificates specifies one or more certificates - // +kubebuilder:validation:Optional - certificates?: null | #CertificateAttestor @go(Certificates,*CertificateAttestor) - - // Keyless is a set of attribute used to verify a Sigstore keyless attestor. - // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - // +kubebuilder:validation:Optional - keyless?: null | #KeylessAttestor @go(Keyless,*KeylessAttestor) - - // Attestor is a nested AttestorSet used to specify a more complex set of match authorities - // +kubebuilder:validation:Optional - attestor?: null | apiextv1.#JSON @go(Attestor,*apiextv1.JSON) - - // Annotations are used for image verification. - // Every specified key-value pair must exist and match in the verified payload. - // The payload may contain other key-value pairs. - annotations?: {[string]: string} @go(Annotations,map[string]string) - - // Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. - // If specified Repository will override other OCI image repository locations for this Attestor. - repository?: string @go(Repository) -} - -#StaticKeyAttestor: { - // Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly - // specified or can be a variable reference to a key specified in a ConfigMap (see - // https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each - // key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of - // attestors and the count is applied across the keys. - publicKeys?: string @go(PublicKeys) - - // Rekor provides configuration for the Rekor transparency log service. If the value is nil, - // Rekor is not checked. If an empty object is provided the public instance of - // Rekor (https://rekor.sigstore.dev) is used. - // +kubebuilder:validation:Optional - rekor?: null | #CTLog @go(Rekor,*CTLog) -} - -#CertificateAttestor: { - // Certificate is an optional PEM encoded public certificate. - // +kubebuilder:validation:Optional - cert?: string @go(Certificate) - - // CertificateChain is an optional PEM encoded set of certificates used to verify - // +kubebuilder:validation:Optional - certChain?: string @go(CertificateChain) - - // Rekor provides configuration for the Rekor transparency log service. If the value is nil, - // Rekor is not checked. If an empty object is provided the public instance of - // Rekor (https://rekor.sigstore.dev) is used. - // +kubebuilder:validation:Optional - rekor?: null | #CTLog @go(Rekor,*CTLog) -} - -#KeylessAttestor: { - // Rekor provides configuration for the Rekor transparency log service. If the value is nil, - // Rekor is not checked and a root certificate chain is expected instead. If an empty object - // is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - // +kubebuilder:validation:Optional - rekor?: null | #CTLog @go(Rekor,*CTLog) - - // Issuer is the certificate issuer used for keyless signing. 
- // +kubebuilder:validation:Optional - issuer?: string @go(Issuer) - - // Subject is the verified identity used for keyless signing, for example the email address - // +kubebuilder:validation:Optional - subject?: string @go(Subject) - - // Roots is an optional set of PEM encoded trusted root certificates. - // If not provided, the system roots are used. - // +kubebuilder:validation:Optional - roots?: string @go(Roots) - - // AdditionalExtensions are certificate-extensions used for keyless signing. - // +kubebuilder:validation:Optional - additionalExtensions?: {[string]: string} @go(AdditionalExtensions,map[string]string) -} - -#CTLog: { - // URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. - // +kubebuilder:validation:Required - // +kubebuilder:Default:=https://rekor.sigstore.dev - url: string @go(URL) -} - -// Attestation are checks for signed in-toto Statements that are used to verify the image. -// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the -// OCI registry and decodes them into a list of Statements. -#Attestation: { - // PredicateType defines the type of Predicate contained within the Statement. - predicateType?: string @go(PredicateType) - - // Conditions are used to verify attributes within a Predicate. If no Conditions are specified - // the attestation check is satisfied as long there are predicates that match the predicate type. - // +optional - conditions?: [...#AnyAllConditions] @go(Conditions,[]AnyAllConditions) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/match_resources_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/match_resources_types_go_gen.cue deleted file mode 100644 index 80587626..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/match_resources_types_go_gen.cue +++ /dev/null 
@@ -1,30 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -// MatchResources is used to specify resource and admission review request data for -// which a policy rule is applicable. -#MatchResources: { - // Any allows specifying resources which will be ORed - // +optional - any?: #ResourceFilters @go(Any) - - // All allows specifying resources which will be ANDed - // +optional - all?: #ResourceFilters @go(All) - - // UserInfo contains information about the user performing the operation. - // Specifying UserInfo directly under match is being deprecated. - // Please specify under "any" or "all" instead. - // +optional - UserInfo?: #UserInfo - - // ResourceDescription contains information about the resource being created or modified. - // Requires at least one tag to be specified when under MatchResources. - // Specifying ResourceDescription directly under match is being deprecated. - // Please specify under "any" or "all" instead. - // +optional - resources?: #ResourceDescription @go(ResourceDescription) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_interface_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_interface_go_gen.cue deleted file mode 100644 index cdfb1bf0..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_interface_go_gen.cue +++ /dev/null @@ -1,9 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -// PolicyInterface abstracts the concrete policy type (Policy vs ClusterPolicy) -// +kubebuilder:object:generate=false -#PolicyInterface: _ diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_status_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_status_go_gen.cue deleted file mode 100644 index 3acd45fe..00000000 
--- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_status_go_gen.cue +++ /dev/null @@ -1,40 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// Ready means that the policy is ready -#PolicyConditionReady: "Ready" - -// PolicyReasonSucceeded is the reason set when the policy is ready -#PolicyReasonSucceeded: "Succeeded" - -// PolicyReasonSucceeded is the reason set when the policy is not ready -#PolicyReasonFailed: "Failed" - -// PolicyStatus mostly contains runtime information related to policy execution. -// Deprecated. Policy metrics are now available via the "/metrics" endpoint. -// See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/ -#PolicyStatus: { - // Ready indicates if the policy is ready to serve the admission request. - // Deprecated in favor of Conditions - ready: bool @go(Ready) - - // Conditions is a list of conditions that apply to the policy - // +optional - conditions?: [...metav1.#Condition] @go(Conditions,[]metav1.Condition) -} - -// AutogenStatus contains autogen status information. -// It indicates requested and effective autogen controllers used when -// automatically generating rules. -#AutogenStatus: { - // Requested indicates the autogen requested controllers - requested?: [...string] @go(Requested,[]string) - - // Activated indicates the autogen activated controllers - activated?: [...string] @go(Activated,[]string) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_types_go_gen.cue deleted file mode 100644 index 8ac64c7e..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/policy_types_go_gen.cue +++ /dev/null 
@@ -1,29 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// Policy declares validation, mutation, and generation behaviors for matching resources. -// See: https://kyverno.io/docs/writing-policies/ for more information. -#Policy: { - metav1.#TypeMeta - metadata?: metav1.#ObjectMeta @go(ObjectMeta) - - // Spec defines policy behaviors and contains one or more rules. - spec: #Spec @go(Spec) - - // Status contains policy runtime information. - // +optional - // Deprecated. Policy metrics are available via the metrics endpoint - status?: #PolicyStatus @go(Status) -} - -// PolicyList is a list of Policy instances. -#PolicyList: { - metav1.#TypeMeta - metadata: metav1.#ListMeta @go(ListMeta) - items: [...#Policy] @go(Items,[]Policy) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/resource_description_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/resource_description_types_go_gen.cue deleted file mode 100644 index acd6a4d0..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/resource_description_types_go_gen.cue +++ /dev/null 
@@ -1,51 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// ResourceDescription contains criteria used to match resources. -#ResourceDescription: { - // Kinds is a list of resource kinds. - // +optional - kinds?: [...string] @go(Kinds,[]string) - - // Name is the name of the resource. The name supports wildcard characters - // "*" (matches zero or many characters) and "?" (at least one character). - // NOTE: "Name" is being deprecated in favor of "Names". - // +optional - name?: string @go(Name) - - // Names are the names of the resources. Each name supports wildcard characters - // "*" (matches zero or many characters) and "?" (at least one character). - // +optional - names?: [...string] @go(Names,[]string) - - // Namespaces is a list of namespaces names. Each name supports wildcard characters - // "*" (matches zero or many characters) and "?" (at least one character). - // +optional - namespaces?: [...string] @go(Namespaces,[]string) - - // Annotations is a map of annotations (key-value pairs of type string). Annotation keys - // and values support the wildcard characters "*" (matches zero or many characters) and - // "?" (matches at least one character). - // +optional - annotations?: {[string]: string} @go(Annotations,map[string]string) - - // Selector is a label selector. Label keys and values in `matchLabels` support the wildcard - // characters `*` (matches zero or many characters) and `?` (matches one character). - // Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that - // using ["*" : "*"] matches any key and value but does not match an empty label set. - // +optional - selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) - - // NamespaceSelector is a label selector for the resource namespace. 
Label keys and values - // in `matchLabels` support the wildcard characters `*` (matches zero or many characters) - // and `?` (matches one character).Wildcards allows writing label selectors like - // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but - // does not match an empty label set. - // +optional - namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/resource_spec_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/resource_spec_types_go_gen.cue deleted file mode 100644 index 3f62b55d..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/resource_spec_types_go_gen.cue +++ /dev/null @@ -1,22 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -#ResourceSpec: { - // APIVersion specifies resource apiVersion. - // +optional - apiVersion?: string @go(APIVersion) - - // Kind specifies resource kind. - kind?: string @go(Kind) - - // Namespace specifies resource namespace. - // +optional - namespace?: string @go(Namespace) - - // Name specifies the resource name. - // +optional - name?: string @go(Name) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/rule_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/rule_types_go_gen.cue deleted file mode 100644 index 71afa3a7..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/rule_types_go_gen.cue +++ /dev/null 
@@ -1,85 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -import apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" - -#ImageExtractorConfigs: [string]: [...#ImageExtractorConfig] - -#ImageExtractorConfig: { - // Path is the path to the object containing the image field in a custom resource. - // It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. - // Wildcard keys are expanded in case of arrays or objects. - path: string @go(Path) - - // Value is an optional name of the field within 'path' that points to the image URI. - // This is useful when a custom 'key' is also defined. - // +optional - value?: string @go(Value) - - // Name is the entry the image will be available under 'images.' in the context. - // If this field is not defined, image entries will appear under 'images.custom'. - // +optional - name?: string @go(Name) - - // Key is an optional name of the field within 'path' that will be used to uniquely identify an image. - // Note - this field MUST be unique. - // +optional - key?: string @go(Key) -} - -// Rule defines a validation, mutation, or generation control for matching resources. -// Each rules contains a match declaration to select resources, and an optional exclude -// declaration to specify which resources to exclude. -#Rule: { - // Name is a label to identify the rule, It must be unique within the policy. - // +kubebuilder:validation:MaxLength=63 - name?: string @go(Name) - - // Context defines variables and data sources that can be used during rule execution. - // +optional - context?: [...#ContextEntry] @go(Context,[]ContextEntry) - - // MatchResources defines when this policy rule should be applied. The match - // criteria can include resource information (e.g. kind, name, namespace, labels) - // and admission review request information like the user name or role. 
- // At least one kind is required. - match?: #MatchResources @go(MatchResources) - - // ExcludeResources defines when this policy rule should not be applied. The exclude - // criteria can include resource information (e.g. kind, name, namespace, labels) - // and admission review request information like the name or role. - // +optional - exclude?: #MatchResources @go(ExcludeResources) - - // ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. - // This config is only valid for verifyImages rules. - // +optional - imageExtractors?: #ImageExtractorConfigs @go(ImageExtractors) - - // Preconditions are used to determine if a policy rule should be applied by evaluating a - // set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - // of conditions (without `any` or `all` statements is supported for backwards compatibility but - // will be deprecated in the next major release. - // See: https://kyverno.io/docs/writing-policies/preconditions/ - // +optional - preconditions?: null | apiextv1.#JSON @go(RawAnyAllConditions,*apiextv1.JSON) - - // Mutation is used to modify matching resources. - // +optional - mutate?: #Mutation @go(Mutation) - - // Validation is used to validate matching resources. - // +optional - validate?: #Validation @go(Validation) - - // Generation is used to create new resources. - // +optional - generate?: #Generation @go(Generation) - - // VerifyImages is used to verify image signatures and mutate them to add a digest - // +optional - verifyImages?: [...#ImageVerification] @go(VerifyImages,[]ImageVerification) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/spec_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/spec_types_go_gen.cue deleted file mode 100644 index 8ca87587..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/spec_types_go_gen.cue +++ /dev/null 
@@ -1,76 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -// ValidationFailureAction defines the policy validation failure action -#ValidationFailureAction: string // #enumValidationFailureAction - -#enumValidationFailureAction: - #Enforce | - #Audit - -// Enforce blocks the request on failure -#Enforce: #ValidationFailureAction & "enforce" - -// Audit indicates not to block the request on failure, but report failures as policy violations -#Audit: #ValidationFailureAction & "audit" - -#ValidationFailureActionOverride: { - // +kubebuilder:validation:Enum=audit;enforce - action?: #ValidationFailureAction @go(Action) - namespaces?: [...string] @go(Namespaces,[]string) -} - -// Spec contains a list of Rule instances and other policy controls. -#Spec: { - // Rules is a list of Rule instances. A Policy contains multiple rules and - // each rule can validate, mutate, or generate resources. - rules?: [...#Rule] @go(Rules,[]Rule) - - // FailurePolicy defines how unrecognized errors from the admission endpoint are handled. - // Rules within the same policy share the same failure behavior. - // Allowed values are Ignore or Fail. Defaults to Fail. - // +optional - failurePolicy?: null | #FailurePolicyType @go(FailurePolicy,*FailurePolicyType) - - // ValidationFailureAction controls if a validation policy rule failure should disallow - // the admission review request (enforce), or allow (audit) the admission review request - // and report an error in a policy report. Optional. The default value is "audit". - // +optional - // +kubebuilder:validation:Enum=audit;enforce - validationFailureAction?: #ValidationFailureAction @go(ValidationFailureAction) - - // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. 
- // +optional - validationFailureActionOverrides?: [...#ValidationFailureActionOverride] @go(ValidationFailureActionOverrides,[]ValidationFailureActionOverride) - - // Background controls if rules are applied to existing resources during a background scan. - // Optional. Default value is "true". The value must be set to "false" if the policy rule - // uses variables that are only available in the admission review request (e.g. user name). - // +optional - background?: null | bool @go(Background,*bool) - - // SchemaValidation skips policy validation checks. - // Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. - // +optional - schemaValidation?: null | bool @go(SchemaValidation,*bool) - - // WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - // After the configured time expires, the admission request may fail, or may simply ignore the policy results, - // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. - webhookTimeoutSeconds?: null | int32 @go(WebhookTimeoutSeconds,*int32) - - // MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. - // Default value is "false". - // +optional - mutateExistingOnPolicyUpdate?: bool @go(MutateExistingOnPolicyUpdate) - - // GenerateExistingOnPolicyUpdate controls wether to trigger generate rule in existing resources - // If is set to "true" generate rule will be triggered and applied to existing matched resources. - // Defaults to "false" if not specified. - // +optional - generateExistingOnPolicyUpdate?: bool @go(GenerateExistingOnPolicyUpdate) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/user_info_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/user_info_types_go_gen.cue deleted file mode 100644 index 967fdf9a..00000000 
--- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/user_info_types_go_gen.cue +++ /dev/null @@ -1,22 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -import rbacv1 "k8s.io/api/rbac/v1" - -// UserInfo contains information about the user performing the operation. -#UserInfo: { - // Roles is the list of namespaced role names for the user. - // +optional - roles?: [...string] @go(Roles,[]string) - - // ClusterRoles is the list of cluster-wide role names for the user. - // +optional - clusterRoles?: [...string] @go(ClusterRoles,[]string) - - // Subjects is the list of subject names like users, user groups, and service accounts. - // +optional - subjects?: [...rbacv1.#Subject] @go(Subjects,[]rbacv1.Subject) -} diff --git a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/violated_rule_types_go_gen.cue b/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/violated_rule_types_go_gen.cue deleted file mode 100644 index e844fb15..00000000 --- a/cue.mod/gen/github.com/kyverno/kyverno/api/kyverno/v1/violated_rule_types_go_gen.cue +++ /dev/null @@ -1,21 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go github.com/kyverno/kyverno/api/kyverno/v1 - -package v1 - -// ViolatedRule stores the information regarding the rule. -#ViolatedRule: { - // Name specifies violated rule name. - name: string @go(Name) - - // Type specifies violated rule type. - type: string @go(Type) - - // Message specifies violation message. - // +optional - message: string @go(Message) - - // Status shows the rule response status - status: string @go(Status) -} diff --git a/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue deleted file mode 100644 index 597f5b0e..00000000 --- a/cue.mod/gen/k8s.io/api/admission/v1/register_go_gen.cue +++ /dev/null 
@@ -1,7 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go k8s.io/api/admission/v1 - -package v1 - -#GroupName: "admission.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue deleted file mode 100644 index af26bd06..00000000 --- a/cue.mod/gen/k8s.io/api/admission/v1/types_go_gen.cue +++ /dev/null 
@@ -1,172 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go k8s.io/api/admission/v1 - -package v1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" - authenticationv1 "k8s.io/api/authentication/v1" - "k8s.io/apimachinery/pkg/runtime" -) - -// AdmissionReview describes an admission review request/response. -#AdmissionReview: { - metav1.#TypeMeta - - // Request describes the attributes for the admission request. - // +optional - request?: null | #AdmissionRequest @go(Request,*AdmissionRequest) @protobuf(1,bytes,opt) - - // Response describes the attributes for the admission response. - // +optional - response?: null | #AdmissionResponse @go(Response,*AdmissionResponse) @protobuf(2,bytes,opt) -} - -// AdmissionRequest describes the admission.Attributes for the admission request. -#AdmissionRequest: { - // UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are - // otherwise identical (parallel requests, requests when earlier requests did not modify etc) - // The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. - // It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. 
- uid: types.#UID @go(UID) @protobuf(1,bytes,opt) - - // Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale) - kind: metav1.#GroupVersionKind @go(Kind) @protobuf(2,bytes,opt) - - // Resource is the fully-qualified resource being requested (for example, v1.pods) - resource: metav1.#GroupVersionResource @go(Resource) @protobuf(3,bytes,opt) - - // SubResource is the subresource being requested, if any (for example, "status" or "scale") - // +optional - subResource?: string @go(SubResource) @protobuf(4,bytes,opt) - - // RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). - // If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. - // - // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of - // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, - // an API request to apps/v1beta1 deployments would be converted and sent to the webhook - // with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), - // and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). - // - // See documentation for the "matchPolicy" field in the webhook configuration type for more details. - // +optional - requestKind?: null | metav1.#GroupVersionKind @go(RequestKind,*metav1.GroupVersionKind) @protobuf(13,bytes,opt) - - // RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). - // If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. 
- // - // For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of - // `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, - // an API request to apps/v1beta1 deployments would be converted and sent to the webhook - // with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), - // and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). - // - // See documentation for the "matchPolicy" field in the webhook configuration type. - // +optional - requestResource?: null | metav1.#GroupVersionResource @go(RequestResource,*metav1.GroupVersionResource) @protobuf(14,bytes,opt) - - // RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") - // If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. - // See documentation for the "matchPolicy" field in the webhook configuration type. - // +optional - requestSubResource?: string @go(RequestSubResource) @protobuf(15,bytes,opt) - - // Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and - // rely on the server to generate the name. If that is the case, this field will contain an empty string. - // +optional - name?: string @go(Name) @protobuf(5,bytes,opt) - - // Namespace is the namespace associated with the request (if any). - // +optional - namespace?: string @go(Namespace) @protobuf(6,bytes,opt) - - // Operation is the operation being performed. This may be different than the operation - // requested. e.g. a patch can result in either a CREATE or UPDATE Operation. 
- operation: #Operation @go(Operation) @protobuf(7,bytes,opt) - - // UserInfo is information about the requesting user - userInfo: authenticationv1.#UserInfo @go(UserInfo) @protobuf(8,bytes,opt) - - // Object is the object from the incoming request. - // +optional - object?: runtime.#RawExtension @go(Object) @protobuf(9,bytes,opt) - - // OldObject is the existing object. Only populated for DELETE and UPDATE requests. - // +optional - oldObject?: runtime.#RawExtension @go(OldObject) @protobuf(10,bytes,opt) - - // DryRun indicates that modifications will definitely not be persisted for this request. - // Defaults to false. - // +optional - dryRun?: null | bool @go(DryRun,*bool) @protobuf(11,varint,opt) - - // Options is the operation option structure of the operation being performed. - // e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be - // different than the options the caller provided. e.g. for a patch request the performed - // Operation might be a CREATE, in which case the Options will a - // `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. - // +optional - options?: runtime.#RawExtension @go(Options) @protobuf(12,bytes,opt) -} - -// AdmissionResponse describes an admission response. -#AdmissionResponse: { - // UID is an identifier for the individual request/response. - // This must be copied over from the corresponding AdmissionRequest. - uid: types.#UID @go(UID) @protobuf(1,bytes,opt) - - // Allowed indicates whether or not the admission request was permitted. - allowed: bool @go(Allowed) @protobuf(2,varint,opt) - - // Result contains extra details into why an admission request was denied. - // This field IS NOT consulted in any way if "Allowed" is "true". - // +optional - status?: null | metav1.#Status @go(Result,*metav1.Status) @protobuf(3,bytes,opt) - - // The patch body. Currently we only support "JSONPatch" which implements RFC 6902. 
- // +optional - patch?: bytes @go(Patch,[]byte) @protobuf(4,bytes,opt) - - // The type of Patch. Currently we only allow "JSONPatch". - // +optional - patchType?: null | #PatchType @go(PatchType,*PatchType) @protobuf(5,bytes,opt) - - // AuditAnnotations is an unstructured key value map set by remote admission controller (e.g. error=image-blacklisted). - // MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controller will prefix the keys with - // admission webhook name (e.g. imagepolicy.example.com/error=image-blacklisted). AuditAnnotations will be provided by - // the admission webhook to add additional context to the audit log for this request. - // +optional - auditAnnotations?: {[string]: string} @go(AuditAnnotations,map[string]string) @protobuf(6,bytes,opt) - - // warnings is a list of warning messages to return to the requesting API client. - // Warning messages describe a problem the client making the API request should correct or be aware of. - // Limit warnings to 120 characters if possible. - // Warnings over 256 characters and large numbers of warnings may be truncated. - // +optional - warnings?: [...string] @go(Warnings,[]string) @protobuf(7,bytes,rep) -} - -// PatchType is the type of patch being used to represent the mutated object -#PatchType: string // #enumPatchType - -#enumPatchType: - #PatchTypeJSONPatch - -#PatchTypeJSONPatch: #PatchType & "JSONPatch" - -// Operation is the type of resource operation being checked for admission control -#Operation: string // #enumOperation - -#enumOperation: - #Create | - #Update | - #Delete | - #Connect - -#Create: #Operation & "CREATE" -#Update: #Operation & "UPDATE" -#Delete: #Operation & "DELETE" -#Connect: #Operation & "CONNECT" diff --git a/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue b/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue deleted file mode 100644 index 08256009..00000000 
--- a/cue.mod/gen/k8s.io/api/authentication/v1/register_go_gen.cue +++ /dev/null @@ -1,7 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go k8s.io/api/authentication/v1 - -package v1 - -#GroupName: "authentication.k8s.io" diff --git a/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue b/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue deleted file mode 100644 index d4e4c995..00000000 --- a/cue.mod/gen/k8s.io/api/authentication/v1/types_go_gen.cue +++ /dev/null 
@@ -1,184 +0,0 @@ -// Code generated by cue get go. DO NOT EDIT. - -//cue:generate cue get go k8s.io/api/authentication/v1 - -package v1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" -) - -// ImpersonateUserHeader is used to impersonate a particular user during an API server request -#ImpersonateUserHeader: "Impersonate-User" - -// ImpersonateGroupHeader is used to impersonate a particular group during an API server request. -// It can be repeated multiplied times for multiple groups. -#ImpersonateGroupHeader: "Impersonate-Group" - -// ImpersonateUIDHeader is used to impersonate a particular UID during an API server request -#ImpersonateUIDHeader: "Impersonate-Uid" - -// ImpersonateUserExtraHeaderPrefix is a prefix for any header used to impersonate an entry in the -// extra map[string][]string for user.Info. The key will be every after the prefix. -// It can be repeated multiplied times for multiple map keys and the same key can be repeated multiple -// times to have multiple elements in the slice under a single key -#ImpersonateUserExtraHeaderPrefix: "Impersonate-Extra-" - -// TokenReview attempts to authenticate a token to a known user. -// Note: TokenReview requests may be cached by the webhook token authenticator -// plugin in the kube-apiserver. -#TokenReview: { - metav1.#TypeMeta - - // Standard object's metadata. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - // +optional - metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) - - // Spec holds information about the request being evaluated - spec: #TokenReviewSpec @go(Spec) @protobuf(2,bytes,opt) - - // Status is filled in by the server and indicates whether the request can be authenticated. - // +optional - status?: #TokenReviewStatus @go(Status) @protobuf(3,bytes,opt) -} - -// TokenReviewSpec is a description of the token authentication request. 
-#TokenReviewSpec: { - // Token is the opaque bearer token. - // +optional - token?: string @go(Token) @protobuf(1,bytes,opt) - - // Audiences is a list of the identifiers that the resource server presented - // with the token identifies as. Audience-aware token authenticators will - // verify that the token was intended for at least one of the audiences in - // this list. If no audiences are provided, the audience will default to the - // audience of the Kubernetes apiserver. - // +optional - audiences?: [...string] @go(Audiences,[]string) @protobuf(2,bytes,rep) -} - -// TokenReviewStatus is the result of the token authentication request. -#TokenReviewStatus: { - // Authenticated indicates that the token was associated with a known user. - // +optional - authenticated?: bool @go(Authenticated) @protobuf(1,varint,opt) - - // User is the UserInfo associated with the provided token. - // +optional - user?: #UserInfo @go(User) @protobuf(2,bytes,opt) - - // Audiences are audience identifiers chosen by the authenticator that are - // compatible with both the TokenReview and token. An identifier is any - // identifier in the intersection of the TokenReviewSpec audiences and the - // token's audiences. A client of the TokenReview API that sets the - // spec.audiences field should validate that a compatible audience identifier - // is returned in the status.audiences field to ensure that the TokenReview - // server is audience aware. If a TokenReview returns an empty - // status.audience field where status.authenticated is "true", the token is - // valid against the audience of the Kubernetes API server. - // +optional - audiences?: [...string] @go(Audiences,[]string) @protobuf(4,bytes,rep) - - // Error indicates that the token couldn't be checked - // +optional - error?: string @go(Error) @protobuf(3,bytes,opt) -} - -// UserInfo holds the information about the user needed to implement the -// user.Info interface. 
-#UserInfo: { - // The name that uniquely identifies this user among all active users. - // +optional - username?: string @go(Username) @protobuf(1,bytes,opt) - - // A unique value that identifies this user across time. If this user is - // deleted and another user by the same name is added, they will have - // different UIDs. - // +optional - uid?: string @go(UID) @protobuf(2,bytes,opt) - - // The names of groups this user is a part of. - // +optional - groups?: [...string] @go(Groups,[]string) @protobuf(3,bytes,rep) - - // Any additional information provided by the authenticator. - // +optional - extra?: {[string]: #ExtraValue} @go(Extra,map[string]ExtraValue) @protobuf(4,bytes,rep) -} - -// ExtraValue masks the value so protobuf can generate -// +protobuf.nullable=true -// +protobuf.options.(gogoproto.goproto_stringer)=false -#ExtraValue: [...string] - -// TokenRequest requests a token for a given service account. -#TokenRequest: { - metav1.#TypeMeta - - // Standard object's metadata. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - // +optional - metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt) - - // Spec holds information about the request being evaluated - spec: #TokenRequestSpec @go(Spec) @protobuf(2,bytes,opt) - - // Status is filled in by the server and indicates whether the token can be authenticated. - // +optional - status?: #TokenRequestStatus @go(Status) @protobuf(3,bytes,opt) -} - -// TokenRequestSpec contains client provided parameters of a token request. -#TokenRequestSpec: { - // Audiences are the intendend audiences of the token. A recipient of a - // token must identify themself with an identifier in the list of - // audiences of the token, and otherwise should reject the token. A - // token issued for multiple audiences may be used to authenticate - // against any of the audiences listed but implies a high degree of - // trust between the target audiences. 
- audiences: [...string] @go(Audiences,[]string) @protobuf(1,bytes,rep) - - // ExpirationSeconds is the requested duration of validity of the request. The - // token issuer may return a token with a different validity duration so a - // client needs to check the 'expiration' field in a response. - // +optional - expirationSeconds?: null | int64 @go(ExpirationSeconds,*int64) @protobuf(4,varint,opt) - - // BoundObjectRef is a reference to an object that the token will be bound to. - // The token will only be valid for as long as the bound object exists. - // NOTE: The API server's TokenReview endpoint will validate the - // BoundObjectRef, but other audiences may not. Keep ExpirationSeconds - // small if you want prompt revocation. - // +optional - boundObjectRef?: null | #BoundObjectReference @go(BoundObjectRef,*BoundObjectReference) @protobuf(3,bytes,opt) -} - -// TokenRequestStatus is the result of a token request. -#TokenRequestStatus: { - // Token is the opaque bearer token. - token: string @go(Token) @protobuf(1,bytes,opt) - - // ExpirationTimestamp is the time of expiration of the returned token. - expirationTimestamp: metav1.#Time @go(ExpirationTimestamp) @protobuf(2,bytes,opt) -} - -// BoundObjectReference is a reference to an object that a token is bound to. -#BoundObjectReference: { - // Kind of the referent. Valid kinds are 'Pod' and 'Secret'. - // +optional - kind?: string @go(Kind) @protobuf(1,bytes,opt) - - // API version of the referent. - // +optional - apiVersion?: string @go(APIVersion) @protobuf(2,bytes,opt) - - // Name of the referent. - // +optional - name?: string @go(Name) @protobuf(3,bytes,opt) - - // UID of the referent. - // +optional - uid?: types.#UID @go(UID) @protobuf(4,bytes,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID) -} diff --git a/dependencies.go b/dependencies.go index d510ac91..f121b110 100644 --- a/dependencies.go +++ b/dependencies.go 
@@ -2,7 +2,6 @@ package frsca // Declared dependencies for CUE code generation. import ( - _ "github.com/kyverno/kyverno/api/kyverno/v1" _ "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" _ "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1" _ "k8s.io/api/core/v1" diff --git a/frsca.cue b/frsca.cue index d95bf983..e01d8fb2 100644 --- a/frsca.cue +++ b/frsca.cue @@ -3,7 +3,6 @@ package frsca import ( k8sCoreV1 "k8s.io/api/core/v1" k8sRbacV1 "k8s.io/api/rbac/v1" - kyvernoV1 "github.com/kyverno/kyverno/api/kyverno/v1" pipelineV1Beta1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1" triggersV1Beta1 "github.com/tektoncd/triggers/pkg/apis/triggers/v1beta1" ) @@ -104,7 +103,7 @@ frsca: persistentVolumeClaim?: [Name=_]: k8sCoreV1.#PersistentVolumeClaim & { metadata: name: *Name | string } -frsca: clusterPolicy?: [Name=_]: kyvernoV1.#ClusterPolicy & { +frsca: clusterPolicy?: [Name=_]: { apiVersion: "kyverno.io/v1" kind: "ClusterPolicy" metadata: name: *Name | string diff --git a/go.mod b/go.mod index 026267e0..38ee1c6f 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,6 @@ module github.com/buildsec/frsca go 1.19 require ( - github.com/kyverno/kyverno v1.7.5 github.com/tektoncd/pipeline v0.41.0 github.com/tektoncd/triggers v0.22.0 k8s.io/api v0.25.3 @@ -37,7 +36,6 @@ require ( github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/kyverno/go-wildcard v1.0.4 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 
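Review bot: Dropping `kyvernoV1.#ClusterPolicy &` from the `frsca: clusterPolicy` definition in frsca.cue removes the only schema check these admission policies had, so a misspelled `verifyImages` key (`imageReference`, `attestor`) now passes `cue vet` and is only caught, if at all, by the API server. Because these policies are the cluster's admission-time root of trust, an unknown field that the CRD prunes silently could weaken a rule instead of rejecting it, and whether Kyverno's own policy validation then fails closed is not something this diff shows. The change deserves a comment recording why the typed schema went away (presumably the v1.7.5 Go types did not cover the fields the policies now use, but the diff does not say) and what replaces it, e.g. `// NOTE: untyped since the kyverno Go module was dropped; validate rendered policies with the kyverno CLI or kubectl apply --dry-run=server before rollout`. The `frsca:` definition this hunk edits continues outside the hunk.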
@@ -49,6 +47,7 @@ require ( github.com/prometheus/common v0.37.0 // indirect github.com/prometheus/procfs v0.8.0 // indirect github.com/prometheus/statsd_exporter v0.22.7 // indirect + github.com/rogpeppe/go-internal v1.8.1 // indirect go.opencensus.io v0.23.0 // indirect go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect @@ -76,7 +75,6 @@ require ( k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect knative.dev/pkg v0.0.0-20221011175852-714b7630a836 // indirect - sigs.k8s.io/controller-runtime v0.12.3 // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect diff --git a/go.sum b/go.sum index 47bb1c87..54a7853c 100644 --- a/go.sum +++ b/go.sum @@ -37,7 +37,6 @@ contrib.go.opencensus.io/exporter/prometheus v0.4.1/go.mod h1:t9wvfitlUjGXG2IXAZ dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/IGLOU-EU/go-wildcard v1.0.3 h1:r8T46+8/9V1STciXJomTWRpPEv4nGJATDbJkdU0Nou0= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 
@@ -86,7 +85,6 @@ github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= -github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= @@ -222,10 +220,6 @@ github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= -github.com/kyverno/go-wildcard v1.0.4 h1:uoIWLnywcLED/nXeNVDj4U7OvNW1O3N4+emC5gK90ug= -github.com/kyverno/go-wildcard v1.0.4/go.mod h1:sZkBvzy+au8C1uiqOH+SdN4psOL+0nhfWgsZzzJKwbs= -github.com/kyverno/kyverno v1.7.5 h1:6lxmwUzMWtOS8z953uydJReDLn4Wn4kBpt7GzCUed2E= -github.com/kyverno/kyverno v1.7.5/go.mod h1:+qOQNbGi6p57/QS6HJmlTtD2Uo5eOH+GCdl43pybgdo= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= 
@@ -243,13 +237,12 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= -github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo/v2 v2.1.6 h1:Fx2POJZfKRQcM1pH49qSZiYeu319wji004qX+GDovrU= github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/openzipkin/zipkin-go v0.3.0 h1:XtuXmOLIXLjiU2XduuWREDT0LOKtSgos/g7i7RYyoZQ= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -289,6 +282,7 @@ github.com/prometheus/statsd_exporter v0.22.7/go.mod h1:N/TevpjkIh9ccs6nuzY3jQn9 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg= +github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= @@ -646,7 +640,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
@@ -661,7 +654,6 @@ gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= @@ -692,8 +684,6 @@ knative.dev/serving v0.30.1-0.20220402124840-21c05dc9d9a4 h1:iRFWsFKsA5ddhi+eKZV rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.12.3 h1:FCM8xeY/FI8hoAfh/V4XbbYMY20gElh9yh+A98usMio= -sigs.k8s.io/controller-runtime v0.12.3/go.mod h1:qKsk4WE6zW2Hfj0G4v10EnNB2jMG1C+NTb8h+DwCoU0= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= diff --git a/resources/kyverno/admission-control-policy/admission-control-verify-attestation.cue b/resources/kyverno/admission-control-policy/admission-control-verify-attestation.cue index 23f0785a..adeb1041 100644 --- a/resources/kyverno/admission-control-policy/admission-control-verify-attestation.cue +++ b/resources/kyverno/admission-control-policy/admission-control-verify-attestation.cue 
@@ -1,9 +1,9 @@ package frsca -frsca: clusterPolicy: "attest-code-review": { +frsca: clusterPolicy: "attest-code-review-prod": { spec: rules: [{ verifyImages: [{ - image: #public.repo + imageReferences: [ #public.repo ] attestations: [{ predicateType: "https://slsa.dev/provenance/v0.2" conditions: [{ @@ -17,10 +17,22 @@ frsca: clusterPolicy: "attest-code-review": { value: "tekton.dev/v1beta1/TaskRun" }] }] + attestors: [{ + entries: [{ + keys: { publicKeys: #kyvernoKeys.ttlsh } + }] + }] }] - key: "{{ keys.data.ttlsh }}" - }, { - image: "gcr.io/tekton-releases/github.com/tektoncd/*" + }] + match: resources: namespaces: ["prod"] + }] + metadata: annotations: "pod-policies.kyverno.io/autogen-controllers": "none" +} + +frsca: clusterPolicy: "attest-code-review-tekton": { + spec: rules: [{ + verifyImages: [{ + imageReferences: [ "gcr.io/tekton-releases/github.com/tektoncd/*" ] attestations: [{ predicateType: "https://slsa.dev/provenance/v0.2" conditions: [{ @@ -31,15 +43,18 @@ frsca: clusterPolicy: "attest-code-review": { }, { key: "{{ buildType }}" operator: "Equals" - value: "https://tekton.dev/attestations/chains@v2" + value: "tekton.dev/v1beta1/TaskRun" + }] + }] + attestors: [{ + entries: [{ + keys: { publicKeys: #kyvernoKeys.tektoncd } }] }] }] - key: "{{ keys.data.tektoncd }}" }] match: resources: namespaces: ["tekton-pipelines", - "tekton-chains", - "prod"] + "tekton-chains"] }] metadata: annotations: "pod-policies.kyverno.io/autogen-controllers": "none" } diff --git a/resources/kyverno/admission-control-policy/admission-control-verify-image-resources.cue b/resources/kyverno/admission-control-policy/admission-control-verify-image-resources.cue deleted file mode 100644 index 919d9850..00000000 --- a/resources/kyverno/admission-control-policy/admission-control-verify-image-resources.cue +++ /dev/null 
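Review bot: In the third hunk the `buildType` enforced for `gcr.io/tekton-releases/github.com/tektoncd/*` changes from `https://tekton.dev/attestations/chains@v2` to `tekton.dev/v1beta1/TaskRun`, and nothing in the diff records which value upstream Tekton release provenance actually carries; with `validationFailureAction: "Enforce"` from kyverno.cue a mismatch blocks every Tekton pod in `tekton-pipelines`/`tekton-chains` rather than weakening trust, so a comment such as `// buildType as emitted by upstream Tekton release provenance; re-check on Tekton/Chains upgrades` plus a dry-run against a current release image would make the intent auditable. Separately, `prod` is removed from the tekton policy while the new `attest-code-review-prod` policy only lists `#public.repo`, so Tekton images running in prod no longer get provenance verification, only whatever signature check verify-image applies to them; if that narrowing is intended it should be stated, otherwise keep `prod` in the tekton policy's namespace list. Minor style: `[ #public.repo ]` and `[ "gcr.io/tekton-releases/github.com/tektoncd/*" ]` are not `cue fmt` output; write `[#public.repo]`.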
@@ -1,22 +0,0 @@ -package frsca - -frsca: configMap: "\(#keys.name)": { - metadata: namespace: #keys.namespace - data: { - tektoncd: """ - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnLNw3RYx9xQjXbUEw8vonX3U4+tB - kPnJq+zt386SCoG0ewIH5MB8+GjIDGArUULSDfjfM31Eae/71kavAUI0OA== - -----END PUBLIC KEY----- - """ - - projectsigstore: """ - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt - IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww== - -----END PUBLIC KEY----- - """ - - ttlsh: #public.key - } -} diff --git a/resources/kyverno/admission-control-policy/admission-control-verify-image.cue b/resources/kyverno/admission-control-policy/admission-control-verify-image.cue index 08cacea6..c6456923 100644 --- a/resources/kyverno/admission-control-policy/admission-control-verify-image.cue +++ b/resources/kyverno/admission-control-policy/admission-control-verify-image.cue @@ -4,13 +4,13 @@ frsca: clusterPolicy: "verify-image": { spec: rules: [{ verifyImages: [{ image: "gcr.io/tekton-releases/github.com/tektoncd/*" - key: "{{ keys.data.tektoncd }}" + key: #kyvernoKeys.tektoncd }, { image: "gcr.io/projectsigstore/*" - key: "{{ keys.data.projectsigstore }}" + key: #kyvernoKeys.projectsigstore }, { image: "ttl.sh/*" - key: "{{ keys.data.ttlsh }}" + key: #kyvernoKeys.ttlsh }, { image: "ghcr.io/google/ko" subject: "https://github.com/google/ko/*" diff --git a/resources/kyverno/admission-control-policy/kyverno.cue b/resources/kyverno/admission-control-policy/kyverno.cue index e153a7e9..2d28405d 100644 --- a/resources/kyverno/admission-control-policy/kyverno.cue +++ b/resources/kyverno/admission-control-policy/kyverno.cue 
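Review bot: The three key-based entries in `verify-image` keep the older `image`/`key` form while the attestation policies in this same commit move to `imageReferences`/`attestors`, so the repo now carries two spellings of the same trust rule. Kyverno appears to still accept the legacy fields (the context lines are untouched), but mixing forms makes the policies harder to audit side by side and leaves these entries exposed if the legacy fields are ever dropped. Convert the key entries to the schema the attestation policy already relies on; the `ghcr.io/google/ko` keyless entry continues past the hunk and would need the matching `attestors: [{entries: [{keyless: …}]}]` form. The enclosing `verify-image` rule starts before and ends after this hunk.
```cue
verifyImages: [{
	imageReferences: ["gcr.io/tekton-releases/github.com/tektoncd/*"]
	attestors: [{entries: [{keys: {publicKeys: #kyvernoKeys.tektoncd}}]}]
}, {
	imageReferences: ["gcr.io/projectsigstore/*"]
	attestors: [{entries: [{keys: {publicKeys: #kyvernoKeys.projectsigstore}}]}]
}, {
	imageReferences: ["ttl.sh/*"]
	attestors: [{entries: [{keys: {publicKeys: #kyvernoKeys.ttlsh}}]}]
}, {
	// … unchanged: ghcr.io/google/ko keyless entry, continues outside the hunk …
```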
@@ -1,15 +1,28 @@ package frsca -#keys: { - name: "keys" - namespace: "default" -} - #public: { repo: string @tag(repo) key: string @tag(key) } +#kyvernoKeys: { + tektoncd: """ + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnLNw3RYx9xQjXbUEw8vonX3U4+tB + kPnJq+zt386SCoG0ewIH5MB8+GjIDGArUULSDfjfM31Eae/71kavAUI0OA== + -----END PUBLIC KEY----- + """ + + projectsigstore: """ + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt + IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww== + -----END PUBLIC KEY----- + """ + + ttlsh: #public.key +} + frsca: clusterPolicy: [Name=_]: spec: { validationFailureAction: "Enforce" background: false @@ -20,12 +33,5 @@ frsca: clusterPolicy: [Name=_]: spec: { match: resources: kinds: [ "Pod", ] - context: [{ - name: #keys.name - configMap: { - name: #keys.name - namespace: #keys.namespace - } - }] }] }
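Review bot: The `tektoncd` and `projectsigstore` entries of `#kyvernoKeys` are now hard-coded roots of trust for admission, yet neither carries a note of where the PEM came from or how to re-verify it, so a swapped key in a later diff would read as routine maintenance. Add a provenance comment above each key, e.g. `// Tekton release signing key; cross-check against the upstream published key before changing`, and the equivalent for the sigstore key, naming the authoritative source where it is known. `ttlsh: #public.key` is whatever the `@tag(key)` injection supplies at render time, so a sanity constraint on the `#public` definition shown as context, `key: string & =~"^-----BEGIN PUBLIC KEY-----" @tag(key)`, would reject an empty or mis-pasted key before it lands in a policy. Removing the `keys` ConfigMap and its `context` lookup in the second hunk also removes a mutable runtime dependency the policy used to trust, which is worth saying explicitly since it changes who can alter the trust roots.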