Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package kyverno for openSUSE:Factory checked in at 2022-12-20 20:21:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kyverno (Old) and /work/SRC/openSUSE:Factory/.kyverno.new.1835 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kyverno" Tue Dec 20 20:21:15 2022 rev:14 rq:1043927 version:1.8.5 Changes: -------- --- /work/SRC/openSUSE:Factory/kyverno/kyverno.changes 2022-12-10 21:18:34.741819852 +0100 +++ /work/SRC/openSUSE:Factory/.kyverno.new.1835/kyverno.changes 2022-12-20 20:21:56.642357312 +0100 @@ -1,0 +2,11 @@ +Tue Dec 20 12:22:22 UTC 2022 - [email protected] + +- Update to version 1.8.5: + * release v1.8.5 (#5726) + * tag v1.8.5-rc.1 (#5718) + * Cherry-pick Require predicate type (#5717) + * cherry-pick: fix digest and verify logic (#5706) + * fix: interface conversion panic (#5708) (#5711) + * Delete category all from CRDs (cherry-pick #5557) (#5709) + +------------------------------------------------------------------- Old: ---- kyverno-1.8.4.tar.gz New: ---- kyverno-1.8.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kyverno.spec ++++++ --- /var/tmp/diff_new_pack.DVlVrG/_old 2022-12-20 20:21:57.326361060 +0100 +++ /var/tmp/diff_new_pack.DVlVrG/_new 2022-12-20 20:21:57.330361082 +0100 @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: kyverno -Version: 1.8.4 +Version: 1.8.5 Release: 0 Summary: CLI and kubectl plugin for Kyverno License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.DVlVrG/_old 2022-12-20 20:21:57.366361279 +0100 +++ /var/tmp/diff_new_pack.DVlVrG/_new 2022-12-20 20:21:57.366361279 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/kyverno/kyverno</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.8.4</param> + <param name="revision">v1.8.5</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> 
@@ -17,7 +17,7 @@ <param name="compression">gz</param> </service> <service name="go_modules" mode="disabled"> - <param name="archive">kyverno-1.8.4.tar.gz</param> + <param name="archive">kyverno-1.8.5.tar.gz</param> </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.DVlVrG/_old 2022-12-20 20:21:57.386361389 +0100 +++ /var/tmp/diff_new_pack.DVlVrG/_new 2022-12-20 20:21:57.390361411 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/kyverno/kyverno</param> - <param name="changesrevision">0675d21dd9586a8e55ac2b3796a8db850b996895</param></service></servicedata> + <param name="changesrevision">c19061758dc4203106ab6d87a245045c20192721</param></service></servicedata> (No newline at EOF) ++++++ kyverno-1.8.4.tar.gz -> kyverno-1.8.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/api/kyverno/v1/clusterpolicy_types.go new/kyverno-1.8.5/api/kyverno/v1/clusterpolicy_types.go --- old/kyverno-1.8.4/api/kyverno/v1/clusterpolicy_types.go 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/api/kyverno/v1/clusterpolicy_types.go 2022-12-20 09:41:43.000000000 +0100 
@@ -13,7 +13,7 @@ // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true // +kubebuilder:subresource:status -// +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno;all +// +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno // +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background" // +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction" // +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/api/kyverno/v1/image_verification_types.go new/kyverno-1.8.5/api/kyverno/v1/image_verification_types.go --- old/kyverno-1.8.4/api/kyverno/v1/image_verification_types.go 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/api/kyverno/v1/image_verification_types.go 2022-12-20 09:41:43.000000000 +0100 @@ -192,7 +192,8 @@ // OCI registry and decodes them into a list of Statements. type Attestation struct { // PredicateType defines the type of Predicate contained within the Statement. - PredicateType string `json:"predicateType,omitempty" yaml:"predicateType,omitempty"` + // +kubebuilder:validation:Required + PredicateType string `json:"predicateType" yaml:"predicateType"` // Attestors specify the required attestors (i.e. authorities) // +kubebuilder:validation:Optional 
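Review bot: The `+kubebuilder:validation:Required` marker added above `PredicateType` in `Attestation` (api/kyverno/v1/image_verification_types.go) only makes the generated schema require the key to be present, so `predicateType: ""` still satisfies it. The regenerated CRDs in this update confirm that: they gain `required: - predicateType` but the property stays a bare `type: string`. Adding `// +kubebuilder:validation:MinLength=1` beside it would reject an empty value when the policy is created, instead of leaving it to the runtime `missing predicateType` check in `verifyAttestations`. The struct continues beyond this hunk.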
@@ -200,7 +201,7 @@ // Conditions are used to verify attributes within a Predicate. If no Conditions are specified // the attestation check is satisfied as long there are predicates that match the predicate type. - // +optional + // +kubebuilder:validation:Optional Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"` } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/api/kyverno/v1alpha2/admission_report_types.go new/kyverno-1.8.5/api/kyverno/v1alpha2/admission_report_types.go --- old/kyverno-1.8.4/api/kyverno/v1alpha2/admission_report_types.go 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/api/kyverno/v1alpha2/admission_report_types.go 2022-12-20 09:41:43.000000000 +0100 @@ -38,7 +38,7 @@ // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true // +kubebuilder:storageversion -// +kubebuilder:resource:shortName=admr,categories=kyverno;all +// +kubebuilder:resource:shortName=admr,categories=kyverno // +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion",priority=1 // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind",priority=1 // +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name",priority=1 
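Review bot: Replacing `// +optional` with `// +kubebuilder:validation:Optional` on `Conditions` appears to cost the field its "(Optional)" label in the generated API reference. The docs/user/crd/index.html hunk in this same update removes `<em>(Optional)</em>` from exactly this field. If the docs generator keys on `+optional`, as that hunk suggests, keeping both markers (`// +optional` followed by `// +kubebuilder:validation:Optional`) preserves both the schema and the docs.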
@@ -75,7 +75,7 @@ // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true // +kubebuilder:storageversion -// +kubebuilder:resource:scope=Cluster,shortName=cadmr,categories=kyverno;all +// +kubebuilder:resource:scope=Cluster,shortName=cadmr,categories=kyverno // +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion",priority=1 // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind",priority=1 // +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name",priority=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/api/kyverno/v1alpha2/background_scan_report_types.go new/kyverno-1.8.5/api/kyverno/v1alpha2/background_scan_report_types.go --- old/kyverno-1.8.4/api/kyverno/v1alpha2/background_scan_report_types.go 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/api/kyverno/v1alpha2/background_scan_report_types.go 2022-12-20 09:41:43.000000000 +0100 @@ -35,7 +35,7 @@ // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true // +kubebuilder:storageversion -// +kubebuilder:resource:shortName=bgscanr,categories=kyverno;all +// +kubebuilder:resource:shortName=bgscanr,categories=kyverno // +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion",priority=1 // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind",priority=1 // +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name",priority=1 
@@ -71,7 +71,7 @@ // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true // +kubebuilder:storageversion -// +kubebuilder:resource:scope=Cluster,shortName=cbgscanr,categories=kyverno;all +// +kubebuilder:resource:scope=Cluster,shortName=cbgscanr,categories=kyverno // +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion",priority=1 // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind",priority=1 // +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name",priority=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/api/kyverno/v1beta1/updaterequest_types.go new/kyverno-1.8.5/api/kyverno/v1beta1/updaterequest_types.go --- old/kyverno-1.8.4/api/kyverno/v1beta1/updaterequest_types.go 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/api/kyverno/v1beta1/updaterequest_types.go 2022-12-20 09:41:43.000000000 +0100 @@ -51,7 +51,7 @@ // +kubebuilder:printcolumn:name="ResourceNamespace",type="string",JSONPath=".spec.resource.namespace" // +kubebuilder:printcolumn:name="status",type="string",JSONPath=".status.state" // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:resource:shortName=ur,categories=kyverno;all +// +kubebuilder:resource:shortName=ur,categories=kyverno // UpdateRequest is a request to process mutate and generate rules in background. type UpdateRequest struct { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/api/kyverno/v2beta1/clusterpolicy_types.go new/kyverno-1.8.5/api/kyverno/v2beta1/clusterpolicy_types.go --- old/kyverno-1.8.4/api/kyverno/v2beta1/clusterpolicy_types.go 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/api/kyverno/v2beta1/clusterpolicy_types.go 2022-12-20 09:41:43.000000000 +0100 
@@ -14,7 +14,7 @@ // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true // +kubebuilder:subresource:status -// +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno;all +// +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno // +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background" // +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction" // +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/charts/kyverno/Chart.yaml new/kyverno-1.8.5/charts/kyverno/Chart.yaml --- old/kyverno-1.8.4/charts/kyverno/Chart.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/charts/kyverno/Chart.yaml 2022-12-20 09:41:43.000000000 +0100 @@ -1,8 +1,8 @@ apiVersion: v2 type: application name: kyverno -version: 2.6.4 -appVersion: v1.8.4 +version: 2.6.5 +appVersion: v1.8.5 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management keywords: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/charts/kyverno/README.md new/kyverno-1.8.5/charts/kyverno/README.md --- old/kyverno-1.8.4/charts/kyverno/README.md 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/charts/kyverno/README.md 2022-12-20 09:41:43.000000000 +0100 
@@ -2,7 +2,7 @@ Kubernetes Native Policy Management -   +   ## About diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/charts/kyverno/templates/crds.yaml new/kyverno-1.8.5/charts/kyverno/templates/crds.yaml --- old/kyverno-1.8.4/charts/kyverno/templates/crds.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/charts/kyverno/templates/crds.yaml 2022-12-20 09:41:43.000000000 +0100 @@ -20,7 +20,6 @@ names: categories: - kyverno - - all kind: AdmissionReport listKind: AdmissionReportList plural: admissionreports @@ -286,7 +285,6 @@ names: categories: - kyverno - - all kind: BackgroundScanReport listKind: BackgroundScanReportList plural: backgroundscanreports @@ -518,7 +516,6 @@ names: categories: - kyverno - - all kind: ClusterAdmissionReport listKind: ClusterAdmissionReportList plural: clusteradmissionreports @@ -784,7 +781,6 @@ names: categories: - kyverno - - all kind: ClusterBackgroundScanReport listKind: ClusterBackgroundScanReportList plural: clusterbackgroundscanreports @@ -1016,7 +1012,6 @@ names: categories: - kyverno - - all kind: ClusterPolicy listKind: ClusterPolicyList plural: clusterpolicies @@ -2736,6 +2731,8 @@ predicateType: description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -4562,6 +4559,8 @@ predicateType: description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -6329,6 +6328,8 @@ predicateType: description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: 
@@ -8140,6 +8141,8 @@ predicateType: description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -10519,6 +10522,8 @@ predicateType: description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -12345,6 +12350,8 @@ predicateType: description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -14112,6 +14119,8 @@ predicateType: description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -15923,6 +15932,8 @@ predicateType: description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -16406,7 +16417,6 @@ names: categories: - kyverno - - all kind: UpdateRequest listKind: UpdateRequestList plural: updaterequests diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/charts/kyverno-policies/Chart.yaml new/kyverno-1.8.5/charts/kyverno-policies/Chart.yaml --- old/kyverno-1.8.4/charts/kyverno-policies/Chart.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/charts/kyverno-policies/Chart.yaml 2022-12-20 09:41:43.000000000 +0100 
@@ -1,8 +1,8 @@ apiVersion: v2 type: application name: kyverno-policies -version: 2.6.4 -appVersion: v1.8.4 +version: 2.6.5 +appVersion: v1.8.5 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Pod Security Standards implemented as Kyverno policies keywords: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/charts/kyverno-policies/README.md new/kyverno-1.8.5/charts/kyverno-policies/README.md --- old/kyverno-1.8.4/charts/kyverno-policies/README.md 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/charts/kyverno-policies/README.md 2022-12-20 09:41:43.000000000 +0100 @@ -2,7 +2,7 @@ Kubernetes Pod Security Standards implemented as Kyverno policies -   +   ## About diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/config/crds/kyverno.io_admissionreports.yaml new/kyverno-1.8.5/config/crds/kyverno.io_admissionreports.yaml --- old/kyverno-1.8.4/config/crds/kyverno.io_admissionreports.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/config/crds/kyverno.io_admissionreports.yaml 2022-12-20 09:41:43.000000000 +0100 @@ -11,7 +11,6 @@ names: categories: - kyverno - - all kind: AdmissionReport listKind: AdmissionReportList plural: admissionreports diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/config/crds/kyverno.io_backgroundscanreports.yaml new/kyverno-1.8.5/config/crds/kyverno.io_backgroundscanreports.yaml --- old/kyverno-1.8.4/config/crds/kyverno.io_backgroundscanreports.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/config/crds/kyverno.io_backgroundscanreports.yaml 2022-12-20 09:41:43.000000000 +0100 
@@ -11,7 +11,6 @@ names: categories: - kyverno - - all kind: BackgroundScanReport listKind: BackgroundScanReportList plural: backgroundscanreports diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/config/crds/kyverno.io_clusteradmissionreports.yaml new/kyverno-1.8.5/config/crds/kyverno.io_clusteradmissionreports.yaml --- old/kyverno-1.8.4/config/crds/kyverno.io_clusteradmissionreports.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/config/crds/kyverno.io_clusteradmissionreports.yaml 2022-12-20 09:41:43.000000000 +0100 @@ -11,7 +11,6 @@ names: categories: - kyverno - - all kind: ClusterAdmissionReport listKind: ClusterAdmissionReportList plural: clusteradmissionreports diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/config/crds/kyverno.io_clusterbackgroundscanreports.yaml new/kyverno-1.8.5/config/crds/kyverno.io_clusterbackgroundscanreports.yaml --- old/kyverno-1.8.4/config/crds/kyverno.io_clusterbackgroundscanreports.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/config/crds/kyverno.io_clusterbackgroundscanreports.yaml 2022-12-20 09:41:43.000000000 +0100 @@ -11,7 +11,6 @@ names: categories: - kyverno - - all kind: ClusterBackgroundScanReport listKind: ClusterBackgroundScanReportList plural: clusterbackgroundscanreports diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/config/crds/kyverno.io_clusterpolicies.yaml new/kyverno-1.8.5/config/crds/kyverno.io_clusterpolicies.yaml --- old/kyverno-1.8.4/config/crds/kyverno.io_clusterpolicies.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/config/crds/kyverno.io_clusterpolicies.yaml 2022-12-20 09:41:43.000000000 +0100 @@ -11,7 +11,6 @@ names: categories: - kyverno - - all kind: ClusterPolicy listKind: ClusterPolicyList plural: clusterpolicies 
@@ -2748,6 +2747,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -5789,6 +5790,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -8586,6 +8589,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -11602,6 +11607,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/config/crds/kyverno.io_policies.yaml new/kyverno-1.8.5/config/crds/kyverno.io_policies.yaml --- old/kyverno-1.8.4/config/crds/kyverno.io_policies.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/config/crds/kyverno.io_policies.yaml 2022-12-20 09:41:43.000000000 +0100 @@ -2749,6 +2749,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -5791,6 +5793,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -8589,6 +8593,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: 
@@ -11605,6 +11611,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/config/crds/kyverno.io_updaterequests.yaml new/kyverno-1.8.5/config/crds/kyverno.io_updaterequests.yaml --- old/kyverno-1.8.4/config/crds/kyverno.io_updaterequests.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/config/crds/kyverno.io_updaterequests.yaml 2022-12-20 09:41:43.000000000 +0100 @@ -11,7 +11,6 @@ names: categories: - kyverno - - all kind: UpdateRequest listKind: UpdateRequestList plural: updaterequests diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/config/install.yaml new/kyverno-1.8.5/config/install.yaml --- old/kyverno-1.8.4/config/install.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/config/install.yaml 2022-12-20 09:41:43.000000000 +0100 @@ -28,7 +28,6 @@ names: categories: - kyverno - - all kind: AdmissionReport listKind: AdmissionReportList plural: admissionreports @@ -376,7 +375,6 @@ names: categories: - kyverno - - all kind: BackgroundScanReport listKind: BackgroundScanReportList plural: backgroundscanreports @@ -684,7 +682,6 @@ names: categories: - kyverno - - all kind: ClusterAdmissionReport listKind: ClusterAdmissionReportList plural: clusteradmissionreports @@ -1033,7 +1030,6 @@ names: categories: - kyverno - - all kind: ClusterBackgroundScanReport listKind: ClusterBackgroundScanReportList plural: clusterbackgroundscanreports @@ -1341,7 +1337,6 @@ names: categories: - kyverno - - all kind: ClusterPolicy listKind: ClusterPolicyList plural: clusterpolicies @@ -4078,6 +4073,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: 
@@ -7119,6 +7116,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -9916,6 +9915,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -12932,6 +12933,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -16560,6 +16563,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -19602,6 +19607,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -22400,6 +22407,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -25416,6 +25425,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -26115,7 +26126,6 @@ names: categories: - kyverno - - all kind: UpdateRequest listKind: UpdateRequestList plural: updaterequests diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/config/install_debug.yaml new/kyverno-1.8.5/config/install_debug.yaml --- old/kyverno-1.8.4/config/install_debug.yaml 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/config/install_debug.yaml 2022-12-20 09:41:43.000000000 +0100 @@ -26,7 +26,6 @@ names: categories: - kyverno - - all kind: AdmissionReport listKind: AdmissionReportList plural: admissionreports 
@@ -373,7 +372,6 @@ names: categories: - kyverno - - all kind: BackgroundScanReport listKind: BackgroundScanReportList plural: backgroundscanreports @@ -680,7 +678,6 @@ names: categories: - kyverno - - all kind: ClusterAdmissionReport listKind: ClusterAdmissionReportList plural: clusteradmissionreports @@ -1028,7 +1025,6 @@ names: categories: - kyverno - - all kind: ClusterBackgroundScanReport listKind: ClusterBackgroundScanReportList plural: clusterbackgroundscanreports @@ -1335,7 +1331,6 @@ names: categories: - kyverno - - all kind: ClusterPolicy listKind: ClusterPolicyList plural: clusterpolicies @@ -4072,6 +4067,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -7113,6 +7110,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -9910,6 +9909,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -12926,6 +12927,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -16551,6 +16554,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -19593,6 +19598,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -22391,6 +22398,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: 
@@ -25407,6 +25416,8 @@ description: PredicateType defines the type of Predicate contained within the Statement. type: string + required: + - predicateType type: object type: array attestors: @@ -26104,7 +26115,6 @@ names: categories: - kyverno - - all kind: UpdateRequest listKind: UpdateRequestList plural: updaterequests diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/docs/user/crd/index.html new/kyverno-1.8.5/docs/user/crd/index.html --- old/kyverno-1.8.4/docs/user/crd/index.html 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/docs/user/crd/index.html 2022-12-20 09:41:43.000000000 +0100 @@ -827,7 +827,6 @@ </em> </td> <td> -<em>(Optional)</em> <p>Conditions are used to verify attributes within a Predicate. If no Conditions are specified the attestation check is satisfied as long there are predicates that match the predicate type.</p> </td> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/pkg/engine/imageVerify.go new/kyverno-1.8.5/pkg/engine/imageVerify.go --- old/kyverno-1.8.4/pkg/engine/imageVerify.go 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/pkg/engine/imageVerify.go 2022-12-20 09:41:43.000000000 +0100 
@@ -308,48 +308,68 @@ } if len(imageVerify.Attestors) > 0 { - ruleResp, _, _ := iv.verifyAttestors(imageVerify.Attestors, imageVerify, imageInfo, "") + ruleResp, cosignResp := iv.verifyAttestors(imageVerify.Attestors, imageVerify, imageInfo, "") if ruleResp.Status != response.RuleStatusPass { return ruleResp, "" } + + if len(imageVerify.Attestations) == 0 { + return ruleResp, cosignResp.Digest + } + + if imageInfo.Digest == "" { + imageInfo.Digest = cosignResp.Digest + } + + if len(imageVerify.Attestations) == 0 { + return ruleResp, cosignResp.Digest + } + + if imageInfo.Digest == "" { + imageInfo.Digest = cosignResp.Digest + } } return iv.verifyAttestations(imageVerify, imageInfo) } -func (iv *imageVerifier) verifyAttestors(attestors []kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification, - imageInfo apiutils.ImageInfo, predicateType string, -) (*response.RuleResponse, *cosign.Response, []kyvernov1.AttestorSet) { +func (iv *imageVerifier) verifyAttestors( + attestors []kyvernov1.AttestorSet, + imageVerify kyvernov1.ImageVerification, + imageInfo apiutils.ImageInfo, + predicateType string, +) (*response.RuleResponse, *cosign.Response) { var cosignResponse *cosign.Response - var newAttestors []kyvernov1.AttestorSet image := imageInfo.String() for i, attestorSet := range attestors { var err error path := fmt.Sprintf(".attestors[%d]", i) iv.logger.V(4).Info("verifying attestors", "path", path) - cosignResponse, err = iv.verifyAttestorSet(attestorSet, imageVerify, imageInfo, path, predicateType) + cosignResponse, err = iv.verifyAttestorSet(attestorSet, imageVerify, imageInfo, path) if err != nil { iv.logger.Error(err, "failed to verify image") - msg := fmt.Sprintf("failed to verify image %s: %s", image, err.Error()) - - // handle registry network errors as a rule error (instead of a policy failure) - var netErr *net.OpError - if errors.As(err, &netErr) { - return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil), nil, nil - } - 
- return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil), nil, nil + return iv.handleRegistryErrors(image, err), nil } - newAttestors = append(newAttestors, attestors[i]) } if cosignResponse == nil { - return ruleError(iv.rule, response.ImageVerify, "invalid response", fmt.Errorf("nil")), nil, nil + return ruleError(iv.rule, response.ImageVerify, "invalid response", fmt.Errorf("nil")), nil } msg := fmt.Sprintf("verified image signatures for %s", image) - return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), cosignResponse, newAttestors + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), cosignResponse +} + +// handle registry network errors as a rule error (instead of a policy failure) +func (iv *imageVerifier) handleRegistryErrors(image string, err error) *response.RuleResponse { + msg := fmt.Sprintf("failed to verify image %s: %s", image, err.Error()) + var netErr *net.OpError + if errors.As(err, &netErr) { + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil) + } + + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil) } func (iv *imageVerifier) verifyAttestations(imageVerify kyvernov1.ImageVerification, imageInfo apiutils.ImageInfo) (*response.RuleResponse, string) { 
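Review bot: The two statements after the `RuleStatusPass` check are duplicated verbatim: `if len(imageVerify.Attestations) == 0 { return ruleResp, cosignResp.Digest }` and `if imageInfo.Digest == "" { imageInfo.Digest = cosignResp.Digest }` each appear twice in a row, and the second pair can never take effect, so it should be deleted. `verifyAttestors` also still declares `predicateType string` although it no longer forwards it to `verifyAttestorSet`; drop the parameter or document why it is kept. In its loop `cosignResponse` is overwritten for every attestor set, so the digest handed back (and copied into `imageInfo.Digest` for the attestation checks) is the last set's; either add a comment that all sets are expected to resolve to the same digest, or compare them and fail the rule on a mismatch. The function containing the first changed lines begins before the hunk.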
@@ -358,62 +378,66 @@ var attestationError error path := fmt.Sprintf(".attestations[%d]", i) - attestors := attestation.Attestors + if attestation.PredicateType == "" { + return ruleResponse(*iv.rule, response.ImageVerify, path+": missing predicateType", response.RuleStatusFail, nil), "" + } + if len(attestation.Attestors) == 0 { - attestors = []kyvernov1.AttestorSet{{}} + // add an empty attestor to allow fetching and checking attestations + attestation.Attestors = []kyvernov1.AttestorSet{{Entries: []kyvernov1.Attestor{{}}}} } - for j, attestor := range attestors { + for j, attestor := range attestation.Attestors { attestorPath := fmt.Sprintf("%s.attestors[%d]", path, j) - requiredCount := getRequiredCount(attestor) verifiedCount := 0 - entries := attestor.Entries - if len(entries) == 0 { - entries = []kyvernov1.Attestor{{}} - } - - for _, a := range entries { + for _, a := range attestor.Entries { entryPath := fmt.Sprintf("%s.entries[%d]", attestorPath, i) - opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, attestation) + opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, &imageVerify.Attestations[i]) cosignResp, err := cosign.FetchAttestations(*opts) if err != nil { iv.logger.Error(err, "failed to fetch attestations") - msg := fmt.Sprintf("failed to fetch attestations %s: %s", image, err.Error()) - // handle registry network errors as a rule error (instead of a policy failure) - var netErr *net.OpError - if errors.As(err, &netErr) { - return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusError, nil), "" - } + return iv.handleRegistryErrors(image, err), "" + } - return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil), "" + if imageInfo.Digest == "" { + imageInfo.Digest = cosignResp.Digest + image = imageInfo.String() } - verifiedCount++ attestationError = iv.verifyAttestation(cosignResp.Statements, attestation, imageInfo) if attestationError != nil { attestationError = 
errors.Wrapf(attestationError, entryPath+subPath) return ruleResponse(*iv.rule, response.ImageVerify, attestationError.Error(), response.RuleStatusFail, nil), "" } + verifiedCount++ if verifiedCount >= requiredCount { - msg := fmt.Sprintf("image attestations verification succeeded, verifiedCount: %v, requiredCount: %v", verifiedCount, requiredCount) - iv.logger.V(2).Info(msg) - return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), "" + iv.logger.V(2).Info("image attestations verification succeeded", "verifiedCount", verifiedCount, "requiredCount", requiredCount) + break } } + + if verifiedCount < requiredCount { + msg := fmt.Sprintf("image attestations verification failed, verifiedCount: %v, requiredCount: %v", verifiedCount, requiredCount) + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusFail, nil), "" + } } + iv.logger.V(4).Info("attestation checks passed", "path", path, "image", imageInfo.String(), "predicateType", attestation.PredicateType) } msg := fmt.Sprintf("verified image attestations for %s", image) iv.logger.V(2).Info(msg) - return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), "" + return ruleResponse(*iv.rule, response.ImageVerify, msg, response.RuleStatusPass, nil), imageInfo.Digest } -func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification, - imageInfo apiutils.ImageInfo, path, predicateType string, +func (iv *imageVerifier) verifyAttestorSet( + attestorSet kyvernov1.AttestorSet, + imageVerify kyvernov1.ImageVerification, + imageInfo apiutils.ImageInfo, + path string, ) (*cosign.Response, error) { var errorList []error verifiedCount := 0 
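Review bot: In the entries loop of `verifyAttestations`, any fetch or verification error returns a failing rule response at once, so `requiredCount` is not an N-of-M threshold here: the new `if verifiedCount < requiredCount` branch is reachable only when the attestor set has fewer entries than the count asks for. That fails closed, but it differs from `verifyAttestorSet`, which declares an `errorList` and appears to collect per-entry errors; if fail-fast is intended, say so with a comment like `// any failing entry rejects the image; count only bounds how many entries are tried`. The loop also formats `entryPath` with the outer attestation index `i` because the range discards its own index; `for k, a := range attestor.Entries {` with `entryPath := fmt.Sprintf("%s.entries[%d]", attestorPath, k)` would point at the right entry in failure messages. The loop over attestations starts before the hunk.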
@@ -433,10 +457,10 @@ entryError = errors.Wrapf(err, "failed to unmarshal nested attestor %s", attestorPath) } else { attestorPath += ".attestor" - cosignResp, entryError = iv.verifyAttestorSet(*nestedAttestorSet, imageVerify, imageInfo, attestorPath, predicateType) + cosignResp, entryError = iv.verifyAttestorSet(*nestedAttestorSet, imageVerify, imageInfo, attestorPath) } } else { - opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, kyvernov1.Attestation{PredicateType: predicateType}) + opts, subPath := iv.buildOptionsAndPath(a, imageVerify, image, nil) cosignResp, entryError = cosign.VerifySignature(*opts) if entryError != nil { entryError = errors.Wrapf(entryError, attestorPath+subPath) @@ -511,7 +535,7 @@ return *as.Count } -func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageVerify kyvernov1.ImageVerification, image string, attestation kyvernov1.Attestation) (*cosign.Options, string) { +func (iv *imageVerifier) buildOptionsAndPath(attestor kyvernov1.Attestor, imageVerify kyvernov1.ImageVerification, image string, attestation *kyvernov1.Attestation) (*cosign.Options, string) { path := "" opts := &cosign.Options{ ImageRef: image, @@ -523,8 +547,8 @@ opts.Roots = imageVerify.Roots } - opts.PredicateType = attestation.PredicateType - if attestation.PredicateType != "" { + if attestation != nil { + opts.PredicateType = attestation.PredicateType opts.FetchAttestations = true } 
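Review bot: `buildOptionsAndPath` (hunks at -511 and -523) now switches behaviour on whether `attestation` is nil, and nothing documents that contract. With the old value parameter an empty `PredicateType` left `FetchAttestations` false; with the pointer, any non-nil attestation turns it on, even one whose `PredicateType` is empty, so the function relies on its callers having rejected empty predicate types first. A doc comment would make this explicit: `// buildOptionsAndPath builds cosign options for one attestor; a nil attestation selects signature verification, a non-nil one selects attestation fetching and must carry a PredicateType.` The function body continues past the hunk.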
@@ -573,14 +597,18 @@ } func (iv *imageVerifier) verifyAttestation(statements []map[string]interface{}, attestation kyvernov1.Attestation, imageInfo apiutils.ImageInfo) error { + if attestation.PredicateType == "" { + return fmt.Errorf("a predicateType is required") + } + image := imageInfo.String() statementsByPredicate, types := buildStatementMap(statements) iv.logger.V(4).Info("checking attestations", "predicates", types, "image", image) statements = statementsByPredicate[attestation.PredicateType] if statements == nil { - iv.logger.Info("attestation predicate type not found", "type", attestation.PredicateType, "predicates", types, "image", imageInfo.String()) - return fmt.Errorf("predicate type %s not found", attestation.PredicateType) + iv.logger.Info("no attestations found for predicate", "type", attestation.PredicateType, "predicates", types, "image", imageInfo.String()) + return fmt.Errorf("attestions not found for predicate type %s", attestation.PredicateType) } for _, s := range statements { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/pkg/engine/imageVerify_test.go new/kyverno-1.8.5/pkg/engine/imageVerify_test.go --- old/kyverno-1.8.4/pkg/engine/imageVerify_test.go 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/pkg/engine/imageVerify_test.go 2022-12-20 09:41:43.000000000 +0100 @@ -42,6 +42,17 @@ "attestations": [ { "predicateType": "https://example.com/CodeReview/v1", + "attestors": [ + { + "entries": [ + { + "keys": { + "publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHMmDjK65krAyDaGaeyWNzgvIu155JI50B2vezCw8+3CVeE0lJTL5dbL3OP98Za0oAEBJcOxky8Riy/XcmfKZbw==\n-----END PUBLIC KEY-----" + } + } + ] + } + ], "conditions": [ { "all": [ 
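Review bot: The new error text in `verifyAttestation` misspells the word: `"attestions not found for predicate type %s"` should read `return fmt.Errorf("attestations not found for predicate type %s", attestation.PredicateType)`. The caller in `verifyAttestations` puts this error's text into the rule response, so it is user-visible and worth fixing before anything starts matching on it. The `statements == nil` test just above would also be more robust as `len(statements) == 0`, which treats an empty list the same as a missing key. The function continues after the hunk.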
@@ -427,28 +438,32 @@ func Test_SignatureGoodSigned(t *testing.T) { policyContext := buildContext(t, testSampleSingleKeyPolicy, testSampleResource, "") + policyContext.Policy.GetSpec().Rules[0].VerifyImages[0].MutateDigest = true cosign.ClearMock() - err, _ := VerifyAndPatchImages(policyContext) - assert.Equal(t, len(err.PolicyResponse.Rules), 1) - assert.Equal(t, err.PolicyResponse.Rules[0].Status, response.RuleStatusPass, err.PolicyResponse.Rules[0].Message) + engineResp, _ := VerifyAndPatchImages(policyContext) + assert.Equal(t, len(engineResp.PolicyResponse.Rules), 1) + assert.Equal(t, engineResp.PolicyResponse.Rules[0].Status, response.RuleStatusPass, engineResp.PolicyResponse.Rules[0].Message) + assert.Equal(t, len(engineResp.PolicyResponse.Rules[0].Patches), 1) + patch := engineResp.PolicyResponse.Rules[0].Patches[0] + assert.Equal(t, string(patch), "{\"op\":\"replace\",\"path\":\"/spec/containers/0/image\",\"value\":\"ghcr.io/kyverno/test-verify-image:signed@sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105\"}") } func Test_SignatureUnsigned(t *testing.T) { cosign.ClearMock() unsigned := strings.Replace(testSampleResource, ":signed", ":unsigned", -1) policyContext := buildContext(t, testSampleSingleKeyPolicy, unsigned, "") - err, _ := VerifyAndPatchImages(policyContext) - assert.Equal(t, len(err.PolicyResponse.Rules), 1) - assert.Equal(t, err.PolicyResponse.Rules[0].Status, response.RuleStatusFail, err.PolicyResponse.Rules[0].Message) + engineResp, _ := VerifyAndPatchImages(policyContext) + assert.Equal(t, len(engineResp.PolicyResponse.Rules), 1) + assert.Equal(t, engineResp.PolicyResponse.Rules[0].Status, response.RuleStatusFail, engineResp.PolicyResponse.Rules[0].Message) } func Test_SignatureWrongKey(t *testing.T) { cosign.ClearMock() otherKey := strings.Replace(testSampleResource, ":signed", ":signed-by-someone-else", -1) policyContext := buildContext(t, testSampleSingleKeyPolicy, otherKey, "") - err, _ := 
VerifyAndPatchImages(policyContext) - assert.Equal(t, len(err.PolicyResponse.Rules), 1) - assert.Equal(t, err.PolicyResponse.Rules[0].Status, response.RuleStatusFail, err.PolicyResponse.Rules[0].Message) + engineResp, _ := VerifyAndPatchImages(policyContext) + assert.Equal(t, len(engineResp.PolicyResponse.Rules), 1) + assert.Equal(t, engineResp.PolicyResponse.Rules[0].Status, response.RuleStatusFail, engineResp.PolicyResponse.Rules[0].Message) } func Test_SignaturesMultiKey(t *testing.T) { @@ -457,9 +472,9 @@ policy = strings.Replace(policy, "KEY2", testVerifyImageKey, -1) policy = strings.Replace(policy, "COUNT", "0", -1) policyContext := buildContext(t, policy, testSampleResource, "") - err, _ := VerifyAndPatchImages(policyContext) - assert.Equal(t, len(err.PolicyResponse.Rules), 1) - assert.Equal(t, err.PolicyResponse.Rules[0].Status, response.RuleStatusPass, err.PolicyResponse.Rules[0].Message) + engineResp, _ := VerifyAndPatchImages(policyContext) + assert.Equal(t, len(engineResp.PolicyResponse.Rules), 1) + assert.Equal(t, engineResp.PolicyResponse.Rules[0].Status, response.RuleStatusPass, engineResp.PolicyResponse.Rules[0].Message) } func Test_SignaturesMultiKeyFail(t *testing.T) { @@ -467,9 +482,9 @@ policy := strings.Replace(testSampleMultipleKeyPolicy, "KEY1", testVerifyImageKey, -1) policy = strings.Replace(policy, "COUNT", "0", -1) policyContext := buildContext(t, policy, testSampleResource, "") - err, _ := VerifyAndPatchImages(policyContext) - assert.Equal(t, len(err.PolicyResponse.Rules), 1) - assert.Equal(t, err.PolicyResponse.Rules[0].Status, response.RuleStatusFail, err.PolicyResponse.Rules[0].Message) + engineResp, _ := VerifyAndPatchImages(policyContext) + assert.Equal(t, len(engineResp.PolicyResponse.Rules), 1) + assert.Equal(t, engineResp.PolicyResponse.Rules[0].Status, response.RuleStatusFail, engineResp.PolicyResponse.Rules[0].Message) } func Test_SignaturesMultiKeyOneGoodKey(t *testing.T) { 
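Review bot: The new digest assertion in `Test_SignatureGoodSigned` covers only the signature path; nothing in these test hunks asserts the digest that `verifyAttestations` now returns, which is the other half of the change. A sibling test that sets `MutateDigest = true` on an attestation policy and checks the resulting patch value would pin that behaviour. Because the test calls `cosign.ClearMock()` and compares against a fixed `sha256:` value, it presumably resolves the tag against the live registry; a short comment noting that dependency would help whoever sees it fail offline or after the tag moves.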
@@ -478,9 +493,9 @@ policy = strings.Replace(policy, "KEY2", testOtherKey, -1) policy = strings.Replace(policy, "COUNT", "1", -1) policyContext := buildContext(t, policy, testSampleResource, "") - err, _ := VerifyAndPatchImages(policyContext) - assert.Equal(t, len(err.PolicyResponse.Rules), 1) - assert.Equal(t, err.PolicyResponse.Rules[0].Status, response.RuleStatusPass, err.PolicyResponse.Rules[0].Message) + engineResp, _ := VerifyAndPatchImages(policyContext) + assert.Equal(t, len(engineResp.PolicyResponse.Rules), 1) + assert.Equal(t, engineResp.PolicyResponse.Rules[0].Status, response.RuleStatusPass, engineResp.PolicyResponse.Rules[0].Message) } func Test_SignaturesMultiKeyZeroGoodKey(t *testing.T) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.8.4/pkg/utils/controller/handlers.go new/kyverno-1.8.5/pkg/utils/controller/handlers.go --- old/kyverno-1.8.4/pkg/utils/controller/handlers.go 2022-12-09 09:34:04.000000000 +0100 +++ new/kyverno-1.8.5/pkg/utils/controller/handlers.go 2022-12-20 09:41:43.000000000 +0100 @@ -5,6 +5,7 @@ "time" "github.com/go-logr/logr" + kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/tools/cache" "k8s.io/client-go/util/workqueue" 
@@ -26,16 +27,19 @@ informer.AddEventHandler(cache.ResourceEventHandlerFuncs{ AddFunc: a, UpdateFunc: u, - DeleteFunc: d, + DeleteFunc: func(obj interface{}) { + d(kubeutils.GetObjectWithTombstone(obj)) + }, }) } func AddEventHandlersT[T any](informer cache.SharedInformer, a addFuncT[T], u updateFuncT[T], d deleteFuncT[T]) { - informer.AddEventHandler(cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { a(obj.(T)) }, - UpdateFunc: func(old, obj interface{}) { u(old.(T), obj.(T)) }, - DeleteFunc: func(obj interface{}) { d(obj.(T)) }, - }) + AddEventHandlers( + informer, + func(obj interface{}) { a(obj.(T)) }, + func(old, obj interface{}) { u(old.(T), obj.(T)) }, + func(obj interface{}) { d(obj.(T)) }, + ) } func AddKeyedEventHandlers(logger logr.Logger, informer cache.SharedInformer, queue workqueue.RateLimitingInterface, parseKey keyFunc) EnqueueFunc { ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/kyverno/vendor.tar.gz /work/SRC/openSUSE:Factory/.kyverno.new.1835/vendor.tar.gz differ: char 5, line 1
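Review bot: The `DeleteFunc` wrapper in `AddEventHandlers` calls `d` unconditionally, whereas the old `DeleteFunc: d` let client-go skip a nil handler; a caller that passes nil for `d` would now panic on the first delete event. Guard the call inside the closure: `if d != nil { d(kubeutils.GetObjectWithTombstone(obj)) }`. `AddEventHandlersT` still applies the unchecked assertion `obj.(T)` to whatever `GetObjectWithTombstone` returns, and its result for an object it cannot unwrap is not visible here. A comma-ok assertion that logs and skips would keep an unexpected type from crashing the controller.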
