Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package kyverno for openSUSE:Factory checked in at 2025-02-07 23:06:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kyverno (Old) and /work/SRC/openSUSE:Factory/.kyverno.new.2316 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kyverno" Fri Feb 7 23:06:29 2025 rev:42 rq:1244092 version:1.13.3 Changes: -------- --- /work/SRC/openSUSE:Factory/kyverno/kyverno.changes 2024-12-10 23:46:17.835469580 +0100 +++ /work/SRC/openSUSE:Factory/.kyverno.new.2316/kyverno.changes 2025-02-07 23:11:28.101500690 +0100 
@@ -1,0 +2,37 @@ +Fri Feb 07 08:23:32 UTC 2025 - [email protected] + +- Update to version 1.13.3: + * feat: release v1.13.3 (#12105) + * replace ghcr.io to reg.kyverno.io (#12031) (#12106) + * chore: bump golang.org/x/net to 0.33.0 for release-1.13 + (#12040) + * Fix default value for apiCall context (#11733) (#11988) + * log non fatal parsing errors (#11932) (#11949) + * feat: update annotations of kyverno images (#11935) (#11938) + * chore: bump opa 0.68.0 (#11786) + * fix(reports-controller): add a flag to disable reports sanity + checks (#11867) (#11875) + * remove policy exception dependancy from globalcontext and add + some tests (#11788) (#11854) + * fix global context error message logic error (#11815) (#11853) + * Fix: Policy with failureActionOverrides not applying desired + failure actions in desired namespaces (#11811) (#11850) + * fix panic when rules are empty (#11821) (#11848) + * Fix panic in background controller when updating Generate rule + (#11835) (#11846) + * fix: [Helm] mergeOverwrite overwrites nested objects #11536 + (#11584) (#11797) + * fix: remove extra line in configmsp (#11762) (#11776) + * chore: bump python to 3.13.1 (#11801) + * fix: update chainsaw test apply timeout to 30s (cherry-pick + #11794) (#11802) + * fix: copy all the fields of public keys when splitting (#11770) + (#11798) + * fix: exemption error caused by convertChecks function (#11780) + (#11787) + * fix: pin sigstore (#11777) + * fix: revert default background scan interval to 1h (#11754) + (#11756) + * chore: bump golang.org/x/crypto 0.31.0 (#11753) + +------------------------------------------------------------------- Old: ---- kyverno-1.13.2.obscpio New: ---- kyverno-1.13.3.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kyverno.spec ++++++ --- /var/tmp/diff_new_pack.G7KLJW/_old 2025-02-07 23:11:29.861573128 +0100 +++ /var/tmp/diff_new_pack.G7KLJW/_new 2025-02-07 23:11:29.865573293 +0100 
@@ -1,7 +1,7 @@ # # spec file for package kyverno # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: kyverno -Version: 1.13.2 +Version: 1.13.3 Release: 0 Summary: CLI and kubectl plugin for Kyverno License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.G7KLJW/_old 2025-02-07 23:11:29.901574774 +0100 +++ /var/tmp/diff_new_pack.G7KLJW/_new 2025-02-07 23:11:29.905574939 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/kyverno/kyverno</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.13.2</param> + <param name="revision">v1.13.3</param> <param name="match-tag">v*</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.G7KLJW/_old 2025-02-07 23:11:29.921575597 +0100 +++ /var/tmp/diff_new_pack.G7KLJW/_new 2025-02-07 23:11:29.925575762 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/kyverno/kyverno</param> - <param name="changesrevision">a96b1a4794b4d25cb0c6d72c05fc6355e95cf65c</param></service></servicedata> + <param name="changesrevision">425ff9dff6472a15bd46b322606b97f84247525e</param></service></servicedata> (No newline at EOF) ++++++ kyverno-1.13.2.obscpio -> kyverno-1.13.3.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/.chainsaw.yaml new/kyverno-1.13.3/.chainsaw.yaml --- old/kyverno-1.13.2/.chainsaw.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/.chainsaw.yaml 2025-02-06 11:56:16.000000000 +0100 
@@ -4,6 +4,7 @@ name: configuration spec: timeouts: + apply: 30s assert: 90s error: 90s parallel: 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/.github/workflows/conformance.yaml new/kyverno-1.13.3/.github/workflows/conformance.yaml --- old/kyverno-1.13.2/.github/workflows/conformance.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/.github/workflows/conformance.yaml 2025-02-06 11:56:16.000000000 +0100 @@ -595,7 +595,7 @@ verify: true # create cluster - name: Create kind cluster and setup Sigstore Scaffolding - uses: sigstore/scaffolding/actions/setup@3c79cb2714d1c724551ae859bcbde1a3204ff8ac # v0.7.11 + uses: sigstore/scaffolding/actions/setup@7dd406abbfb07599b10ad048a397a4904d3e40cc with: version: main k8s-version: ${{ matrix.k8s-version }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/.github/workflows/helm-release.yaml new/kyverno-1.13.3/.github/workflows/helm-release.yaml --- old/kyverno-1.13.2/.github/workflows/helm-release.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/.github/workflows/helm-release.yaml 2025-02-06 11:56:16.000000000 +0100 
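Review bot: The new `sigstore/scaffolding/actions/setup` pin in conformance.yaml drops the `# v0.7.11` tag comment the old line carried, so the commit SHA is no longer traceable to a release tag and automated pin-update tooling loses the version it keys on. Keep the SHA pin, which is the right supply-chain practice, but restore the trailing comment, e.g. `uses: sigstore/scaffolding/actions/setup@7dd406abbfb07599b10ad048a397a4904d3e40cc # <tag or date this sha corresponds to>`. The other action pins in this release (helm-release.yaml, helm-test.yaml) keep their version comments, so this line is the odd one out.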
@@ -25,9 +25,9 @@ - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 - - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: - python-version: 3.7 + python-version: 3.13.1 - name: Set up chart-testing uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Run chart-testing (lint) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/.github/workflows/helm-test.yaml new/kyverno-1.13.3/.github/workflows/helm-test.yaml --- old/kyverno-1.13.2/.github/workflows/helm-test.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/.github/workflows/helm-test.yaml 2025-02-06 11:56:16.000000000 +0100 @@ -33,9 +33,9 @@ uses: ./.github/actions/setup-build-env timeout-minutes: 10 - name: Setup python - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 with: - python-version: 3.7 + python-version: 3.13.1 - name: Set up chart-testing uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Run chart-testing (lint) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/Makefile new/kyverno-1.13.3/Makefile --- old/kyverno-1.13.2/Makefile 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/Makefile 2025-02-06 11:56:16.000000000 +0100 
@@ -60,7 +60,7 @@ HELM_DOCS ?= $(TOOLS_DIR)/helm-docs HELM_DOCS_VERSION ?= v1.11.0 KO ?= $(TOOLS_DIR)/ko -KO_VERSION ?= v0.14.1 +KO_VERSION ?= v0.17.1 KUBE_VERSION ?= v1.25.0 TOOLS := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(REGISTER_GEN) $(DEEPCOPY_GEN) $(DEFAULTER_GEN) $(APPLYCONFIGURATION_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GENREF) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO) ifeq ($(GOOS), darwin) 
@@ -333,32 +333,38 @@ .PHONY: ko-publish-kyverno-init ko-publish-kyverno-init: ko-login ## Build and publish kyvernopre image (with ko) @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_KYVERNOPRE) \ - $(KO) build ./$(KYVERNOPRE_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) + $(KO) build ./$(KYVERNOPRE_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) \ + --image-annotation 'org.opencontainers.image.authors'='The Kyverno team','org.opencontainers.image.source'='github.com/kyverno/kyverno/commit/${GIT_SHA}','org.opencontainers.image.vendor'='Kyverno','org.opencontainers.image.url'='ghcr.io/kyverno/kyvernopre' .PHONY: ko-publish-kyverno ko-publish-kyverno: ko-login ## Build and publish kyverno image (with ko) @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_KYVERNO) \ - $(KO) build ./$(KYVERNO_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) + $(KO) build ./$(KYVERNO_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) \ + --image-annotation 'org.opencontainers.image.authors'='The Kyverno team','org.opencontainers.image.source'='github.com/kyverno/kyverno/commit/${GIT_SHA}','org.opencontainers.image.vendor'='Kyverno','org.opencontainers.image.url'='ghcr.io/kyverno/kyverno' .PHONY: ko-publish-cli ko-publish-cli: ko-login ## Build and publish cli image (with ko) @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_CLI) \ - $(KO) build ./$(CLI_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) + $(KO) build ./$(CLI_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) \ + --image-annotation 'org.opencontainers.image.authors'='The Kyverno Team','org.opencontainers.image.source'='github.com/kyverno/kyverno/commit/${GIT_SHA}','org.opencontainers.image.vendor'='Kyverno','org.opencontainers.image.url'='ghcr.io/kyverno/kyverno-cli' .PHONY: ko-publish-cleanup-controller ko-publish-cleanup-controller: ko-login ## Build and publish cleanup controller image (with ko) @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) 
KO_DOCKER_REPO=$(REPO_CLEANUP) \ - $(KO) build ./$(CLEANUP_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) + $(KO) build ./$(CLEANUP_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) \ + --image-annotation 'org.opencontainers.image.authors'='The Kyverno Team','org.opencontainers.image.source'='github.com/kyverno/kyverno/commit/${GIT_SHA}','org.opencontainers.image.vendor'='Kyverno','org.opencontainers.image.url'='ghcr.io/kyverno/cleanup-controller' .PHONY: ko-publish-reports-controller ko-publish-reports-controller: ko-login ## Build and publish reports controller image (with ko) @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_REPORTS) \ - $(KO) build ./$(REPORTS_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) + $(KO) build ./$(REPORTS_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) \ + --image-annotation 'org.opencontainers.image.authors'='The Kyverno team','org.opencontainers.image.source'='github.com/kyverno/kyverno/commit/${GIT_SHA}','org.opencontainers.image.vendor'='Kyverno','org.opencontainers.image.url'='ghcr.io/kyverno/reports-controller' .PHONY: ko-publish-background-controller ko-publish-background-controller: ko-login ## Build and publish background controller image (with ko) @LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_BACKGROUND) \ - $(KO) build ./$(BACKGROUND_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) + $(KO) build ./$(BACKGROUND_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS) \ + --image-annotation 'org.opencontainers.image.authors'='The Kyverno team','org.opencontainers.image.source'='github.com/kyverno/kyverno/commit/${GIT_SHA}','org.opencontainers.image.vendor'='Kyverno','org.opencontainers.image.url'='ghcr.io/kyverno/background-controller' .PHONY: ko-publish-all ko-publish-all: ko-publish-kyverno-init ko-publish-kyverno ko-publish-cli ko-publish-cleanup-controller ko-publish-reports-controller ko-publish-background-controller ## Build and publish all images (with ko) diff 
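Review bot: The six new `--image-annotation` lines hard-code `'org.opencontainers.image.url'='ghcr.io/kyverno/...'` while this same release moves the chart's `defaultRegistry` from ghcr.io to reg.kyverno.io; if reg.kyverno.io is now the canonical distribution point the annotation will point consumers at the wrong registry, so confirm which one is intended. The `authors` value is also inconsistent across targets (`'The Kyverno team'` for kyverno-init, kyverno, reports-controller and background-controller, `'The Kyverno Team'` for cli and cleanup-controller), and `org.opencontainers.image.source` is defined by the OCI annotations spec as a URL, so `'https://github.com/kyverno/kyverno/commit/${GIT_SHA}'` would be the conformant form. Since four of the five annotations are identical in every target, factoring them into one variable such as `IMAGE_ANNOTATIONS := 'org.opencontainers.image.authors'='The Kyverno Team','org.opencontainers.image.source'='https://github.com/kyverno/kyverno/commit/${GIT_SHA}','org.opencontainers.image.vendor'='Kyverno'` and appending only the per-image `url` in each recipe would remove the drift.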
-urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/Chart.yaml new/kyverno-1.13.3/charts/kyverno/Chart.yaml --- old/kyverno-1.13.2/charts/kyverno/Chart.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/Chart.yaml 2025-02-06 11:56:16.000000000 +0100 @@ -1,8 +1,8 @@ apiVersion: v2 type: application name: kyverno -version: 3.3.4 -appVersion: v1.13.2 +version: 3.3.5 +appVersion: v1.13.3 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management keywords: @@ -37,10 +37,12 @@ description: fix validation error in validate.yaml - kind: fixed description: fixed global image registry config by introducing *.image.defaultRegistry. + - kind: added + description: added a new option .reportsController.sanityChecks to disable checks for policy reports crds dependencies: - name: grafana - version: 3.3.4 + version: 3.3.5 condition: grafana.enabled - name: crds - version: 3.3.4 + version: 3.3.5 condition: crds.install diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/README.md new/kyverno-1.13.3/charts/kyverno/README.md --- old/kyverno-1.13.2/charts/kyverno/README.md 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/README.md 2025-02-06 11:56:16.000000000 +0100 @@ -2,7 +2,7 @@ Kubernetes Native Policy Management -   +   ## About 
@@ -265,7 +265,7 @@ | crds.migration.enabled | bool | `true` | Enable CRDs migration using helm post upgrade hook | | crds.migration.resources | list | `["cleanuppolicies.kyverno.io","clustercleanuppolicies.kyverno.io","clusterpolicies.kyverno.io","globalcontextentries.kyverno.io","policies.kyverno.io","policyexceptions.kyverno.io","updaterequests.kyverno.io"]` | Resources to migrate | | crds.migration.image.registry | string | `nil` | Image registry | -| crds.migration.image.defaultRegistry | string | `"ghcr.io"` | | +| crds.migration.image.defaultRegistry | string | `"reg.kyverno.io"` | | | crds.migration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository | | crds.migration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | crds.migration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | @@ -406,7 +406,7 @@ | admissionController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.admissionController.caCertificates.data` is defined | | admissionController.imagePullSecrets | list | `[]` | Image pull secrets | | admissionController.initContainer.image.registry | string | `nil` | Image registry | -| admissionController.initContainer.image.defaultRegistry | string | `"ghcr.io"` | | +| admissionController.initContainer.image.defaultRegistry | string | `"reg.kyverno.io"` | | | admissionController.initContainer.image.repository | string | `"kyverno/kyvernopre"` | Image repository | | admissionController.initContainer.image.tag | string | `nil` | Image tag If missing, defaults to image.tag | | admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy | 
@@ -416,7 +416,7 @@ | admissionController.initContainer.extraArgs | object | `{}` | Additional container args. | | admissionController.initContainer.extraEnvVars | list | `[]` | Additional container environment variables. | | admissionController.container.image.registry | string | `nil` | Image registry | -| admissionController.container.image.defaultRegistry | string | `"ghcr.io"` | | +| admissionController.container.image.defaultRegistry | string | `"reg.kyverno.io"` | | | admissionController.container.image.repository | string | `"kyverno/kyverno"` | Image repository | | admissionController.container.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | admissionController.container.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | @@ -475,7 +475,7 @@ | backgroundController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | backgroundController.image.registry | string | `nil` | Image registry | -| backgroundController.image.defaultRegistry | string | `"ghcr.io"` | | +| backgroundController.image.defaultRegistry | string | `"reg.kyverno.io"` | | | backgroundController.image.repository | string | `"kyverno/background-controller"` | Image repository | | backgroundController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | backgroundController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | 
@@ -551,7 +551,7 @@ | cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | | cleanupController.image.registry | string | `nil` | Image registry | -| cleanupController.image.defaultRegistry | string | `"ghcr.io"` | | +| cleanupController.image.defaultRegistry | string | `"reg.kyverno.io"` | | | cleanupController.image.repository | string | `"kyverno/cleanup-controller"` | Image repository | | cleanupController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | cleanupController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | @@ -635,7 +635,7 @@ | reportsController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | | reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | reportsController.image.registry | string | `nil` | Image registry | -| reportsController.image.defaultRegistry | string | `"ghcr.io"` | | +| reportsController.image.defaultRegistry | string | `"reg.kyverno.io"` | | | reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository | | reportsController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | reportsController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | 
@@ -702,6 +702,7 @@ | reportsController.profiling.port | int | `6060` | Profiling endpoint port | | reportsController.profiling.serviceType | string | `"ClusterIP"` | Service type. | | reportsController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| reportsController.sanityChecks | bool | `true` | Enable sanity check for reports CRDs | ### Grafana @@ -849,8 +850,8 @@ | Repository | Name | Version | |------------|------|---------| -| | crds | 3.3.4 | -| | grafana | 3.3.4 | +| | crds | 3.3.5 | +| | grafana | 3.3.5 | ## Maintainers diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/charts/crds/Chart.yaml new/kyverno-1.13.3/charts/kyverno/charts/crds/Chart.yaml --- old/kyverno-1.13.2/charts/kyverno/charts/crds/Chart.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/charts/crds/Chart.yaml 2025-02-06 11:56:16.000000000 +0100 @@ -1,3 +1,3 @@ apiVersion: v2 name: crds -version: 3.3.4 +version: 3.3.5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/charts/crds/README.md new/kyverno-1.13.3/charts/kyverno/charts/crds/README.md --- old/kyverno-1.13.2/charts/kyverno/charts/crds/README.md 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/charts/crds/README.md 2025-02-06 11:56:16.000000000 +0100 @@ -1,6 +1,6 @@ # crds - + ## Values diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/charts/grafana/Chart.yaml new/kyverno-1.13.3/charts/kyverno/charts/grafana/Chart.yaml --- old/kyverno-1.13.2/charts/kyverno/charts/grafana/Chart.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/charts/grafana/Chart.yaml 2025-02-06 11:56:16.000000000 +0100 
@@ -1,3 +1,3 @@ apiVersion: v2 name: grafana -version: 3.3.4 +version: 3.3.5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/charts/grafana/README.md new/kyverno-1.13.3/charts/kyverno/charts/grafana/README.md --- old/kyverno-1.13.2/charts/kyverno/charts/grafana/README.md 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/charts/grafana/README.md 2025-02-06 11:56:16.000000000 +0100 @@ -1,6 +1,6 @@ # grafana - + ## Values diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/templates/admission-controller/deployment.yaml new/kyverno-1.13.3/charts/kyverno/templates/admission-controller/deployment.yaml --- old/kyverno-1.13.2/charts/kyverno/templates/admission-controller/deployment.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/templates/admission-controller/deployment.yaml 2025-02-06 11:56:16.000000000 +0100 @@ -94,7 +94,7 @@ image: {{ include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }} imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }} args: - {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride) + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.admissionController.featuresOverride) "logging" ) | nindent 12 }} {{- range $key, $value := .Values.admissionController.initContainer.extraArgs }} 
@@ -174,7 +174,7 @@ {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} {{- end }} - {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride) + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.admissionController.featuresOverride) "reporting" "admissionReports" "autoUpdateWebhooks" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/templates/background-controller/deployment.yaml new/kyverno-1.13.3/charts/kyverno/templates/background-controller/deployment.yaml --- old/kyverno-1.13.2/charts/kyverno/templates/background-controller/deployment.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/templates/background-controller/deployment.yaml 2025-02-06 11:56:16.000000000 +0100 
@@ -119,7 +119,7 @@ - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} {{- end }} - --resyncPeriod={{ .Values.backgroundController.resyncPeriod | default .Values.global.resyncPeriod }} - {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride) + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.backgroundController.featuresOverride) "reporting" "configMapCaching" "deferredLoading" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/templates/cleanup-controller/deployment.yaml new/kyverno-1.13.3/charts/kyverno/templates/cleanup-controller/deployment.yaml --- old/kyverno-1.13.2/charts/kyverno/templates/cleanup-controller/deployment.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/templates/cleanup-controller/deployment.yaml 2025-02-06 11:56:16.000000000 +0100 @@ -131,7 +131,7 @@ - --transportCreds={{ . }} {{- end }} {{- end }} - {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride) + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.cleanupController.featuresOverride) "deferredLoading" "dumpPayload" "globalContext" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/templates/config/_helpers.tpl new/kyverno-1.13.3/charts/kyverno/templates/config/_helpers.tpl --- old/kyverno-1.13.2/charts/kyverno/templates/config/_helpers.tpl 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/templates/config/_helpers.tpl 2025-02-06 11:56:16.000000000 +0100 
@@ -68,14 +68,14 @@ {{- $newWebhooks = merge $newWebhooks (dict $webhook.name $newWebhook) }} {{- end -}} {{- end -}} - {{- $newWebhooks | toJson | nindent 2 }} + {{- $newWebhooks | toJson }} {{- else -}} {{- $webhook := $webhooks }} {{- $namespaceSelector := default (dict) $webhook.namespaceSelector }} {{- $matchExpressions := default (list) $namespaceSelector.matchExpressions }} {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} {{- $newWebhook := merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector) }} - {{- $newWebhook | toJson | nindent 2 }} + {{- $newWebhook | toJson }} {{- end -}} {{- end -}} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/templates/reports-controller/deployment.yaml new/kyverno-1.13.3/charts/kyverno/templates/reports-controller/deployment.yaml --- old/kyverno-1.13.2/charts/kyverno/templates/reports-controller/deployment.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/templates/reports-controller/deployment.yaml 2025-02-06 11:56:16.000000000 +0100 @@ -119,7 +119,7 @@ - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} {{- end }} - --resyncPeriod={{ .Values.reportsController.resyncPeriod | default .Values.global.resyncPeriod }} - {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride) + {{- include "kyverno.features.flags" (pick (mergeOverwrite (deepCopy .Values.features) .Values.reportsController.featuresOverride) "reporting" "admissionReports" "aggregateReports" 
@@ -140,10 +140,13 @@ - --{{ $key }}={{ $value }} {{- end }} {{- end }} - {{ if .Values.reportsController.profiling.enabled }} + {{- if .Values.reportsController.profiling.enabled }} - --profile=true - --profilePort={{ .Values.reportsController.profiling.port }} {{- end }} + {{- if not .Values.reportsController.sanityChecks }} + - --reportsCRDsSanityChecks=false + {{- end }} env: - name: KYVERNO_SERVICEACCOUNT_NAME value: {{ template "kyverno.reports-controller.serviceAccountName" . }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno/values.yaml new/kyverno-1.13.3/charts/kyverno/values.yaml --- old/kyverno-1.13.2/charts/kyverno/values.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno/values.yaml 2025-02-06 11:56:16.000000000 +0100 @@ -119,7 +119,7 @@ image: # -- (string) Image registry registry: ~ - defaultRegistry: ghcr.io + defaultRegistry: reg.kyverno.io # -- (string) Image repository repository: kyverno/kyverno-cli # -- (string) Image tag @@ -959,7 +959,7 @@ image: # -- Image registry registry: ~ - defaultRegistry: ghcr.io + defaultRegistry: reg.kyverno.io # -- Image repository repository: kyverno/kyvernopre # -- (string) Image tag @@ -1006,7 +1006,7 @@ image: # -- Image registry registry: ~ - defaultRegistry: ghcr.io + defaultRegistry: reg.kyverno.io # -- Image repository repository: kyverno/kyverno # -- (string) Image tag @@ -1224,7 +1224,7 @@ image: # -- Image registry registry: ~ - defaultRegistry: ghcr.io + defaultRegistry: reg.kyverno.io # -- Image repository repository: kyverno/background-controller # -- Image tag @@ -1491,7 +1491,7 @@ image: # -- Image registry registry: ~ - defaultRegistry: ghcr.io + defaultRegistry: reg.kyverno.io # -- Image repository repository: kyverno/cleanup-controller # -- (string) Image tag 
@@ -1808,7 +1808,7 @@ image: # -- Image registry registry: ~ - defaultRegistry: ghcr.io + defaultRegistry: reg.kyverno.io # -- Image repository repository: kyverno/reports-controller # -- (string) Image tag @@ -2060,3 +2060,6 @@ # -- Service node port. # Only used if `type` is `NodePort`. nodePort: + + # -- Enable sanity check for reports CRDs + sanityChecks: true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno-policies/Chart.yaml new/kyverno-1.13.3/charts/kyverno-policies/Chart.yaml --- old/kyverno-1.13.2/charts/kyverno-policies/Chart.yaml 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno-policies/Chart.yaml 2025-02-06 11:56:16.000000000 +0100 @@ -1,8 +1,8 @@ apiVersion: v2 type: application name: kyverno-policies -version: 3.3.2 -appVersion: v1.13.2 +version: 3.3.3 +appVersion: v1.13.3 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Pod Security Standards implemented as Kyverno policies keywords: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/charts/kyverno-policies/README.md new/kyverno-1.13.3/charts/kyverno-policies/README.md --- old/kyverno-1.13.2/charts/kyverno-policies/README.md 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/charts/kyverno-policies/README.md 2025-02-06 11:56:16.000000000 +0100 @@ -2,7 +2,7 @@ Kubernetes Pod Security Standards implemented as Kyverno policies -   +   ## About diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/cmd/background-controller/main.go new/kyverno-1.13.3/cmd/background-controller/main.go --- old/kyverno-1.13.2/cmd/background-controller/main.go 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/cmd/background-controller/main.go 2025-02-06 11:56:16.000000000 +0100 
@@ -137,7 +137,7 @@
 signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-background-controller", false)
 defer sdown()
 var err error
- bgscanInterval := 30 * time.Second
+ bgscanInterval := time.Hour
 val := os.Getenv("BACKGROUND_SCAN_INTERVAL")
 if val != "" {
 if bgscanInterval, err = time.ParseDuration(val); err != nil {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/cmd/cli/kubectl-kyverno/commands/apply/command.go new/kyverno-1.13.3/cmd/cli/kubectl-kyverno/commands/apply/command.go
--- old/kyverno-1.13.2/cmd/cli/kubectl-kyverno/commands/apply/command.go 2024-12-10 09:37:07.000000000 +0100
+++ new/kyverno-1.13.3/cmd/cli/kubectl-kyverno/commands/apply/command.go 2025-02-06 11:56:16.000000000 +0100
@@ -403,6 +403,11 @@
 }
 for _, policyYaml := range policyYamls {
 loaderResults, err := policy.Load(fs, "", policyYaml)
+ if loaderResults != nil && loaderResults.NonFatalErrors != nil {
+ for _, err := range loaderResults.NonFatalErrors {
+ log.Log.Error(err.Error, "Non-fatal parsing error for single document")
+ }
+ }
 if err != nil {
 continue
 }
@@ -412,6 +417,11 @@
 }
 } else {
 loaderResults, err := policy.Load(nil, "", path)
+ if loaderResults != nil && loaderResults.NonFatalErrors != nil {
+ for _, err := range loaderResults.NonFatalErrors {
+ log.Log.Error(err.Error, "Non-fatal parsing error for single document")
+ }
+ }
 if err != nil {
 log.Log.V(3).Info("skipping invalid YAML file", "path", path, "error", err)
 } else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/cmd/kyverno/main.go new/kyverno-1.13.3/cmd/kyverno/main.go
--- old/kyverno-1.13.2/cmd/kyverno/main.go 2024-12-10 09:37:07.000000000 +0100
+++ new/kyverno-1.13.3/cmd/kyverno/main.go 2025-02-06 11:56:16.000000000 +0100
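Review bot: In both apply/command.go hunks the added loop `for _, err := range loaderResults.NonFatalErrors` shadows the `err` returned by `policy.Load` that is checked on the very next line after the loop; it compiles, but it is the pattern `go vet -shadow` flags and it invites a future edit inside the loop to silently mask the real error, so rename it, e.g. `for _, nfe := range loaderResults.NonFatalErrors {` and `log.Log.Error(nfe.Error, "Non-fatal parsing error for single document")`. The `loaderResults.NonFatalErrors != nil` guard is redundant because ranging over a nil slice is a no-op, so `if loaderResults != nil {` is enough. The log line carries no key/value pairs identifying which document failed; adding `"path", path` (second hunk) or the YAML source in the first hunk would make these warnings actionable for whoever reads the CLI output. The five added lines are byte-identical in both hunks, which suggests a small helper that takes the results and a path; the enclosing functions start and end outside these hunks.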
@@ -40,7 +40,6 @@ runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime" "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy" "github.com/kyverno/kyverno/pkg/validation/exception" - "github.com/kyverno/kyverno/pkg/validation/globalcontext" "github.com/kyverno/kyverno/pkg/webhooks" webhooksexception "github.com/kyverno/kyverno/pkg/webhooks/exception" webhooksglobalcontext "github.com/kyverno/kyverno/pkg/webhooks/globalcontext" @@ -585,9 +584,7 @@ Enabled: internal.PolicyExceptionEnabled(), Namespace: internal.ExceptionNamespace(), }) - globalContextHandlers := webhooksglobalcontext.NewHandlers(globalcontext.ValidationOptions{ - Enabled: internal.PolicyExceptionEnabled(), - }) + globalContextHandlers := webhooksglobalcontext.NewHandlers() server := webhooks.NewServer( signalCtx, policyHandlers, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/cmd/reports-controller/main.go new/kyverno-1.13.3/cmd/reports-controller/main.go --- old/kyverno-1.13.2/cmd/reports-controller/main.go 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/cmd/reports-controller/main.go 2025-02-06 11:56:16.000000000 +0100 @@ -196,6 +196,7 @@ aggregateReports bool policyReports bool validatingAdmissionPolicyReports bool + reportsCRDsSanityChecks bool backgroundScanWorkers int backgroundScanInterval time.Duration aggregationWorkers int 
@@ -219,6 +220,7 @@
 flagset.BoolVar(&skipResourceFilters, "skipResourceFilters", true, "If true, resource filters wont be considered.")
 flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 2*1000*1000, "Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended).")
 flagset.IntVar(&maxBackgroundReports, "maxBackgroundReports", 10000, "Maximum number of ephemeralreports created for the background policies before we stop creating new ones")
+ flagset.BoolVar(&reportsCRDsSanityChecks, "reportsCRDsSanityChecks", true, "Enable or disable sanity checks for policy reports and ephemeral reports CRDs.")
 // config
 appConfig := internal.NewConfiguration(
 internal.WithProfiling(),
@@ -257,7 +259,9 @@
 kyamlopenapi.Schema()
 if err := sanityChecks(setup.ApiServerClient); err != nil {
 setup.Logger.Error(err, "sanity checks failed")
- os.Exit(1)
+ if reportsCRDsSanityChecks {
+ os.Exit(1)
+ }
 }
 setup.Logger.Info("background scan interval", "duration", backgroundScanInterval.String())
 // check if validating admission policies are registered in the API server
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/config/install-latest-testing.yaml new/kyverno-1.13.3/config/install-latest-testing.yaml
--- old/kyverno-1.13.2/config/install-latest-testing.yaml 2024-12-10 09:37:07.000000000 +0100
+++ new/kyverno-1.13.3/config/install-latest-testing.yaml 2025-02-06 11:56:16.000000000 +0100
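Review bot: When `reportsCRDsSanityChecks` is false the controller now keeps running after `sanityChecks` fails, but the only trace is the pre-existing `setup.Logger.Error(err, "sanity checks failed")`, which reads exactly like the fatal case; an explicit message in the non-exiting path, e.g. `setup.Logger.Info("reports CRDs sanity checks disabled, continuing despite failure")`, lets operators tell that the controller is deliberately running against CRDs it could not validate. The flag's help text says it enables or disables the checks, yet the hunk shows the checks still execute and only the exit is skipped; either gate the `sanityChecks` call on the flag or reword the help to `"If false, failures of the policy reports and ephemeral reports CRDs sanity checks are logged but not fatal."`. The enclosing function starts and ends outside the hunk.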
@@ -175,7 +175,7 @@ [Secret,kyverno,kyverno-svc.kyverno.svc.*] [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*] updateRequestThreshold: "1000" - webhooks: "\n {\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}" + webhooks: "{\"namespaceSelector\":{\"matchExpressions\":[{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kube-system\"]},{\"key\":\"kubernetes.io/metadata.name\",\"operator\":\"NotIn\",\"values\":[\"kyverno\"]}],\"matchLabels\":null}}" webhookAnnotations: "{\"admissions.enforcer/disabled\":\"true\"}" --- apiVersion: v1 @@ -201,8 +201,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: cleanuppolicies.kyverno.io @@ -2797,8 +2797,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: clustercleanuppolicies.kyverno.io @@ -5393,8 +5393,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: clusterpolicies.kyverno.io 
@@ -25686,8 +25686,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: globalcontextentries.kyverno.io @@ -25951,8 +25951,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: policies.kyverno.io @@ -46247,8 +46247,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: policyexceptions.kyverno.io @@ -47555,8 +47555,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: updaterequests.kyverno.io @@ -48388,8 +48388,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: clusterephemeralreports.reports.kyverno.io 
@@ -48730,8 +48730,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: ephemeralreports.reports.kyverno.io @@ -49072,8 +49072,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: clusterpolicyreports.wgpolicyk8s.io @@ -49440,8 +49440,8 @@ app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.3.4 - helm.sh/chart: crds-3.3.4 + app.kubernetes.io/version: 3.3.5 + helm.sh/chart: crds-3.3.5 annotations: controller-gen.kubebuilder.io/version: v0.16.1 name: policyreports.wgpolicyk8s.io @@ -51059,7 +51059,7 @@ serviceAccountName: kyverno-admission-controller initContainers: - name: kyverno-pre - image: "ghcr.io/kyverno/kyvernopre:latest" + image: "reg.kyverno.io/kyverno/kyvernopre:latest" imagePullPolicy: IfNotPresent args: - --loggingFormat=text @@ -51104,7 +51104,7 @@ value: kyverno-svc containers: - name: kyverno - image: "ghcr.io/kyverno/kyverno:latest" + image: "reg.kyverno.io/kyverno/kyverno:latest" imagePullPolicy: IfNotPresent args: - --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca @@ -51265,7 +51265,7 @@ serviceAccountName: kyverno-background-controller containers: - name: controller - image: "ghcr.io/kyverno/background-controller:latest" + image: "reg.kyverno.io/kyverno/background-controller:latest" imagePullPolicy: IfNotPresent ports: - containerPort: 9443 
@@ -51370,7 +51370,7 @@ serviceAccountName: kyverno-cleanup-controller containers: - name: controller - image: "ghcr.io/kyverno/cleanup-controller:latest" + image: "reg.kyverno.io/kyverno/cleanup-controller:latest" imagePullPolicy: IfNotPresent ports: - containerPort: 9443 @@ -51511,7 +51511,7 @@ serviceAccountName: kyverno-reports-controller containers: - name: controller - image: "ghcr.io/kyverno/reports-controller:latest" + image: "reg.kyverno.io/kyverno/reports-controller:latest" imagePullPolicy: IfNotPresent ports: - containerPort: 9443 @@ -51544,7 +51544,6 @@ - --allowInsecureRegistry=false - --registryCredentialHelpers=default,google,amazon,azure,github - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate - env: - name: KYVERNO_SERVICEACCOUNT_NAME value: kyverno-reports-controller diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/go.mod new/kyverno-1.13.3/go.mod --- old/kyverno-1.13.2/go.mod 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/go.mod 2025-02-06 11:56:16.000000000 +0100 @@ -68,8 +68,8 @@ go.opentelemetry.io/otel/trace v1.30.0 go.uber.org/automaxprocs v1.5.3 go.uber.org/multierr v1.11.0 - golang.org/x/crypto v0.28.0 - golang.org/x/text v0.19.0 + golang.org/x/crypto v0.31.0 + golang.org/x/text v0.21.0 gomodules.xyz/jsonpatch/v2 v2.4.0 google.golang.org/grpc v1.67.0 gopkg.in/inf.v0 v0.9.1 @@ -295,7 +295,7 @@ github.com/oleiade/reflections v1.1.0 // indirect github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852 // indirect github.com/open-policy-agent/gatekeeper/v3 v3.17.0 // indirect - github.com/open-policy-agent/opa v0.67.1 // indirect + github.com/open-policy-agent/opa v0.68.0 // indirect github.com/opentracing/opentracing-go v1.2.0 github.com/pborman/uuid v1.2.1 // indirect github.com/pelletier/go-toml/v2 v2.2.3 // indirect 
@@ -368,11 +368,11 @@ go.uber.org/zap v1.27.0 // indirect golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 golang.org/x/mod v0.20.0 // indirect - golang.org/x/net v0.29.0 // indirect + golang.org/x/net v0.33.0 // indirect golang.org/x/oauth2 v0.23.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.26.0 // indirect - golang.org/x/term v0.25.0 // indirect + golang.org/x/sync v0.10.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/term v0.27.0 // indirect golang.org/x/time v0.6.0 // indirect google.golang.org/api v0.195.0 // indirect google.golang.org/genproto v0.0.0-20240827150818-7e3bb234dfed // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/go.sum new/kyverno-1.13.3/go.sum --- old/kyverno-1.13.2/go.sum 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/go.sum 2025-02-06 11:56:16.000000000 +0100 @@ -710,8 +710,8 @@ github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/open-policy-agent/gatekeeper/v3 v3.17.0 h1:8jiY9rgWRofEJeJLm4gyme97fwvqTbv9+QoerMGXCuU= github.com/open-policy-agent/gatekeeper/v3 v3.17.0/go.mod h1:LIk/6du1AV47s+aU1ovKNKzOCHIsEmEImUN/72DL3zw= -github.com/open-policy-agent/opa v0.67.1 h1:rzy26J6g1X+CKknAcx0Vfbt41KqjuSzx4E0A8DAZf3E= -github.com/open-policy-agent/opa v0.67.1/go.mod h1:aqKlHc8E2VAAylYE9x09zJYr/fYzGX+JKne89UGqFzk= +github.com/open-policy-agent/opa v0.68.0 h1:Jl3U2vXRjwk7JrHmS19U3HZO5qxQRinQbJ2eCJYSqJQ= +github.com/open-policy-agent/opa v0.68.0/go.mod h1:5E5SvaPwTpwt2WM177I9Z3eT7qUpmOGjk1ZdHs+TZ4w= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= 
@@ -1000,8 +1000,8 @@ golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= -golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 h1:kx6Ds3MlpiUHKj7syVnbp57++8WpuKPcR5yjLBjvLEA= golang.org/x/exp v0.0.0-20240823005443-9b4947da3948/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= @@ -1043,8 +1043,8 @@ golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= 
@@ -1056,8 +1056,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -1096,8 +1096,8 @@ golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= -golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= 
@@ -1108,8 +1108,8 @@ golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= -golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
@@ -1120,8 +1120,8 @@
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
 golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/engine/apicall/apiCall.go new/kyverno-1.13.3/pkg/engine/apicall/apiCall.go
--- old/kyverno-1.13.2/pkg/engine/apicall/apiCall.go 2024-12-10 09:37:07.000000000 +0100
+++ new/kyverno-1.13.3/pkg/engine/apicall/apiCall.go 2025-02-06 11:56:16.000000000 +0100
@@ -64,6 +64,11 @@
 }
 data, err := a.Execute(ctx, &call.APICall)
 if err != nil {
+ if data == nil && a.entry.APICall.Default != nil {
+ data = a.entry.APICall.Default.Raw
+ a.logger.V(4).Info("failed to substitute variable data for APICall, using default value", "default", data, "name", a.entry.Name, "URLPath", a.entry.APICall.URLPath, "error", err)
+ return data, nil
+ }
 return nil, err
 }
 return data, nil
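Review bot: The fallback to `a.entry.APICall.Default.Raw` is logged only at `V(4)`, so at default verbosity a failing API call that silently swapped in the configured default leaves no trace, even though that substitution can change the outcome of every rule that reads the context entry; logging at a level operators see by default, e.g. `a.logger.Info("API call failed, using default value", "name", a.entry.Name, "URLPath", a.entry.APICall.URLPath, "error", err)`, keeps the failure visible. The `"default", data` key logs a `[]byte`, which most logr sinks render as a number array or base64; use `string(data)` or omit it, since the default is already in the policy. The enclosing function starts outside the hunk.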
@@ -82,17 +87,15 @@ } func (a *apiCall) transformAndStore(jsonData []byte) ([]byte, error) { - if jsonData == nil { - if a.entry.APICall.Default.Raw == nil { + if a.entry.APICall.Default != nil { + if string(jsonData) == string(a.entry.APICall.Default.Raw) { + err := a.jsonCtx.AddContextEntry(a.entry.Name, jsonData) + if err != nil { + return nil, fmt.Errorf("failed to add resource data to context entry %s: %w", a.entry.Name, err) + } + return jsonData, nil } - jsonData = a.entry.APICall.Default.Raw - err := a.jsonCtx.AddContextEntry(a.entry.Name, jsonData) - if err != nil { - return nil, fmt.Errorf("failed to add resource data to context entry %s: %w", a.entry.Name, err) - } - - return jsonData, nil } if a.entry.APICall.JMESPath == "" { err := a.jsonCtx.AddContextEntry(a.entry.Name, jsonData) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/engine/apicall/apiCall_test.go new/kyverno-1.13.3/pkg/engine/apicall/apiCall_test.go --- old/kyverno-1.13.2/pkg/engine/apicall/apiCall_test.go 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/pkg/engine/apicall/apiCall_test.go 2025-02-06 11:56:16.000000000 +0100 
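Review bot: Detecting the fallback by `string(jsonData) == string(a.entry.APICall.Default.Raw)` makes the JMESPath step depend on the payload's bytes rather than on where they came from: a genuine API response that happens to equal the configured default is stored untransformed, and a default that was written expecting the JMESPath to apply is never transformed. Carrying an explicit used-default signal from the fetch path (for example a field on `apiCall` set in the hunk at -64, checked here instead of the byte comparison) would make the branch unambiguous. A comment at the comparison, e.g. `// payload equals the configured default: store as-is, JMESPath is not applied to defaults`, would at least record the current intent. `transformAndStore` continues outside the hunk.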
@@ -214,6 +214,43 @@ assert.Equal(t, string(expectedResults)+"\n", string(data)) } +func Test_fallbackToDefault(t *testing.T) { + serverResponse := []byte(`Error from server (NotFound): the server could not find the requested resource`) + defaultResponse := []byte(`{ "day": "Monday" }`) + s := buildTestServer(serverResponse, false) + defer s.Close() + + entry := kyvernov1.ContextEntry{} + ctx := enginecontext.NewContext(jp) + + entry.Name = "test" + entry.APICall = &kyvernov1.ContextAPICall{ + APICall: kyvernov1.APICall{ + Service: &kyvernov1.ServiceCall{ + URL: s.URL, + Headers: []kyvernov1.HTTPHeader{ + {Key: "Authorization", Value: "Bearer 1234567890"}, + {Key: "Content-Type", Value: "application/json"}, + }, + }, + }, + Default: &apiextensionsv1.JSON{ + Raw: defaultResponse, + }, + } + + entry.APICall.Method = "GET" + call, err := New(logr.Discard(), jp, entry, ctx, nil, apiConfig) + assert.NilError(t, err) + + jsonData, err := call.Fetch(context.TODO()) + assert.NilError(t, err) + data, err := call.Store(jsonData) + + assert.NilError(t, err) // no error because it should fallback to default value + assert.Equal(t, string(defaultResponse), string(data)) +} + func buildEchoHeaderTestServer() *httptest.Server { mux := http.NewServeMux() mux.HandleFunc("/resource", func(w http.ResponseWriter, r *http.Request) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/engine/context/loaders/apicall.go new/kyverno-1.13.3/pkg/engine/context/loaders/apicall.go --- old/kyverno-1.13.2/pkg/engine/context/loaders/apicall.go 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/pkg/engine/context/loaders/apicall.go 2025-02-06 11:56:16.000000000 +0100 
@@ -54,12 +54,9 @@ } if a.data == nil { var err error - if a.data, err = executor.Fetch(a.ctx); err != nil && a.entry.APICall.Default == nil { + if a.data, err = executor.Fetch(a.ctx); err != nil { return fmt.Errorf("failed to fetch data for APICall: %w", err) } - if err == nil { - a.entry.APICall.Default = nil - } } if _, err := executor.Store(a.data); err != nil { return fmt.Errorf("failed to store data for APICall: %w", err) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/engine/context/loaders/globalcontext.go new/kyverno-1.13.3/pkg/engine/context/loaders/globalcontext.go --- old/kyverno-1.13.2/pkg/engine/context/loaders/globalcontext.go 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/pkg/engine/context/loaders/globalcontext.go 2025-02-06 11:56:16.000000000 +0100 @@ -47,7 +47,7 @@ func (g *gctxLoader) HasLoaded() bool { data, ok := g.gctxStore.Get(g.entry.Name) - if ok { + if !ok { g.logger.Error(fmt.Errorf("failed to get data from global context store"), "failed to get data from global context store") return false } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/engine/handlers/validation/validate_pss.go new/kyverno-1.13.3/pkg/engine/handlers/validation/validate_pss.go --- old/kyverno-1.13.2/pkg/engine/handlers/validation/validate_pss.go 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/pkg/engine/handlers/validation/validate_pss.go 2025-02-06 11:56:16.000000000 +0100 
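Review bot: In `HasLoaded`, `g.logger.Error(fmt.Errorf("failed to get data from global context store"), "failed to get data from global context store")` constructs an error only to repeat the same text as the message, and with the corrected `!ok` condition it now fires on every call made before the entry has been stored, which presumably is a normal not-yet-loaded state rather than a fault. If so, `g.logger.V(2).Info("entry not present in global context store", "name", g.entry.Name)` is simpler and less noisy; if it really is a fault, a package-level sentinel error avoids rebuilding the error on each call. `HasLoaded` continues outside the hunk.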
@@ -101,8 +101,6 @@
 return resource, engineapi.RuleError(rule.Name, engineapi.Validation, "failed to parse pod security api version", err, rule.ReportProperties)
 }
 allowed, pssChecks := pss.EvaluatePod(levelVersion, podSecurity.Exclude, pod)
- pssChecks = convertChecks(pssChecks, resource.GetKind())
- pssChecks = addImages(pssChecks, policyContext.JSONContext().ImageInfo())
 podSecurityChecks := engineapi.PodSecurityChecks{
 Level: podSecurity.Level,
 Version: podSecurity.Version,
@@ -131,6 +129,9 @@
 logger.V(3).Info("policy rule is skipped due to policy exceptions", "exceptions", keys)
 return resource, engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule is skipped due to policy exceptions "+strings.Join(keys, ", "), rule.ReportProperties).WithExceptions(matchedExceptions).WithPodSecurityChecks(podSecurityChecks)
 }
+ pssChecks = convertChecks(pssChecks, resource.GetKind())
+ pssChecks = addImages(pssChecks, policyContext.JSONContext().ImageInfo())
+ podSecurityChecks.Checks = pssChecks
 msg := fmt.Sprintf(`Validation rule '%s' failed. It violates PodSecurity "%s:%s": %s`, rule.Name, podSecurity.Level, podSecurity.Version, pss.FormatChecksPrint(pssChecks))
 ruleResponse := engineapi.RuleFail(rule.Name, engineapi.Validation, msg, rule.ReportProperties).WithPodSecurityChecks(podSecurityChecks)
 var action kyvernov1.ValidationFailureAction
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/engine/internal/imageverifier.go new/kyverno-1.13.3/pkg/engine/internal/imageverifier.go
--- old/kyverno-1.13.2/pkg/engine/internal/imageverifier.go 2024-12-10 09:37:07.000000000 +0100
+++ new/kyverno-1.13.3/pkg/engine/internal/imageverifier.go 2025-02-06 11:56:16.000000000 +0100
@@ -86,7 +86,7 @@
 if e.Keys != nil {
 keys := splitPEM(e.Keys.PublicKeys)
 if len(keys) > 1 {
- moreEntries := createStaticKeyAttestors(keys)
+ moreEntries := createStaticKeyAttestors(keys, e)
 entries = append(entries, moreEntries...)
 continue
 }
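Review bot: Moving `convertChecks` and `addImages` after the exception check means the `RuleSkip` response on the line above still carries `podSecurityChecks` built from the raw `pss.EvaluatePod` output, without kind conversion or image information, while the `RuleFail` response a few lines later gets the converted checks; if the skipped result is rendered into reports or CLI output, its checks now differ in shape from the failing case. If that asymmetry is intended (the exception matching apparently needs the unconverted checks), a short comment at `podSecurityChecks.Checks = pssChecks`, e.g. `// converted checks are attached only to the failure response; the exception-skip path above keeps the raw checks on purpose`, would record it. The enclosing function starts before and ends after the hunk.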
@@ -107,15 +107,12 @@
 return keys[0 : len(keys)-1]
 }
 
-func createStaticKeyAttestors(keys []string) []kyvernov1.Attestor {
+func createStaticKeyAttestors(keys []string, base kyvernov1.Attestor) []kyvernov1.Attestor {
 attestors := make([]kyvernov1.Attestor, 0, len(keys))
 for _, k := range keys {
- a := kyvernov1.Attestor{
- Keys: &kyvernov1.StaticKeyAttestor{
- PublicKeys: k,
- },
- }
- attestors = append(attestors, a)
+ a := base.DeepCopy()
+ a.Keys.PublicKeys = k
+ attestors = append(attestors, *a)
 }
 return attestors
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/policy/generate.go new/kyverno-1.13.3/pkg/policy/generate.go
--- old/kyverno-1.13.2/pkg/policy/generate.go 2024-12-10 09:37:07.000000000 +0100
+++ new/kyverno-1.13.3/pkg/policy/generate.go 2025-02-06 11:56:16.000000000 +0100
@@ -296,6 +296,10 @@
 } else {
 ruleRsrc := ruleResource{rule: oldRule.Name}
 old, new := oldRule.Generation, newRule.Generation
+ if old == nil || new == nil {
+ continue
+ }
+
 if old.ResourceSpec != new.ResourceSpec || old.Clone != new.Clone {
 ruleRsrc.kinds = append(ruleRsrc.kinds, old.ResourceSpec.GetKind())
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/policycache/cache.go new/kyverno-1.13.3/pkg/policycache/cache.go
--- old/kyverno-1.13.2/pkg/policycache/cache.go 2024-12-10 09:37:07.000000000 +0100
+++ new/kyverno-1.13.3/pkg/policycache/cache.go 2025-02-06 11:56:16.000000000 +0100
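Review bot: `createStaticKeyAttestors` now dereferences `a.Keys` unconditionally, so it panics when `base.Keys` is nil; the only caller visible (hunk at -86 above) guards on `e.Keys != nil`, but the function should either state that precondition in a doc comment or defend itself with `if base.Keys == nil { return nil }` before the loop. The doc comment should also say why a deep copy is taken, since that is the substance of the fix: `// createStaticKeyAttestors splits base into one attestor per PEM key; each is a deep copy of base so every other field of the original attestor is preserved.`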
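Review bot: The new guard `if old == nil || new == nil { continue }` also covers the case where a rule's generation block was removed (`old != nil`, `new == nil`) and skips it without recording `old.ResourceSpec.GetKind()` in `ruleRsrc.kinds`; if that slice drives cleanup of previously generated resources (the rest of the loop is outside the hunk), resources of a removed generate rule would no longer be tracked. If that case matters, record the old kind before continuing: `if old != nil && new == nil { ruleRsrc.kinds = append(ruleRsrc.kinds, old.ResourceSpec.GetKind()) }`, followed by whatever the loop does with `ruleRsrc`. The local `new` shadows the builtin; that is pre-existing, but the added line is its first read in new code, so renaming both to `oldGen, newGen` would be cheap here.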
@@ -101,17 +101,22 @@ validationFailureActionOverrides = policy.GetSpec().ValidationFailureActionOverrides } - if (ns == "" || len(validationFailureActionOverrides) == 0) && validationFailureAction.Enforce() == enforce { - filteredRules = append(filteredRules, *rule) - continue - } - + // Track if an override matched for the namespace + overrideMatched := false for _, action := range validationFailureActionOverrides { - if action.Action.Enforce() == enforce && wildcard.CheckPatterns(action.Namespaces, ns) { - filteredRules = append(filteredRules, *rule) - break // Changed continue to break since we found a match + if ns != "" && wildcard.CheckPatterns(action.Namespaces, ns) { + overrideMatched = true + if action.Action.Enforce() == enforce { + filteredRules = append(filteredRules, *rule) + } + break // Stop once we find a matching override } } + + // If no override matched for the namespace, apply the default validation failure action + if !overrideMatched && validationFailureAction.Enforce() == enforce { + filteredRules = append(filteredRules, *rule) + } } if len(filteredRules) > 0 { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/policycache/cache_test.go new/kyverno-1.13.3/pkg/policycache/cache_test.go --- old/kyverno-1.13.2/pkg/policycache/cache_test.go 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/pkg/policycache/cache_test.go 2025-02-06 11:56:16.000000000 +0100 @@ -7,6 +7,7 @@ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/autogen" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" + "github.com/stretchr/testify/require" "gotest.tools/assert" kubecache "k8s.io/client-go/tools/cache" ) 
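Review bot: `ns != ""` is loop-invariant, so the `for` over `validationFailureActionOverrides` can be wrapped in `if ns != "" { ... }` instead of re-testing it for every override, which also makes the cluster-scoped path (`ns == ""`, overrides never apply) read as what it is. The rewrite establishes first-match-wins when several overrides' `Namespaces` patterns match the same namespace with different actions; that ordering is worth a comment at the `break`, e.g. `// the first override whose namespace pattern matches decides; later overrides are not consulted`. The enclosing function starts and ends outside the hunk.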
@@ -1228,36 +1229,39 @@ } func Test_Get_Policies_Validate_Failure_Action_Overrides(t *testing.T) { + type testCase struct { + name string + action PolicyType + namespace string + expectedPolicies int + } + cache := NewCache() policy1 := newValidateAuditPolicy(t) policy2 := newValidateEnforcePolicy(t) finder := TestResourceFinder{} + key1, _ := kubecache.MetaNamespaceKeyFunc(policy1) cache.Set(key1, policy1, finder) + key2, _ := kubecache.MetaNamespaceKeyFunc(policy2) cache.Set(key2, policy2, finder) - validateAudit := cache.GetPolicies(ValidateAudit, podsGVRS.GroupVersionResource(), "", "") - if len(validateAudit) != 1 { - t.Errorf("expected 1 validate audit policy, found %v", len(validateAudit)) - } - validateEnforce := cache.GetPolicies(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "") - if len(validateEnforce) != 1 { - t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce)) - } - validateAudit = cache.GetPolicies(ValidateAudit, podsGVRS.GroupVersionResource(), "", "test") - if len(validateAudit) != 2 { - t.Errorf("expected 2 validate audit policy, found %v", len(validateAudit)) - } - validateEnforce = cache.GetPolicies(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "test") - if len(validateEnforce) != 0 { - t.Errorf("expected 0 validate enforce policy, found %v", len(validateEnforce)) - } - validateAudit = cache.GetPolicies(ValidateAudit, podsGVRS.GroupVersionResource(), "", "default") - if len(validateAudit) != 0 { - t.Errorf("expected 0 validate audit policy, found %v", len(validateAudit)) - } - validateEnforce = cache.GetPolicies(ValidateEnforce, podsGVRS.GroupVersionResource(), "", "default") - if len(validateEnforce) != 2 { - t.Errorf("expected 2 validate enforce policy, found %v", len(validateEnforce)) + + testCases := []testCase{ + {name: "ValidateAudit with no namespace", action: ValidateAudit, namespace: "", expectedPolicies: 1}, + {name: "ValidateEnforce with no namespace", action: ValidateEnforce, namespace: "", 
expectedPolicies: 1}, + {name: "ValidateAudit with test namespace", action: ValidateAudit, namespace: "test", expectedPolicies: 2}, + {name: "ValidateEnforce with test namespace", action: ValidateEnforce, namespace: "test", expectedPolicies: 0}, + {name: "ValidateAudit with default namespace", action: ValidateAudit, namespace: "default", expectedPolicies: 0}, + {name: "ValidateEnforce with default namespace", action: ValidateEnforce, namespace: "default", expectedPolicies: 2}, + {name: "ValidateEnforce with unmatched namespace in failureActionOverrides", action: ValidateEnforce, namespace: "nonexistent", expectedPolicies: 1}, + {name: "ValidateAudit with unmatched namespace in failureActionOverrides", action: ValidateAudit, namespace: "nonexistent", expectedPolicies: 1}, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + policies := cache.GetPolicies(tc.action, podsGVRS.GroupVersionResource(), "", tc.namespace) + require.Equal(t, tc.expectedPolicies, len(policies), "unexpected number of policies") + }) } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go new/kyverno-1.13.3/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go --- old/kyverno-1.13.2/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go 2025-02-06 11:56:16.000000000 +0100 
@@ -114,6 +114,10 @@ func checkRuleCount(spec *kyvernov1.Spec) (bool, string) { var msg string + if len(spec.Rules) == 0 { + msg = "skip generating ValidatingAdmissionPolicy: no rules found." + return false, msg + } if len(spec.Rules) > 1 { msg = "skip generating ValidatingAdmissionPolicy: multiple rules are not applicable." return false, msg diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go new/kyverno-1.13.3/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go --- old/kyverno-1.13.2/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go 2025-02-06 11:56:16.000000000 +0100 @@ -841,6 +841,21 @@ `), expected: true, }, + { + name: "policy-with-no-rules", + policy: []byte(` +{ + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "empty-policy" + }, + "spec": { + "rules": [] + } +}`), + expected: false, + }, } for _, test := range testCases { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/validation/globalcontext/validate.go new/kyverno-1.13.3/pkg/validation/globalcontext/validate.go --- old/kyverno-1.13.2/pkg/validation/globalcontext/validate.go 2024-12-10 09:37:07.000000000 +0100 +++ new/kyverno-1.13.3/pkg/validation/globalcontext/validate.go 2025-02-06 11:56:16.000000000 +0100 
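Review bot: The new branch assigns `msg` only to return it on the next line; `return false, "skip generating ValidatingAdmissionPolicy: no rules found."` is shorter and matches the guard-clause style, though the pre-existing `> 1` branch has the same shape, so either leave both or change both for consistency. `spec` is dereferenced without a nil check; if callers can pass a nil `*kyvernov1.Spec`, guard it before `len(spec.Rules)`, otherwise a doc comment stating `// spec must be non-nil` records the precondition. `checkRuleCount` continues outside the hunk.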
@@ -7,20 +7,9 @@
 kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
 )
-const (
- disabledGctx = "Global context entry would not be processed until it is enabled."
-)
-
-type ValidationOptions struct {
- Enabled bool
-}
-
 // Validate checks global context entry is valid
-func Validate(ctx context.Context, logger logr.Logger, gctx *kyvernov2alpha1.GlobalContextEntry, opts ValidationOptions) ([]string, error) {
+func Validate(ctx context.Context, logger logr.Logger, gctx *kyvernov2alpha1.GlobalContextEntry) ([]string, error) {
 var warnings []string
- if !opts.Enabled {
- warnings = append(warnings, disabledGctx)
- }
 errs := gctx.Validate()
 return warnings, errs.ToAggregate()
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/validation/globalcontext/validate_test.go new/kyverno-1.13.3/pkg/validation/globalcontext/validate_test.go
--- old/kyverno-1.13.2/pkg/validation/globalcontext/validate_test.go 2024-12-10 09:37:07.000000000 +0100
+++ new/kyverno-1.13.3/pkg/validation/globalcontext/validate_test.go 2025-02-06 11:56:16.000000000 +0100
@@ -11,7 +11,6 @@
 func Test_Validate(t *testing.T) {
 type args struct {
- opts ValidationOptions
 resource []byte
 }
 tc := []struct {
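Review bot: With the `opts.Enabled` branch removed, `warnings` in `Validate` is declared but never appended to, so the function now always returns a nil slice next to `errs.ToAggregate()`; if the slice return is being kept for signature stability with the webhook caller, a one-line comment saying so, e.g. `// warnings is currently always nil; the return is kept for callers that forward it.`, would stop the next reader hunting for a missing append. The `ctx` and `logger` parameters are likewise unused in the visible body — that predates this change, but it is worth noting now that the signature is being reshaped anyway. The doc comment `// Validate checks global context entry is valid` could say what comes back: `// Validate returns any warnings (currently none) and the aggregated field errors from gctx.Validate().`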
@@ -21,45 +20,41 @@
 wantErr bool
 }{
 {
- name: "GlobalContextEntry disabled.",
+ name: "GlobalContextEntry with both KubernetesResource and APICall present",
 args: args{
- opts: ValidationOptions{
- Enabled: false,
- },
- resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
+ resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"},"kubernetesResource":{"group":"apis/networking.k8s.io","version":"v1","resource":"ingresses","namespace":"apps"}}}`),
 },
- want: 1,
- wantErr: false,
+ want: 0,
+ wantErr: true,
 },
 {
- name: "GlobalContextEntry enabled, both KubernetesResource and APICall present",
+ name: "GlobalContextEntry with neither KubernetesResource nor APICall present",
 args: args{
- opts: ValidationOptions{
- Enabled: true,
- },
- resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"},"kubernetesResource":{"group":"apis/networking.k8s.io","version":"v1","resource":"ingresses","namespace":"apps"}}}`),
+ resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{}}`),
 },
 want: 0,
 wantErr: true,
 },
 {
- name: "GlobalContextEntry enabled, neither KubernetesResource nor APICall present",
+ name: "GlobalContextEntry with only KubernetesResource present",
 args: args{
- opts: ValidationOptions{
- Enabled: true,
- },
- resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{}}`),
+ resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-kubernetesresource"},"spec":{"kubernetesResource":{"group":"apis/networking.k8s.io","version":"v1","resource":"ingresses","namespace":"apps"}}}`),
 },
 want: 0,
- wantErr: true,
+ wantErr: false,
+ },
+ {
+ name: "GlobalContextEntry with a core KubernetesResource present",
+ args: args{
+ resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-kubernetesresource"},"spec":{"kubernetesResource":{"version":"v1","resource":"namespaces"}}}`),
+ },
+ want: 0,
+ wantErr: false,
 },
 {
- name: "GlobalContextEntry enabled.",
+ name: "GlobalContextEntry with only APICall present",
 args: args{
- opts: ValidationOptions{
- Enabled: true,
- },
- resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
+ resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-apicall"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
 },
 want: 0,
 wantErr: false,
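Review bot: Every case in the rewritten table now carries `want: 0`, because the only warning `Validate` produced was tied to the removed `opts`, so the field no longer separates any case from another; either drop `want` together with whatever assertion consumes it below the hunk, or keep a single case with a comment such as `// Validate currently emits no warnings; update when one is added.` so a future warning has a test to turn red. The added "core KubernetesResource" case (no `group`) is a useful addition since it exercises the empty-group path that the earlier fixtures never did. The `caBundle` values are placeholder PEM text, which is fine for a structural test but means no certificate content is parsed here.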
@@ -69,7 +64,7 @@
 t.Run(c.name, func(t *testing.T) {
 gctx, err := admissionutils.UnmarshalGlobalContextEntry(c.args.resource)
 assert.NilError(t, err)
- warnings, err := Validate(context.Background(), logging.GlobalLogger(), gctx, c.args.opts)
+ warnings, err := Validate(context.Background(), logging.GlobalLogger(), gctx)
 if c.wantErr {
 assert.Assert(t, err != nil)
 } else {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.13.2/pkg/webhooks/globalcontext/validate.go new/kyverno-1.13.3/pkg/webhooks/globalcontext/validate.go
--- old/kyverno-1.13.2/pkg/webhooks/globalcontext/validate.go 2024-12-10 09:37:07.000000000 +0100
+++ new/kyverno-1.13.3/pkg/webhooks/globalcontext/validate.go 2025-02-06 11:56:16.000000000 +0100
@@ -11,14 +11,10 @@
 "github.com/kyverno/kyverno/pkg/webhooks/handlers"
 )
-type gctxHandlers struct {
- validationOptions validation.ValidationOptions
-}
+type gctxHandlers struct{}
-func NewHandlers(validationOptions validation.ValidationOptions) webhooks.GlobalContextHandlers {
- return &gctxHandlers{
- validationOptions: validationOptions,
- }
+func NewHandlers() webhooks.GlobalContextHandlers {
+ return &gctxHandlers{}
 }
 // Validate performs the validation check on global context entries
@@ -28,7 +24,7 @@
 logger.Error(err, "failed to unmarshal global context entry from admission request")
 return admissionutils.Response(request.UID, err)
 }
- warnings, err := validation.Validate(ctx, logger, gctx, h.validationOptions)
+ warnings, err := validation.Validate(ctx, logger, gctx)
 if err != nil {
 logger.Error(err, "global context entry validation errors")
 }
++++++ kyverno.obsinfo ++++++
--- /var/tmp/diff_new_pack.G7KLJW/_old 2025-02-07 23:11:31.929658242 +0100
+++ /var/tmp/diff_new_pack.G7KLJW/_new 2025-02-07 23:11:31.933658407 +0100
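Review bot: `NewHandlers` is exported and has no doc comment on the new side of the `-11,14` hunk; `// NewHandlers returns the admission handlers that validate GlobalContextEntry objects.` would meet the convention and record that the constructor is now option-free. With `gctxHandlers` reduced to an empty struct, `&gctxHandlers{}` hands back a pointer to zero-size state; that is harmless, but if the `Validate` method's receiver (outside the hunk) can be a value receiver, `return gctxHandlers{}` would avoid the pointer altogether. In the `-28,7` hunk the validation error is logged and then, presumably, forwarded in the admission response below the hunk — that log-and-return pattern is pre-existing rather than introduced here, but the signature change is a natural moment to pick one layer for it.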
@@ -1,5 +1,5 @@
 name: kyverno
-version: 1.13.2
-mtime: 1733819827
-commit: a96b1a4794b4d25cb0c6d72c05fc6355e95cf65c
+version: 1.13.3
+mtime: 1738839376
+commit: 425ff9dff6472a15bd46b322606b97f84247525e
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/kyverno/vendor.tar.gz /work/SRC/openSUSE:Factory/.kyverno.new.2316/vendor.tar.gz differ: char 5, line 1
