Merge branch 'main' into 1298_fix_variable_validation

.github/workflows/image.yaml

@@ -17,9 +17,9 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.14
-          
-      - name: login to docker hub
-        run: echo "${{ secrets.DOCKERIO_PASSWORD }}" | docker login -u "${{ secrets.DOCKERIO_USERNAME }}" --password-stdin
+
+      - name: login to GitHub Container Registry
+        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
 
       - name: docker images publish
         run: |

.github/workflows/release.yaml

@@ -21,8 +21,8 @@ jobs:
           go-version: 1.14
       - uses: creekorful/[email protected]
 
-      - name: login to docker hub
-        run: echo "${{ secrets.DOCKERIO_PASSWORD }}" | docker login -u "${{ secrets.DOCKERIO_USERNAME }}" --password-stdin
+      - name: login to GitHub Container Registry
+        run: echo ${{ secrets.CR_PAT }} | docker login ghcr.io -u ${{ github.repository_owner }} --password-stdin
 
       - name :  docker images publish
         run: |
@@ -45,37 +45,41 @@ jobs:
           echo ">>> Run Kyverno e2e test"
           make test-e2e
 
-  kyvernocli-and-helm:
+  create-release-gh-helm-krew:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
+      - name: Checkout
         uses: actions/checkout@v2
-      -
-        name: Unshallow
-        run: git fetch --prune --unshallow
-      -
-        name: Set up Go
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
         uses: actions/setup-go@v2
         with:
           go-version: 1.14
-      - uses: creekorful/[email protected]
 
-      -
-        name: Run GoReleaser
+      - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
           version: latest
           args: release --rm-dist
         env:
-          GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: J12934/helm-gh-pages-action@master
-        name: Run Helm Publish
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v1
         with:
-          access-token: ${{ secrets.ACCESS_TOKEN }}
-          deploy-branch: gh-pages
-          charts-folder: charts
+          version: v3.4.0
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Update new version in krew-index
         uses: rajatjindal/[email protected]

.github/workflows/test.yaml

@@ -50,7 +50,7 @@ jobs:
           version: latest
           args: --rm-dist --skip-publish --snapshot
         env:
-          GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Kyverno Test
         run: |

Makefile

@@ -8,8 +8,8 @@ GIT_BRANCH := $(shell git branch | grep \* | cut -d ' ' -f2)
 GIT_HASH := $(GIT_BRANCH)/$(shell git log -1 --pretty=format:"%H")
 TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p')
 
-REGISTRY?=index.docker.io
-REPO=$(REGISTRY)/nirmata/kyverno
+REGISTRY?=ghcr.io
+REPO=$(REGISTRY)/kyverno
 IMAGE_TAG?=$(GIT_VERSION)
 GOOS ?= $(shell go env GOOS)
 PACKAGE ?=github.com/kyverno/kyverno
@@ -38,14 +38,14 @@ docker-publish-initContainer: docker-build-initContainer docker-tag-repo-initCon
 docker-build-initContainer:
 	CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH)/main.go
 	echo $(PWD)/$(INITC_PATH)/
-	@docker build -f $(PWD)/$(INITC_PATH)/Dockerfile -t $(REGISTRY)/nirmata/$(INITC_IMAGE):$(IMAGE_TAG) $(PWD)/$(INITC_PATH)/
+	@docker build -f $(PWD)/$(INITC_PATH)/Dockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(PWD)/$(INITC_PATH)/
 
 docker-tag-repo-initContainer:
-	@docker tag $(REGISTRY)/nirmata/$(INITC_IMAGE):$(IMAGE_TAG) $(REGISTRY)/nirmata/$(INITC_IMAGE):latest
+	@docker tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(REPO)/$(INITC_IMAGE):latest
 
 docker-push-initContainer:
-	@docker push $(REGISTRY)/nirmata/$(INITC_IMAGE):$(IMAGE_TAG)
-	@docker push $(REGISTRY)/nirmata/$(INITC_IMAGE):latest
+	@docker push $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG)
+	@docker push $(REPO)/$(INITC_IMAGE):latest
 
 ##################################
 # KYVERNO CONTAINER
@@ -65,15 +65,15 @@ docker-publish-kyverno: docker-build-kyverno  docker-tag-repo-kyverno  docker-pu
 
 docker-build-kyverno:
 	CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/main.go
-	@docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REGISTRY)/nirmata/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(PWD)/$(KYVERNO_PATH)
+	@docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(PWD)/$(KYVERNO_PATH)
 
 docker-tag-repo-kyverno:
-	@echo "docker tag $(REGISTRY)/nirmata/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(REGISTRY)/nirmata/$(KYVERNO_IMAGE):latest"
-	@docker tag $(REGISTRY)/nirmata/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(REGISTRY)/nirmata/$(KYVERNO_IMAGE):latest
+	@echo "docker tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(REPO)/$(KYVERNO_IMAGE):latest"
+	@docker tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(REPO)/$(KYVERNO_IMAGE):latest
 
 docker-push-kyverno:
-	@docker push $(REGISTRY)/nirmata/$(KYVERNO_IMAGE):$(IMAGE_TAG)
-	@docker push $(REGISTRY)/nirmata/$(KYVERNO_IMAGE):latest
+	@docker push $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG)
+	@docker push $(REPO)/$(KYVERNO_IMAGE):latest
 
 ##################################
 
@@ -98,15 +98,15 @@ docker-publish-cli: docker-build-cli  docker-tag-repo-cli  docker-push-cli
 
 docker-build-cli:
 	CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(CLI_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH)/main.go
-	@docker build -f $(PWD)/$(CLI_PATH)/Dockerfile -t $(REGISTRY)/nirmata/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) $(PWD)/$(CLI_PATH)
+	@docker build -f $(PWD)/$(CLI_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) $(PWD)/$(CLI_PATH)
 
 docker-tag-repo-cli:
-	@echo "docker tag $(REGISTRY)/nirmata/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) $(REGISTRY)/nirmata/$(KYVERNO_CLI_IMAGE):latest"
-	@docker tag $(REGISTRY)/nirmata/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) $(REGISTRY)/nirmata/$(KYVERNO_CLI_IMAGE):latest
+	@echo "docker tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) $(REPO)/$(KYVERNO_CLI_IMAGE):latest"
+	@docker tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) $(REPO)/$(KYVERNO_CLI_IMAGE):latest
 
 docker-push-cli:
-	@docker push $(REGISTRY)/nirmata/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG)
-	@docker push $(REGISTRY)/nirmata/$(KYVERNO_CLI_IMAGE):latest
+	@docker push $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG)
+	@docker push $(REPO)/$(KYVERNO_CLI_IMAGE):latest
 
 ##################################
 docker-publish-all: docker-publish-initContainer docker-publish-kyverno docker-publish-cli

charts/kyverno/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: kyverno
-version: v1.3.0-rc4
-appVersion: v1.3.0-rc4
+version: v1.3.0-rc5
+appVersion: v1.3.0-rc5
 icon: https://github.com/kyverno/kyverno/blob/master/documentation/images/Kyverno_Horizontal.png
 description: Kubernetes Native Policy Management
 keywords:

charts/kyverno/README.md

@@ -73,10 +73,10 @@ Parameter | Description | Default
 `generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]`
 `image.pullPolicy` | Image pull policy | `IfNotPresent`
 `image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods)
-`image.repository` | Image repository | `nirmata/kyverno`
+`image.repository` | Image repository | `ghcr.io/kyverno/kyverno`
 `image.tag` | Image tag | `nil`
 `initImage.pullPolicy` | Init image pull policy | `nil`
-`initImage.repository` | Init image repository | `nirmata/kyvernopre`
+`initImage.repository` | Init image repository | `ghcr.io/kyverno/kyvernopre`
 `initImage.tag` | Init image tag | `nil`
 `livenessProbe` | liveness probe configuration | `{}`
 `nameOverride` | override the name of the chart | `nil`

charts/kyverno/values.yaml

@@ -11,14 +11,14 @@ rbac:
     #   example.com/annotation: value
 
 image:
-  repository: nirmata/kyverno
+  repository: ghcr.io/kyverno/kyverno
   # Defaults to appVersion in Chart.yaml if omitted
   tag:
   pullPolicy: IfNotPresent
   pullSecrets: []
   # - secretName
 initImage:
-  repository: nirmata/kyvernopre
+  repository: ghcr.io/kyverno/kyvernopre
   # If initImage.tag is missing, defaults to image.tag
   tag:
   # If initImage.pullPolicy is missing, defaults to image.pullPolicy

definitions/install.yaml

@@ -2993,7 +2993,7 @@ spec:
               fieldPath: metadata.namespace
         - name: KYVERNO_SVC
           value: kyverno-svc
-        image: nirmata/kyverno:v1.3.0-rc4
+        image: ghcr.io/kyverno/kyverno:v1.3.0-rc5
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 4
@@ -3036,7 +3036,7 @@ spec:
           runAsNonRoot: true
           runAsUser: 1000
       initContainers:
-      - image: nirmata/kyvernopre:v1.3.0-rc4
+      - image: ghcr.io/kyverno/kyvernopre:v1.3.0-rc5
         imagePullPolicy: Always
         name: kyverno-pre
         securityContext:

definitions/kustomization.yaml

@@ -6,9 +6,9 @@ resources:
 - ./manifest/
 - ./k8s-resource/
 images:
-- name: nirmata/kyverno
-  newName: nirmata/kyverno
-  newTag: v1.3.0-rc4
-- name: nirmata/kyvernopre
-  newName: nirmata/kyvernopre
-  newTag: v1.3.0-rc4
+- name: ghcr.io/kyverno/kyverno
+  newName: ghcr.io/kyverno/kyverno
+  newTag: v1.3.0-rc5
+- name: ghcr.io/kyverno/kyvernopre
+  newName: ghcr.io/kyverno/kyvernopre
+  newTag: v1.3.0-rc5

definitions/manifest/deployment.yaml

@@ -21,7 +21,7 @@ spec:
         runAsNonRoot: true
       initContainers:
         - name: kyverno-pre
-          image: nirmata/kyvernopre:v1.1.9
+          image: ghcr.io/kyverno/kyvernopre:latest
           imagePullPolicy: Always
           securityContext:
             runAsUser: 1000
@@ -34,7 +34,7 @@ spec:
                 - all
       containers:
         - name: kyverno
-          image: nirmata/kyverno:latest
+          image: ghcr.io/kyverno/kyverno:latest
           imagePullPolicy: Always
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]"

definitions/release/install.yaml

@@ -2993,7 +2993,7 @@ spec:
               fieldPath: metadata.namespace
         - name: KYVERNO_SVC
           value: kyverno-svc
-        image: nirmata/kyverno:v1.3.0-rc4
+        image: ghcr.io/kyverno/kyverno:v1.3.0-rc5
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 4
@@ -3036,7 +3036,7 @@ spec:
           runAsNonRoot: true
           runAsUser: 1000
       initContainers:
-      - image: nirmata/kyvernopre:v1.3.0-rc4
+      - image: ghcr.io/kyverno/kyvernopre:v1.3.0-rc5
         imagePullPolicy: Always
         name: kyverno-pre
         securityContext:

pkg/policy/validate.go

@@ -302,6 +302,17 @@ func doMatchAndExcludeConflict(rule kyverno.Rule) bool {
 		return false
 	}
 
+	if rule.MatchResources.Annotations != nil && rule.ExcludeResources.Annotations != nil {
+		if !(reflect.DeepEqual(rule.MatchResources.Annotations, rule.ExcludeResources.Annotations)) {
+			return false
+		}
+	}
+
+	if (rule.MatchResources.Annotations == nil && rule.ExcludeResources.Annotations != nil) ||
+		(rule.MatchResources.Annotations != nil && rule.ExcludeResources.Annotations == nil) {
+		return false
+	}
+
 	return true
 }
 

samples/README.md

@@ -2,7 +2,7 @@
 
 Sample policies are designed to be applied to your Kubernetes clusters with minimal changes.
 
-The policies are mostly validation rules in `audit` mode i.e. your existing workloads will not be impacted, but will be audited for policy compliance.
+The policies are mostly validation rules in `audit` mode (i.e. your existing workloads will not be impacted, but will be audited for policy compliance). It is recommended that all policies be tested and observed in a non-production environment before setting `enforce` mode.
 
 ## Best Practice Policies
 
@@ -45,6 +45,13 @@ These policies provide additional best practices and are worthy of close conside
 1. [Disallow mounting Secrets as environment variables](DisallowSecretsFromEnvVars.md)
 1. [Add default labels](AddDefaultLabels.md)
 
+## Miscellaneous Policies
+
+Policies in this group are either highly-specific, involve third-party CRDs, or may be variations on standard Best Practice or Additional policies.
+
+1. [Require `imagePullPolicy` of `Always` for images not using `latest` tags](RequireImagePullPolicyAlways.md)
+1. [Require images using `latest` tag not use `imagePullPolicy` of `Always`](RequireLatestImagesNotUseAlways.md)
+
 ## Applying the sample policies
 
 To apply these policies to your cluster, install Kyverno and import the policies as follows:

samples/RequireImagePullPolicyAlways.md

@@ -0,0 +1,29 @@
+# Require `imagePullPolicy` is set to `Always` for images not using `latest` tags
+
+By default, Kubernetes sets the `imagePullPolicy` for images which specify a tag to be `IfNotPresent`. In some cases, this may not be desired where the image could be rebuilt upstream. This sample policy ensures that all containers have their `imagePullPolicy` set to `Always`.
+
+## Policy YAML
+
+[imagepullpolicy-always.yaml](misc/imagepullpolicy-always.yaml)
+
+```yaml
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: imagepullpolicy-always
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+  - name: imagepullpolicy-always
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "The imagePullPolicy must be set to `Always` for all containers when a tag other than `latest` is used."  
+      pattern:
+        spec:
+          containers:
+          - imagePullPolicy: Always
+```

samples/RequireLatestImagesNotUseAlways.md

@@ -0,0 +1,32 @@
+# Require images using `latest` tag set `imagePullPolicy` to not `Always`
+
+When using the `latest` tag for images, although generally [not a best practice](DisallowLatestTag.md), Kubernetes defaults its `imagePullPolicy` to `Always`. Since Docker Hub has instituted a [rate-limiting policy](https://www.docker.com/blog/what-you-need-to-know-about-upcoming-docker-hub-rate-limiting/), this could result in reaching that limit faster than anticipated, which could mean errors for other Pods in the cluster or across the enterprise. Ensuring those `latest`-tagged images do not use the default of `Always` is one way to ensure pulls are only when needed.
+
+This sample policy checks the `image` value and ensures that if `:latest` is defined that the `imagePullPolicy` must use something other than the value of `Always`. Note that if no tag is defined, Kyverno will not see that as a violation of the policy.
+
+## Policy YAML
+
+[latestimage-notalways.yaml](misc/latestimage-notalways.yaml)
+
+```yaml
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: latestimage-notalways
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+  - name: latestimage-notalways
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "When using the `latest` tag, the `imagePullPolicy` must not use `Always`."  
+      pattern:
+        spec:
+          containers:
+          - (image): "*:latest"
+            imagePullPolicy: "!Always"
+```