feat: add basic structure for image verify cache #7890
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Codecov Report
@@ Coverage Diff @@
## main #7890 +/- ##
==========================================
+ Coverage 33.06% 33.07% +0.01%
==========================================
Files 244 244
Lines 22923 22930 +7
==========================================
+ Hits 7579 7584 +5
- Misses 14554 14556 +2
Partials 790 790
pkg/imageverifycache/client.go
Outdated
c.logger.Info("Cache entry not found", "policyId", policyId, "ruleName", ruleName, "imageRef", imageRef) | ||
c.logger.Info("Cache entry found", "policyId", policyId, "ruleName", ruleName, "imageRef", imageRef) |
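Review bot: "Cache entry not found" and "Cache entry found" are logged on consecutive lines with the same policyId, ruleName and imageRef fields, so as written both messages are emitted for a single lookup. Put each call behind the branch it describes so the log states the actual result of the lookup.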
Conflict logs.
Oh! I have added that there just as a reminder to add a log for "not found" as well, as the cache has not been implemented yet, should we keep it?
Signed-off-by: shuting <shutting06@gmail.com>
@vishal-chdhry so we just store the
@eddycharly, as every cache entry is tied to a policy, I don't see the need to store the payload as well. Every cache entry means that "when this rule in this image is active and a resource is created using the given image, the image is verified." This also includes verification of conditions of the policy. Kyverno will skip the verification altogether for that image. What will the payload be used for?
@vishal-chdhry I hoped that the cache could be a simple middleware on top of the registry client.
I can imagine a potential race issue if a policy is deleted while there's a request in flight.
by adding policy version, old entries will automatically become outdated and we will not have to remove them manually Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
pkg/imageverifycache/interface.go
Outdated
Get(ctx context.Context, policyId string, policyVersion string, ruleName string, imagerRef string) (bool, error) | ||
|
||
// Clear clears the entire cache | ||
Clear(ctx context.Context) (bool, error) |
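Review bot: the last parameter of Get is spelled imagerRef, while Set and the log calls in client.go use imageRef; rename it so the interface is consistent. Clear also returns (bool, error) with a comment that does not say what the bool reports, so either document it or return only error.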
Do we need this?
@eddycharly I don't think we need it, as the TTL cache will clear itself after some time anyway.
pkg/imageverifycache/interface.go
Outdated
// Set Adds an image to the cache. The image is considered to be verified for the given rule in the policy | ||
// The entry outomatically expires after sometime | ||
// Returns true when the cache entry is added | ||
Set(ctx context.Context, policyId string, policyVersion string, ruleName string, imageRef string) (bool, error) |
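Review bot: the doc comment on Set says when true is returned but not when false or a non-nil error is, nor whether false can come back with a nil error. State that contract in the comment so callers know which value to check, and fix the spelling of "outomatically" and "sometime" ("automatically", "some time") while there.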
I wonder if it would make sense to pass the policy interface rather than a policy id and resource version 🤔
@eddycharly If we pass the rule name and image ref before and evaluate the policy version afterwards (when we call `Set()`), isn't it possible that the policy has been modified while we are setting the cache? So we will be adding an entry with the new policy version, but the rule name and image ref are from the previous version.
Maybe we should also pass the Rule and do a check if the rule is still in the policy.
Never mind, I think the version info is stored and not evaluated, so it cannot change.
@vishal-chdhry you need to fix linter issues
// Set Adds an image to the cache. The image is considered to be verified for the given rule in the policy | ||
// The entry outomatically expires after sometime | ||
// Returns true when the cache entry is added | ||
Set(ctx context.Context, policy kyvernov1.PolicyInterface, ruleName string, imageRef string) (bool, error) |
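Review bot: Set now takes a kyvernov1.PolicyInterface, but the comment above it still only says "the given rule in the policy" and does not name which policy fields identify the entry. Add a line stating what is read from the policy to build the cache key, so a reader can tell from the interface alone that an updated policy does not reuse entries written for the earlier version.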
@vishal-chdhry I think there is no need of returning error here.
@hackeramitkumar I see ristretto just returns false when it fails to set the cache. But we cannot silently fail here. Whenever we fail to set the cache, i.e. `SetWithTTL()` returns `false`, we must return an error (with a custom message, since ristretto won't give one).
@eddycharly Linting issue has been fixed
LGTM
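The design the thread converges on (entries keyed by policy, policy version, rule name and image reference, expiring by TTL, with a rejected write surfaced as an error) can be sketched as follows. This is an added example, not code from the PR or from Kyverno: `Policy`, `Outcome`, `VerifyWithCache` and `ErrNotStored` are hypothetical names, a plain map with a capacity limit stands in for ristretto, and the `ctx` and logger arguments are left out.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Policy is a hypothetical stand-in for the parts of kyvernov1.PolicyInterface
// used here: an identifier and a version that changes on every policy update.
type Policy struct{ ID, Version string }

// entryKey is a struct rather than a joined string, so a crafted rule name or
// image reference cannot collide with another entry's fields.
type entryKey struct{ policyID, policyVersion, ruleName, imageRef string }

// ErrNotStored is returned by Set when the underlying store rejects the write.
var ErrNotStored = errors.New("image verify cache: entry not stored")

// Cache records "this image passed this rule of this policy version".
type Cache struct {
	mu      sync.Mutex
	ttl     time.Duration
	max     int
	now     func() time.Time       // injectable clock, so expiry can be tested
	entries map[entryKey]time.Time // value is the expiry time
}

func NewCache(maxEntries int, ttl time.Duration, now func() time.Time) *Cache {
	return &Cache{ttl: ttl, max: maxEntries, now: now, entries: map[entryKey]time.Time{}}
}

// setWithTTL mimics a store that signals a rejected write only by returning false.
func (c *Cache) setWithTTL(k entryKey) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	for old, exp := range c.entries { // evict expired entries before the capacity check
		if !c.now().Before(exp) {
			delete(c.entries, old)
		}
	}
	if _, ok := c.entries[k]; !ok && len(c.entries) >= c.max {
		return false
	}
	c.entries[k] = c.now().Add(c.ttl)
	return true
}

// Set turns the store's silent false into an error the caller can log.
func (c *Cache) Set(p Policy, ruleName, imageRef string) (bool, error) {
	if !c.setWithTTL(entryKey{p.ID, p.Version, ruleName, imageRef}) {
		return false, fmt.Errorf("%w: rule %q, image %q", ErrNotStored, ruleName, imageRef)
	}
	return true, nil
}

// Get reports a hit only for an unexpired entry written under the same policy version.
func (c *Cache) Get(p Policy, ruleName, imageRef string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	exp, ok := c.entries[entryKey{p.ID, p.Version, ruleName, imageRef}]
	return ok && c.now().Before(exp)
}

// Outcome describes how a verification request was served.
type Outcome struct {
	FromCache bool  // verification was skipped because of a cache hit
	CacheErr  error // verification passed, but the result could not be cached
}

// VerifyWithCache skips verify on a hit and caches successful results only.
// The returned error is the verification error; a failed verification is never cached.
func VerifyWithCache(c *Cache, p Policy, ruleName, imageRef string, verify func() error) (Outcome, error) {
	if c.Get(p, ruleName, imageRef) {
		return Outcome{FromCache: true}, nil
	}
	if err := verify(); err != nil {
		return Outcome{}, err
	}
	_, cacheErr := c.Set(p, ruleName, imageRef)
	return Outcome{CacheErr: cacheErr}, nil
}

func main() {
	c := NewCache(1024, time.Hour, time.Now)
	verify := func() error { fmt.Println("verifying signature (stubbed)"); return nil }
	img := "registry.example/app@sha256:0000" // constructed sample reference
	// Same policy twice, then an updated version of it.
	for _, p := range []Policy{{"default/check-image", "100"}, {"default/check-image", "100"}, {"default/check-image", "101"}} {
		out, err := VerifyWithCache(c, p, "verify-signature", img, verify)
		fmt.Printf("policy version %s: fromCache=%v cacheErr=%v err=%v\n", p.Version, out.FromCache, out.CacheErr, err)
	}
}
```

Because the version is part of the key, entries written under an older policy version are never matched again and simply age out, which is why no delete or clear call is needed.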
* feat: add interface for image verify cache
* feat: add basic client for cache
* feat: add ttl to client
* feat: add flags and flag setup
* feat: added a default image verify cache
* feat: add propogation of cache to image verifier
* feat: add useCache to image verification types
* bug: add ivcache to image verifier
* feat: add logger to cache
* typo: DisabledImageVerfiyCache
* typo: DisabledImageVerfiyCache
* Update cmd/internal/flag.go
* feat: add use cache to v2beta1 crd
* bug: change public attribute TTL to private
* fix: replace nil in test with disabled cache
* fix: convert ttl time to time.Duration
* feat: update opts to use time.Duration
* feat:add policy version and remove delete functions

  by adding policy version, old entries will automatically become outdated and we will not have to remove them manually
* feat: remove clear and update get and set to take interface as input
* style: fix lint issue

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary sendtovishalchoudhary@gmail.com
Explanation
This PR