fix: block mutation only when failurePolicy is set to fail (cherry-pick #8952) #8986
Merged
* fix: only block mutation when failurePolicy is set to fail
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* feat: kuttl test
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: add else check
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: update defaulting ns label policy's failure policy to be fail
  based on readme, this test has nothing to do with failurePolicy and resource should not be blocked in case of ignore failurePolicy
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: there is another
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: update policy
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* nit
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* feat: add logs
  Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* Update pkg/webhooks/resource/mutation/mutation.go
  Signed-off-by: shuting <shuting@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
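The fail-closed versus fail-open decision the commit message describes, written out as an added Go example; this is not Kyverno's code, and the policy types, the two sample mutate rules and the Namespace input are constructed assumptions:

```go
package main

import (
	"errors"
	"fmt"
)

// FailurePolicy mirrors the two values Kyverno accepts in spec.failurePolicy.
// Everything in this file is a constructed illustration, not Kyverno's own code.
type FailurePolicy string

const (
	FailurePolicyFail   FailurePolicy = "Fail"
	FailurePolicyIgnore FailurePolicy = "Ignore"
)

// MutatePolicy is a minimal stand-in for a policy with one mutate rule. Mutate
// returns a JSON-patch string (kept opaque here) or an error when the rule cannot run.
type MutatePolicy struct {
	Name          string
	FailurePolicy FailurePolicy
	Mutate        func(resource map[string]any) (patch string, err error)
}

// AdmissionDecision is the outcome the webhook would return to the API server.
type AdmissionDecision struct {
	Allowed  bool
	Patches  []string
	Warnings []string // failures from Ignore policies are reported here, not enforced
	Reason   string   // set only when the request is blocked
}

// Admit runs every policy's mutation against the resource.
// Only an error from a policy whose failurePolicy is Fail blocks the request;
// an error from an Ignore policy is recorded and the request proceeds without that
// policy's patch, which is the behaviour this PR restores.
func Admit(resource map[string]any, policies []MutatePolicy) AdmissionDecision {
	d := AdmissionDecision{Allowed: true}
	for _, p := range policies {
		patch, err := p.Mutate(resource)
		if err == nil {
			if patch != "" {
				d.Patches = append(d.Patches, patch)
			}
			continue
		}
		if p.FailurePolicy == FailurePolicyFail {
			// fail closed: the resource is not admitted
			return AdmissionDecision{Allowed: false, Reason: fmt.Sprintf("policy %s: %v", p.Name, err)}
		}
		// fail open: admit, but make the skipped mutation visible to operators
		d.Warnings = append(d.Warnings, fmt.Sprintf("policy %s skipped (failurePolicy=Ignore): %v", p.Name, err))
	}
	return d
}

// AddDefaultNamespaceLabel is a constructed rule in the spirit of the "defaulting ns
// label" test named in the commit message: it always succeeds.
func AddDefaultNamespaceLabel(fp FailurePolicy) MutatePolicy {
	return MutatePolicy{
		Name:          "add-default-ns-label",
		FailurePolicy: fp,
		Mutate: func(r map[string]any) (string, error) {
			name, _ := r["name"].(string)
			return fmt.Sprintf(`[{"op":"add","path":"/metadata/labels/team","value":"%s"}]`, name), nil
		},
	}
}

// BrokenContextLookup is a constructed rule whose context lookup (for example an
// API call) fails: the kind of error that previously blocked every request.
func BrokenContextLookup(fp FailurePolicy) MutatePolicy {
	return MutatePolicy{
		Name:          "lookup-owner",
		FailurePolicy: fp,
		Mutate: func(map[string]any) (string, error) {
			return "", errors.New("context lookup failed: backend unreachable")
		},
	}
}

func main() {
	// constructed admission input
	ns := map[string]any{"kind": "Namespace", "name": "team-a"}
	for _, fp := range []FailurePolicy{FailurePolicyIgnore, FailurePolicyFail} {
		d := Admit(ns, []MutatePolicy{AddDefaultNamespaceLabel(FailurePolicyFail), BrokenContextLookup(fp)})
		fmt.Printf("broken policy failurePolicy=%s -> allowed=%v patches=%d warnings=%d reason=%q\n",
			fp, d.Allowed, len(d.Patches), len(d.Warnings), d.Reason)
	}
}
```

With Ignore the request is admitted carrying only the successful policy's patch and a warning for the skipped one; with Fail the same error blocks the request.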
realshuting approved these changes on Nov 22, 2023
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files:

@@ Coverage Diff @@
## release-1.11 #8986 +/- ##
=============================================
Coverage 33.35% 33.35%
=============================================
Files 312 312
Lines 25070 25070
=============================================
Hits 8362 8362
Misses 15914 15914
Partials 794 794

View full report in Codecov by Sentry.
renovate bot referenced this pull request in allenporter/flux-local on Dec 20, 2023, in a Renovate dependency update of kyverno/kyverno from v1.10.0 to v1.11.1 (https://renovatebot.com). That PR's body reproduces the Kyverno release notes from v1.10.1 through v1.11.1; the v1.11.1 notes list this fix as "fix: block mutation only when failurePolicy is set to fail (cherry-pick #8952) by @gcp-cherry-pick-bot in https://github.com/kyverno/kyverno/pull/8986".
Cherry-picked fix: block mutation only when failurePolicy is set to fail (#8952)