Affected by GO-2023-1804 and 3 other vulnerabilities

GO-2023-1804: Kyverno vulnerable due to usage of insecure cipher in github.com/kyverno/kyverno

GO-2023-1819: Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno

GO-2023-2340: Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno

GO-2024-3230: Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno

policy

package

v1.2.1 Latest Latest Go to latest Published: Oct 22, 2020 License: Apache-2.0 Imports: 48 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kyverno/kyverno

Links

Open Source Insights

Documentation ¶

Index ¶

func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error
func Validate(policyRaw []byte, client *dclient.Client, mock bool, ...) error
type Condition
type PVControlInterface
type PolicyController
- func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, client *client.Client, ...) (*PolicyController, error)
- func (pc *PolicyController) Run(workers int, stopCh <-chan struct{})
type RealPVControl
- func (r RealPVControl) DeleteClusterPolicyViolation(name string) error
- func (r RealPVControl) DeleteNamespacedPolicyViolation(ns, name string) error
type ResourceManager
- func NewResourceManager(rebuildTime int64) *ResourceManager
type Validation

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ContainsVariablesOtherThanObject ¶ added in v1.2.0

func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error

ContainsVariablesOtherThanObject returns error if variable that does not start from request.object

func Validate ¶ added in v1.2.0

func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIController *openapi.Controller) error

Validate does some initial check to verify some conditions - One operation per rule - ResourceDescription mandatory checks

Types ¶

type Condition ¶ added in v0.9.1

type Condition int

Condition defines condition type

const (
	//NotEvaluate to not evaluate condition
	NotEvaluate Condition = 0
	// Process to evaluate condition
	Process Condition = 1
	// Skip to ignore/skip the condition
	Skip Condition = 2
)

type PVControlInterface ¶

type PVControlInterface interface {
	DeleteClusterPolicyViolation(name string) error
	DeleteNamespacedPolicyViolation(ns, name string) error
}

PVControlInterface provides interface to operate on policy violation resource

type PolicyController ¶

type PolicyController struct {
	// contains filtered or unexported fields
}

PolicyController is responsible for synchronizing Policy objects stored in the system with the corresponding policy violations

func NewPolicyController ¶

func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
	client *client.Client,
	pInformer kyvernoinformer.ClusterPolicyInformer,
	npInformer kyvernoinformer.PolicyInformer,
	cpvInformer kyvernoinformer.ClusterPolicyViolationInformer,
	nspvInformer kyvernoinformer.PolicyViolationInformer,
	grInformer kyvernoinformer.GenerateRequestInformer,
	configHandler config.Interface, eventGen event.Interface,
	pvGenerator policyviolation.GeneratorInterface,
	resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
	namespaces informers.NamespaceInformer,
	log logr.Logger,
	resCache resourcecache.ResourceCacheIface,
) (*PolicyController, error)

NewPolicyController create a new PolicyController

func (*PolicyController) Run ¶

func (pc *PolicyController) Run(workers int, stopCh <-chan struct{})

Run begins watching and syncing.

type RealPVControl ¶

type RealPVControl struct {
	Client   kyvernoclient.Interface
	Recorder record.EventRecorder
}

RealPVControl is the default implementation of PVControlInterface.

func (RealPVControl) DeleteClusterPolicyViolation ¶ added in v1.1.0

func (r RealPVControl) DeleteClusterPolicyViolation(name string) error

DeleteClusterPolicyViolation deletes the policy violation

func (RealPVControl) DeleteNamespacedPolicyViolation ¶ added in v1.0.0

func (r RealPVControl) DeleteNamespacedPolicyViolation(ns, name string) error

DeleteNamespacedPolicyViolation deletes the namespaced policy violation

type ResourceManager ¶

type ResourceManager struct {
	// contains filtered or unexported fields
}

ResourceManager stores the details on already processed resources for caching

func NewResourceManager ¶

func NewResourceManager(rebuildTime int64) *ResourceManager

NewResourceManager returns a new ResourceManager

func (*ResourceManager) Drop ¶

func (rm *ResourceManager) Drop()

Drop drop the cache after every rebuild interval mins TODO: or drop based on the size

func (*ResourceManager) ProcessResource ¶

func (rm *ResourceManager) ProcessResource(policy, pv, kind, ns, name, rv string) bool

ProcessResource returns true if the policy was not applied on the resource

func (*ResourceManager) RegisterResource ¶

func (rm *ResourceManager) RegisterResource(policy, pv, kind, ns, name, rv string)

RegisterResource stores if the policy is processed on this resource version

type Validation ¶ added in v1.2.0

type Validation interface {
	Validate() (string, error)
}

Validation provides methods to validate a rule

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
common
generate
fake
mutate
validate

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL