Affected by GO-2023-1804 and 3 other vulnerabilities

GO-2023-1804: Kyverno vulnerable due to usage of insecure cipher in github.com/kyverno/kyverno

GO-2023-1819: Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno

GO-2023-2340: Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno

GO-2024-3230: Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno

engine

package

v1.3.0-rc9 Latest Latest Go to latest Published: Jan 1, 2021 License: Apache-2.0 Imports: 28 Imported by: 2

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kyverno/kyverno

Documentation ¶

Index ¶

Constants
func AddResourceToContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, ...) error
func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, ...) (unstructured.Unstructured, error)
func Generate(policyContext PolicyContext) (resp *response.EngineResponse)
func ManagedPodResource(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) bool
func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, ...) error
func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse)
func Validate(policyContext *PolicyContext) (resp *response.EngineResponse)
type EngineStats
type PolicyContext

Constants ¶

View Source

const (
	// PodControllerCronJob represent CronJob string
	PodControllerCronJob = "CronJob"
	//PodControllers stores the list of Pod-controllers in csv string
	PodControllers = "DaemonSet,Deployment,Job,StatefulSet,CronJob"
	//PodControllersAnnotation defines the annotation key for Pod-Controllers
	PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
)

Variables ¶

This section is empty.

Functions ¶

func AddResourceToContext ¶ added in v1.2.0

func AddResourceToContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, resCache resourcecache.ResourceCacheIface, ctx *context.Context) error

AddResourceToContext - Add the Configmap JSON to Context. it will read configmaps (can be extended to get other type of resource like secrets, namespace etc) from the informer cache and add the configmap data to context

func ForceMutate ¶ added in v1.2.0

func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (unstructured.Unstructured, error)

ForceMutate does not check any conditions, it simply mutates the given resource

func Generate ¶

func Generate(policyContext PolicyContext) (resp *response.EngineResponse)

Generate checks for validity of generate rule on the resource 1. validate variables to be substitute in the general ruleInfo (match,exclude,condition)

the caller has to check the ruleResponse to determine whether the path exist

2. returns the list of rules that are applicable on this policy and resource, if 1 succeed

func ManagedPodResource ¶ added in v1.3.0

func ManagedPodResource(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) bool

ManagedPodResource returns true: - if the policy has auto-gen annotation && resource == Pod - if the auto-gen contains cronJob && resource == Job

func MatchesResourceDescription ¶ added in v0.8.0

func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo, dynamicConfig []string) error

MatchesResourceDescription checks if the resource matches resource description of the rule or not

func Mutate ¶

func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse)

Mutate performs mutation. Overlay first and then mutation patches

func Validate ¶

func Validate(policyContext *PolicyContext) (resp *response.EngineResponse)

Validate applies validation rules from policy on the resource

Types ¶

type EngineStats ¶ added in v0.8.0

type EngineStats struct {
	// average time required to process the policy rules on a resource
	ExecutionTime time.Duration
	// Count of rules that were applied successfully
	RulesAppliedCount int
}

EngineStats stores in the statistics for a single application of resource

type PolicyContext ¶ added in v1.0.0

type PolicyContext struct {

	// Policy is the policy to be processed
	Policy kyverno.ClusterPolicy

	// NewResource is the resource to be processed
	NewResource unstructured.Unstructured

	// OldResource is the prior resource for an update, or nil
	OldResource unstructured.Unstructured

	// AdmissionInfo contains the admission request information
	AdmissionInfo kyverno.RequestInfo

	// Dynamic client - used by generate
	Client *client.Client

	// Config handler
	ExcludeGroupRole []string

	ExcludeResourceFunc func(kind, namespace, name string) bool

	// ResourceCache provides listers to resources. Currently Supports Configmap
	ResourceCache resourcecache.ResourceCacheIface

	// JSONContext is the variable context
	JSONContext *context.Context
}

PolicyContext contains the contexts for engine to process

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
anchor
common
common
context
mutate
operator
response
utils
validate
variables
operator
wildcards

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL