Affected by GO-2023-1804 and 3 other vulnerabilities

GO-2023-1804: Kyverno vulnerable due to usage of insecure cipher in github.com/kyverno/kyverno

GO-2023-1819: Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno

GO-2023-2340: Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno

GO-2024-3230: Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno

context

package

v1.5.7 Latest Latest Go to latest Published: Jan 25, 2022 License: Apache-2.0 Imports: 18 Imported by: 4

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kyverno/kyverno

Links

Open Source Insights

Documentation ¶

Index ¶

func MutateResourceWithImageInfo(raw []byte, ctx *Context) error
type ContainerImage
type Context
- func NewContext() *Context
type EvalInterface
type ImageInfo
- func (i *ImageInfo) String() string
type Images
type Interface
type InvalidVariableErr
- func (i InvalidVariableErr) Error() string
type MockContext
- func NewMockContext(re *regexp.Regexp, vars ...string) *MockContext

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func MutateResourceWithImageInfo ¶ added in v1.4.2

func MutateResourceWithImageInfo(raw []byte, ctx *Context) error

MutateResourceWithImageInfo will set images to their canonical form so that they can be compared in a predictable manner. This sets the default registry as `docker.io` and the tag as `latest` if these are missing.

Types ¶

type ContainerImage ¶ added in v1.4.2

type ContainerImage struct {
	Name  string
	Image *ImageInfo
}

type Context ¶

type Context struct {
	// contains filtered or unexported fields
}

Context stores the data resources as JSON

func NewContext ¶

func NewContext() *Context

NewContext returns a new context

func (*Context) AddImageInfo ¶ added in v1.3.5

func (ctx *Context) AddImageInfo(resource *unstructured.Unstructured) error

func (*Context) AddJSON ¶

func (ctx *Context) AddJSON(dataRaw []byte) error

AddJSON merges json data

func (*Context) AddJSONObject ¶ added in v1.5.0

func (ctx *Context) AddJSONObject(jsonData interface{}) error

AddJSON merges json data

func (*Context) AddNamespace ¶ added in v1.3.4

func (ctx *Context) AddNamespace(namespace string) error

AddNamespace merges resource json under request.namespace

func (*Context) AddRequest ¶ added in v1.2.0

func (ctx *Context) AddRequest(request *v1beta1.AdmissionRequest) error

AddRequest adds an admission request to context

func (*Context) AddResource ¶

func (ctx *Context) AddResource(dataRaw []byte) error

AddResource data at path: request.object

func (*Context) AddResourceAsObject ¶ added in v1.4.2

func (ctx *Context) AddResourceAsObject(data interface{}) error

func (*Context) AddResourceInOldObject ¶ added in v1.4.2

func (ctx *Context) AddResourceInOldObject(dataRaw []byte) error

AddResourceInOldObject data at path: request.oldObject

func (*Context) AddServiceAccount ¶ added in v1.3.0

func (ctx *Context) AddServiceAccount(userName string) error

AddServiceAccount removes prefix 'system:serviceaccount:' and namespace, then loads only SA name and SA namespace

func (*Context) AddUserInfo ¶

func (ctx *Context) AddUserInfo(userRequestInfo kyverno.RequestInfo) error

AddUserInfo adds userInfo at path request.userInfo

func (*Context) Checkpoint ¶ added in v1.3.2

func (ctx *Context) Checkpoint()

Checkpoint creates a copy of the current internal state and pushes it into a stack of stored states.

func (*Context) HasChanged ¶ added in v1.4.2

func (ctx *Context) HasChanged(jmespath string) (bool, error)

func (*Context) ImageInfo ¶ added in v1.4.2

func (ctx *Context) ImageInfo() *Images

func (*Context) Query ¶

func (ctx *Context) Query(query string) (interface{}, error)

Query the JSON context with JMESPATH search path

func (*Context) Reset ¶ added in v1.5.0

func (ctx *Context) Reset()

Reset sets the internal state to the last checkpoint, but does not remove the checkpoint.

func (*Context) Restore ¶ added in v1.3.2

func (ctx *Context) Restore()

Restore sets the internal state to the last checkpoint, and removes the checkpoint.

type EvalInterface ¶

type EvalInterface interface {

	// Query accepts a JMESPath expression and returns matching data
	Query(query string) (interface{}, error)

	// HasChanged accepts a JMESPath expression and compares matching data in the
	// request.object and request.oldObject context fields. If the data has changed
	// it return `true`. If the data has not changed it returns false. If either
	// request.object or request.oldObject are not found, an error is returned.
	HasChanged(jmespath string) (bool, error)
}

EvalInterface is used to query and inspect context data

type ImageInfo ¶ added in v1.4.2

type ImageInfo struct {

	// Registry is the URL address of the image registry e.g. `docker.io`
	Registry string `json:"registry,omitempty"`

	// Name is the image name portion e.g. `busybox`
	Name string `json:"name"`

	// Path is the repository path and image name e.g. `some-repository/busybox`
	Path string `json:"path"`

	// Tag is the image tag e.g. `v2`
	Tag string `json:"tag,omitempty"`

	// Digest is the image digest portion e.g. `sha256:128c6e3534b842a2eec139999b8ce8aa9a2af9907e2b9269550809d18cd832a3`
	Digest string `json:"digest,omitempty"`

	// JSONPointer is full JSON path to this image e.g. `/spec/containers/0/image`
	JSONPointer string `json:"jsonPath,omitempty"`
}

func (*ImageInfo) String ¶ added in v1.4.2

func (i *ImageInfo) String() string

type Images ¶ added in v1.4.2

type Images struct {
	InitContainers map[string]*ImageInfo `json:"initContainers,omitempty"`
	Containers     map[string]*ImageInfo `json:"containers"`
}

type Interface ¶

type Interface interface {

	// AddRequest marshals and adds the admission request to the context
	AddRequest(request *v1beta1.AdmissionRequest) error

	// AddJSON  merges the json with context
	AddJSON(dataRaw []byte) error

	// AddResource merges resource json under request.object
	AddResource(dataRaw []byte) error

	// AddUserInfo merges userInfo json under kyverno.userInfo
	AddUserInfo(userInfo kyverno.UserInfo) error

	// AddServiceAccount merges ServiceAccount types
	AddServiceAccount(userName string) error

	// AddNamespace merges resource json under request.namespace
	AddNamespace(namespace string) error

	EvalInterface
}

Interface to manage context operations

type InvalidVariableErr ¶ added in v1.3.4

type InvalidVariableErr struct {
	// contains filtered or unexported fields
}

InvalidVariableErr represents error for non-white-listed variables

func (InvalidVariableErr) Error ¶ added in v1.3.4

func (i InvalidVariableErr) Error() string

type MockContext ¶ added in v1.5.2

type MockContext struct {
	// contains filtered or unexported fields
}

MockContext is used for testing and validation of variables

func NewMockContext ¶ added in v1.5.2

func NewMockContext(re *regexp.Regexp, vars ...string) *MockContext

NewMockContext creates a new MockContext that allows variables matching the supplied list of wildcard patterns

func (*MockContext) AddVariable ¶ added in v1.5.2

func (ctx *MockContext) AddVariable(wildcardPattern string)

AddVariable adds given wildcardPattern to the allowed variable patterns

func (*MockContext) HasChanged ¶ added in v1.5.2

func (ctx *MockContext) HasChanged(_ string) (bool, error)

func (*MockContext) Query ¶ added in v1.5.2

func (ctx *MockContext) Query(query string) (interface{}, error)

Query the JSON context with JMESPATH search path

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL