Affected by GO-2023-1804 and 3 other vulnerabilities

GO-2023-1804: Kyverno vulnerable due to usage of insecure cipher in github.com/kyverno/kyverno

GO-2023-1819: Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno

GO-2023-2340: Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno

GO-2024-3230: Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno

config

package

v1.6.10 Latest Latest Go to latest Published: Feb 25, 2022 License: Apache-2.0 Imports: 20 Imported by: 6

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kyverno/kyverno

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func CreateClientConfig(kubeconfig string, qps float64, burst int, log logr.Logger) (*rest.Config, error)
type ConfigData
- func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, ...) *ConfigData
type Interface
type MetricsConfig
type MetricsConfigData
- func NewMetricsConfigData(rclient kubernetes.Interface, log logr.Logger) (*MetricsConfigData, error)
type WebhookConfig

Constants ¶

View Source

const (
	//MutatingWebhookConfigurationName default resource mutating webhook configuration name
	MutatingWebhookConfigurationName = "kyverno-resource-mutating-webhook-cfg"
	//MutatingWebhookConfigurationDebugName default resource mutating webhook configuration name for debug mode
	MutatingWebhookConfigurationDebugName = "kyverno-resource-mutating-webhook-cfg-debug"
	//MutatingWebhookName default resource mutating webhook name
	MutatingWebhookName = "mutate.kyverno.svc"

	ValidatingWebhookConfigurationName      = "kyverno-resource-validating-webhook-cfg"
	ValidatingWebhookConfigurationDebugName = "kyverno-resource-validating-webhook-cfg-debug"
	ValidatingWebhookName                   = "validate.kyverno.svc"

	//VerifyMutatingWebhookConfigurationName default verify mutating webhook configuration name
	VerifyMutatingWebhookConfigurationName = "kyverno-verify-mutating-webhook-cfg"
	//VerifyMutatingWebhookConfigurationDebugName default verify mutating webhook configuration name for debug mode
	VerifyMutatingWebhookConfigurationDebugName = "kyverno-verify-mutating-webhook-cfg-debug"
	//VerifyMutatingWebhookName default verify mutating webhook name
	VerifyMutatingWebhookName = "monitor-webhooks.kyverno.svc"

	//PolicyValidatingWebhookConfigurationName default policy validating webhook configuration name
	PolicyValidatingWebhookConfigurationName = "kyverno-policy-validating-webhook-cfg"
	//PolicyValidatingWebhookConfigurationDebugName default policy validating webhook configuration name for debug mode
	PolicyValidatingWebhookConfigurationDebugName = "kyverno-policy-validating-webhook-cfg-debug"
	//PolicyValidatingWebhookName default policy validating webhook name
	PolicyValidatingWebhookName = "validate-policy.kyverno.svc"

	//PolicyMutatingWebhookConfigurationName default policy mutating webhook configuration name
	PolicyMutatingWebhookConfigurationName = "kyverno-policy-mutating-webhook-cfg"
	//PolicyMutatingWebhookConfigurationDebugName default policy mutating webhook configuration name for debug mode
	PolicyMutatingWebhookConfigurationDebugName = "kyverno-policy-mutating-webhook-cfg-debug"
	//PolicyMutatingWebhookName default policy mutating webhook name
	PolicyMutatingWebhookName = "mutate-policy.kyverno.svc"

	// DeploymentKind define the default deployment resource kind
	DeploymentKind = "Deployment"

	// DeploymentAPIVersion define the default deployment resource apiVersion
	DeploymentAPIVersion = "apps/v1"

	// NamespaceKind define the default namespace resource kind
	NamespaceKind = "Namespace"

	// NamespaceAPIVersion define the default namespace resource apiVersion
	NamespaceAPIVersion = "v1"

	// ClusterRoleAPIVersion define the default clusterrole resource apiVersion
	ClusterRoleAPIVersion = "rbac.authorization.k8s.io/v1"

	// ClusterRoleKind define the default clusterrole resource kind
	ClusterRoleKind = "ClusterRole"
)

These constants MUST be equal to the corresponding names in service definition in definitions/install.yaml

Variables ¶

View Source

var (
	//KyvernoNamespace is the Kyverno namespace
	KyvernoNamespace = getKyvernoNameSpace()

	// KyvernoDeploymentName is the Kyverno deployment name
	KyvernoDeploymentName = getKyvernoDeploymentName()

	//KyvernoServiceName is the Kyverno service name
	KyvernoServiceName = getKyvernoServiceName()

	//MutatingWebhookServicePath is the path for mutation webhook
	MutatingWebhookServicePath = "/mutate"

	//ValidatingWebhookServicePath is the path for validation webhook
	ValidatingWebhookServicePath = "/validate"

	//PolicyValidatingWebhookServicePath is the path for policy validation webhook(used to validate policy resource)
	PolicyValidatingWebhookServicePath = "/policyvalidate"

	//PolicyMutatingWebhookServicePath is the path for policy mutation webhook(used to default)
	PolicyMutatingWebhookServicePath = "/policymutate"

	//VerifyMutatingWebhookServicePath is the path for verify webhook(used to veryfing if admission control is enabled and active)
	VerifyMutatingWebhookServicePath = "/verifymutate"

	// LivenessServicePath is the path for check liveness health
	LivenessServicePath = "/health/liveness"

	// ReadinessServicePath is the path for check readness health
	ReadinessServicePath = "/health/readiness"
)

Functions ¶

func CreateClientConfig ¶ added in v1.1.0

func CreateClientConfig(kubeconfig string, qps float64, burst int, log logr.Logger) (*rest.Config, error)

CreateClientConfig creates client config and applies rate limit QPS and burst

Types ¶

type ConfigData ¶ added in v0.11.0

type ConfigData struct {
	// contains filtered or unexported fields
}

ConfigData stores the configuration

func NewConfigData ¶ added in v0.11.0

func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, filterK8sResources, excludeGroupRole, excludeUsername string, reconcilePolicyReport, updateWebhookConfigurations chan<- bool, log logr.Logger) *ConfigData

NewConfigData ...

func (*ConfigData) FilterNamespaces ¶ added in v1.3.2

func (cd *ConfigData) FilterNamespaces(namespaces []string) []string

FilterNamespaces filters exclude namespace

func (*ConfigData) GetExcludeGroupRole ¶ added in v1.2.0

func (cd *ConfigData) GetExcludeGroupRole() []string

GetExcludeGroupRole return exclude roles

func (*ConfigData) GetExcludeUsername ¶ added in v1.2.0

func (cd *ConfigData) GetExcludeUsername() []string

GetExcludeUsername return exclude username

func (*ConfigData) GetGenerateSuccessEvents ¶ added in v1.4.2

func (cd *ConfigData) GetGenerateSuccessEvents() bool

GetGenerateSuccessEvents return if should generate success events

func (*ConfigData) GetInitConfigMapName ¶ added in v1.4.0

func (cd *ConfigData) GetInitConfigMapName() string

GetInitConfigMapName returns the init configmap name

func (*ConfigData) GetWebhooks ¶ added in v1.4.0

func (cd *ConfigData) GetWebhooks() []WebhookConfig

GetWebhooks returns the webhook configs

func (*ConfigData) RestrictDevelopmentUsername ¶ added in v1.2.0

func (cd *ConfigData) RestrictDevelopmentUsername() []string

RestrictDevelopmentUsername return exclude development username

func (*ConfigData) Run ¶ added in v0.11.0

func (cd *ConfigData) Run(stopCh <-chan struct{})

Run checks syncing

func (*ConfigData) ToFilter ¶ added in v0.11.0

func (cd *ConfigData) ToFilter(kind, namespace, name string) bool

ToFilter checks if the given resource is set to be filtered in the configuration

type Interface ¶ added in v0.11.0

type Interface interface {
	ToFilter(kind, namespace, name string) bool
	GetExcludeGroupRole() []string
	GetExcludeUsername() []string
	GetGenerateSuccessEvents() bool
	RestrictDevelopmentUsername() []string
	FilterNamespaces(namespaces []string) []string
	GetWebhooks() []WebhookConfig
	GetInitConfigMapName() string
}

Interface to be used by consumer to check filters

type MetricsConfig ¶ added in v1.4.3

type MetricsConfig struct {
	// contains filtered or unexported fields
}

MetricsConfig stores the config for metrics

type MetricsConfigData ¶ added in v1.4.3

type MetricsConfigData struct {
	// contains filtered or unexported fields
}

MetricsConfigData stores the metrics-related configuration

func NewMetricsConfigData ¶ added in v1.4.3

func NewMetricsConfigData(rclient kubernetes.Interface, log logr.Logger) (*MetricsConfigData, error)

NewMetricsConfigData ...

func (*MetricsConfigData) GetExcludeNamespaces ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetExcludeNamespaces() []string

GetExcludeNamespaces returns the namespaces to ignore for metrics exposure

func (*MetricsConfigData) GetIncludeNamespaces ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetIncludeNamespaces() []string

GetIncludeNamespaces returns the namespaces to specifically consider for metrics exposure

func (*MetricsConfigData) GetMetricsConfigMapName ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetMetricsConfigMapName() string

GetMetricsConfigMapName returns the configmap name for the metric

func (*MetricsConfigData) GetMetricsRefreshInterval ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetMetricsRefreshInterval() time.Duration

GetMetricsRefreshInterval returns the refresh interval for the metrics

type WebhookConfig ¶ added in v1.4.0

type WebhookConfig struct {
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,5,opt,name=namespaceSelector"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL