Affected by GO-2023-1804 and 3 other vulnerabilities

GO-2023-1804: Kyverno vulnerable due to usage of insecure cipher in github.com/kyverno/kyverno

GO-2023-1819: Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno

GO-2023-2340: Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno

GO-2024-3230: Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno

config

package

v1.7.1 Latest Latest Go to latest Published: Jun 17, 2022 License: Apache-2.0 Imports: 19 Imported by: 6

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kyverno/kyverno

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func ConfigureClientConfig(clientConfig *rest.Config, qps float64, burst int) error
type Configuration
- func NewConfiguration(client kubernetes.Interface, ...) (Configuration, error)
type MetricsConfig
type MetricsConfigData
- func NewMetricsConfigData(rclient kubernetes.Interface) (*MetricsConfigData, error)
type WebhookConfig

Constants ¶

View Source

const (
	// MutatingWebhookConfigurationName default resource mutating webhook configuration name
	MutatingWebhookConfigurationName = "kyverno-resource-mutating-webhook-cfg"
	// MutatingWebhookConfigurationDebugName default resource mutating webhook configuration name for debug mode
	MutatingWebhookConfigurationDebugName = "kyverno-resource-mutating-webhook-cfg-debug"
	// MutatingWebhookName default resource mutating webhook name
	MutatingWebhookName = "mutate.kyverno.svc"
	// ValidatingWebhookConfigurationName ...
	ValidatingWebhookConfigurationName = "kyverno-resource-validating-webhook-cfg"
	// ValidatingWebhookConfigurationDebugName ...
	ValidatingWebhookConfigurationDebugName = "kyverno-resource-validating-webhook-cfg-debug"
	// ValidatingWebhookName ...
	ValidatingWebhookName = "validate.kyverno.svc"
	//VerifyMutatingWebhookConfigurationName default verify mutating webhook configuration name
	VerifyMutatingWebhookConfigurationName = "kyverno-verify-mutating-webhook-cfg"
	//VerifyMutatingWebhookConfigurationDebugName default verify mutating webhook configuration name for debug mode
	VerifyMutatingWebhookConfigurationDebugName = "kyverno-verify-mutating-webhook-cfg-debug"
	//VerifyMutatingWebhookName default verify mutating webhook name
	VerifyMutatingWebhookName = "monitor-webhooks.kyverno.svc"
	//PolicyValidatingWebhookConfigurationName default policy validating webhook configuration name
	PolicyValidatingWebhookConfigurationName = "kyverno-policy-validating-webhook-cfg"
	//PolicyValidatingWebhookConfigurationDebugName default policy validating webhook configuration name for debug mode
	PolicyValidatingWebhookConfigurationDebugName = "kyverno-policy-validating-webhook-cfg-debug"
	//PolicyValidatingWebhookName default policy validating webhook name
	PolicyValidatingWebhookName = "validate-policy.kyverno.svc"
	//PolicyMutatingWebhookConfigurationName default policy mutating webhook configuration name
	PolicyMutatingWebhookConfigurationName = "kyverno-policy-mutating-webhook-cfg"
	//PolicyMutatingWebhookConfigurationDebugName default policy mutating webhook configuration name for debug mode
	PolicyMutatingWebhookConfigurationDebugName = "kyverno-policy-mutating-webhook-cfg-debug"
	//PolicyMutatingWebhookName default policy mutating webhook name
	PolicyMutatingWebhookName = "mutate-policy.kyverno.svc"
	// Due to kubernetes issue, we must use next literal constants instead of deployment TypeMeta fields
	// Issue: https://github.com/kubernetes/kubernetes/pull/63972
	// When the issue is closed, we should use TypeMeta struct instead of this constants
	// ClusterRoleAPIVersion define the default clusterrole resource apiVersion
	ClusterRoleAPIVersion = "rbac.authorization.k8s.io/v1"
	// ClusterRoleKind define the default clusterrole resource kind
	ClusterRoleKind = "ClusterRole"
	//MutatingWebhookServicePath is the path for mutation webhook
	MutatingWebhookServicePath = "/mutate"
	//ValidatingWebhookServicePath is the path for validation webhook
	ValidatingWebhookServicePath = "/validate"
	//PolicyValidatingWebhookServicePath is the path for policy validation webhook(used to validate policy resource)
	PolicyValidatingWebhookServicePath = "/policyvalidate"
	//PolicyMutatingWebhookServicePath is the path for policy mutation webhook(used to default)
	PolicyMutatingWebhookServicePath = "/policymutate"
	//VerifyMutatingWebhookServicePath is the path for verify webhook(used to veryfing if admission control is enabled and active)
	VerifyMutatingWebhookServicePath = "/verifymutate"
	// LivenessServicePath is the path for check liveness health
	LivenessServicePath = "/health/liveness"
	// ReadinessServicePath is the path for check readness health
	ReadinessServicePath = "/health/readiness"
)

These constants MUST be equal to the corresponding names in service definition in definitions/install.yaml

Variables ¶

View Source

var (
	// KyvernoNamespace is the Kyverno namespace
	KyvernoNamespace = osutils.GetEnvWithFallback("KYVERNO_NAMESPACE", "kyverno")
	// KyvernoDeploymentName is the Kyverno deployment name
	KyvernoDeploymentName = osutils.GetEnvWithFallback("KYVERNO_DEPLOYMENT", "kyverno")
	// KyvernoServiceName is the Kyverno service name
	KyvernoServiceName = osutils.GetEnvWithFallback("KYVERNO_SVC", "kyverno-svc")
	// KyvernoPodName is the Kyverno pod name
	KyvernoPodName = osutils.GetEnvWithFallback("KYVERNO_POD_NAME", "kyverno")
	// KyvernoConfigMapName is the Kyverno configmap name
	KyvernoConfigMapName = osutils.GetEnvWithFallback("INIT_CONFIG", "kyverno")
)

Functions ¶

func ConfigureClientConfig ¶ added in v1.7.0

func ConfigureClientConfig(clientConfig *rest.Config, qps float64, burst int) error

ConfigureClientConfig creates client config and applies rate limit QPS and burst

Types ¶

type Configuration ¶ added in v1.7.0

type Configuration interface {
	// ToFilter checks if the given resource is set to be filtered in the configuration
	ToFilter(kind, namespace, name string) bool
	// GetExcludeGroupRole return exclude roles
	GetExcludeGroupRole() []string
	// GetExcludeUsername return exclude username
	GetExcludeUsername() []string
	// GetGenerateSuccessEvents return if should generate success events
	GetGenerateSuccessEvents() bool
	// RestrictDevelopmentUsername return exclude development username
	RestrictDevelopmentUsername() []string
	// FilterNamespaces filters exclude namespace
	FilterNamespaces(namespaces []string) []string
	// GetWebhooks returns the webhook configs
	GetWebhooks() []WebhookConfig
	// Load loads configuration from a configmap
	Load(cm *v1.ConfigMap)
}

Configuration to be used by consumer to check filters

func NewConfiguration ¶ added in v1.7.0

func NewConfiguration(client kubernetes.Interface, reconcilePolicyReport, updateWebhookConfigurations chan<- bool) (Configuration, error)

NewConfiguration ...

type MetricsConfig ¶ added in v1.4.3

type MetricsConfig struct {
	// contains filtered or unexported fields
}

MetricsConfig stores the config for metrics

type MetricsConfigData ¶ added in v1.4.3

type MetricsConfigData struct {
	// contains filtered or unexported fields
}

MetricsConfigData stores the metrics-related configuration

func NewMetricsConfigData ¶ added in v1.4.3

func NewMetricsConfigData(rclient kubernetes.Interface) (*MetricsConfigData, error)

NewMetricsConfigData ...

func (*MetricsConfigData) GetExcludeNamespaces ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetExcludeNamespaces() []string

GetExcludeNamespaces returns the namespaces to ignore for metrics exposure

func (*MetricsConfigData) GetIncludeNamespaces ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetIncludeNamespaces() []string

GetIncludeNamespaces returns the namespaces to specifically consider for metrics exposure

func (*MetricsConfigData) GetMetricsConfigMapName ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetMetricsConfigMapName() string

GetMetricsConfigMapName returns the configmap name for the metric

func (*MetricsConfigData) GetMetricsRefreshInterval ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetMetricsRefreshInterval() time.Duration

GetMetricsRefreshInterval returns the refresh interval for the metrics

type WebhookConfig ¶ added in v1.4.0

type WebhookConfig struct {
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,5,opt,name=namespaceSelector"`
	ObjectSelector    *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,11,opt,name=objectSelector"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL