Affected by GO-2023-1804 and 3 other vulnerabilities

GO-2023-1804: Kyverno vulnerable due to usage of insecure cipher in github.com/kyverno/kyverno

GO-2023-1819: Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno

GO-2023-2340: Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno

GO-2024-3230: Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno

config

package

v1.8.0-rc2 Latest Latest Go to latest Published: Sep 12, 2022 License: Apache-2.0 Imports: 20 Imported by: 6

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kyverno/kyverno

Documentation ¶

Index ¶

Constants
func CreateClientConfig(kubeconfig string, qps float64, burst int) (*rest.Config, error)
func KyvernoConfigMapName() string
func KyvernoDeploymentName() string
func KyvernoNamespace() string
func KyvernoPodName() string
func KyvernoServiceAccountName() string
func KyvernoServiceName() string
type Configuration
- func NewConfiguration(client kubernetes.Interface, ...) (Configuration, error)
- func NewFakeConfig() Configuration
type MetricsConfig
type MetricsConfigData
- func NewFakeMetricsConfig(client kubernetes.Interface) *MetricsConfigData
- func NewMetricsConfigData(rclient kubernetes.Interface) (*MetricsConfigData, error)
type WebhookConfig

Constants ¶

View Source

const (
	// MutatingWebhookConfigurationName default resource mutating webhook configuration name
	MutatingWebhookConfigurationName = "kyverno-resource-mutating-webhook-cfg"
	// MutatingWebhookConfigurationDebugName default resource mutating webhook configuration name for debug mode
	MutatingWebhookConfigurationDebugName = "kyverno-resource-mutating-webhook-cfg-debug"
	// MutatingWebhookName default resource mutating webhook name
	MutatingWebhookName = "mutate.kyverno.svc"
	// ValidatingWebhookConfigurationName ...
	ValidatingWebhookConfigurationName = "kyverno-resource-validating-webhook-cfg"
	// ValidatingWebhookConfigurationDebugName ...
	ValidatingWebhookConfigurationDebugName = "kyverno-resource-validating-webhook-cfg-debug"
	// ValidatingWebhookName ...
	ValidatingWebhookName = "validate.kyverno.svc"
	// VerifyMutatingWebhookConfigurationName default verify mutating webhook configuration name
	VerifyMutatingWebhookConfigurationName = "kyverno-verify-mutating-webhook-cfg"
	// VerifyMutatingWebhookConfigurationDebugName default verify mutating webhook configuration name for debug mode
	VerifyMutatingWebhookConfigurationDebugName = "kyverno-verify-mutating-webhook-cfg-debug"
	// VerifyMutatingWebhookName default verify mutating webhook name
	VerifyMutatingWebhookName = "monitor-webhooks.kyverno.svc"
	// PolicyValidatingWebhookConfigurationName default policy validating webhook configuration name
	PolicyValidatingWebhookConfigurationName = "kyverno-policy-validating-webhook-cfg"
	// PolicyValidatingWebhookConfigurationDebugName default policy validating webhook configuration name for debug mode
	PolicyValidatingWebhookConfigurationDebugName = "kyverno-policy-validating-webhook-cfg-debug"
	// PolicyValidatingWebhookName default policy validating webhook name
	PolicyValidatingWebhookName = "validate-policy.kyverno.svc"
	// PolicyMutatingWebhookConfigurationName default policy mutating webhook configuration name
	PolicyMutatingWebhookConfigurationName = "kyverno-policy-mutating-webhook-cfg"
	// PolicyMutatingWebhookConfigurationDebugName default policy mutating webhook configuration name for debug mode
	PolicyMutatingWebhookConfigurationDebugName = "kyverno-policy-mutating-webhook-cfg-debug"
	// PolicyMutatingWebhookName default policy mutating webhook name
	PolicyMutatingWebhookName = "mutate-policy.kyverno.svc"
	// Due to kubernetes issue, we must use next literal constants instead of deployment TypeMeta fields
	// Issue: https://github.com/kubernetes/kubernetes/pull/63972
	// When the issue is closed, we should use TypeMeta struct instead of this constants
	// ClusterRoleAPIVersion define the default clusterrole resource apiVersion
	ClusterRoleAPIVersion = "rbac.authorization.k8s.io/v1"
	// ClusterRoleKind define the default clusterrole resource kind
	ClusterRoleKind = "ClusterRole"
	// MutatingWebhookServicePath is the path for mutation webhook
	MutatingWebhookServicePath = "/mutate"
	// ValidatingWebhookServicePath is the path for validation webhook
	ValidatingWebhookServicePath = "/validate"
	// PolicyValidatingWebhookServicePath is the path for policy validation webhook(used to validate policy resource)
	PolicyValidatingWebhookServicePath = "/policyvalidate"
	// PolicyMutatingWebhookServicePath is the path for policy mutation webhook(used to default)
	PolicyMutatingWebhookServicePath = "/policymutate"
	// VerifyMutatingWebhookServicePath is the path for verify webhook(used to veryfing if admission control is enabled and active)
	VerifyMutatingWebhookServicePath = "/verifymutate"
	// LivenessServicePath is the path for check liveness health
	LivenessServicePath = "/health/liveness"
	// ReadinessServicePath is the path for check readness health
	ReadinessServicePath = "/health/readiness"
)

These constants MUST be equal to the corresponding names in service definition in definitions/install.yaml

Variables ¶

This section is empty.

Functions ¶

func CreateClientConfig ¶ added in v1.1.0

func CreateClientConfig(kubeconfig string, qps float64, burst int) (*rest.Config, error)

CreateClientConfig creates client config and applies rate limit QPS and burst

func KyvernoConfigMapName ¶ added in v1.7.0

func KyvernoConfigMapName() string

func KyvernoDeploymentName ¶ added in v1.3.0

func KyvernoDeploymentName() string

func KyvernoNamespace ¶ added in v1.3.0

func KyvernoNamespace() string

func KyvernoPodName ¶ added in v1.7.0

func KyvernoPodName() string

func KyvernoServiceAccountName ¶ added in v1.8.0

func KyvernoServiceAccountName() string

func KyvernoServiceName ¶ added in v1.3.0

func KyvernoServiceName() string

Types ¶

type Configuration ¶ added in v1.7.0

type Configuration interface {
	// ToFilter checks if the given resource is set to be filtered in the configuration
	ToFilter(kind, namespace, name string) bool
	// GetExcludeGroupRole return exclude roles
	GetExcludeGroupRole() []string
	// GetExcludeUsername return exclude username
	GetExcludeUsername() []string
	// GetGenerateSuccessEvents return if should generate success events
	GetGenerateSuccessEvents() bool
	// RestrictDevelopmentUsername return exclude development username
	RestrictDevelopmentUsername() []string
	// FilterNamespaces filters exclude namespace
	FilterNamespaces(namespaces []string) []string
	// GetWebhooks returns the webhook configs
	GetWebhooks() []WebhookConfig
	// Load loads configuration from a configmap
	Load(cm *corev1.ConfigMap)
}

Configuration to be used by consumer to check filters

func NewConfiguration ¶ added in v1.7.0

func NewConfiguration(client kubernetes.Interface, reconcilePolicyReport, updateWebhookConfigurations chan<- bool) (Configuration, error)

NewConfiguration ...

func NewFakeConfig ¶ added in v1.8.0

func NewFakeConfig() Configuration

type MetricsConfig ¶ added in v1.4.3

type MetricsConfig struct {
	// contains filtered or unexported fields
}

MetricsConfig stores the config for metrics

type MetricsConfigData ¶ added in v1.4.3

type MetricsConfigData struct {
	// contains filtered or unexported fields
}

MetricsConfigData stores the metrics-related configuration

func NewFakeMetricsConfig ¶ added in v1.8.0

func NewFakeMetricsConfig(client kubernetes.Interface) *MetricsConfigData

func NewMetricsConfigData ¶ added in v1.4.3

func NewMetricsConfigData(rclient kubernetes.Interface) (*MetricsConfigData, error)

NewMetricsConfigData ...

func (*MetricsConfigData) GetExcludeNamespaces ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetExcludeNamespaces() []string

GetExcludeNamespaces returns the namespaces to ignore for metrics exposure

func (*MetricsConfigData) GetIncludeNamespaces ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetIncludeNamespaces() []string

GetIncludeNamespaces returns the namespaces to specifically consider for metrics exposure

func (*MetricsConfigData) GetMetricsConfigMapName ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetMetricsConfigMapName() string

GetMetricsConfigMapName returns the configmap name for the metric

func (*MetricsConfigData) GetMetricsRefreshInterval ¶ added in v1.4.3

func (mcd *MetricsConfigData) GetMetricsRefreshInterval() time.Duration

GetMetricsRefreshInterval returns the refresh interval for the metrics

type WebhookConfig ¶ added in v1.4.0

type WebhookConfig struct {
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,5,opt,name=namespaceSelector"`
	ObjectSelector    *metav1.LabelSelector `json:"objectSelector,omitempty" protobuf:"bytes,11,opt,name=objectSelector"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL