diff --git a/kyverno-1.17.yaml b/kyverno-1.17.yaml
new file mode 100644
index 000000000000..a8610b1d3fe6
--- /dev/null
+++ b/kyverno-1.17.yaml
@@ -0,0 +1,240 @@
+package:
+ name: kyverno-1.17
+ version: "1.17.0"
+ epoch: 0 # GHSA-whqx-f9j3-ch6m
+ description: Kubernetes Native Policy Management
+ copyright:
+ - license: Apache-2.0
+ dependencies:
+ runtime:
+ - ca-certificates-bundle
+ provides:
+ - kyverno=${{package.full-version}}
+
+var-transforms:
+ - from: ${{package.name}}
+ match: '.*-(\d+\.\d+).*'
+ replace: '$1'
+ to: major-minor-version
+
+environment:
+ contents:
+ packages:
+ - build-base
+ - busybox
+ - ca-certificates-bundle
+ - git
+ - go
+ - wolfi-baselayout
+
+pipeline:
+ - uses: git-checkout
+ with:
+ expected-commit: 677447e050565808b153e5394a3f51324f6ec517
+ repository: https://github.com/kyverno/kyverno
+ tag: v${{package.version}}
+
+ - uses: patch
+ # This patch (ideally) can be removed when a new release is cut by the kyverno maintainers.
+ with:
+ patches: update-otel-semconv-to-1.26.0.patch disable-vet-printf-checks.patch
+
+ - runs: |
+ make build-all
+ mkdir -p ${{targets.destdir}}/usr/bin
+ install -Dm755 cmd/kyverno/kyverno ${{targets.destdir}}/usr/bin/kyverno
+
+ - uses: strip
+
+subpackages:
+ - name: kyverno-init-container-${{vars.major-minor-version}}
+ pipeline:
+ - runs: |
+ mkdir -p ${{targets.subpkgdir}}/usr/bin
+ install -Dm755 cmd/kyverno-init/kyvernopre ${{targets.subpkgdir}}/usr/bin/kyvernopre
+ dependencies:
+ provides:
+ - kyverno-init-container=${{package.full-version}}
+ test:
+ pipeline:
+ - runs: |
+ kyvernopre --help
+
+ - name: kyverno-reports-controller-${{vars.major-minor-version}}
+ pipeline:
+ - runs: |
+ mkdir -p ${{targets.subpkgdir}}/usr/bin
+ install -Dm755 cmd/reports-controller/reports-controller ${{targets.subpkgdir}}/usr/bin/reports-controller
+ dependencies:
+ provides:
+ - kyverno-reports-controller=${{package.full-version}}
+ test:
+ pipeline:
+ - runs: |
+ reports-controller --help
+
+ - name: kyverno-background-controller-${{vars.major-minor-version}}
+ pipeline:
+ - runs: |
+ mkdir -p ${{targets.subpkgdir}}/usr/bin
+ install -Dm755 cmd/background-controller/background-controller ${{targets.subpkgdir}}/usr/bin/background-controller
+ dependencies:
+ provides:
+ - kyverno-background-controller=${{package.full-version}}
+ test:
+ pipeline:
+ - runs: |
+ background-controller --help
+
+ - name: kyverno-cleanup-controller-${{vars.major-minor-version}}
+ pipeline:
+ - runs: |
+ mkdir -p ${{targets.subpkgdir}}/usr/bin
+ install -Dm755 cmd/cleanup-controller/cleanup-controller ${{targets.subpkgdir}}/usr/bin/cleanup-controller
+ dependencies:
+ provides:
+ - kyverno-cleanup-controller=${{package.full-version}}
+ test:
+ pipeline:
+ - runs: |
+ cleanup-controller --help
+
+ - name: kyverno-cli-${{vars.major-minor-version}}
+ pipeline:
+ - runs: |
+ mkdir -p ${{targets.subpkgdir}}/usr/bin
+ install -Dm755 cmd/cli/kubectl-kyverno/kubectl-kyverno ${{targets.subpkgdir}}/usr/bin/kubectl-kyverno
+ dependencies:
+ provides:
+ - kyverno-cli=${{package.full-version}}
+ test:
+ pipeline:
+ - runs: |
+ kubectl-kyverno version
+ kubectl-kyverno --help
+
+update:
+ enabled: true
+ ignore-regex-patterns:
+ - "-beta"
+ - "-rc"
+ github:
+ identifier: kyverno/kyverno
+ strip-prefix: v
+ tag-filter: v1.17.
+
+test:
+ environment:
+ contents:
+ packages:
+ - kyverno-cli=${{package.full-version}}
+ environment:
+ KYVERNO_NAMESPACE: kyverno-ns
+ KYVERNO_SERVICEACCOUNT_NAME: example-serviceaccount
+ KYVERNO_DEPLOYMENT: kyverno-deployment
+ KYVERNO_POD_NAME: kyverno-pod
+ INIT_CONFIG: kyverno-init-config
+ METRICS_CONFIG: kyverno-metrics-config
+ KUBERNETES_SERVICE_HOST: test-example.net
+ KUBERNETES_SERVICE_PORT: 8081
+ pipeline:
+ - name: "Test kyverno responds to --help without throwing an error"
+ runs: |
+ kyverno --help
+ - name: "Partially mock kyverno and look for known logs"
+ runs: |
+ mkdir -p /var/run/secrets/kubernetes.io/serviceaccount
+ echo "dummy-token" > /var/run/secrets/kubernetes.io/serviceaccount/token
+
+ # Start kyverno in the background and redirect logs to a file
+ kyverno > kyverno.log 2>&1 &
+ KYVERNO_PID=$!
+
+ # Terminate the kyverno process after we've grabbed some logs
+ sleep 5
+ kill $KYVERNO_PID
+ wait $KYVERNO_PID 2>/dev/null || true
+
+ # Even though kyverno won't be operational, check that it attempted
+ # to connect, using the example data.
+ if grep -q '"https://test-example.net:8081/api/v1/namespaces/kyverno-ns' kyverno.log; then
+ echo "Test passed: Found expected log output."
+ else
+ echo "Test failed: Did not find expected log output."
+ echo "Kyverno logs:"
+ cat kyverno.log
+ exit 1
+ fi
+ - uses: test/kwok/cluster
+ - name: "validation tests"
+ runs: |
+ # enforce that every Pod has label app:foo
+ cat < require-app.yaml
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: require-app-label
+ spec:
+ validationFailureAction: enforce
+ rules:
+ - name: check-app
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "label 'app' is required"
+ pattern:
+ metadata:
+ labels:
+ app: "?*"
+ EOF
+
+ # sample Pod without the label
+ cat < pod.yaml
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: test-pod
+ namespace: kyverno-ns
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:alpine
+ EOF
+
+ if kubectl-kyverno apply require-app.yaml --resource pod.yaml; then
+ echo "Test failed: validation should prevent apply."; exit 1;
+ else
+ echo "Test passed: validation prevented apply.";
+ fi
+ - name: "mutation tests"
+ runs: |
+ # mutate to add label foo=bar
+ cat < add-label.yaml
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: add-foo-label
+ spec:
+ rules:
+ - name: add-label
+ match:
+ resources:
+ kinds:
+ - Pod
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
+ EOF
+
+ mv pod.yaml pod2.yaml
+
+ kubectl-kyverno apply add-label.yaml --resource pod2.yaml | tee mutate.out
+ if grep -q 'foo: bar' mutate.out; then
+ echo "Test passed: mutation applied.";
+ else
+ echo "Test failed: mutation not applied."; exit 1;
+ fi
diff --git a/kyverno-1.17/disable-vet-printf-checks.patch b/kyverno-1.17/disable-vet-printf-checks.patch
new file mode 100644
index 000000000000..4bdd5617df0c
--- /dev/null
+++ b/kyverno-1.17/disable-vet-printf-checks.patch
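Review bot: In the "validation tests" step, `if kubectl-kyverno apply require-app.yaml --resource pod.yaml; then` reports any non-zero exit as "validation prevented apply", so a missing input file, a policy that fails to parse or a CLI crash all pass the test. Capture the output and pin the reason: `kubectl-kyverno apply require-app.yaml --resource pod.yaml > validate.out 2>&1 || true` followed by `if grep -q "label 'app' is required" validate.out; then` with the pass branch first, and `cat validate.out` before `exit 1` as the mock-log step already does. That matters here because the heredocs are rendered as `cat < require-app.yaml`, `cat < pod.yaml` and `cat < add-label.yaml`; if that is the file's content rather than a rendering artefact, none of those files is ever written and the current check would report the resulting error as a pass. The mutation step has the same shape, but its grep for `foo: bar` already pins the outcome (`| tee mutate.out` hides the apply exit status from the shell, which is acceptable only because of that grep).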
@@ -0,0 +1,17 @@
+Go 1.24 introduces a new vet check ("non-constant format string in call to
+fmt.Errorf") which upstream haven't yet handled, and `go vet` is run as part of
+the build: disable the class of checks which are breaking the build.
+---
+diff --git a/Makefile b/Makefile
+index 8227ac8..add1494 100644
+--- a/Makefile
++++ b/Makefile
+@@ -179,7 +179,7 @@ fmt: ## Run go fmt
+ .PHONY: vet
+ vet: ## Run go vet
+ @echo Go vet... >&2
+- @go vet ./...
++ @go vet -printf=false ./...
+
+ .PHONY: imports
+ imports: $(GOIMPORTS)
diff --git a/kyverno-1.17/update-otel-semconv-to-1.26.0.patch b/kyverno-1.17/update-otel-semconv-to-1.26.0.patch
new file mode 100644
index 000000000000..0f1a93db4e96
--- /dev/null
+++ b/kyverno-1.17/update-otel-semconv-to-1.26.0.patch
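Review bot: `@go vet -printf=false ./...` disables the entire printf analyzer, not only the non-constant-format-string diagnostic the preamble describes, so verb/argument mismatches in every Printf-family call across the tree go unchecked for as long as this patch is carried. That diagnostic exists because a non-constant string reaching the format position is misparsed whenever it contains `%`, which for error messages built from request data means mangled or misleading diagnostics; the narrower fix is at the call sites, `fmt.Errorf("%s", msg)` or `errors.New(msg)`, which is also what upstream will eventually need. If a call-site patch is too large for this package, the preamble should at least record what is lost, e.g. `Note: -printf=false also drops verb/argument checking for all Printf-family calls; revert once upstream fixes the flagged call sites.` The Makefile target is shown in full here, but the flagged Go call sites are outside this hunk.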
@@ -0,0 +1,105 @@
+From f68f4c5a8f9566613042b6a74d7b8fbf8c5c8bd4 Mon Sep 17 00:00:00 2001
+From: Eoghan Conlon O'Neill
+Date: Wed, 25 Sep 2024 14:20:27 -0600
+Subject: [PATCH] Update otel semconv to 1.26.0
+
+diff --git a/pkg/metrics/http.go b/pkg/metrics/http.go
+index d1ba110..8aedee4 100644
+--- a/pkg/metrics/http.go
++++ b/pkg/metrics/http.go
+@@ -7,7 +7,7 @@ import (
+ "github.com/go-logr/logr"
+ "go.opentelemetry.io/otel/attribute"
+ "go.opentelemetry.io/otel/metric"
+- semconv "go.opentelemetry.io/otel/semconv/v1.4.0"
++ semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+ )
+
+ func GetHTTPMetrics() HTTPMetrics {
+@@ -54,8 +54,8 @@ func (m *httpMetrics) RecordRequest(ctx context.Context, method string, uri stri
+ }
+
+ attributes := append([]attribute.KeyValue{
+- semconv.HTTPMethodKey.String(method),
+- semconv.HTTPURLKey.String(uri),
++ semconv.HTTPRequestMethodKey.String(method),
++ semconv.URLFullKey.String(uri),
+ }, attrs...)
+
+ m.requestsMetric.Add(ctx, 1, metric.WithAttributes(attributes...))
+diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go
+index 499051f..58f74c0 100644
+--- a/pkg/metrics/metrics.go
++++ b/pkg/metrics/metrics.go
+@@ -15,7 +15,7 @@ import (
+ "go.opentelemetry.io/otel/metric"
+ sdkmetric "go.opentelemetry.io/otel/sdk/metric"
+ "go.opentelemetry.io/otel/sdk/resource"
+- semconv "go.opentelemetry.io/otel/semconv/v1.24.0"
++ semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+ "k8s.io/client-go/kubernetes"
+ )
+
+diff --git a/pkg/tracing/config.go b/pkg/tracing/config.go
+index 6f6a25e..b3de3ab 100644
+--- a/pkg/tracing/config.go
++++ b/pkg/tracing/config.go
+@@ -13,7 +13,7 @@ import (
+ "go.opentelemetry.io/otel/propagation"
+ "go.opentelemetry.io/otel/sdk/resource"
+ sdktrace "go.opentelemetry.io/otel/sdk/trace"
+- semconv "go.opentelemetry.io/otel/semconv/v1.24.0"
++ semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+ "k8s.io/client-go/kubernetes"
+ )
+
+diff --git a/pkg/tracing/helpers.go b/pkg/tracing/helpers.go
+index 57ff265..a96fb8e 100644
+--- a/pkg/tracing/helpers.go
++++ b/pkg/tracing/helpers.go
+@@ -6,7 +6,7 @@ import (
+
+ "go.opentelemetry.io/otel/attribute"
+ "go.opentelemetry.io/otel/codes"
+- semconv "go.opentelemetry.io/otel/semconv/v1.24.0"
++ semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+ "go.opentelemetry.io/otel/trace"
+ )
+
+@@ -28,7 +28,7 @@ func SetHttpStatus(ctx context.Context, err error, code int) {
+ if err != nil {
+ span.RecordError(err)
+ }
+- span.SetAttributes(semconv.HTTPStatusCodeKey.Int(code))
++ span.SetAttributes(semconv.HTTPResponseStatusCodeKey.Int(code))
+ if code >= 400 {
+ span.SetStatus(codes.Error, http.StatusText(code))
+ } else {
+diff --git a/pkg/webhooks/handlers/trace.go b/pkg/webhooks/handlers/trace.go
+index 6083bbe..3508071 100644
+--- a/pkg/webhooks/handlers/trace.go
++++ b/pkg/webhooks/handlers/trace.go
+@@ -9,7 +9,8 @@ import (
+ "github.com/go-logr/logr"
+ "github.com/kyverno/kyverno/pkg/tracing"
+ admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
+- semconv "go.opentelemetry.io/otel/semconv/v1.24.0"
++ "go.opentelemetry.io/otel/attribute"
++ semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+ "go.opentelemetry.io/otel/trace"
+ )
+
+@@ -23,10 +24,10 @@ func (inner HttpHandler) WithTrace(name string) HttpHandler {
+ inner(writer, request.WithContext(ctx))
+ },
+ trace.WithAttributes(
+- semconv.HTTPRequestContentLengthKey.Int64(request.ContentLength),
+- semconv.NetSockPeerAddrKey.String(tracing.StringValue(request.Host)),
+- semconv.HTTPMethodKey.String(tracing.StringValue(request.Method)),
+- semconv.HTTPURLKey.String(tracing.StringValue(request.RequestURI)),
++ attribute.Key("http.request.header.content-length").Int64(request.ContentLength),
++ semconv.NetworkPeerAddressKey.String(tracing.StringValue(request.Host)),
++ semconv.HTTPRequestMethodKey.String(tracing.StringValue(request.Method)),
++ semconv.URLFullKey.String(tracing.StringValue(request.RequestURI)),
+ ),
+ trace.WithSpanKind(trace.SpanKindServer),
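Review bot: The last inner hunk, `@@ -23,10 +24,10 @@`, declares ten old and ten new lines but its body holds nine of each — three context lines, four removed, four added, then `),` and `trace.WithSpanKind(trace.SpanKindServer),` — and by the outer `+1,105` header that last line is line 105 of the new file, so the hunk's final trailing context line is missing. Whether this is applied with fuzz or rejected as malformed depends on the tool the `patch` pipeline step invokes, so the build should be confirmed and the patch fixed either way: restore the missing context line from upstream `pkg/webhooks/handlers/trace.go` or correct the header to `@@ -23,9 +24,9 @@`. Separately, `attribute.Key("http.request.header.content-length").Int64(request.ContentLength)` is a hand-built key sitting next to typed semconv constants; a one-line comment recording why a literal was chosen over a v1.26.0 constant would save the next bump from re-deriving it. The enclosing `WithTrace` function starts before and continues after this hunk.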