wolfi-dev · octo-sts · Feb 16, 2026 · Feb 16, 2026
diff --git a/kyverno-1.17.yaml b/kyverno-1.17.yaml
@@ -0,0 +1,240 @@
+package:
+  name: kyverno-1.17
+  version: "1.17.0"
+  epoch: 0 # GHSA-whqx-f9j3-ch6m
+  description: Kubernetes Native Policy Management
+  copyright:
+    - license: Apache-2.0
+  dependencies:
+    runtime:
+      - ca-certificates-bundle
+    provides:
+      - kyverno=${{package.full-version}}
+
+var-transforms:
+  - from: ${{package.name}}
+    match: '.*-(\d+\.\d+).*'
+    replace: '$1'
+    to: major-minor-version
+
+environment:
+  contents:
+    packages:
+      - build-base
+      - busybox
+      - ca-certificates-bundle
+      - git
+      - go
+      - wolfi-baselayout
+
+pipeline:
+  - uses: git-checkout
+    with:
+      expected-commit: 677447e050565808b153e5394a3f51324f6ec517
+      repository: https://github.com/kyverno/kyverno
+      tag: v${{package.version}}
+
+  - uses: patch
+    # This patch (ideally) can be removed when a new release is cut by the kyverno maintainers.
+    with:
+      patches: update-otel-semconv-to-1.26.0.patch disable-vet-printf-checks.patch
+
+  - runs: |
+      make build-all
+      mkdir -p ${{targets.destdir}}/usr/bin
+      install -Dm755 cmd/kyverno/kyverno ${{targets.destdir}}/usr/bin/kyverno
+
+  - uses: strip
+
+subpackages:
+  - name: kyverno-init-container-${{vars.major-minor-version}}
+    pipeline:
+      - runs: |
+          mkdir -p ${{targets.subpkgdir}}/usr/bin
+          install -Dm755 cmd/kyverno-init/kyvernopre ${{targets.subpkgdir}}/usr/bin/kyvernopre
+    dependencies:
+      provides:
+        - kyverno-init-container=${{package.full-version}}
+    test:
+      pipeline:
+        - runs: |
+            kyvernopre --help
+
+  - name: kyverno-reports-controller-${{vars.major-minor-version}}
+    pipeline:
+      - runs: |
+          mkdir -p ${{targets.subpkgdir}}/usr/bin
+          install -Dm755 cmd/reports-controller/reports-controller ${{targets.subpkgdir}}/usr/bin/reports-controller
+    dependencies:
+      provides:
+        - kyverno-reports-controller=${{package.full-version}}
+    test:
+      pipeline:
+        - runs: |
+            reports-controller --help
+
+  - name: kyverno-background-controller-${{vars.major-minor-version}}
+    pipeline:
+      - runs: |
+          mkdir -p ${{targets.subpkgdir}}/usr/bin
+          install -Dm755 cmd/background-controller/background-controller ${{targets.subpkgdir}}/usr/bin/background-controller
+    dependencies:
+      provides:
+        - kyverno-background-controller=${{package.full-version}}
+    test:
+      pipeline:
+        - runs: |
+            background-controller --help
+
+  - name: kyverno-cleanup-controller-${{vars.major-minor-version}}
+    pipeline:
+      - runs: |
+          mkdir -p ${{targets.subpkgdir}}/usr/bin
+          install -Dm755 cmd/cleanup-controller/cleanup-controller ${{targets.subpkgdir}}/usr/bin/cleanup-controller
+    dependencies:
+      provides:
+        - kyverno-cleanup-controller=${{package.full-version}}
+    test:
+      pipeline:
+        - runs: |
+            cleanup-controller --help
+
+  - name: kyverno-cli-${{vars.major-minor-version}}
+    pipeline:
+      - runs: |
+          mkdir -p ${{targets.subpkgdir}}/usr/bin
+          install -Dm755 cmd/cli/kubectl-kyverno/kubectl-kyverno ${{targets.subpkgdir}}/usr/bin/kubectl-kyverno
+    dependencies:
+      provides:
+        - kyverno-cli=${{package.full-version}}
+    test:
+      pipeline:
+        - runs: |
+            kubectl-kyverno version
+            kubectl-kyverno --help
+
+update:
+  enabled: true
+  ignore-regex-patterns:
+    - "-beta"
+    - "-rc"
+  github:
+    identifier: kyverno/kyverno
+    strip-prefix: v
+    tag-filter: v1.17.
+
+test:
+  environment:
+    contents:
+      packages:
+        - kyverno-cli=${{package.full-version}}
+    environment:
+      KYVERNO_NAMESPACE: kyverno-ns
+      KYVERNO_SERVICEACCOUNT_NAME: example-serviceaccount
+      KYVERNO_DEPLOYMENT: kyverno-deployment
+      KYVERNO_POD_NAME: kyverno-pod
+      INIT_CONFIG: kyverno-init-config
+      METRICS_CONFIG: kyverno-metrics-config
+      KUBERNETES_SERVICE_HOST: test-example.net
+      KUBERNETES_SERVICE_PORT: 8081
+  pipeline:
+    - name: "Test kyverno responds to --help without throwing an error"
+      runs: |
+        kyverno --help
+    - name: "Partially mock kyverno and look for known logs"
+      runs: |
+        mkdir -p /var/run/secrets/kubernetes.io/serviceaccount
+        echo "dummy-token" > /var/run/secrets/kubernetes.io/serviceaccount/token
+
+        # Start kyverno in the background and redirect logs to a file
+        kyverno > kyverno.log 2>&1 &
+        KYVERNO_PID=$!
+
+        # Terminate the kyverno process after we've grabbed some logs
+        sleep 5
+        kill $KYVERNO_PID
+        wait $KYVERNO_PID 2>/dev/null || true
+
+        # Even though kyverno won't be operational, check that it attempted
+        # to connect, using the example data.
+        if grep -q '"https://test-example.net:8081/api/v1/namespaces/kyverno-ns' kyverno.log; then
+          echo "Test passed: Found expected log output."
+        else
+          echo "Test failed: Did not find expected log output."
+          echo "Kyverno logs:"
+          cat kyverno.log
+          exit 1
+        fi
+    - uses: test/kwok/cluster
+    - name: "validation tests"
+      runs: |
+        # enforce that every Pod has label app:foo
+        cat <<EOF > require-app.yaml
+        apiVersion: kyverno.io/v1
+        kind: ClusterPolicy
+        metadata:
+          name: require-app-label
+        spec:
+          validationFailureAction: enforce
+          rules:
+          - name: check-app
+            match:
+              resources:
+                kinds:
+                - Pod
+            validate:
+              message: "label 'app' is required"
+              pattern:
+                metadata:
+                  labels:
+                    app: "?*"
+        EOF
+
+        # sample Pod without the label
+        cat <<EOF > pod.yaml
+        apiVersion: v1
+        kind: Pod
+        metadata:
+          name: test-pod
+          namespace: kyverno-ns
+        spec:
+          containers:
+          - name: nginx
+            image: nginx:alpine
+        EOF
+
+        if kubectl-kyverno apply require-app.yaml --resource pod.yaml; then
+          echo "Test failed: validation should prevent apply."; exit 1;
+        else
+          echo "Test passed: validation prevented apply.";
+        fi
+    - name: "mutation tests"
+      runs: |
+        # mutate to add label foo=bar
+        cat <<EOF > add-label.yaml
+        apiVersion: kyverno.io/v1
+        kind: ClusterPolicy
+        metadata:
+          name: add-foo-label
+        spec:
+          rules:
+          - name: add-label
+            match:
+              resources:
+                kinds:
+                - Pod
+            mutate:
+              patchStrategicMerge:
+                metadata:
+                  labels:
+                    foo: bar
+        EOF
+
+        mv pod.yaml pod2.yaml
+
+        kubectl-kyverno apply add-label.yaml --resource pod2.yaml | tee mutate.out
+        if grep -q 'foo: bar' mutate.out; then
+          echo "Test passed: mutation applied.";
+        else
+          echo "Test failed: mutation not applied."; exit 1;
+        fi
diff --git a/kyverno-1.17/disable-vet-printf-checks.patch b/kyverno-1.17/disable-vet-printf-checks.patch
@@ -0,0 +1,17 @@
+Go 1.24 introduces a new vet check ("non-constant format string in call to
+fmt.Errorf") which upstream haven't yet handled, and `go vet` is run as part of
+the build: disable the class of checks which are breaking the build.
+---
+diff --git a/Makefile b/Makefile
+index 8227ac8..add1494 100644
+--- a/Makefile
++++ b/Makefile
+@@ -179,7 +179,7 @@ fmt: ## Run go fmt
+ .PHONY: vet
+ vet: ## Run go vet
+ 	@echo Go vet... >&2
+-	@go vet ./...
++	@go vet -printf=false ./...
+
+ .PHONY: imports
+ imports: $(GOIMPORTS)
diff --git a/kyverno-1.17/update-otel-semconv-to-1.26.0.patch b/kyverno-1.17/update-otel-semconv-to-1.26.0.patch
@@ -0,0 +1,105 @@
+From f68f4c5a8f9566613042b6a74d7b8fbf8c5c8bd4 Mon Sep 17 00:00:00 2001
+From: Eoghan Conlon O'Neill <eoghan.conlononeill@chainguard.dev>
+Date: Wed, 25 Sep 2024 14:20:27 -0600
+Subject: [PATCH] Update otel semconv to 1.26.0
+
+diff --git a/pkg/metrics/http.go b/pkg/metrics/http.go
+index d1ba110..8aedee4 100644
+--- a/pkg/metrics/http.go
++++ b/pkg/metrics/http.go
+@@ -7,7 +7,7 @@ import (
+ 	"github.com/go-logr/logr"
+ 	"go.opentelemetry.io/otel/attribute"
+ 	"go.opentelemetry.io/otel/metric"
+-	semconv "go.opentelemetry.io/otel/semconv/v1.4.0"
++	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+ )
+
+ func GetHTTPMetrics() HTTPMetrics {
+@@ -54,8 +54,8 @@ func (m *httpMetrics) RecordRequest(ctx context.Context, method string, uri stri
+ 	}
+
+ 	attributes := append([]attribute.KeyValue{
+-		semconv.HTTPMethodKey.String(method),
+-		semconv.HTTPURLKey.String(uri),
++		semconv.HTTPRequestMethodKey.String(method),
++		semconv.URLFullKey.String(uri),
+ 	}, attrs...)
+
+ 	m.requestsMetric.Add(ctx, 1, metric.WithAttributes(attributes...))
+diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go
+index 499051f..58f74c0 100644
+--- a/pkg/metrics/metrics.go
++++ b/pkg/metrics/metrics.go
+@@ -15,7 +15,7 @@ import (
+ 	"go.opentelemetry.io/otel/metric"
+ 	sdkmetric "go.opentelemetry.io/otel/sdk/metric"
+ 	"go.opentelemetry.io/otel/sdk/resource"
+-	semconv "go.opentelemetry.io/otel/semconv/v1.24.0"
++	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+ 	"k8s.io/client-go/kubernetes"
+ )
+
+diff --git a/pkg/tracing/config.go b/pkg/tracing/config.go
+index 6f6a25e..b3de3ab 100644
+--- a/pkg/tracing/config.go
++++ b/pkg/tracing/config.go
+@@ -13,7 +13,7 @@ import (
+ 	"go.opentelemetry.io/otel/propagation"
+ 	"go.opentelemetry.io/otel/sdk/resource"
+ 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+-	semconv "go.opentelemetry.io/otel/semconv/v1.24.0"
++	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+ 	"k8s.io/client-go/kubernetes"
+ )
+
+diff --git a/pkg/tracing/helpers.go b/pkg/tracing/helpers.go
+index 57ff265..a96fb8e 100644
+--- a/pkg/tracing/helpers.go
++++ b/pkg/tracing/helpers.go
+@@ -6,7 +6,7 @@ import (
+
+ 	"go.opentelemetry.io/otel/attribute"
+ 	"go.opentelemetry.io/otel/codes"
+-	semconv "go.opentelemetry.io/otel/semconv/v1.24.0"
++	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+ 	"go.opentelemetry.io/otel/trace"
+ )
+
+@@ -28,7 +28,7 @@ func SetHttpStatus(ctx context.Context, err error, code int) {
+ 	if err != nil {
+ 		span.RecordError(err)
+ 	}
+-	span.SetAttributes(semconv.HTTPStatusCodeKey.Int(code))
++	span.SetAttributes(semconv.HTTPResponseStatusCodeKey.Int(code))
+ 	if code >= 400 {
+ 		span.SetStatus(codes.Error, http.StatusText(code))
+ 	} else {
+diff --git a/pkg/webhooks/handlers/trace.go b/pkg/webhooks/handlers/trace.go
+index 6083bbe..3508071 100644
+--- a/pkg/webhooks/handlers/trace.go
++++ b/pkg/webhooks/handlers/trace.go
+@@ -9,7 +9,8 @@ import (
+ 	"github.com/go-logr/logr"
+ 	"github.com/kyverno/kyverno/pkg/tracing"
+ 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
+-	semconv "go.opentelemetry.io/otel/semconv/v1.24.0"
++	"go.opentelemetry.io/otel/attribute"
++	semconv "go.opentelemetry.io/otel/semconv/v1.26.0"
+ 	"go.opentelemetry.io/otel/trace"
+ )
+
+@@ -23,10 +24,10 @@ func (inner HttpHandler) WithTrace(name string) HttpHandler {
+ 				inner(writer, request.WithContext(ctx))
+ 			},
+ 			trace.WithAttributes(
+-				semconv.HTTPRequestContentLengthKey.Int64(request.ContentLength),
+-				semconv.NetSockPeerAddrKey.String(tracing.StringValue(request.Host)),
+-				semconv.HTTPMethodKey.String(tracing.StringValue(request.Method)),
+-				semconv.HTTPURLKey.String(tracing.StringValue(request.RequestURI)),
++				attribute.Key("http.request.header.content-length").Int64(request.ContentLength),
++				semconv.NetworkPeerAddressKey.String(tracing.StringValue(request.Host)),
++				semconv.HTTPRequestMethodKey.String(tracing.StringValue(request.Method)),
++				semconv.URLFullKey.String(tracing.StringValue(request.RequestURI)),
+ 			),
+ 			trace.WithSpanKind(trace.SpanKindServer),