diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml index c7dcfd42d2c1..c6be390fd2d5 100644 --- a/charts/kyverno-policies/Chart.yaml +++ b/charts/kyverno-policies/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno-policies -version: v2.3.4 -appVersion: v1.6.2 +version: v2.3.5 +appVersion: v1.6.3 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Pod Security Standards implemented as Kyverno policies keywords: diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 15703905b6a5..fedca0040561 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno -version: v2.3.3 -appVersion: v1.6.2 +version: v2.3.4 +appVersion: v1.6.3 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management keywords: diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 4a8318140b3c..1772b77bbdde 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -11,7 +11,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -1388,7 +1388,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -1880,7 +1880,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -2372,7 +2372,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -2553,7 +2553,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policies.kyverno.io spec: group: kyverno.io @@ -3930,7 +3930,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -4422,7 +4422,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: reportchangerequests.kyverno.io spec: group: kyverno.io diff --git a/config/install.yaml b/config/install.yaml index 02dbc40824b4..b95855db02a9 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 @@ -21,7 +21,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -2202,7 +2202,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -2882,7 +2882,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -3562,7 +3562,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -3759,7 +3759,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policies.kyverno.io spec: group: kyverno.io @@ -5942,7 +5942,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -6620,7 +6620,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -7298,7 +7298,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-service-account namespace: kyverno --- @@ -7311,7 +7311,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno rules: @@ -7345,7 +7345,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -7372,7 +7372,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -7399,7 +7399,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: @@ -7426,7 +7426,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events rules: - apiGroups: @@ -7448,7 +7448,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate rules: - apiGroups: @@ -7495,7 +7495,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies rules: - apiGroups: @@ -7546,7 +7546,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo rules: - apiGroups: @@ -7569,7 +7569,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view rules: - apiGroups: @@ -7590,7 +7590,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook rules: - apiGroups: @@ -7616,7 +7616,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno roleRef: @@ -7637,7 +7637,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events roleRef: apiGroup: rbac.authorization.k8s.io @@ -7657,7 +7657,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate roleRef: apiGroup: rbac.authorization.k8s.io @@ -7677,7 +7677,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies roleRef: apiGroup: rbac.authorization.k8s.io @@ -7697,7 +7697,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -7717,7 +7717,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view roleRef: apiGroup: rbac.authorization.k8s.io @@ -7737,7 +7737,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -7761,7 +7761,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno --- @@ -7777,7 +7777,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-metrics namespace: kyverno --- @@ -7790,7 +7790,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc namespace: kyverno spec: @@ -7811,7 +7811,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc-metrics namespace: kyverno spec: @@ -7832,7 +7832,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno spec: @@ -7854,7 +7854,7 @@ spec: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 spec: affinity: podAntiAffinity: @@ -7885,7 +7885,7 @@ spec: value: kyverno-svc - name: TUF_ROOT value: /.sigstore - image: ghcr.io/kyverno/kyverno:v1.6.2 + image: ghcr.io/kyverno/kyverno:v1.6.3 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 2 @@ -7940,7 +7940,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/kyverno/kyvernopre:v1.6.2 + image: ghcr.io/kyverno/kyvernopre:v1.6.3 imagePullPolicy: IfNotPresent name: kyverno-pre resources: diff --git a/config/release/install.yaml b/config/release/install.yaml index 02dbc40824b4..b95855db02a9 100755 --- a/config/release/install.yaml +++ b/config/release/install.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 @@ -21,7 +21,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -2202,7 +2202,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -2882,7 +2882,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -3562,7 +3562,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -3759,7 +3759,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policies.kyverno.io spec: group: kyverno.io @@ -5942,7 +5942,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -6620,7 +6620,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -7298,7 +7298,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-service-account namespace: kyverno --- @@ -7311,7 +7311,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno rules: @@ -7345,7 +7345,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -7372,7 +7372,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -7399,7 +7399,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: @@ -7426,7 +7426,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events rules: - apiGroups: @@ -7448,7 +7448,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate rules: - apiGroups: @@ -7495,7 +7495,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies rules: - apiGroups: @@ -7546,7 +7546,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo rules: - apiGroups: @@ -7569,7 +7569,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view rules: - apiGroups: @@ -7590,7 +7590,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook rules: - apiGroups: @@ -7616,7 +7616,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:leaderelection namespace: kyverno roleRef: @@ -7637,7 +7637,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:events roleRef: apiGroup: rbac.authorization.k8s.io @@ -7657,7 +7657,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:generate roleRef: apiGroup: rbac.authorization.k8s.io @@ -7677,7 +7677,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:policies roleRef: apiGroup: rbac.authorization.k8s.io @@ -7697,7 +7697,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -7717,7 +7717,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:view roleRef: apiGroup: rbac.authorization.k8s.io @@ -7737,7 +7737,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -7761,7 +7761,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno --- @@ -7777,7 +7777,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-metrics namespace: kyverno --- @@ -7790,7 +7790,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc namespace: kyverno spec: @@ -7811,7 +7811,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno-svc-metrics namespace: kyverno spec: @@ -7832,7 +7832,7 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 name: kyverno namespace: kyverno spec: @@ -7854,7 +7854,7 @@ spec: app.kubernetes.io/instance: kyverno app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 spec: affinity: podAntiAffinity: @@ -7885,7 +7885,7 @@ spec: value: kyverno-svc - name: TUF_ROOT value: /.sigstore - image: ghcr.io/kyverno/kyverno:v1.6.2 + image: ghcr.io/kyverno/kyverno:v1.6.3 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 2 @@ -7940,7 +7940,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/kyverno/kyvernopre:v1.6.2 + image: ghcr.io/kyverno/kyvernopre:v1.6.3 imagePullPolicy: IfNotPresent name: kyverno-pre resources: diff --git a/config/release/kustomization.yaml b/config/release/kustomization.yaml index 8d13b59e32dc..07401ba63800 100755 --- a/config/release/kustomization.yaml +++ b/config/release/kustomization.yaml @@ -9,6 +9,6 @@ transformers: images: - name: ghcr.io/kyverno/kyverno - newTag: v1.6.2 + newTag: v1.6.3 - name: ghcr.io/kyverno/kyvernopre - newTag: v1.6.2 + newTag: v1.6.3 diff --git a/config/release/labels.yaml b/config/release/labels.yaml index c34a8aa6a3e0..9122d512e57e 100644 --- a/config/release/labels.yaml +++ b/config/release/labels.yaml @@ -4,7 +4,7 @@ kind: LabelTransformer metadata: name: labelTransformer labels: - app.kubernetes.io/version: v1.6.2 + app.kubernetes.io/version: v1.6.3 fieldSpecs: - path: metadata/labels create: true diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go index 32dbe2b8c416..95fb31d00239 100644 --- a/pkg/webhookconfig/registration.go +++ b/pkg/webhookconfig/registration.go @@ -126,7 +126,6 @@ func (wrc *Register) Register() error { return err } } - wrc.removeWebhookConfigurations() caData := wrc.readCaData() if caData == nil { @@ -318,9 +317,12 @@ func (wrc *Register) createResourceMutatingWebhookConfiguration(caData []byte) e _, err := wrc.client.CreateResource("", kindMutating, "", *config, false) if errorsapi.IsAlreadyExists(err) { logger.V(6).Info("resource mutating webhook configuration already exists", "name", config.Name) + err = wrc.updateMutatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } - if err != nil { logger.Error(err, "failed to create resource mutating webhook configuration", "name", config.Name) return err @@ -344,6 +346,10 @@ func (wrc *Register) createResourceValidatingWebhookConfiguration(caData []byte) _, err := wrc.client.CreateResource("", kindValidating, "", *config, false) if errorsapi.IsAlreadyExists(err) { logger.V(6).Info("resource validating webhook configuration already exists", "name", config.Name) + err = wrc.updateValidatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } @@ -369,6 +375,10 @@ func (wrc *Register) createPolicyValidatingWebhookConfiguration(caData []byte) e if _, err := wrc.client.CreateResource("", kindValidating, "", *config, false); err != nil { if errorsapi.IsAlreadyExists(err) { wrc.log.V(6).Info("webhook already exists", "kind", kindValidating, "name", config.Name) + err = wrc.updateValidatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } @@ -392,6 +402,10 @@ func (wrc *Register) createPolicyMutatingWebhookConfiguration(caData []byte) err if _, err := wrc.client.CreateResource("", kindMutating, "", *config, false); err != nil { if errorsapi.IsAlreadyExists(err) { wrc.log.V(6).Info("webhook already exists", "kind", kindMutating, "name", config.Name) + err = wrc.updateMutatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } @@ -414,6 +428,10 @@ func (wrc *Register) createVerifyMutatingWebhookConfiguration(caData []byte) err if _, err := wrc.client.CreateResource("", kindMutating, "", *config, false); err != nil { if errorsapi.IsAlreadyExists(err) { wrc.log.V(6).Info("webhook already exists", "kind", kindMutating, "name", config.Name) + err = wrc.updateMutatingWebhookConfiguration(config) + if err != nil { + return err + } return nil } @@ -684,9 +702,6 @@ func (wrc *Register) checkEndpoint() error { } } - // clean up old webhook configurations, if any - wrc.removeWebhookConfigurations() - err = fmt.Errorf("endpoint not ready") wrc.log.V(3).Info(err.Error(), "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName) return err @@ -851,3 +866,93 @@ func (wrc *Register) updateResourceMutatingWebhookConfiguration(nsSelector map[s return nil } + +// updateMutatingWebhookConfiguration updates an existing MutatingWebhookConfiguration with the rules provided by +// the targetConfig. If the targetConfig doesn't provide any rules, the existing rules will be preserved. +func (wrc *Register) updateMutatingWebhookConfiguration(targetConfig *admregapi.MutatingWebhookConfiguration) error { + // Fetch the existing webhook. + currentConfiguration, err := wrc.mwcLister.Get(targetConfig.Name) + if err != nil { + return fmt.Errorf("failed to get %s %s: %v", kindMutating, targetConfig.Name, err) + } + // Create a map of the target webhooks. + targetWebhooksMap := make(map[string]admregapi.MutatingWebhook) + for _, w := range targetConfig.Webhooks { + targetWebhooksMap[w.Name] = w + } + // Update the webhooks. + newWebhooks := make([]admregapi.MutatingWebhook, 0) + for _, w := range currentConfiguration.Webhooks { + target, exist := targetWebhooksMap[w.Name] + if !exist { + continue + } + delete(targetWebhooksMap, w.Name) + // Update the webhook configuration + w.ClientConfig.URL = target.ClientConfig.URL + w.ClientConfig.Service = target.ClientConfig.Service + w.ClientConfig.CABundle = target.ClientConfig.CABundle + if target.Rules != nil { + // If the target webhook has rule definitions override the current. + w.Rules = target.Rules + } + newWebhooks = append(newWebhooks, w) + } + // Check if there are additional webhooks defined and add them. + for _, w := range targetWebhooksMap { + newWebhooks = append(newWebhooks, w) + } + // Update the current configuration. + currentConfiguration.Webhooks = newWebhooks + _, err = wrc.client.UpdateResource("", kindMutating, "", currentConfiguration, false) + if err != nil { + return err + } + wrc.log.V(3).Info("successfully updated mutatingWebhookConfigurations", "name", targetConfig.Name) + return nil +} + +// updateValidatingWebhookConfiguration updates an existing ValidatingWebhookConfiguration with the rules provided by +// the targetConfig. If the targetConfig doesn't provide any rules, the existing rules will be preserved. +func (wrc *Register) updateValidatingWebhookConfiguration(targetConfig *admregapi.ValidatingWebhookConfiguration) error { + // Fetch the existing webhook. + currentConfiguration, err := wrc.vwcLister.Get(targetConfig.Name) + if err != nil { + return fmt.Errorf("failed to get %s %s: %v", kindValidating, targetConfig.Name, err) + } + // Create a map of the target webhooks. + targetWebhooksMap := make(map[string]admregapi.ValidatingWebhook) + for _, w := range targetConfig.Webhooks { + targetWebhooksMap[w.Name] = w + } + // Update the webhooks. + newWebhooks := make([]admregapi.ValidatingWebhook, 0) + for _, w := range currentConfiguration.Webhooks { + target, exist := targetWebhooksMap[w.Name] + if !exist { + continue + } + delete(targetWebhooksMap, w.Name) + // Update the webhook configuration + w.ClientConfig.URL = target.ClientConfig.URL + w.ClientConfig.Service = target.ClientConfig.Service + w.ClientConfig.CABundle = target.ClientConfig.CABundle + if target.Rules != nil { + // If the target webhook has rule definitions override the current. + w.Rules = target.Rules + } + newWebhooks = append(newWebhooks, w) + } + // Check if there are additional webhooks defined and add them. + for _, w := range targetWebhooksMap { + newWebhooks = append(newWebhooks, w) + } + // Update the current configuration. + currentConfiguration.Webhooks = newWebhooks + _, err = wrc.client.UpdateResource("", kindValidating, "", currentConfiguration, false) + if err != nil { + return err + } + wrc.log.V(3).Info("successfully updated validatingWebhookConfigurations", "name", targetConfig.Name) + return nil +}