kubeops · tamalsaha · Dec 9, 2025 · Dec 9, 2025
diff --git a/.config/api-rules/violation_exceptions.list b/.config/api-rules/violation_exceptions.list
@@ -24,6 +24,7 @@ API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,X509Subject,
 API rule violation: list_type_missing,kmodules.xyz/client-go/api/v1,X509Subject,StreetAddresses
 API rule violation: list_type_missing,kubeops.dev/ui-server/apis/policy/v1alpha1,Constraint,Violations
 API rule violation: list_type_missing,kubeops.dev/ui-server/apis/policy/v1alpha1,PolicyReportResponse,Constraints
+API rule violation: list_type_missing,kubeops.dev/ui-server/apis/policy/v1alpha1,StatusViolation,EnforcementActions
 API rule violation: names_match,k8s.io/api/core/v1,AzureDiskVolumeSource,DataDiskURI
 API rule violation: names_match,k8s.io/api/core/v1,ContainerStatus,LastTerminationState
 API rule violation: names_match,k8s.io/api/core/v1,DaemonEndpoint,Port

diff --git a/Dockerfile.ubi b/Dockerfile.ubi
@@ -0,0 +1,41 @@
+# Copyright AppsCode Inc. and Contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM {ARG_FROM}
+
+LABEL org.opencontainers.image.source="https://github.com/kubeops/ui-server" \
+    name="ACE UI Server" \
+    maintainer=AppsCode \
+    vendor=AppsCode \
+    version={ARG_TAG} \
+    release={ARG_TAG} \
+    summary="Exposes cluster resources in Kubernetes native way for ACE platform" \
+    description="Exposes cluster resources in Kubernetes native way for ACE platform"
+
+RUN mkdir -p /licenses
+COPY LICENSE /licenses/
+
+RUN set -x \
+  && microdnf update -y \
+  && microdnf install -y ca-certificates tzdata \
+  && microdnf clean all
+
+ENV TZ=Etc/UTC
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+ADD bin/{ARG_OS}_{ARG_ARCH}/{ARG_BIN} /{ARG_BIN}
+
+USER 65534
+
+ENTRYPOINT ["/{ARG_BIN}"]
diff --git a/Makefile b/Makefile
@@ -26,7 +26,7 @@ COMPRESS ?= no
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
 CRD_OPTIONS          ?= "crd:crdVersions={v1},allowDangerousTypes=true"
 CODE_GENERATOR_IMAGE ?= ghcr.io/appscode/gengo:release-1.32
-API_GROUPS           ?= cost:v1alpha1 identity:v1alpha1 offline:v1alpha1 policy:v1alpha1
+API_GROUPS           ?= cost:v1alpha1 offline:v1alpha1 policy:v1alpha1
 
 # Where to push the docker image.
 REGISTRY ?= ghcr.io/appscode
@@ -69,17 +69,20 @@ ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 # BASEIMAGE_PROD   ?= gcr.io/distroless/static-debian12
 BASEIMAGE_PROD   ?= alpine
 BASEIMAGE_DBG    ?= debian:12
+BASEIMAGE_UBI    ?= registry.access.redhat.com/ubi10/ubi-minimal
 
 IMAGE            := $(REGISTRY)/$(BIN)
 VERSION_PROD     := $(VERSION)
 VERSION_DBG      := $(VERSION)-dbg
+VERSION_UBI      := $(VERSION)-ubi
 TAG              := $(VERSION)_$(OS)_$(ARCH)
 TAG_PROD         := $(TAG)
 TAG_DBG          := $(VERSION)-dbg_$(OS)_$(ARCH)
+TAG_UBI          := $(VERSION)-ubi_$(OS)_$(ARCH)
 
 GO_VERSION       ?= 1.25
 BUILD_IMAGE      ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)
-CHART_TEST_IMAGE ?= quay.io/helmpack/chart-testing:v3.10.0
+CHART_TEST_IMAGE ?= quay.io/helmpack/chart-testing:v3.13.0
 
 OUTBIN = bin/$(OS)_$(ARCH)/$(BIN)
 ifeq ($(OS),windows)
@@ -97,6 +100,7 @@ BUILD_DIRS  := bin/$(OS)_$(ARCH)     \
 
 DOCKERFILE_PROD  = Dockerfile.in
 DOCKERFILE_DBG   = Dockerfile.dbg
+DOCKERFILE_UBI   = Dockerfile.ubi
 
 DOCKER_REPO_ROOT := /go/src/$(GO_PKG)/$(REPO)
 
@@ -297,15 +301,16 @@ $(OUTBIN): .go/$(OUTBIN).stamp
 # Used to track state in hidden files.
 DOTFILE_IMAGE    = $(subst /,_,$(IMAGE))-$(TAG)
 
-container: bin/.container-$(DOTFILE_IMAGE)-PROD bin/.container-$(DOTFILE_IMAGE)-DBG
+container: bin/.container-$(DOTFILE_IMAGE)-PROD bin/.container-$(DOTFILE_IMAGE)-DBG bin/.container-$(DOTFILE_IMAGE)-UBI
 ifeq (,$(SRC_REG))
 bin/.container-$(DOTFILE_IMAGE)-%: bin/$(OS)_$(ARCH)/$(BIN) $(DOCKERFILE_%)
 	@echo "container: $(IMAGE):$(TAG_$*)"
-	@sed                                    \
+	@sed                                  \
 		-e 's|{ARG_BIN}|$(BIN)|g'           \
 		-e 's|{ARG_ARCH}|$(ARCH)|g'         \
 		-e 's|{ARG_OS}|$(OS)|g'             \
 		-e 's|{ARG_FROM}|$(BASEIMAGE_$*)|g' \
+		-e 's|{ARG_TAG}|$(TAG)|g'           \
 		$(DOCKERFILE_$*) > bin/.dockerfile-$*-$(OS)_$(ARCH)
 	@docker buildx build --platform $(OS)/$(ARCH) --load --pull -t $(IMAGE):$(TAG_$*) -f bin/.dockerfile-$*-$(OS)_$(ARCH) .
 	@docker images -q $(IMAGE):$(TAG_$*) > $@
@@ -317,17 +322,17 @@ bin/.container-$(DOTFILE_IMAGE)-%:
 	@echo
 endif
 
-push: bin/.push-$(DOTFILE_IMAGE)-PROD bin/.push-$(DOTFILE_IMAGE)-DBG
+push: bin/.push-$(DOTFILE_IMAGE)-PROD bin/.push-$(DOTFILE_IMAGE)-DBG bin/.push-$(DOTFILE_IMAGE)-UBI
 bin/.push-$(DOTFILE_IMAGE)-%: bin/.container-$(DOTFILE_IMAGE)-%
 	@docker push $(IMAGE):$(TAG_$*)
 	@echo "pushed: $(IMAGE):$(TAG_$*)"
 	@echo
 
 .PHONY: docker-manifest
-docker-manifest: docker-manifest-PROD docker-manifest-DBG
+docker-manifest: docker-manifest-PROD docker-manifest-DBG docker-manifest-UBI
 docker-manifest-%:
-	docker manifest create -a $(IMAGE):$(VERSION_$*) $(foreach PLATFORM,$(DOCKER_PLATFORMS),$(IMAGE):$(VERSION_$*)_$(subst /,_,$(PLATFORM)))
-	docker manifest push $(IMAGE):$(VERSION_$*)
+	@docker manifest create -a $(IMAGE):$(VERSION_$*) $(foreach PLATFORM,$(DOCKER_PLATFORMS),$(IMAGE):$(VERSION_$*)_$(subst /,_,$(PLATFORM)))
+	@docker manifest push $(IMAGE):$(VERSION_$*)
 
 .PHONY: test
 test: unit-tests e2e-tests

diff --git a/apis/policy/v1alpha1/openapi_generated.go b/apis/policy/v1alpha1/openapi_generated.go
diff --git a/apis/policy/v1alpha1/policy_report.go b/apis/policy/v1alpha1/policy_report.go
@@ -17,7 +17,6 @@ limitations under the License.
 package v1alpha1
 
 import (
-	"github.com/open-policy-agent/gatekeeper/v3/pkg/audit"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	kmapi "kmodules.xyz/client-go/api/v1"
@@ -54,5 +53,16 @@ type Constraint struct {
 	AuditTimestamp metav1.Time                 `json:"auditTimestamp,omitempty"`
 	Name           string                      `json:"name,omitempty"`
 	GVR            schema.GroupVersionResource `json:"gvr,omitempty"`
-	Violations     []audit.StatusViolation     `json:"violations,omitempty"`
+	Violations     []StatusViolation           `json:"violations,omitempty"`
+}
+
+type StatusViolation struct {
+	Group              string   `json:"group"`
+	Version            string   `json:"version"`
+	Kind               string   `json:"kind"`
+	Name               string   `json:"name"`
+	Namespace          string   `json:"namespace,omitempty"`
+	Message            string   `json:"message"`
+	EnforcementAction  string   `json:"enforcementAction"`
+	EnforcementActions []string `json:"enforcementActions,omitempty"`
 }
diff --git a/apis/policy/v1alpha1/zz_generated.deepcopy.go b/apis/policy/v1alpha1/zz_generated.deepcopy.go