⭐ Add Kyverno Kubernetes resources#8449

Open
MaxRink wants to merge 1 commit into mondoohq:main from MaxRink:codex/kyverno-integration-mql
Conversation

MaxRink (Contributor) commented Jun 15, 2026

Summary

  • add first-class k8s.kyverno resources for policies, rules, reports/results, PolicyExceptions, and mappings
  • collect Kyverno classic policies, policies.kyverno.io resources, PolicyReports/OpenReports, and PolicyExceptions through the Kubernetes provider
  • enrich Kyverno results and PolicyExceptions with annotation-induced and built-in Mondoo mappings
  • expose plural mapped Mondoo check UID/MRN fields on Kyverno results for one-to-many rule mappings
  • prefer policy annotation mappings over built-in defaults for both results and PolicyExceptions
  • update built-in mappings to current official Kyverno metadata/rule names and carry confidence for partial mappings
  • align runtime built-ins with every reviewed catalog policy/rule pair, including partial hostPath, hostPort, hostPort range, HostProcess, procMount, safe sysctls, SELinux type/user/role controls, seccomp profile controls, strict seccomp partial posture, ephemeral container blocking, non-root group IDs, hostPath PersistentVolume, container socket, service account token, ServiceAccount long-lived Secret references, Secret ServiceAccount token types, Secret environment variable usage, named container port usage, RBAC cluster-admin bindings, high-risk system group bindings, wildcard RBAC verbs/resources, Secret read verbs, RBAC escalation verbs, ClusterRole nodes/proxy access, service mesh, PSP, PodSecurity profile/subrule, default resources, default securityContext, restricted volume types, imagePull, image checksum, bare pods, ServiceAccount, PSS restricted profile mutation, QoS/resource posture, memory request/limit posture, Service exposure, Ingress routing/TLS, namespace inventory, Deployment replica count, StorageClass, NetworkPolicy podSelector, recommended Pod app labels, digest-resolution, and Kubernetes Best Practices mappings
  • support built-in mappings to non-default Mondoo policies such as mondoo-kubernetes-best-practices
  • fix k8s.serviceaccount secrets/imagePullSecrets field construction to return array data for their declared []dict type
  • fix container, initContainer, and ephemeralContainer env/envFrom schema declarations to expose generated []dict data
  • cover the current policies.kyverno.io/v1 PolicyException shape, where policyRefs no longer carry rule names
  • map rule-less modern PolicyExceptions to the referenced policy's mapped rules while preserving broad status
  • compute applied PolicyException status when matching PolicyReport/OpenReports evidence is observed, unless a higher-severity status wins
  • add provider options for configurable mapping annotation keys, PolicyException metadata annotation keys, built-in default mapping enablement, PolicyException behavior defaults, and unmapped PolicyReport result reporting
  • expose Kyverno behavior settings on k8s.kyverno for mirroring intent, mirrored approval/action, expired-exception strictness, unmapped-exception reporting, and unmapped-result reporting

Verification

  • make providers/build/k8s
  • go test ./provider -run 'TestK8sServiceAccount' -count=1
  • go test ./resources -run 'TestKyvernoManifestResources|TestKyvernoBuiltinMappingsCoverReviewedCatalogPolicies|TestKyvernoBuiltinMappingsSupportBestPracticesPolicy' -count=1
  • go test ./resources -run 'TestKyvernoBuiltinMappings|TestKyvernoManifestResources|TestKyvernoPolicyExceptions|TestKyvernoPolicyReports' -count=1
  • go test ./resources -run 'TestKyvernoBuiltinMappings|TestKyvernoPolicyExceptions|TestKyvernoPolicyReports' -count=1
  • go test ./resources -run 'TestKyvernoBuiltinMappingsCoverReviewedCatalogPolicies|TestKyvernoBuiltinMappingsSupportBestPracticesPolicy|TestKyvernoManifestResources|TestKyvernoPolicyExceptions|TestKyvernoPolicyReports' -count=1
  • go test ./config ./resources ./connection/manifest ./provider
  • git diff --check
  • live kind smoke with Kyverno chart 3.8.1 / Kyverno v1.18.1 using a local cnspec build plus local provider cache: all six Kyverno smoke checks passed

Notes

This is read-only collection through the existing Kubernetes scanner path and does not add anything to the admission path. The live Kyverno v1.18.1 CRD rejects old match/ruleNames fields on policies.kyverno.io/v1 PolicyException, so such exceptions keep an explicit broad status when rule names are absent. When the referenced Kyverno policy has known mappings, the exception is still attached to the related Mondoo checks so it can be displayed with the rest of the Kyverno and Mondoo exception context. Mirroring options are exposed as scanner intent, but native external exception upsert/display still requires platform API/UI support.
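As an added sketch, not the PR's own code, the following Go model illustrates the mapping and PolicyException rules listed in the Summary: policy annotation mappings preferred over built-in defaults, rule-less policies.kyverno.io/v1 exceptions expanded to the referenced policy's mapped rules while keeping broad status, and applied status derived from PolicyReport evidence unless a higher-severity status wins. The annotation key prefix, the built-in table, the status names and the use of skip results as evidence are all assumptions, not the provider's identifiers.

```go
package main

import (
	"slices"
	"strings"
)

const annotationPrefix = "example.mondoo.com/check-" // hypothetical mapping annotation key (constructed, not the provider's)
// Assumed built-in defaults (policy -> rule -> check UIDs); the real table is not on this page.
var builtin = map[string]map[string][]string{
	"disallow-privileged-containers": {"privileged-containers": {"mondoo-k8s-no-privileged"}},
}
// policies.kyverno.io/v1 PolicyException shape: policyRefs carry policy names only, no rule names.
type Exception struct {
	PolicyRefs []string
	Expired    bool
}
// mappedRules lists every mapped rule of a policy from its annotations (annotationPrefix+<rule> ->
// comma-separated check UIDs) and the built-in table; an annotation overrides the built-in default.
func mappedRules(policy string, annotations map[string]string) map[string][]string {
	out := map[string][]string{}
	for rule, uids := range builtin[policy] {
		out[rule] = uids
	}
	for key, val := range annotations {
		if rule, ok := strings.CutPrefix(key, annotationPrefix); ok {
			out[rule] = strings.Split(val, ",")
		}
	}
	return out
}
// resolveException expands a rule-less exception to the sorted, de-duplicated check UIDs of its
// referenced policies' mapped rules; skipped holds policies with an observed PolicyReport skip result.
// Status: "broad" by default, "applied" on such evidence, "expired" (assumed higher severity) wins.
func resolveException(ex Exception, annotations map[string]map[string]string, skipped map[string]bool) (string, []string) {
	status, uids := "broad", []string{}
	for _, ref := range ex.PolicyRefs {
		for _, ids := range mappedRules(ref, annotations[ref]) {
			uids = append(uids, ids...)
		}
		if skipped[ref] {
			status = "applied"
		}
	}
	if ex.Expired {
		status = "expired"
	}
	slices.Sort(uids)
	return status, slices.Compact(uids)
}
```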

github-actions Bot commented Jun 15, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

MaxRink force-pushed the codex/kyverno-integration-mql branch from c381e7f to 080283f, June 16, 2026 10:13

MaxRink (Contributor, Author) commented Jun 16, 2026

/review

MaxRink (Contributor, Author) commented Jun 16, 2026

I have read the Mondoo CLA Document and I hereby sign the CLA

mondoo-code-review Bot left a comment

New Kyverno resource integration is well-structured; container env/envFrom type-change versions are missing and new files have wrong copyright format.

Comment thread providers/k8s/resources/kyverno.go Outdated
Comment thread providers/k8s/resources/k8s.lr
Comment thread providers/k8s/resources/kyverno.go Outdated
Comment thread providers/k8s/resources/k8s.lr
mondoo-code-review Bot dismissed their stale review June 16, 2026 12:47

Superseded by new review

mondoo-code-review Bot left a comment

Adds Kyverno policy engine integration to the K8s provider and fixes serviceaccount field types from dict to []dict.

Comment thread providers/k8s/resources/kyverno.go
Comment thread providers/k8s/resources/kyverno.go Outdated
Comment thread providers/k8s/resources/k8s.lr
MaxRink (Contributor, Author) commented Jun 16, 2026

/review

mondoo-code-review Bot left a comment

Adds Kyverno policy engine integration to the K8s provider with well-structured resource schema and fixes a pre-existing env/envFrom type mismatch.

MaxRink (Contributor, Author) commented Jun 16, 2026

/review

1 similar comment
MaxRink (Contributor, Author) commented Jun 16, 2026

/review

mondoo-code-review Bot left a comment

Kyverno integration queries the Kubernetes API redundantly when default fields are accessed, doubling API calls for policies and exceptions.

Comment thread providers/k8s/resources/kyverno.go
Comment thread providers/k8s/resources/k8s.lr.versions
Comment thread providers/k8s/resources/kyverno.go
MaxRink (Contributor, Author) commented Jun 16, 2026

/review

mondoo-code-review Bot left a comment

Adds comprehensive Kyverno policy engine integration to the K8s provider with schema, implementation, and a service account bug fix.

Comment thread providers/k8s/resources/serviceaccount.go Outdated
Comment thread providers/k8s/resources/kyverno.go Outdated
Comment thread providers/k8s/resources/kyverno.go Outdated
Comment thread providers/k8s/resources/k8s.lr

mondoo-code-review Bot left a comment

Adds Kyverno policy engine integration to the Kubernetes provider with schema, discovery, and configuration options.

Comment thread providers/k8s/resources/kyverno.go
Comment thread providers/k8s/resources/kyverno.go Outdated
Comment thread providers/k8s/resources/k8s.lr.versions
MaxRink (Contributor, Author) commented Jun 16, 2026

/review

mondoo-code-review Bot left a comment

Adds Kyverno policy engine integration to the K8s provider and fixes container env/envFrom schema types and serviceaccount secrets type.

Comment thread providers/k8s/resources/kyverno.go
Comment thread providers/k8s/resources/k8s.lr
Comment thread providers/k8s/resources/k8s.lr
MaxRink (Contributor, Author) commented Jun 16, 2026

/review

mondoo-code-review Bot left a comment

Adds Kyverno resource schema and integration; serviceaccount type fix is correct; no production bugs found.

Comment thread providers/k8s/resources/k8s.lr
Comment thread providers/k8s/resources/k8s.lr
MaxRink (Contributor, Author) commented Jun 16, 2026

/review

1 similar comment
MaxRink (Contributor, Author) commented Jun 16, 2026

/review

mondoo-code-review Bot left a comment

Adds Kyverno policy engine integration to the K8s provider with schema, config options, and a service account bug fix; internal struct nil-dereference risk on cached resources is the main concern.

Comment thread providers/k8s/resources/kyverno.go
Comment thread providers/k8s/resources/kyverno.go Outdated
MaxRink (Contributor, Author) commented Jun 16, 2026

/review

1 similar comment
MaxRink (Contributor, Author) commented Jun 16, 2026

/review

mondoo-code-review Bot left a comment

Adds Kyverno policy engine resources to the K8s provider with a serviceaccount bug fix, but internal struct fields lack nil guards that could cause panics.

Comment thread providers/k8s/resources/kyverno.go Outdated
Comment thread providers/k8s/resources/kyverno.go Outdated

mondoo-code-review Bot left a comment

Adds Kyverno policy engine integration to K8s provider with schema fixes for container env/envFrom types.

Comment thread providers/k8s/resources/kyverno.go Outdated
Comment thread providers/k8s/resources/kyverno.go Outdated
Comment thread providers/k8s/resources/kyverno.go Outdated
MaxRink (Contributor, Author) commented Jun 16, 2026

/review

tas50 changed the title from "Add Kyverno Kubernetes resources" to "⭐ Add Kyverno Kubernetes resources", Jun 18, 2026
MaxRink marked this pull request as ready for review June 19, 2026 08:15
MaxRink force-pushed the codex/kyverno-integration-mql branch from cf681a8 to 93d336d, June 19, 2026 08:39
MaxRink force-pushed the codex/kyverno-integration-mql branch from 93d336d to f588116, June 25, 2026 00:25