chore: fix high vulnerabilities in release 1.10 (kyverno#9226)

* chore: use cosign 1.13.2 in 1.10 Signed-off-by: Vishal Choudhary <[email protected]> * feat: rekor vulnerability fix Signed-off-by: Vishal Choudhary <[email protected]> * fix: upgrade schema url Signed-off-by: Vishal Choudhary <[email protected]> * fix: update all files Signed-off-by: Vishal Choudhary <[email protected]> * fix: missed one Signed-off-by: Vishal Choudhary <[email protected]> * feat: upgrade linter Signed-off-by: Vishal Choudhary <[email protected]> --------- Signed-off-by: Vishal Choudhary <[email protected]>
giantswarm · Dec 20, 2023 · 7748d7e · 7748d7e
1 parent 9198bea
commit 7748d7e
Show file tree

Hide file tree

Showing 16 changed files with 3,671 additions and 316 deletions.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -27,9 +27,9 @@ jobs:
         with:
           build-cache-key: lint
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
         with:
-          version: v1.52.2
+          version: v1.54.2
           skip-cache: true
       - name: go fmt check
         run: make fmt-check

diff --git a/cmd/cleanup-controller/handlers/cleanup/handlers.go b/cmd/cleanup-controller/handlers/cleanup/handlers.go
@@ -16,9 +16,9 @@ import (
 	"github.com/kyverno/kyverno/pkg/metrics"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	"github.com/kyverno/kyverno/pkg/utils/match"
+	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
-	"go.opentelemetry.io/otel/metric/global"
-	"go.opentelemetry.io/otel/metric/instrument"
+	"go.opentelemetry.io/otel/metric"
 	"go.uber.org/multierr"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -40,22 +40,22 @@ type handlers struct {
 }
 
 type cleanupMetrics struct {
-	deletedObjectsTotal  instrument.Int64Counter
-	cleanupFailuresTotal instrument.Int64Counter
+	deletedObjectsTotal  metric.Int64Counter
+	cleanupFailuresTotal metric.Int64Counter
 }
 
 func newCleanupMetrics(logger logr.Logger) cleanupMetrics {
-	meter := global.MeterProvider().Meter(metrics.MeterName)
+	meter := otel.GetMeterProvider().Meter(metrics.MeterName)
 	deletedObjectsTotal, err := meter.Int64Counter(
 		"kyverno_cleanup_controller_deletedobjects",
-		instrument.WithDescription("can be used to track number of deleted objects."),
+		metric.WithDescription("can be used to track number of deleted objects."),
 	)
 	if err != nil {
 		logger.Error(err, "Failed to create instrument, kyverno_cleanup_controller_deletedobjects_total")
 	}
 	cleanupFailuresTotal, err := meter.Int64Counter(
 		"kyverno_cleanup_controller_errors",
-		instrument.WithDescription("can be used to track number of cleanup failures."),
+		metric.WithDescription("can be used to track number of cleanup failures."),
 	)
 	if err != nil {
 		logger.Error(err, "Failed to create instrument, kyverno_cleanup_controller_errors_total")
@@ -131,7 +131,7 @@ func (h *handlers) executePolicy(
 			debug.Error(err, "failed to list resources")
 			errs = append(errs, err)
 			if h.metrics.cleanupFailuresTotal != nil {
-				h.metrics.cleanupFailuresTotal.Add(ctx, 1, commonLabels...)
+				h.metrics.cleanupFailuresTotal.Add(ctx, 1, metric.WithAttributes(commonLabels...))
 			}
 		} else {
 			for i := range list.Items {
@@ -221,14 +221,14 @@ func (h *handlers) executePolicy(
 					logger.WithValues("name", name, "namespace", namespace).Info("resource matched, it will be deleted...")
 					if err := h.client.DeleteResource(ctx, resource.GetAPIVersion(), resource.GetKind(), namespace, name, false); err != nil {
 						if h.metrics.cleanupFailuresTotal != nil {
-							h.metrics.cleanupFailuresTotal.Add(ctx, 1, labels...)
+							h.metrics.cleanupFailuresTotal.Add(ctx, 1, metric.WithAttributes(labels...))
 						}
 						debug.Error(err, "failed to delete resource")
 						errs = append(errs, err)
 						h.createEvent(policy, resource, err)
 					} else {
 						if h.metrics.deletedObjectsTotal != nil {
-							h.metrics.deletedObjectsTotal.Add(ctx, 1, labels...)
+							h.metrics.deletedObjectsTotal.Add(ctx, 1, metric.WithAttributes(labels...))
 						}
 						debug.Info("deleted")
 						h.createEvent(policy, resource, nil)

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/pkg/controllers/metrics/policy/controller.go b/pkg/controllers/metrics/policy/controller.go
@@ -11,17 +11,16 @@ import (
 	"github.com/kyverno/kyverno/pkg/metrics"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
+	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
-	"go.opentelemetry.io/otel/metric/global"
-	"go.opentelemetry.io/otel/metric/instrument"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 )
 
 type controller struct {
 	metricsConfig metrics.MetricsConfigManager
-	ruleInfo      instrument.Float64ObservableGauge
+	ruleInfo      metric.Float64ObservableGauge
 
 	// listers
 	cpolLister kyvernov1listers.ClusterPolicyLister
@@ -37,11 +36,11 @@ func NewController(
 	polInformer kyvernov1informers.PolicyInformer,
 	waitGroup *sync.WaitGroup,
 ) {
-	meterProvider := global.MeterProvider()
+	meterProvider := otel.GetMeterProvider()
 	meter := meterProvider.Meter(metrics.MeterName)
 	policyRuleInfoMetric, err := meter.Float64ObservableGauge(
 		"kyverno_policy_rule_info_total",
-		instrument.WithDescription("can be used to track the info of the rules or/and policies present in the cluster. 0 means the rule doesn't exist and has been deleted, 1 means the rule is currently existent in the cluster"),
+		metric.WithDescription("can be used to track the info of the rules or/and policies present in the cluster. 0 means the rule doesn't exist and has been deleted, 1 means the rule is currently existent in the cluster"),
 	)
 	if err != nil {
 		logger.Error(err, "Failed to create instrument, kyverno_policy_rule_info_total")
@@ -114,7 +113,7 @@ func (c *controller) reportPolicy(ctx context.Context, policy kyvernov1.PolicyIn
 				attribute.String("rule_name", rule.Name),
 				attribute.String("rule_type", string(ruleType)),
 			}
-			observer.ObserveFloat64(c.ruleInfo, 1, append(ruleAttributes, policyAttributes...)...)
+			observer.ObserveFloat64(c.ruleInfo, 1, metric.WithAttributes(append(ruleAttributes, policyAttributes...)...))
 		}
 	}
 	return nil

diff --git a/pkg/engine/context/loaders/imagedata.go b/pkg/engine/context/loaders/imagedata.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 
 	"github.com/go-logr/logr"
+	"github.com/google/go-containerregistry/pkg/name"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
@@ -107,6 +108,10 @@ func (idl *imageDataLoader) fetchImageDataMap(client registryclient.Client, ref
 	if err != nil {
 		return nil, err
 	}
+	parsedRef, err := name.ParseReference(ref)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse image reference: %s, error: %v", ref, err)
+	}
 	image, err := desc.Image()
 	if err != nil {
 		return nil, fmt.Errorf("failed to resolve image reference: %s, error: %v", ref, err)
@@ -132,10 +137,10 @@ func (idl *imageDataLoader) fetchImageDataMap(client registryclient.Client, ref
 
 	data := map[string]interface{}{
 		"image":         ref,
-		"resolvedImage": fmt.Sprintf("%s@%s", desc.Ref.Context().Name(), desc.Digest.String()),
-		"registry":      desc.Ref.Context().RegistryStr(),
-		"repository":    desc.Ref.Context().RepositoryStr(),
-		"identifier":    desc.Ref.Identifier(),
+		"resolvedImage": fmt.Sprintf("%s@%s", parsedRef.Context().Name(), desc.Digest.String()),
+		"registry":      parsedRef.Context().RegistryStr(),
+		"repository":    parsedRef.Context().RepositoryStr(),
+		"identifier":    parsedRef.Identifier(),
 		"manifest":      manifest,
 		"configData":    configData,
 	}

diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go
@@ -21,8 +21,8 @@ import (
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	"github.com/kyverno/kyverno/pkg/tracing"
 	stringutils "github.com/kyverno/kyverno/pkg/utils/strings"
-	"go.opentelemetry.io/otel/metric/global"
-	"go.opentelemetry.io/otel/metric/instrument"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/metric"
 	"go.opentelemetry.io/otel/trace"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -36,8 +36,8 @@ type engine struct {
 	contextLoader        engineapi.ContextLoaderFactory
 	exceptionSelector    engineapi.PolicyExceptionSelector
 	// metrics
-	resultCounter     instrument.Int64Counter
-	durationHistogram instrument.Float64Histogram
+	resultCounter     metric.Int64Counter
+	durationHistogram metric.Float64Histogram
 }
 
 type handlerFactory = func() (handlers.Handler, error)
@@ -51,17 +51,17 @@ func NewEngine(
 	contextLoader engineapi.ContextLoaderFactory,
 	exceptionSelector engineapi.PolicyExceptionSelector,
 ) engineapi.Engine {
-	meter := global.MeterProvider().Meter(metrics.MeterName)
+	meter := otel.GetMeterProvider().Meter(metrics.MeterName)
 	resultCounter, err := meter.Int64Counter(
 		"kyverno_policy_results",
-		instrument.WithDescription("can be used to track the results associated with the policies applied in the user's cluster, at the level from rule to policy to admission requests"),
+		metric.WithDescription("can be used to track the results associated with the policies applied in the user's cluster, at the level from rule to policy to admission requests"),
 	)
 	if err != nil {
 		logging.Error(err, "failed to register metric kyverno_policy_results")
 	}
 	durationHistogram, err := meter.Float64Histogram(
 		"kyverno_policy_execution_duration_seconds",
-		instrument.WithDescription("can be used to track the latencies (in seconds) associated with the execution/processing of the individual rules under Kyverno policies whenever they evaluate incoming resource requests"),
+		metric.WithDescription("can be used to track the latencies (in seconds) associated with the execution/processing of the individual rules under Kyverno policies whenever they evaluate incoming resource requests"),
 	)
 	if err != nil {
 		logging.Error(err, "failed to register metric kyverno_policy_execution_duration_seconds")

diff --git a/pkg/engine/metrics.go b/pkg/engine/metrics.go
@@ -9,6 +9,7 @@ import (
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/metric"
 )
 
 func (e *engine) reportMetrics(
@@ -71,7 +72,7 @@ func (e *engine) reportMetrics(
 					attribute.String("rule_type", string(ruleType)),
 					attribute.String("rule_execution_cause", string(executionCause)),
 				}
-				e.resultCounter.Add(ctx, 1, commonLabels...)
+				e.resultCounter.Add(ctx, 1, metric.WithAttributes(commonLabels...))
 			}
 			if e.durationHistogram != nil {
 				commonLabels := []attribute.KeyValue{
@@ -88,7 +89,7 @@ func (e *engine) reportMetrics(
 					attribute.String("rule_type", string(ruleType)),
 					attribute.String("rule_execution_cause", string(executionCause)),
 				}
-				e.durationHistogram.Record(ctx, rule.Stats().ProcessingTime().Seconds(), commonLabels...)
+				e.durationHistogram.Record(ctx, rule.Stats().ProcessingTime().Seconds(), metric.WithAttributes(commonLabels...))
 			}
 		}
 	}

diff --git a/pkg/metrics/fake.go b/pkg/metrics/fake.go
@@ -2,7 +2,7 @@ package metrics
 
 import (
 	"github.com/kyverno/kyverno/pkg/config"
-	"go.opentelemetry.io/otel/metric/global"
+	"go.opentelemetry.io/otel"
 	"k8s.io/klog/v2"
 )
 
@@ -11,6 +11,6 @@ func NewFakeMetricsConfig() *MetricsConfig {
 		config: config.NewDefaultMetricsConfiguration(),
 		Log:    klog.NewKlogr(),
 	}
-	_ = mc.initializeMetrics(global.MeterProvider())
+	_ = mc.initializeMetrics(otel.GetMeterProvider())
 	return mc
 }
diff --git a/pkg/metrics/init.go b/pkg/metrics/init.go
@@ -6,16 +6,16 @@ import (
 
 	"github.com/go-logr/logr"
 	"github.com/kyverno/kyverno/pkg/config"
+	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/metric"
-	"go.opentelemetry.io/otel/metric/global"
 	sdkmetric "go.opentelemetry.io/otel/sdk/metric"
 	"k8s.io/client-go/kubernetes"
 )
 
 func InitMetrics(
 	ctx context.Context,
 	disableMetricsExport bool,
-	otel string,
+	otelProvider string,
 	metricsAddr string,
 	otelCollector string,
 	metricsConfiguration config.MetricsConfiguration,
@@ -27,7 +27,7 @@ func InitMetrics(
 	var metricsServerMux *http.ServeMux
 	if !disableMetricsExport {
 		var meterProvider metric.MeterProvider
-		if otel == "grpc" {
+		if otelProvider == "grpc" {
 			endpoint := otelCollector + metricsAddr
 			meterProvider, err = NewOTLPGRPCConfig(
 				ctx,
@@ -39,21 +39,21 @@ func InitMetrics(
 			if err != nil {
 				return nil, nil, nil, err
 			}
-		} else if otel == "prometheus" {
+		} else if otelProvider == "prometheus" {
 			meterProvider, metricsServerMux, err = NewPrometheusConfig(ctx, logger)
 			if err != nil {
 				return nil, nil, nil, err
 			}
 		}
 		if meterProvider != nil {
-			global.SetMeterProvider(meterProvider)
+			otel.SetMeterProvider(meterProvider)
 		}
 	}
 	metricsConfig := MetricsConfig{
 		Log:    logger,
 		config: metricsConfiguration,
 	}
-	err = metricsConfig.initializeMetrics(global.MeterProvider())
+	err = metricsConfig.initializeMetrics(otel.GetMeterProvider())
 	if err != nil {
 		logger.Error(err, "Failed initializing metrics")
 		return nil, nil, nil, err

diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go
@@ -16,11 +16,9 @@ import (
 	"go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc"
 	"go.opentelemetry.io/otel/exporters/prometheus"
 	"go.opentelemetry.io/otel/metric"
-	"go.opentelemetry.io/otel/metric/instrument"
 	sdkmetric "go.opentelemetry.io/otel/sdk/metric"
-	"go.opentelemetry.io/otel/sdk/metric/aggregation"
 	"go.opentelemetry.io/otel/sdk/resource"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.21.0"
 	"k8s.io/client-go/kubernetes"
 )
 
@@ -30,8 +28,8 @@ const (
 
 type MetricsConfig struct {
 	// instruments
-	policyChangesMetric instrument.Int64Counter
-	clientQueriesMetric instrument.Int64Counter
+	policyChangesMetric metric.Int64Counter
+	clientQueriesMetric metric.Int64Counter
 
 	// config
 	config kconfig.MetricsConfiguration
@@ -51,12 +49,12 @@ func (m *MetricsConfig) Config() kconfig.MetricsConfiguration {
 func (m *MetricsConfig) initializeMetrics(meterProvider metric.MeterProvider) error {
 	var err error
 	meter := meterProvider.Meter(MeterName)
-	m.policyChangesMetric, err = meter.Int64Counter("kyverno_policy_changes", instrument.WithDescription("can be used to track all the changes associated with the Kyverno policies present on the cluster such as creation, updates and deletions"))
+	m.policyChangesMetric, err = meter.Int64Counter("kyverno_policy_changes", metric.WithDescription("can be used to track all the changes associated with the Kyverno policies present on the cluster such as creation, updates and deletions"))
 	if err != nil {
 		m.Log.Error(err, "Failed to create instrument, kyverno_policy_changes")
 		return err
 	}
-	m.clientQueriesMetric, err = meter.Int64Counter("kyverno_client_queries", instrument.WithDescription("can be used to track the number of client queries sent from Kyverno to the API-server"))
+	m.clientQueriesMetric, err = meter.Int64Counter("kyverno_client_queries", metric.WithDescription("can be used to track the number of client queries sent from Kyverno to the API-server"))
 	if err != nil {
 		m.Log.Error(err, "Failed to create instrument, kyverno_client_queries")
 		return err
@@ -73,10 +71,10 @@ func ShutDownController(ctx context.Context, pusher *sdkmetric.MeterProvider) {
 	}
 }
 
-func aggregationSelector(ik sdkmetric.InstrumentKind) aggregation.Aggregation {
+func aggregationSelector(ik sdkmetric.InstrumentKind) sdkmetric.Aggregation {
 	switch ik {
 	case sdkmetric.InstrumentKindHistogram:
-		return aggregation.ExplicitBucketHistogram{
+		return sdkmetric.AggregationExplicitBucketHistogram{
 			Boundaries: []float64{
 				0.005,
 				0.01,
@@ -194,7 +192,7 @@ func (m *MetricsConfig) RecordPolicyChanges(ctx context.Context, policyValidatio
 		attribute.String("policy_name", policyName),
 		attribute.String("policy_change_type", policyChangeType),
 	}
-	m.policyChangesMetric.Add(ctx, 1, commonLabels...)
+	m.policyChangesMetric.Add(ctx, 1, metric.WithAttributes(commonLabels...))
 }
 
 func (m *MetricsConfig) RecordClientQueries(ctx context.Context, clientQueryOperation ClientQueryOperation, clientType ClientType, resourceKind string, resourceNamespace string) {
@@ -204,5 +202,5 @@ func (m *MetricsConfig) RecordClientQueries(ctx context.Context, clientQueryOper
 		attribute.String("resource_kind", resourceKind),
 		attribute.String("resource_namespace", resourceNamespace),
 	}
-	m.clientQueriesMetric.Add(ctx, 1, commonLabels...)
+	m.clientQueriesMetric.Add(ctx, 1, metric.WithAttributes(commonLabels...))
 }
diff --git a/pkg/tracing/config.go b/pkg/tracing/config.go
@@ -13,7 +13,7 @@ import (
 	"go.opentelemetry.io/otel/propagation"
 	"go.opentelemetry.io/otel/sdk/resource"
 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.21.0"
 	"k8s.io/client-go/kubernetes"
 )
 

diff --git a/pkg/tracing/helpers.go b/pkg/tracing/helpers.go
@@ -6,7 +6,7 @@ import (
 
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.21.0"
 	"go.opentelemetry.io/otel/trace"
 )