Update to current kyverno main (#1070)

* Update to current kyverno main

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

* update versioning

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

* schema updates

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

---------

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

Author: fjogeleit

Makefile

@@ -4,7 +4,7 @@
 
 KIND_IMAGE           ?= kindest/node:v1.33.1
 KIND_NAME            ?= kind
-KYVERNO_VERSION      ?= v1.15.1
+KYVERNO_VERSION      ?= main
 KOCACHE              ?= /tmp/ko-cache
 USE_CONFIG           ?= standard,no-ingress,in-cluster,all-read-rbac
 KUBECONFIG           ?= ""

backend/data/schemas/apis/policies.kyverno.io/v1alpha1.json

@@ -11,7 +11,7 @@ require (
 	github.com/knadh/koanf/parsers/yaml v1.1.0
 	github.com/knadh/koanf/providers/file v1.2.0
 	github.com/knadh/koanf/v2 v2.3.0
-	github.com/kyverno/kyverno v1.15.1
+	github.com/kyverno/kyverno v1.5.0-rc1.0.20250916081458-93be27ce3540
 	github.com/loopfz/gadgeto v0.11.5
 	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.11.1
@@ -145,7 +145,7 @@ require (
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.1 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.10 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zerologr v1.2.3 // indirect
@@ -172,7 +172,7 @@ require (
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
-	github.com/google/cel-go v0.26.0 // indirect
+	github.com/google/cel-go v0.26.1 // indirect
 	github.com/google/certificate-transparency-go v1.3.1 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
@@ -337,29 +337,29 @@ require (
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/arch v0.18.0 // indirect
-	golang.org/x/crypto v0.40.0 // indirect
+	golang.org/x/crypto v0.42.0 // indirect
 	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
-	golang.org/x/mod v0.26.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
-	golang.org/x/term v0.33.0 // indirect
-	golang.org/x/text v0.27.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/term v0.35.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
 	google.golang.org/api v0.233.0 // indirect
 	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
-	google.golang.org/grpc v1.74.2 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
+	google.golang.org/grpc v1.75.1 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.34.0 // indirect
-	k8s.io/cli-runtime v0.33.3 // indirect
+	k8s.io/cli-runtime v0.33.4 // indirect
 	k8s.io/component-base v0.34.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
@@ -371,7 +371,7 @@ require (
 	sigs.k8s.io/kustomize/api v0.20.1 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/release-utils v0.12.0 // indirect
+	sigs.k8s.io/release-utils v0.12.1 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 

backend/go.mod

@@ -159,7 +159,12 @@ func (p *Processor) Run(
 			gvk := newResource.GroupVersionKind()
 			gvr := gvk.GroupVersion().WithResource(strings.ToLower(gvk.Kind + "s"))
 
-			result, err := admissionpolicy.Validate(pData, newResource, gvk, gvr, make(map[string]map[string]string), p.dClient, true)
+			result, err := admissionpolicy.Validate(pData, newResource, gvk, gvr, make(map[string]map[string]string), p.dClient, &authenticationv1.UserInfo{
+				UID:      "user-123",
+				Username: p.params.Context.Username,
+				Groups:   p.params.Context.Groups,
+				Extra:    nil,
+			}, true)
 			if err != nil {
 				return nil, err
 			}
@@ -429,7 +434,6 @@ func newEngine(
 ) (engineapi.Engine, error) {
 	return kyvernoengine.NewEngine(
 		cfg,
-		config.NewDefaultMetricsConfiguration(),
 		jp,
 		client,
 		rclient,

backend/go.sum

@@ -12,7 +12,7 @@
             size="small"
             style="position: absolute; bottom: 20px; right: -90px"
           >
-            v1.15.0
+            v1.15.2
           </v-chip>
         </template>
         <template v-if="display.smAndDown.value">
@@ -22,7 +22,7 @@
             size="small"
             style="position: absolute; bottom: 16px; left: 90px"
           >
-            Kyverno v1.15.0
+            Kyverno v1.15.2
           </v-chip>
         </template>
       </div>
@@ -31,7 +31,7 @@
     <div>
       <v-menu v-if="config.versions.length" open-on-hover>
         <template v-slot:activator="{ props }">
-          <v-btn variant="outlined" class="text-none" rounded="xl" v-bind="props">v1.15.0 </v-btn>
+          <v-btn variant="outlined" class="text-none" rounded="xl" v-bind="props">v1.15.2 </v-btn>
         </template>
 
         <v-list variant="flat" class="my-0 py-0 border">

backend/pkg/engine/processor.go

@@ -317,6 +317,32 @@
     "spec": {
       "description": "Spec declares policy exception behaviors.",
       "properties": {
+        "allowedValues": {
+          "description": "AllowedValues specifies values that can be used in CEL expressions to bypass policy checks.\nThese values can be referenced in CEL expressions via `exceptions.allowedValues`.",
+          "items": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "images": {
+          "description": "Images specifies container images to be excluded from policy evaluation.\nThese excluded images can be referenced in CEL expressions via `exceptions.allowedImages`.",
+          "items": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
         "matchConditions": {
           "description": "MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.",
           "items": {

frontend/src/components/AppBar/AppBar.vue

@@ -332,6 +332,32 @@
           "spec": {
             "description": "Spec declares policy exception behaviors.",
             "properties": {
+              "allowedValues": {
+                "description": "AllowedValues specifies values that can be used in CEL expressions to bypass policy checks.\nThese values can be referenced in CEL expressions via `exceptions.allowedValues`.",
+                "items": {
+                  "type": [
+                    "string",
+                    "null"
+                  ]
+                },
+                "type": [
+                  "array",
+                  "null"
+                ]
+              },
+              "images": {
+                "description": "Images specifies container images to be excluded from policy evaluation.\nThese excluded images can be referenced in CEL expressions via `exceptions.allowedImages`.",
+                "items": {
+                  "type": [
+                    "string",
+                    "null"
+                  ]
+                },
+                "type": [
+                  "array",
+                  "null"
+                ]
+              },
               "matchConditions": {
                 "description": "MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.",
                 "items": {

frontend/src/schemas/policyexception-policies.kyverno.io-v1alpha1.json

@@ -317,6 +317,32 @@
     "spec": {
       "description": "Spec declares policy exception behaviors.",
       "properties": {
+        "allowedValues": {
+          "description": "AllowedValues specifies values that can be used in CEL expressions to bypass policy checks.\nThese values can be referenced in CEL expressions via `exceptions.allowedValues`.",
+          "items": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
+        "images": {
+          "description": "Images specifies container images to be excluded from policy evaluation.\nThese excluded images can be referenced in CEL expressions via `exceptions.allowedImages`.",
+          "items": {
+            "type": [
+              "string",
+              "null"
+            ]
+          },
+          "type": [
+            "array",
+            "null"
+          ]
+        },
         "matchConditions": {
           "description": "MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.",
           "items": {

frontend/src/schemas/policyexceptionlist-policies.kyverno.io-v1alpha1.json

@@ -332,6 +332,32 @@
           "spec": {
             "description": "Spec declares policy exception behaviors.",
             "properties": {
+              "allowedValues": {
+                "description": "AllowedValues specifies values that can be used in CEL expressions to bypass policy checks.\nThese values can be referenced in CEL expressions via `exceptions.allowedValues`.",
+                "items": {
+                  "type": [
+                    "string",
+                    "null"
+                  ]
+                },
+                "type": [
+                  "array",
+                  "null"
+                ]
+              },
+              "images": {
+                "description": "Images specifies container images to be excluded from policy evaluation.\nThese excluded images can be referenced in CEL expressions via `exceptions.allowedImages`.",
+                "items": {
+                  "type": [
+                    "string",
+                    "null"
+                  ]
+                },
+                "type": [
+                  "array",
+                  "null"
+                ]
+              },
               "matchConditions": {
                 "description": "MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.",
                 "items": {