add kyverno Policies endpoints

modules/api/cmd/kubermatic-api/main.go

@@ -414,6 +414,7 @@ func createInitProviders(ctx context.Context, options serverRunOptions, masterCf
 
 	backupStorageProvider := backupStorageProviderFactory(defaultImpersonationClient.CreateImpersonatedClient, client)
 
+	policyTemplateProvider := policyTemplateProviderFactory(defaultImpersonationClient.CreateImpersonatedClient, client)
 	return providers{
 		sshKey:                                         sshKeyProvider,
 		privilegedSSHKeyProvider:                       privilegedSSHKeyProvider,
@@ -457,6 +458,7 @@ func createInitProviders(ctx context.Context, options serverRunOptions, masterCf
 		etcdBackupConfigProjectProviderGetter:          etcdBackupConfigProjectProviderGetter,
 		etcdRestoreProjectProviderGetter:               etcdRestoreProjectProviderGetter,
 		backupStorageProvider:                          backupStorageProvider,
+		policyTemplateProvider:                         policyTemplateProvider,
 		backupCredentialsProviderGetter:                backupCredentialsProviderGetter,
 		privilegedMLAAdminSettingProviderGetter:        privilegedMLAAdminSettingProviderGetter,
 		seedProvider:                                   seedProvider,

modules/api/cmd/kubermatic-api/options.go

@@ -213,6 +213,7 @@ type providers struct {
 	applicationDefinitionProvider                  provider.ApplicationDefinitionProvider
 	privilegedOperatingSystemProfileProviderGetter provider.PrivilegedOperatingSystemProfileProviderGetter
 	oidcIssuerVerifierProviderGetter               provider.OIDCIssuerVerifierGetter
+	policyTemplateProvider                         provider.PolicyTemplateProvider
 }
 
 func loadKubermaticConfiguration(filename string) (*kubermaticv1.KubermaticConfiguration, error) {

modules/api/cmd/kubermatic-api/wrappers_ce.go

@@ -51,3 +51,7 @@ func groupProjectBindingFactory(_ kubernetes.ImpersonationClient, _ ctrlruntimec
 func backupStorageProviderFactory(_ kubernetes.ImpersonationClient, _ ctrlruntimeclient.Client) provider.BackupStorageProvider {
 	return nil
 }
+
+func policyTemplateProviderFactory(_ kubernetes.ImpersonationClient, _ ctrlruntimeclient.Client) provider.PolicyTemplateProvider {
+	return nil
+}

modules/api/cmd/kubermatic-api/wrappers_ee.go

@@ -52,3 +52,7 @@ func groupProjectBindingFactory(createMasterImpersonatedClient kubernetes.Impers
 func backupStorageProviderFactory(createMasterImpersonatedClient kubernetes.ImpersonationClient, privilegedClient ctrlruntimeclient.Client) provider.BackupStorageProvider {
 	return eeapi.BackupStorageProviderFactory(createMasterImpersonatedClient, privilegedClient)
 }
+
+func policyTemplateProviderFactory(createMasterImpersonatedClient kubernetes.ImpersonationClient, privilegedClient ctrlruntimeclient.Client) provider.PolicyTemplateProvider {
+	return eeapi.PolicyTemplateProviderFactory(createMasterImpersonatedClient, privilegedClient)
+}

modules/api/go.mod

@@ -35,7 +35,7 @@ require (
 	github.com/go-kit/log v0.2.1
 	github.com/go-logr/zapr v1.3.0
 	github.com/go-openapi/errors v0.22.0
-	github.com/go-openapi/runtime v0.27.1
+	github.com/go-openapi/runtime v0.28.0
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-openapi/swag v0.23.0
 	github.com/go-openapi/validate v0.24.0
@@ -57,7 +57,7 @@ require (
 	github.com/prometheus/client_golang v1.20.5
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	github.com/vmware-tanzu/velero v1.15.0
 	github.com/vmware/go-vcloud-director/v2 v2.26.0
 	github.com/vmware/govmomi v0.46.2
@@ -67,8 +67,8 @@ require (
 	google.golang.org/api v0.209.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8c.io/kubeone v1.9.0
-	k8c.io/kubermatic/v2 v2.26.0-rc.0.0.20250108204244-266fa5d264c1
-	k8c.io/machine-controller v1.60.1-0.20241118073303-4f251c4bc5a3
+	k8c.io/kubermatic/v2 v2.27.0-alpha.0.0.20250127155100-597500a9ce09
+	k8c.io/machine-controller v1.60.1-0.20250113105754-d6ee7f43eac2
 	k8c.io/operating-system-manager v1.6.1-0.20241118134103-5db575f65108
 	k8c.io/reconciler v0.5.0
 	k8s.io/api v0.31.3
@@ -100,6 +100,124 @@ replace k8s.io/client-go => k8s.io/client-go v0.31.1
 
 require github.com/kubeovn/kube-ovn v1.13.0
 
+// replace k8c.io/kubermatic/v2 => github.com/adoi/kubermatic add-policy-crds-for-kyverno
+
+// replace k8c.io/kubermatic/v2 => github.com/adoi/kubermatic@ee7cafebd6fa4a177c3924fc157ab71dd6524777
+
+// replace k8c.io/kubermatic/v2 => github.com/adoi/kubermatic v0.0.0-20250122155632-ee7cafebd6fa
+
+require (
+	cuelabs.dev/go/oci/ociregistry v0.0.0-20240807094312-a32ad29eed79 // indirect
+	cuelang.org/go v0.10.0 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/IGLOU-EU/go-wildcard v1.0.3 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/ProtonMail/go-crypto v1.1.3 // indirect
+	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
+	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
+	github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
+	github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
+	github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect
+	github.com/alibabacloud-go/debug v1.0.1 // indirect
+	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
+	github.com/alibabacloud-go/openapi-util v0.1.1 // indirect
+	github.com/alibabacloud-go/tea v1.2.2 // indirect
+	github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
+	github.com/alibabacloud-go/tea-utils/v2 v2.0.6 // indirect
+	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
+	github.com/aliyun/credentials-go v1.3.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.6 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240909191326-0ee4ec5d16bf // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/buildkite/agent/v3 v3.78.0 // indirect
+	github.com/buildkite/go-pipeline v0.11.0 // indirect
+	github.com/buildkite/interpolate v0.1.3 // indirect
+	github.com/buildkite/roko v1.2.0 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/cloudflare/circl v1.4.0 // indirect
+	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
+	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
+	github.com/coreos/go-oidc/v3 v3.11.0 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
+	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
+	github.com/docker/cli v27.2.0+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.8.2 // indirect
+	github.com/emicklei/proto v1.13.2 // indirect
+	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
+	github.com/go-chi/chi v4.1.2+incompatible // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-logr/zerologr v1.2.3 // indirect
+	github.com/go-piv/piv-go v1.11.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/certificate-transparency-go v1.2.1 // indirect
+	github.com/google/go-containerregistry v0.20.2 // indirect
+	github.com/google/go-github/v55 v55.0.0 // indirect
+	github.com/in-toto/attestation v1.1.0 // indirect
+	github.com/in-toto/in-toto-golang v0.9.1-0.20240317085821-8e2966059a09 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/kyverno/kyverno-json v0.0.4-0.20240730143747-aade3d42fc0e // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240823215653-da7865cb107b // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
+	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
+	github.com/oleiade/reflections v1.1.0 // indirect
+	github.com/oliveagle/jsonpath v0.0.0-20180606110733-2e52cf6e6852 // indirect
+	github.com/open-policy-agent/opa v0.68.0 // indirect
+	github.com/protocolbuffers/txtpbfmt v0.0.0-20240116145035-ef3ab179eed6 // indirect
+	github.com/r3labs/diff v1.1.0 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
+	github.com/rs/zerolog v1.33.0 // indirect
+	github.com/sassoftware/relic v7.2.1+incompatible // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
+	github.com/segmentio/ksuid v1.0.4 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/sigstore/cosign/v2 v2.4.0 // indirect
+	github.com/sigstore/fulcio v1.6.3 // indirect
+	github.com/sigstore/k8s-manifest-sigstore v0.5.4 // indirect
+	github.com/sigstore/protobuf-specs v0.3.2 // indirect
+	github.com/sigstore/rekor v1.3.6 // indirect
+	github.com/sigstore/sigstore v1.8.10 // indirect
+	github.com/sigstore/sigstore-go v0.6.2 // indirect
+	github.com/sigstore/timestamp-authority v1.2.2 // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.3.0 // indirect
+	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
+	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/tektoncd/chains v0.22.0 // indirect
+	github.com/thales-e-security/pool v0.0.2 // indirect
+	github.com/theupdateframework/go-tuf v0.7.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.1 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	github.com/transparency-dev/merkle v0.0.2 // indirect
+	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/xanzy/go-gitlab v0.108.0 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/yashtewari/glob-intersection v0.2.0 // indirect
+	github.com/zeebo/errs v1.3.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.31.0 // indirect
+	go.step.sm/crypto v0.51.1 // indirect
+	k8s.io/pod-security-admission v0.31.2 // indirect
+	sigs.k8s.io/release-utils v0.8.4 // indirect
+)
+
 require (
 	cel.dev/expr v0.19.0 // indirect
 	cloud.google.com/go/auth v0.11.0 // indirect
@@ -192,6 +310,7 @@ require (
 	github.com/kr/text v0.2.0 // indirect
 	github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/kyverno/kyverno v1.13.2 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
@@ -215,7 +334,7 @@ require (
 	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
 	github.com/ovn-org/libovsdb v0.7.0 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/peterhellberg/link v1.2.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect