mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-25 09:06:49 +00:00
Code Activity
kyverno/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/webhooks.yaml

80 lines
2.1 KiB
YAML
Raw Normal View History

fix: modify the client URL for finegrained validatingpolicies (#12171) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-02-14 15:35:41 +02:00
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
webhook.kyverno.io/managed-by: kyverno
name: kyverno-resource-validating-webhook-cfg
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: kyverno-svc
namespace: kyverno
feat: enable mutating webhook for ivpol (#12423) * feat: enable mutating webhook for ivpol Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: add objects to payload Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add chainsaw test Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add update codegen Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: propagate policy response to admission reponse Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update chainsaw tests Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-03-17 20:31:37 +08:00
path: /policies/vpol/validate/fail/finegrained/disallow-privilege-escalation
fix: modify the client URL for finegrained validatingpolicies (#12171) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-02-14 15:35:41 +02:00
port: 443
failurePolicy: Fail
matchConditions:
- expression: '!(object.kind == ''Pod'') || has(object.metadata.labels) && has(object.metadata.labels.prod)
&& object.metadata.labels.prod == ''true'''
name: check-prod-label
- expression: '!(object.kind ==''Deployment'' || object.kind ==''ReplicaSet'' ||
object.kind ==''StatefulSet'' || object.kind ==''DaemonSet'') || has(object.spec.template.metadata.labels)
&& has(object.spec.template.metadata.labels.prod) && object.spec.template.metadata.labels.prod
== ''true'''
name: autogen-check-prod-label
- expression: '!(object.kind ==''CronJob'') || has(object.spec.jobTemplate.spec.template.metadata.labels)
&& has(object.spec.jobTemplate.spec.template.metadata.labels.prod) && object.spec.jobTemplate.spec.template.metadata.labels.prod
== ''true'''
name: autogen-cronjobs-check-prod-label
matchPolicy: Equivalent
name: vpol.validate.kyverno.svc-fail-finegrained-disallow-privilege-escalation
namespaceSelector: {}
objectSelector: {}
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- pods
scope: '*'
- apiGroups:
- apps
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
scope: '*'
- apiGroups:
- batch
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- jobs
scope: '*'
- apiGroups:
- batch
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- cronjobs
scope: '*'
sideEffects: NoneOnDryRun
timeoutSeconds: 10
Copy permalink