mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
refactor: move kyverno constants out of v1 package (#7760)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
3cefe76297
commit
03702476fa
31 changed files with 92 additions and 72 deletions
|
@ -1,4 +1,4 @@
|
|||
package v1
|
||||
package kyverno
|
||||
|
||||
const (
|
||||
// PodControllersAnnotation defines the annotation key for Pod-Controllers
|
|
@ -3,6 +3,7 @@ package v1
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"gotest.tools/assert"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
|
@ -44,7 +45,7 @@ func Test_ClusterPolicy_Autogen_All(t *testing.T) {
|
|||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "policy",
|
||||
Annotations: map[string]string{
|
||||
PodControllersAnnotation: "all",
|
||||
kyverno.PodControllersAnnotation: "all",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
|
@ -3,6 +3,7 @@ package v1
|
|||
import (
|
||||
"strings"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
|
@ -43,7 +44,7 @@ type ClusterPolicy struct {
|
|||
// HasAutoGenAnnotation checks if a policy has auto-gen annotation
|
||||
func (p *ClusterPolicy) HasAutoGenAnnotation() bool {
|
||||
annotations := p.GetAnnotations()
|
||||
val, ok := annotations[PodControllersAnnotation]
|
||||
val, ok := annotations[kyverno.PodControllersAnnotation]
|
||||
if ok && strings.ToLower(val) != "none" {
|
||||
return true
|
||||
}
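Review bot: `HasAutoGenAnnotation` lower-cases the annotation value before comparing it (`strings.ToLower(val) != "none"`), while other readers of `kyverno.PodControllersAnnotation` on this page compare case-sensitively: `value == "all"` in `ValidateAutogenAnnotation` and `val == "none"` in `podControllerAutoGenExclusion`. A value such as `None` or `ALL` is therefore interpreted differently depending on which path reads it, which matters for an annotation that appears to control rule auto-generation. Now that the key lives in one package, the value handling should be made uniform as well, for example `strings.EqualFold(val, "none")` at every site. The same comparison appears in the `Policy` and both v2beta1 `HasAutoGenAnnotation` hunks; the function body continues outside this hunk.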
|
||||
|
|
|
@ -3,6 +3,7 @@ package v1
|
|||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"gotest.tools/assert"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
|
@ -44,7 +45,7 @@ func Test_Policy_Autogen_All(t *testing.T) {
|
|||
Name: "policy",
|
||||
Namespace: "abcd",
|
||||
Annotations: map[string]string{
|
||||
PodControllersAnnotation: "all",
|
||||
kyverno.PodControllersAnnotation: "all",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
|
@ -3,6 +3,7 @@ package v1
|
|||
import (
|
||||
"strings"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
|
@ -44,7 +45,7 @@ type Policy struct {
|
|||
// HasAutoGenAnnotation checks if a policy has auto-gen annotation
|
||||
func (p *Policy) HasAutoGenAnnotation() bool {
|
||||
annotations := p.GetAnnotations()
|
||||
val, ok := annotations[PodControllersAnnotation]
|
||||
val, ok := annotations[kyverno.PodControllersAnnotation]
|
||||
if ok && strings.ToLower(val) != "none" {
|
||||
return true
|
||||
}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package v1
|
||||
|
||||
import (
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
log "github.com/kyverno/kyverno/pkg/logging"
|
||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
||||
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||
|
@ -28,7 +29,7 @@ func ToJSON(in apiextensions.JSON) *apiextv1.JSON {
|
|||
|
||||
// ValidatePolicyName validates policy name
|
||||
func ValidateAutogenAnnotation(path *field.Path, annotations map[string]string) (errs field.ErrorList) {
|
||||
value, ok := annotations[PodControllersAnnotation]
|
||||
value, ok := annotations[kyverno.PodControllersAnnotation]
|
||||
if ok {
|
||||
if value == "all" {
|
||||
errs = append(errs, field.Forbidden(path, "Autogen annotation does not support 'all' anymore, remove the annotation or set it to a valid value"))
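Review bot: The doc comment above `ValidateAutogenAnnotation` still reads `// ValidatePolicyName validates policy name`, which names a different function and describes different behaviour. Replace it with `// ValidateAutogenAnnotation rejects the value "all" for the pod-controllers annotation.` so the comment starts with the function name and states what is checked. The body continues outside the hunk, so any further rules it enforces should be added to the comment from the full function.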
|
||||
|
|
|
@ -3,7 +3,7 @@ package v2beta1
|
|||
import (
|
||||
"testing"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"gotest.tools/assert"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
|
@ -45,7 +45,7 @@ func Test_ClusterPolicy_Autogen_All(t *testing.T) {
|
|||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "policy",
|
||||
Annotations: map[string]string{
|
||||
kyvernov1.PodControllersAnnotation: "all",
|
||||
kyverno.PodControllersAnnotation: "all",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
|
@ -3,6 +3,7 @@ package v2beta1
|
|||
import (
|
||||
"strings"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
|
@ -43,7 +44,7 @@ type ClusterPolicy struct {
|
|||
// HasAutoGenAnnotation checks if a policy has auto-gen annotation
|
||||
func (p *ClusterPolicy) HasAutoGenAnnotation() bool {
|
||||
annotations := p.GetAnnotations()
|
||||
val, ok := annotations[kyvernov1.PodControllersAnnotation]
|
||||
val, ok := annotations[kyverno.PodControllersAnnotation]
|
||||
if ok && strings.ToLower(val) != "none" {
|
||||
return true
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@ package v2beta1
|
|||
import (
|
||||
"testing"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"gotest.tools/assert"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
|
@ -45,7 +45,7 @@ func Test_Policy_Autogen_All(t *testing.T) {
|
|||
Name: "policy",
|
||||
Namespace: "abcd",
|
||||
Annotations: map[string]string{
|
||||
kyvernov1.PodControllersAnnotation: "all",
|
||||
kyverno.PodControllersAnnotation: "all",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
|
@ -3,6 +3,7 @@ package v2beta1
|
|||
import (
|
||||
"strings"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
|
@ -43,7 +44,7 @@ type Policy struct {
|
|||
// HasAutoGenAnnotation checks if a policy has auto-gen annotation
|
||||
func (p *Policy) HasAutoGenAnnotation() bool {
|
||||
annotations := p.GetAnnotations()
|
||||
val, ok := annotations[kyvernov1.PodControllersAnnotation]
|
||||
val, ok := annotations[kyverno.PodControllersAnnotation]
|
||||
if ok && strings.ToLower(val) != "none" {
|
||||
return true
|
||||
}
|
||||
|
|
|
@ -11,6 +11,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-git/go-billy/v5/memfs"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
|
||||
|
@ -406,7 +407,7 @@ func (c *ApplyCommandConfig) applyCommandHelper() (*common.ResultCounts, []*unst
|
|||
rc.Pass++
|
||||
case engineapi.RuleStatusFail:
|
||||
ann := policy.GetAnnotations()
|
||||
if scored, ok := ann[kyvernov1.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
rc.Warn++
|
||||
break
|
||||
} else if applyPolicyConfig.AuditWarn && response.GetValidationFailureAction().Audit() {
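Review bot: The scored check `if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false"` is repeated verbatim in `applyCommandHelper`, both `buildPolicyResults` functions and `ProcessValidateEngineResponse`, and `EngineResponseToReportResults` writes it in a different form as `annotations[kyverno.AnnotationPolicyScored] != "false"`. Because this annotation downgrades a failing rule to a warning, the decision is better made in one helper, e.g. `func isScored(ann map[string]string) bool { return ann[kyverno.AnnotationPolicyScored] != "false" }`, so all result paths stay in agreement. The `ok &&` test is redundant, since a missing key yields the empty string. The enclosing switch continues outside the hunk.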
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
reportutils "github.com/kyverno/kyverno/pkg/utils/report"
|
||||
|
@ -108,7 +108,7 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
|
|||
} else if ruleResponse.Status() == engineapi.RuleStatusPass {
|
||||
result.Result = policyreportv1alpha2.StatusPass
|
||||
} else if ruleResponse.Status() == engineapi.RuleStatusFail {
|
||||
if scored, ok := ann[kyvernov1.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
result.Result = policyreportv1alpha2.StatusWarn
|
||||
} else if auditWarn && engineResponse.GetValidationFailureAction().Audit() {
|
||||
result.Result = policyreportv1alpha2.StatusWarn
|
||||
|
@ -123,7 +123,7 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
|
|||
result.Rule = ruleResponse.Name()
|
||||
}
|
||||
result.Message = ruleResponse.Message()
|
||||
result.Source = kyvernov1.ValueKyvernoApp
|
||||
result.Source = kyverno.ValueKyvernoApp
|
||||
result.Timestamp = now
|
||||
results[appname] = append(results[appname], result)
|
||||
}
|
||||
|
|
|
@ -9,6 +9,7 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/go-git/go-billy/v5"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
|
@ -559,7 +560,7 @@ func buildPolicyResults(
|
|||
} else if rule.Status() == engineapi.RuleStatusPass {
|
||||
result.Result = policyreportv1alpha2.StatusPass
|
||||
} else if rule.Status() == engineapi.RuleStatusFail {
|
||||
if scored, ok := ann[kyvernov1.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
result.Result = policyreportv1alpha2.StatusWarn
|
||||
} else if auditWarn && resp.GetValidationFailureAction().Audit() {
|
||||
result.Result = policyreportv1alpha2.StatusWarn
|
||||
|
|
|
@ -12,6 +12,7 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/go-git/go-billy/v5"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
sanitizederror "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/sanitizedError"
|
||||
|
@ -333,7 +334,7 @@ func ProcessValidateEngineResponse(policy kyvernov1.PolicyInterface, validateRes
|
|||
case engineapi.RuleStatusFail:
|
||||
auditWarning := false
|
||||
ann := policy.GetAnnotations()
|
||||
if scored, ok := ann[kyvernov1.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
rc.Warn++
|
||||
break
|
||||
} else if auditWarn && validateResponse.GetValidationFailureAction().Audit() {
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"encoding/json"
|
||||
"strings"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
"golang.org/x/exp/slices"
|
||||
|
@ -126,7 +127,7 @@ func GetRequestedControllers(meta *metav1.ObjectMeta) []string {
|
|||
if annotations == nil {
|
||||
return nil
|
||||
}
|
||||
controllers, ok := annotations[kyvernov1.PodControllersAnnotation]
|
||||
controllers, ok := annotations[kyverno.PodControllersAnnotation]
|
||||
if !ok || controllers == "" {
|
||||
return nil
|
||||
}
|
||||
|
@ -241,7 +242,7 @@ func computeRules(p kyvernov1.PolicyInterface) []kyvernov1.Rule {
|
|||
desiredControllers = "none"
|
||||
}
|
||||
ann := p.GetAnnotations()
|
||||
actualControllers, ok := ann[kyvernov1.PodControllersAnnotation]
|
||||
actualControllers, ok := ann[kyverno.PodControllersAnnotation]
|
||||
if !ok || !applyAutoGen {
|
||||
actualControllers = desiredControllers
|
||||
} else {
|
||||
|
|
|
@ -7,7 +7,8 @@ import (
|
|||
"strings"
|
||||
"testing"
|
||||
|
||||
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
yamlutils "github.com/kyverno/kyverno/pkg/utils/yaml"
|
||||
"gotest.tools/assert"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -143,7 +144,7 @@ func Test_CanAutoGen(t *testing.T) {
|
|||
|
||||
for _, test := range testCases {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
var policy kyverno.ClusterPolicy
|
||||
var policy kyvernov1.ClusterPolicy
|
||||
err := json.Unmarshal(test.policy, &policy)
|
||||
assert.NilError(t, err)
|
||||
|
||||
|
@ -246,7 +247,7 @@ func Test_GetSupportedControllers(t *testing.T) {
|
|||
|
||||
for _, test := range testCases {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
var policy kyverno.ClusterPolicy
|
||||
var policy kyvernov1.ClusterPolicy
|
||||
err := json.Unmarshal(test.policy, &policy)
|
||||
assert.NilError(t, err)
|
||||
|
||||
|
@ -354,7 +355,7 @@ func Test_ComputeRules(t *testing.T) {
|
|||
testCases := []struct {
|
||||
name string
|
||||
policy string
|
||||
expectedRules []kyverno.Rule
|
||||
expectedRules []kyvernov1.Rule
|
||||
}{
|
||||
{
|
||||
name: "rule-with-match-name",
|
||||
|
@ -404,19 +405,19 @@ spec:
|
|||
FlDw3fzPhtberBblY4Y9u525ev999SogMBTXoSkfajRR2ol10xUxY60kVbqoEUln
|
||||
kA==
|
||||
-----END CERTIFICATE-----`,
|
||||
expectedRules: []kyverno.Rule{{
|
||||
expectedRules: []kyvernov1.Rule{{
|
||||
Name: "check-image",
|
||||
MatchResources: kyverno.MatchResources{
|
||||
ResourceDescription: kyverno.ResourceDescription{
|
||||
MatchResources: kyvernov1.MatchResources{
|
||||
ResourceDescription: kyvernov1.ResourceDescription{
|
||||
Kinds: []string{"Pod"},
|
||||
},
|
||||
},
|
||||
VerifyImages: []kyverno.ImageVerification{{
|
||||
VerifyImages: []kyvernov1.ImageVerification{{
|
||||
ImageReferences: []string{"*"},
|
||||
Attestors: []kyverno.AttestorSet{{
|
||||
Attestors: []kyvernov1.AttestorSet{{
|
||||
Count: intPtr(1),
|
||||
Entries: []kyverno.Attestor{{
|
||||
Keyless: &kyverno.KeylessAttestor{
|
||||
Entries: []kyvernov1.Attestor{{
|
||||
Keyless: &kyvernov1.KeylessAttestor{
|
||||
Roots: `-----BEGIN CERTIFICATE-----
|
||||
MIIDjTCCAnWgAwIBAgIQb8yUrbw3aYZAubIjOJkFBjANBgkqhkiG9w0BAQsFADBZ
|
||||
MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVt
|
||||
|
@ -445,17 +446,17 @@ kA==
|
|||
}},
|
||||
}, {
|
||||
Name: "autogen-check-image",
|
||||
MatchResources: kyverno.MatchResources{
|
||||
ResourceDescription: kyverno.ResourceDescription{
|
||||
MatchResources: kyvernov1.MatchResources{
|
||||
ResourceDescription: kyvernov1.ResourceDescription{
|
||||
Kinds: []string{"DaemonSet", "Deployment", "Job", "StatefulSet", "ReplicaSet", "ReplicationController"},
|
||||
},
|
||||
},
|
||||
VerifyImages: []kyverno.ImageVerification{{
|
||||
VerifyImages: []kyvernov1.ImageVerification{{
|
||||
ImageReferences: []string{"*"},
|
||||
Attestors: []kyverno.AttestorSet{{
|
||||
Attestors: []kyvernov1.AttestorSet{{
|
||||
Count: intPtr(1),
|
||||
Entries: []kyverno.Attestor{{
|
||||
Keyless: &kyverno.KeylessAttestor{
|
||||
Entries: []kyvernov1.Attestor{{
|
||||
Keyless: &kyvernov1.KeylessAttestor{
|
||||
Roots: `-----BEGIN CERTIFICATE-----
|
||||
MIIDjTCCAnWgAwIBAgIQb8yUrbw3aYZAubIjOJkFBjANBgkqhkiG9w0BAQsFADBZ
|
||||
MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVt
|
||||
|
@ -484,17 +485,17 @@ kA==
|
|||
}},
|
||||
}, {
|
||||
Name: "autogen-cronjob-check-image",
|
||||
MatchResources: kyverno.MatchResources{
|
||||
ResourceDescription: kyverno.ResourceDescription{
|
||||
MatchResources: kyvernov1.MatchResources{
|
||||
ResourceDescription: kyvernov1.ResourceDescription{
|
||||
Kinds: []string{"CronJob"},
|
||||
},
|
||||
},
|
||||
VerifyImages: []kyverno.ImageVerification{{
|
||||
VerifyImages: []kyvernov1.ImageVerification{{
|
||||
ImageReferences: []string{"*"},
|
||||
Attestors: []kyverno.AttestorSet{{
|
||||
Attestors: []kyvernov1.AttestorSet{{
|
||||
Count: intPtr(1),
|
||||
Entries: []kyverno.Attestor{{
|
||||
Keyless: &kyverno.KeylessAttestor{
|
||||
Entries: []kyvernov1.Attestor{{
|
||||
Keyless: &kyvernov1.KeylessAttestor{
|
||||
Roots: `-----BEGIN CERTIFICATE-----
|
||||
MIIDjTCCAnWgAwIBAgIQb8yUrbw3aYZAubIjOJkFBjANBgkqhkiG9w0BAQsFADBZ
|
||||
MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKdmVuYWZpZGVt
|
||||
|
|
|
@ -5,6 +5,7 @@ import (
|
|||
"reflect"
|
||||
"strings"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
|
@ -67,8 +68,8 @@ func GenerateLabelsSet(policyKey string, trigger Object) pkglabels.Set {
|
|||
|
||||
func managedBy(labels map[string]string) {
|
||||
// ManagedBy label
|
||||
key := kyvernov1.LabelAppManagedBy
|
||||
value := kyvernov1.ValueKyvernoApp
|
||||
key := kyverno.LabelAppManagedBy
|
||||
value := kyverno.ValueKyvernoApp
|
||||
val, ok := labels[key]
|
||||
if ok {
|
||||
if val != value {
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/background/common"
|
||||
|
@ -61,7 +62,7 @@ func (c *GenerateController) handleNonPolicyChanges(policy kyvernov1.PolicyInter
|
|||
common.GeneratePolicyLabel: policy.GetName(),
|
||||
common.GeneratePolicyNamespaceLabel: policy.GetNamespace(),
|
||||
common.GenerateRuleLabel: rule.Name,
|
||||
kyvernov1.LabelAppManagedBy: kyvernov1.ValueKyvernoApp,
|
||||
kyverno.LabelAppManagedBy: kyverno.ValueKyvernoApp,
|
||||
}
|
||||
|
||||
downstreams, err := c.getDownstreams(rule, labels, ur)
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/controllers"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
|
@ -156,7 +156,7 @@ func objectMeta(name string, annotations map[string]string, owner ...metav1.Owne
|
|||
return metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Labels: map[string]string{
|
||||
utils.ManagedByLabel: kyvernov1.ValueKyvernoApp,
|
||||
utils.ManagedByLabel: kyverno.ValueKyvernoApp,
|
||||
},
|
||||
Annotations: annotations,
|
||||
OwnerReferences: owner,
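Review bot: The managed-by label key is still spelled three ways on this page: `utils.ManagedByLabel` here and in the other `objectMeta` hunk, a package-local `managedByLabel` in `writeSecret` and `isSecretManagedByKyverno`, and `kyverno.LabelAppManagedBy` everywhere else. Their definitions are outside the visible hunks, so they may already share one value, but if they do not, objects labelled through one name will not be recognised by checks that use another (for example the `withProtection` admission guard). With the constants now in `api/kyverno`, these sites could use `kyverno.LabelAppManagedBy: kyverno.ValueKyvernoApp` directly, or the other names could be defined as aliases of it.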
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
|
@ -211,7 +212,7 @@ func (c *controller) watchdog(ctx context.Context, logger logr.Logger) {
|
|||
Name: "kyverno-health",
|
||||
Namespace: config.KyvernoNamespace(),
|
||||
Labels: map[string]string{
|
||||
"app.kubernetes.io/name": kyvernov1.ValueKyvernoApp,
|
||||
"app.kubernetes.io/name": kyverno.ValueKyvernoApp,
|
||||
},
|
||||
Annotations: map[string]string{
|
||||
AnnotationLastRequestTime: time.Now().Format(time.RFC3339),
|
||||
|
@ -227,7 +228,7 @@ func (c *controller) watchdog(ctx context.Context, logger logr.Logger) {
|
|||
} else {
|
||||
lease := lease.DeepCopy()
|
||||
lease.Labels = map[string]string{
|
||||
"app.kubernetes.io/name": kyvernov1.ValueKyvernoApp,
|
||||
"app.kubernetes.io/name": kyverno.ValueKyvernoApp,
|
||||
}
|
||||
_, err = c.leaseClient.Update(ctx, lease, metav1.UpdateOptions{})
|
||||
if err != nil {
|
||||
|
@ -515,7 +516,7 @@ func (c *controller) buildVerifyMutatingWebhookConfiguration(_ context.Context,
|
|||
AdmissionReviewVersions: []string{"v1"},
|
||||
ObjectSelector: &metav1.LabelSelector{
|
||||
MatchLabels: map[string]string{
|
||||
"app.kubernetes.io/name": kyvernov1.ValueKyvernoApp,
|
||||
"app.kubernetes.io/name": kyverno.ValueKyvernoApp,
|
||||
},
|
||||
},
|
||||
}},
|
||||
|
|
|
@ -3,6 +3,7 @@ package webhook
|
|||
import (
|
||||
"strings"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/utils"
|
||||
"golang.org/x/exp/slices"
|
||||
|
@ -88,7 +89,7 @@ func objectMeta(name string, annotations map[string]string, owner ...metav1.Owne
|
|||
return metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Labels: map[string]string{
|
||||
utils.ManagedByLabel: kyvernov1.ValueKyvernoApp,
|
||||
utils.ManagedByLabel: kyverno.ValueKyvernoApp,
|
||||
},
|
||||
Annotations: annotations,
|
||||
OwnerReferences: owner,
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
|
@ -97,7 +98,7 @@ func (pc *policyController) syncDataRulechanges(policy kyvernov1.PolicyInterface
|
|||
common.GeneratePolicyLabel: policy.GetName(),
|
||||
common.GeneratePolicyNamespaceLabel: policy.GetNamespace(),
|
||||
common.GenerateRuleLabel: rule.Name,
|
||||
kyvernov1.LabelAppManagedBy: kyvernov1.ValueKyvernoApp,
|
||||
kyverno.LabelAppManagedBy: kyverno.ValueKyvernoApp,
|
||||
}
|
||||
|
||||
downstreams, err := generateutils.FindDownstream(pc.client, rule.Generation.GetAPIVersion(), rule.Generation.GetKind(), labels)
|
||||
|
|
|
@ -7,7 +7,7 @@ import (
|
|||
"fmt"
|
||||
"time"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
|
@ -228,7 +228,7 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri
|
|||
Name: name,
|
||||
Namespace: config.KyvernoNamespace(),
|
||||
Labels: map[string]string{
|
||||
managedByLabel: kyvernov1.ValueKyvernoApp,
|
||||
managedByLabel: kyverno.ValueKyvernoApp,
|
||||
},
|
||||
},
|
||||
Type: corev1.SecretTypeTLS,
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
"encoding/pem"
|
||||
"time"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
)
|
||||
|
@ -89,7 +89,7 @@ func isSecretManagedByKyverno(secret *corev1.Secret) bool {
|
|||
if labels == nil {
|
||||
return false
|
||||
}
|
||||
if labels[managedByLabel] != kyvernov1.ValueKyvernoApp {
|
||||
if labels[managedByLabel] != kyverno.ValueKyvernoApp {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
package controller
|
||||
|
||||
import (
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
)
|
||||
|
@ -33,11 +33,11 @@ func GetLabel(obj metav1.Object, key string) string {
|
|||
}
|
||||
|
||||
func SetManagedByKyvernoLabel(obj metav1.Object) {
|
||||
SetLabel(obj, kyvernov1.LabelAppManagedBy, kyvernov1.ValueKyvernoApp)
|
||||
SetLabel(obj, kyverno.LabelAppManagedBy, kyverno.ValueKyvernoApp)
|
||||
}
|
||||
|
||||
func IsManagedByKyverno(obj metav1.Object) bool {
|
||||
return CheckLabel(obj, kyvernov1.LabelAppManagedBy, kyvernov1.ValueKyvernoApp)
|
||||
return CheckLabel(obj, kyverno.LabelAppManagedBy, kyverno.ValueKyvernoApp)
|
||||
}
|
||||
|
||||
func HasLabel(obj metav1.Object, key string) bool {
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
package controller
|
||||
|
||||
import (
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apimachinery/pkg/selection"
|
||||
)
|
||||
|
||||
func SelectorNotManagedByKyverno() (labels.Selector, error) {
|
||||
selector := labels.Everything()
|
||||
requirement, err := labels.NewRequirement(kyvernov1.LabelAppManagedBy, selection.NotEquals, []string{kyvernov1.ValueKyvernoApp})
|
||||
requirement, err := labels.NewRequirement(kyverno.LabelAppManagedBy, selection.NotEquals, []string{kyverno.ValueKyvernoApp})
|
||||
if err == nil {
|
||||
selector = selector.Add(*requirement)
|
||||
}
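Review bot: `SelectorNotManagedByKyverno` fails open: when `labels.NewRequirement` returns an error the requirement is skipped and `selector` stays `labels.Everything()`, which also matches objects that carry the managed-by label. The return statement is outside the hunk, so whether `err` is propagated cannot be confirmed here, but a caller that ignores the error would get the widest possible selector. Returning early with `if err != nil { return nil, err }` (or returning `labels.Nothing()`) before the `Add` keeps a failure from widening the match.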
|
||||
|
|
|
@ -7,6 +7,7 @@ import (
|
|||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
|
@ -77,7 +78,7 @@ func CleanupKyvernoLabels(obj metav1.Object) {
|
|||
}
|
||||
|
||||
func SetManagedByKyvernoLabel(obj metav1.Object) {
|
||||
controllerutils.SetLabel(obj, kyvernov1.LabelAppManagedBy, kyvernov1.ValueKyvernoApp)
|
||||
controllerutils.SetLabel(obj, kyverno.LabelAppManagedBy, kyverno.ValueKyvernoApp)
|
||||
}
|
||||
|
||||
func SetResourceUid(report kyvernov1alpha2.ReportInterface, uid types.UID) {
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
|
@ -87,17 +87,17 @@ func EngineResponseToReportResults(response engineapi.EngineResponse) []policyre
|
|||
for _, ruleResult := range response.PolicyResponse.Rules {
|
||||
annotations := response.Policy().GetAnnotations()
|
||||
result := policyreportv1alpha2.PolicyReportResult{
|
||||
Source: kyvernov1.ValueKyvernoApp,
|
||||
Source: kyverno.ValueKyvernoApp,
|
||||
Policy: key,
|
||||
Rule: ruleResult.Name(),
|
||||
Message: ruleResult.Message(),
|
||||
Result: toPolicyResult(ruleResult.Status()),
|
||||
Scored: annotations[kyvernov1.AnnotationPolicyScored] != "false",
|
||||
Scored: annotations[kyverno.AnnotationPolicyScored] != "false",
|
||||
Timestamp: metav1.Timestamp{
|
||||
Seconds: time.Now().Unix(),
|
||||
},
|
||||
Category: annotations[kyvernov1.AnnotationPolicyCategory],
|
||||
Severity: severityFromString(annotations[kyvernov1.AnnotationPolicySeverity]),
|
||||
Category: annotations[kyverno.AnnotationPolicyCategory],
|
||||
Severity: severityFromString(annotations[kyverno.AnnotationPolicySeverity]),
|
||||
}
|
||||
pss := ruleResult.PodSecurityChecks()
|
||||
if pss != nil {
|
||||
|
|
|
@ -14,6 +14,7 @@ import (
|
|||
jsonpatch "github.com/evanphx/json-patch/v5"
|
||||
"github.com/jmespath/go-jmespath"
|
||||
"github.com/jmoiron/jsonq"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
|
@ -1124,7 +1125,7 @@ func jsonPatchOnPod(rule kyvernov1.Rule) bool {
|
|||
|
||||
func podControllerAutoGenExclusion(policy kyvernov1.PolicyInterface) bool {
|
||||
annotations := policy.GetAnnotations()
|
||||
val, ok := annotations[kyvernov1.PodControllersAnnotation]
|
||||
val, ok := annotations[kyverno.PodControllersAnnotation]
|
||||
if !ok || val == "none" {
|
||||
return false
|
||||
}
|
||||
|
|
|
@ -8,7 +8,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
|
@ -39,7 +39,7 @@ func (inner AdmissionHandler) withProtection() AdmissionHandler {
|
|||
}
|
||||
for _, resource := range []unstructured.Unstructured{newResource, oldResource} {
|
||||
resLabels := resource.GetLabels()
|
||||
if resLabels[kyvernov1.LabelAppManagedBy] == kyvernov1.ValueKyvernoApp {
|
||||
if resLabels[kyverno.LabelAppManagedBy] == kyverno.ValueKyvernoApp {
|
||||
if !strings.HasPrefix(request.UserInfo.Username, kyvernoUsernamePrefix) {
|
||||
logger.V(2).Info("access to the resource not authorized, this is a kyverno managed resource and should be altered only by kyverno")
|
||||
return admissionutils.Response(request.UID, errors.New("A kyverno managed resource can only be modified by kyverno"))
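Review bot: The guard in `withProtection` authorises changes to Kyverno-managed resources with `strings.HasPrefix(request.UserInfo.Username, kyvernoUsernamePrefix)`, so every identity whose name starts with that prefix is trusted. `kyvernoUsernamePrefix` is defined outside the hunk; if it is a service-account namespace prefix, every service account in that namespace passes, and the prefix should end with a delimiter so that only names inside that namespace match. A comment above the check, such as `// trust boundary: only identities under kyvernoUsernamePrefix may modify resources labelled managed-by kyverno`, would make the assumption explicit for later reviewers. The handler body starts and ends outside the hunk.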
|
||||
|
|
|
@ -5,6 +5,7 @@ import (
|
|||
"fmt"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/background/common"
|
||||
|
@ -237,7 +238,7 @@ func (h *generationHandler) processRequest(ctx context.Context, policyContext *e
|
|||
new := policyContext.NewResource()
|
||||
old := policyContext.OldResource()
|
||||
labels := old.GetLabels()
|
||||
managedBy := labels[kyvernov1.LabelAppManagedBy] == kyvernov1.ValueKyvernoApp
|
||||
managedBy := labels[kyverno.LabelAppManagedBy] == kyverno.ValueKyvernoApp
|
||||
|
||||
// clone source changes
|
||||
if !managedBy {
|
||||
|
|