mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-15 12:17:56 +00:00
Code Activity

Support for Context vars in cleanup (#6084)

Browse source 
* Added Context in CleanupPolicySpec

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Added context.go file with loadVariable()

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Added loadAPIData() in context.go and called from handlers.go

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Added conditionals for not supported context variables

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Reverted versions in CRDs

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Reverted CRDs to v0.11.1

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Imported fmt in handlers.go

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Added Context in CleanupPolicySpec

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Added context.go file with loadVariable()

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Added loadAPIData() in context.go and called from handlers.go

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Added conditionals for not supported context variables

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Reverted versions in CRDs

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Reverted CRDs to v0.11.1

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Imported fmt in handlers.go

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Removed duplicate import

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* make verify-codegen

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Updated kuttl test

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Fixed kuttl failure

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* moved policy check to validation

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Reused functions

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Added kuttl test

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Added more configMap

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* removed unecessary check

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* auto codegen

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* updated codegen

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

* Renamed ApplyJMESPath() to applyJMESPath()

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>

---------

Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Md Sahil 2023-04-20 12:36:13 +05:30 committed by GitHub
parent e10e1a7f8d
commit 0873a9fc02
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
22 changed files with 961 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
api/kyverno/v2alpha1/cleanup_policy_types.go
View file

@ -148,6 +148,10 @@ type ClusterCleanupPolicyList struct {
// CleanupPolicySpec stores specifications for selecting resources that the user needs to delete // CleanupPolicySpec stores specifications for selecting resources that the user needs to delete
// and schedule when the matching resources needs deleted. // and schedule when the matching resources needs deleted.
type CleanupPolicySpec struct { type CleanupPolicySpec struct {
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
// MatchResources defines when cleanuppolicy should be applied. The match // MatchResources defines when cleanuppolicy should be applied. The match
// criteria can include resource information (e.g. kind, name, namespace, labels) // criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the user name or role. // and admission review request information like the user name or role.
@ -175,6 +179,8 @@ type CleanupPolicyStatus struct {
// Validate implements programmatic validation // Validate implements programmatic validation
func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList) { func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList) {
// Write context validation code here by following other validations.
errs = append(errs, ValidateContext(path.Child("context"), p.Context)...)
errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...) errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...)
if userInfoErrs := p.MatchResources.ValidateNoUserInfo(path.Child("match")); len(userInfoErrs) != 0 { if userInfoErrs := p.MatchResources.ValidateNoUserInfo(path.Child("match")); len(userInfoErrs) != 0 {
errs = append(errs, userInfoErrs...) errs = append(errs, userInfoErrs...)
@ -192,6 +198,17 @@ func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set
return errs return errs
} }
func ValidateContext(path *field.Path, context []kyvernov1.ContextEntry) (errs field.ErrorList) {
for _, entry := range context {
if entry.ImageRegistry != nil {
errs = append(errs, field.Invalid(path, context, "ImageRegistry is not allowed in CleanUp Policy"))
} else if entry.ConfigMap != nil {
errs = append(errs, field.Invalid(path, context, "ConfigMap is not allowed in CleanUp Policy"))
}
}
return errs
}
// ValidateSchedule validates whether the schedule specified is in proper cron format or not. // ValidateSchedule validates whether the schedule specified is in proper cron format or not.
func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList) { func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList) {
if _, err := cron.ParseStandard(schedule); err != nil { if _, err := cron.ParseStandard(schedule); err != nil {

12
api/kyverno/v2alpha1/zz_generated.deepcopy.go
View file

@ -22,8 +22,9 @@ limitations under the License.
package v2alpha1 package v2alpha1
import ( import (
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/api/kyverno/v2beta1" "github.com/kyverno/kyverno/api/kyverno/v2beta1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
) )
@ -89,6 +90,13 @@ func (in *CleanupPolicyList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) { func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) {
*out = *in *out = *in
if in.Context != nil {
in, out := &in.Context, &out.Context
*out = make([]v1.ContextEntry, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
in.MatchResources.DeepCopyInto(&out.MatchResources) in.MatchResources.DeepCopyInto(&out.MatchResources)
if in.ExcludeResources != nil { if in.ExcludeResources != nil {
in, out := &in.ExcludeResources, &out.ExcludeResources in, out := &in.ExcludeResources, &out.ExcludeResources
@ -117,7 +125,7 @@ func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus) {
*out = *in *out = *in
if in.Conditions != nil { if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in)) *out = make([]metav1.Condition, len(*in))
for i := range *in { for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i]) (*in)[i].DeepCopyInto(&(*out)[i])
} }

238
charts/kyverno/templates/crds/crds.yaml
View file

@ -778,6 +778,125 @@ spec:
type: object type: object
type: array type: array
type: object type: object
context:
description: Context defines variables and data sources that can be
used during rule execution.
items:
description: ContextEntry adds variables and data sources to a rule
Context. Either a ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
description: APICall is an HTTP request to the Kubernetes API
server, or other JSON web service. The data returned is stored
in the context with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response returned
from the server. For example a JMESPath of "items | length(@)"
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across all
namespaces.
type: string
service:
description: Service is an API call to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle which
will be used to validate the server certificate.
type: string
data:
description: Data specifies the POST data sent to the
server.
items:
description: RequestData contains the HTTP POST data
properties:
key:
description: Key is a unique identifier for the
data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type (GET or
POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL. The typical
format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used in the HTTP
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
or "/apis/apps/v1/deployments"). The format required
is the same format used by the `kubectl get --raw` command.
type: string
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
properties:
name:
description: Name is the ConfigMap name.
type: string
namespace:
description: Namespace is the ConfigMap namespace.
type: string
required:
- name
type: object
imageRegistry:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct returned
as a result of processing the image reference.
type: string
reference:
description: 'Reference is image reference to a container
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
type: string
required:
- reference
type: object
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object
that the variable may take if the JMESPath expression
evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude: exclude:
description: ExcludeResources defines when cleanuppolicy should not description: ExcludeResources defines when cleanuppolicy should not
be applied. The exclude criteria can include resource information be applied. The exclude criteria can include resource information
@ -2529,6 +2648,125 @@ spec:
type: object type: object
type: array type: array
type: object type: object
context:
description: Context defines variables and data sources that can be
used during rule execution.
items:
description: ContextEntry adds variables and data sources to a rule
Context. Either a ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
description: APICall is an HTTP request to the Kubernetes API
server, or other JSON web service. The data returned is stored
in the context with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response returned
from the server. For example a JMESPath of "items | length(@)"
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across all
namespaces.
type: string
service:
description: Service is an API call to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle which
will be used to validate the server certificate.
type: string
data:
description: Data specifies the POST data sent to the
server.
items:
description: RequestData contains the HTTP POST data
properties:
key:
description: Key is a unique identifier for the
data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type (GET or
POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL. The typical
format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used in the HTTP
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
or "/apis/apps/v1/deployments"). The format required
is the same format used by the `kubectl get --raw` command.
type: string
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
properties:
name:
description: Name is the ConfigMap name.
type: string
namespace:
description: Namespace is the ConfigMap namespace.
type: string
required:
- name
type: object
imageRegistry:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct returned
as a result of processing the image reference.
type: string
reference:
description: 'Reference is image reference to a container
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
type: string
required:
- reference
type: object
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object
that the variable may take if the JMESPath expression
evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude: exclude:
description: ExcludeResources defines when cleanuppolicy should not description: ExcludeResources defines when cleanuppolicy should not
be applied. The exclude criteria can include resource information be applied. The exclude criteria can include resource information

19
cmd/cleanup-controller/handlers/cleanup/handlers.go
View file

@ -10,6 +10,7 @@ import (
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1" kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
"github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context" enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/event"
@ -112,6 +113,22 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
kinds := sets.New(spec.MatchResources.GetKinds()...) kinds := sets.New(spec.MatchResources.GetKinds()...)
debug := logger.V(4) debug := logger.V(4)
var errs []error var errs []error
enginectx := enginecontext.NewContext(h.jp)
if spec.Context != nil {
for _, entry := range spec.Context {
if entry.APICall != nil {
if err := engineapi.LoadAPIData(ctx, h.jp, logger, entry, enginectx, h.client); err != nil {
return err
}
} else if entry.Variable != nil {
if err := engineapi.LoadVariable(logger, h.jp, entry, enginectx); err != nil {
return err
}
}
}
}
for kind := range kinds { for kind := range kinds {
commonLabels := []attribute.KeyValue{ commonLabels := []attribute.KeyValue{
attribute.String("policy_type", policy.GetKind()), attribute.String("policy_type", policy.GetKind()),
@ -185,7 +202,7 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
} }
// check conditions // check conditions
if spec.Conditions != nil { if spec.Conditions != nil {
enginectx := enginecontext.NewContext(h.jp) enginectx.Reset()
if err := enginectx.AddTargetResource(resource.Object); err != nil { if err := enginectx.AddTargetResource(resource.Object); err != nil {
debug.Error(err, "failed to add resource in context") debug.Error(err, "failed to add resource in context")
errs = append(errs, err) errs = append(errs, err)

119
config/crds/kyverno.io_cleanuppolicies.yaml
View file

@ -131,6 +131,125 @@ spec:
type: object type: object
type: array type: array
type: object type: object
context:
description: Context defines variables and data sources that can be
used during rule execution.
items:
description: ContextEntry adds variables and data sources to a rule
Context. Either a ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
description: APICall is an HTTP request to the Kubernetes API
server, or other JSON web service. The data returned is stored
in the context with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response returned
from the server. For example a JMESPath of "items | length(@)"
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across all
namespaces.
type: string
service:
description: Service is an API call to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle which
will be used to validate the server certificate.
type: string
data:
description: Data specifies the POST data sent to the
server.
items:
description: RequestData contains the HTTP POST data
properties:
key:
description: Key is a unique identifier for the
data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type (GET or
POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL. The typical
format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used in the HTTP
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
or "/apis/apps/v1/deployments"). The format required
is the same format used by the `kubectl get --raw` command.
type: string
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
properties:
name:
description: Name is the ConfigMap name.
type: string
namespace:
description: Namespace is the ConfigMap namespace.
type: string
required:
- name
type: object
imageRegistry:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct returned
as a result of processing the image reference.
type: string
reference:
description: 'Reference is image reference to a container
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
type: string
required:
- reference
type: object
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object
that the variable may take if the JMESPath expression
evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude: exclude:
description: ExcludeResources defines when cleanuppolicy should not description: ExcludeResources defines when cleanuppolicy should not
be applied. The exclude criteria can include resource information be applied. The exclude criteria can include resource information

119
config/crds/kyverno.io_clustercleanuppolicies.yaml
View file

@ -131,6 +131,125 @@ spec:
type: object type: object
type: array type: array
type: object type: object
context:
description: Context defines variables and data sources that can be
used during rule execution.
items:
description: ContextEntry adds variables and data sources to a rule
Context. Either a ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
description: APICall is an HTTP request to the Kubernetes API
server, or other JSON web service. The data returned is stored
in the context with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response returned
from the server. For example a JMESPath of "items | length(@)"
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across all
namespaces.
type: string
service:
description: Service is an API call to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle which
will be used to validate the server certificate.
type: string
data:
description: Data specifies the POST data sent to the
server.
items:
description: RequestData contains the HTTP POST data
properties:
key:
description: Key is a unique identifier for the
data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type (GET or
POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL. The typical
format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used in the HTTP
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
or "/apis/apps/v1/deployments"). The format required
is the same format used by the `kubectl get --raw` command.
type: string
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
properties:
name:
description: Name is the ConfigMap name.
type: string
namespace:
description: Namespace is the ConfigMap namespace.
type: string
required:
- name
type: object
imageRegistry:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct returned
as a result of processing the image reference.
type: string
reference:
description: 'Reference is image reference to a container
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
type: string
required:
- reference
type: object
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object
that the variable may take if the JMESPath expression
evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude: exclude:
description: ExcludeResources defines when cleanuppolicy should not description: ExcludeResources defines when cleanuppolicy should not
be applied. The exclude criteria can include resource information be applied. The exclude criteria can include resource information

238
config/install-latest-testing.yaml
View file

@ -971,6 +971,125 @@ spec:
type: object type: object
type: array type: array
type: object type: object
context:
description: Context defines variables and data sources that can be
used during rule execution.
items:
description: ContextEntry adds variables and data sources to a rule
Context. Either a ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
description: APICall is an HTTP request to the Kubernetes API
server, or other JSON web service. The data returned is stored
in the context with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response returned
from the server. For example a JMESPath of "items | length(@)"
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across all
namespaces.
type: string
service:
description: Service is an API call to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle which
will be used to validate the server certificate.
type: string
data:
description: Data specifies the POST data sent to the
server.
items:
description: RequestData contains the HTTP POST data
properties:
key:
description: Key is a unique identifier for the
data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type (GET or
POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL. The typical
format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used in the HTTP
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
or "/apis/apps/v1/deployments"). The format required
is the same format used by the `kubectl get --raw` command.
type: string
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
properties:
name:
description: Name is the ConfigMap name.
type: string
namespace:
description: Namespace is the ConfigMap namespace.
type: string
required:
- name
type: object
imageRegistry:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct returned
as a result of processing the image reference.
type: string
reference:
description: 'Reference is image reference to a container
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
type: string
required:
- reference
type: object
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object
that the variable may take if the JMESPath expression
evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude: exclude:
description: ExcludeResources defines when cleanuppolicy should not description: ExcludeResources defines when cleanuppolicy should not
be applied. The exclude criteria can include resource information be applied. The exclude criteria can include resource information
@ -2722,6 +2841,125 @@ spec:
type: object type: object
type: array type: array
type: object type: object
context:
description: Context defines variables and data sources that can be
used during rule execution.
items:
description: ContextEntry adds variables and data sources to a rule
Context. Either a ConfigMap reference or a APILookup must be provided.
properties:
apiCall:
description: APICall is an HTTP request to the Kubernetes API
server, or other JSON web service. The data returned is stored
in the context with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response returned
from the server. For example a JMESPath of "items | length(@)"
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across all
namespaces.
type: string
service:
description: Service is an API call to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle which
will be used to validate the server certificate.
type: string
data:
description: Data specifies the POST data sent to the
server.
items:
description: RequestData contains the HTTP POST data
properties:
key:
description: Key is a unique identifier for the
data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type (GET or
POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL. The typical
format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used in the HTTP
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
or "/apis/apps/v1/deployments"). The format required
is the same format used by the `kubectl get --raw` command.
type: string
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
properties:
name:
description: Name is the ConfigMap name.
type: string
namespace:
description: Namespace is the ConfigMap namespace.
type: string
required:
- name
type: object
imageRegistry:
description: ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct returned
as a result of processing the image reference.
type: string
reference:
description: 'Reference is image reference to a container
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
type: string
required:
- reference
type: object
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object
that the variable may take if the JMESPath expression
evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude: exclude:
description: ExcludeResources defines when cleanuppolicy should not description: ExcludeResources defines when cleanuppolicy should not
be applied. The exclude criteria can include resource information be applied. The exclude criteria can include resource information

43
docs/user/crd/index.html
View file

@ -1154,6 +1154,7 @@ string
<a href="#kyverno.io/v1.ForEachValidation">ForEachValidation</a>, <a href="#kyverno.io/v1.ForEachValidation">ForEachValidation</a>,
<a href="#kyverno.io/v1.Rule">Rule</a>, <a href="#kyverno.io/v1.Rule">Rule</a>,
<a href="#kyverno.io/v1.TargetResourceSpec">TargetResourceSpec</a>, <a href="#kyverno.io/v1.TargetResourceSpec">TargetResourceSpec</a>,
<a href="#kyverno.io/v2alpha1.CleanupPolicySpec">CleanupPolicySpec</a>,
<a href="#kyverno.io/v2beta1.Rule">Rule</a>) <a href="#kyverno.io/v2beta1.Rule">Rule</a>)
</p> </p>
<p> <p>
@ -4970,6 +4971,20 @@ CleanupPolicySpec
<table class="table table-striped"> <table class="table table-striped">
<tr> <tr>
<td> <td>
<code>context</code><br/>
<em>
<a href="#kyverno.io/v1.ContextEntry">
[]ContextEntry
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Context defines variables and data sources that can be used during rule execution.</p>
</td>
</tr>
<tr>
<td>
<code>match</code><br/> <code>match</code><br/>
<em> <em>
<a href="#kyverno.io/v2beta1.MatchResources"> <a href="#kyverno.io/v2beta1.MatchResources">
@ -5105,6 +5120,20 @@ CleanupPolicySpec
<table class="table table-striped"> <table class="table table-striped">
<tr> <tr>
<td> <td>
<code>context</code><br/>
<em>
<a href="#kyverno.io/v1.ContextEntry">
[]ContextEntry
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Context defines variables and data sources that can be used during rule execution.</p>
</td>
</tr>
<tr>
<td>
<code>match</code><br/> <code>match</code><br/>
<em> <em>
<a href="#kyverno.io/v2beta1.MatchResources"> <a href="#kyverno.io/v2beta1.MatchResources">
@ -5309,6 +5338,20 @@ and schedule when the matching resources needs deleted.</p>
<tbody> <tbody>
<tr> <tr>
<td> <td>
<code>context</code><br/>
<em>
<a href="#kyverno.io/v1.ContextEntry">
[]ContextEntry
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Context defines variables and data sources that can be used during rule execution.</p>
</td>
</tr>
<tr>
<td>
<code>match</code><br/> <code>match</code><br/>
<em> <em>
<a href="#kyverno.io/v2beta1.MatchResources"> <a href="#kyverno.io/v2beta1.MatchResources">

2
pkg/validation/cleanuppolicy/validate.go
View file

@ -102,4 +102,4 @@ func validateVariables(logger logr.Logger, policy kyvernov2alpha1.CleanupPolicyI
return nil return nil
} }
var allowedVariables = regexp.MustCompile(`target\.|images\.|([a-z_0-9]+\()[^{}]`) var allowedVariables = regexp.MustCompile(`([a-z_0-9]+)|(target\.|images\.|([a-z_0-9]+\()[^{}])`)

4
test/conformance/kuttl/cleanup/clusterpolicy/context-cleanup-pod/01-rbac.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- rbac.yaml

6
test/conformance/kuttl/cleanup/clusterpolicy/context-cleanup-pod/02-pod.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- pod.yaml
assert:
- pod-assert.yaml

6
test/conformance/kuttl/cleanup/clusterpolicy/context-cleanup-pod/03-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy.yaml

4
test/conformance/kuttl/cleanup/clusterpolicy/context-cleanup-pod/04-sleep.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: sleep 5

4
test/conformance/kuttl/cleanup/clusterpolicy/context-cleanup-pod/05-check.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
error:
- pod-assert.yaml

5
test/conformance/kuttl/cleanup/clusterpolicy/context-cleanup-pod/pod-assert.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: example
namespace: default

9
test/conformance/kuttl/cleanup/clusterpolicy/context-cleanup-pod/pod.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: example
namespace: default
spec:
containers:
- image: nginx:latest
name: example

28
test/conformance/kuttl/cleanup/clusterpolicy/context-cleanup-pod/policy.yaml Normal file
View file

@ -0,0 +1,28 @@
apiVersion: kyverno.io/v2alpha1
kind: ClusterCleanupPolicy
metadata:
name: cleanup-pod
spec:
context:
- name: varNamespace
apiCall:
urlPath: "/api/v1/namespaces/default"
jmesPath: metadata.name
- name: varname
variable:
value: "example"
match:
any:
- resources:
kinds:
- Pod
conditions:
all:
- key: "{{ target.metadata.name }}"
operator: Equals
value: "{{ varname }}"
- key: "{{ target.metadata.namespace }}"
operator: Equals
value: "{{ varNamespace }}"
## execute every minute
schedule: "*/1 * * * *"

26
test/conformance/kuttl/cleanup/clusterpolicy/context-cleanup-pod/rbac.yaml Normal file
View file

@ -0,0 +1,26 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: test-cleanup-pod
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- list
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: test-cleanup-pod
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: test-cleanup-pod
subjects:
- kind: ServiceAccount
name: kyverno-cleanup-controller
namespace: kyverno

7
test/conformance/kuttl/cleanup/validation/not-supported-attributes-in-context/01-cleanup-policy.yaml Normal file
View file

@ -0,0 +1,7 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: cleanuppolicy-with-image-registry.yaml
shouldFail: true
- file: cleanuppolicy-with-configmap.yaml
shouldFail: true

25
test/conformance/kuttl/cleanup/validation/not-supported-attributes-in-context/cleanuppolicy-with-configmap.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: kyverno.io/v2alpha1
kind: ClusterCleanupPolicy
metadata:
name: cleanup-pod
spec:
context:
- name: configData
configMap:
name: some-config-map
namespace: default
match:
any:
- resources:
kinds:
- Pod
conditions:
all:
- key: "{{ target.metadata.name }}"
operator: Equals
value: example
- key: "{{ target.metadata.namespace }}"
operator: Equals
value: default
## execute every minute
schedule: "*/1 * * * *"

24
test/conformance/kuttl/cleanup/validation/not-supported-attributes-in-context/cleanuppolicy-with-image-registry.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: kyverno.io/v2alpha1
kind: ClusterCleanupPolicy
metadata:
name: cleanup-pod
spec:
context:
- name: imageData
imageRegistry:
reference: "ghcr.io/kyverno/kyverno"
match:
any:
- resources:
kinds:
- Pod
conditions:
all:
- key: "{{ target.metadata.name }}"
operator: Equals
value: "example"
- key: "{{ target.metadata.namespace }}"
operator: Equals
value: default
## execute every minute
schedule: "*/1 * * * *"