Support for Context vars in cleanup (#6084)
* Added Context in CleanupPolicySpec Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added context.go file with loadVariable() Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added loadAPIData() in context.go and called from handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added conditionals for not supported context variables Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted versions in CRDs Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted CRDs to v0.11.1 Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Imported fmt in handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added Context in CleanupPolicySpec Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added context.go file with loadVariable() Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added loadAPIData() in context.go and called from handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added conditionals for not supported context variables Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted versions in CRDs Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reverted CRDs to v0.11.1 Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Imported fmt in handlers.go Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Removed duplicate import Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * make verify-codegen Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Updated kuttl test Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Fixed kuttl failure Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * moved policy check to validation Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Reused functions Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added kuttl test Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Added more configMap Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * removed unecessary check Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * auto codegen Signed-off-by: 
MdSahil-oss <Mohdssahil1@gmail.com> * updated codegen Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> * Renamed ApplyJMESPath() to applyJMESPath() Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> --------- Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
e10e1a7f8d
commit
0873a9fc02
22 changed files with 961 additions and 14 deletions
|
@ -148,6 +148,10 @@ type ClusterCleanupPolicyList struct {
|
||||||
// CleanupPolicySpec stores specifications for selecting resources that the user needs to delete
|
// CleanupPolicySpec stores specifications for selecting resources that the user needs to delete
|
||||||
// and schedule when the matching resources needs deleted.
|
// and schedule when the matching resources needs deleted.
|
||||||
type CleanupPolicySpec struct {
|
type CleanupPolicySpec struct {
|
||||||
|
// Context defines variables and data sources that can be used during rule execution.
|
||||||
|
// +optional
|
||||||
|
Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
|
||||||
|
|
||||||
// MatchResources defines when cleanuppolicy should be applied. The match
|
// MatchResources defines when cleanuppolicy should be applied. The match
|
||||||
// criteria can include resource information (e.g. kind, name, namespace, labels)
|
// criteria can include resource information (e.g. kind, name, namespace, labels)
|
||||||
// and admission review request information like the user name or role.
|
// and admission review request information like the user name or role.
|
||||||
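Review bot: The doc comment on the new Context field does not say which context entry kinds a cleanup policy may use, although elsewhere in this commit ValidateContext rejects configMap and imageRegistry entries and the cleanup handler only loads apiCall and variable entries. A user reading the Go type (or the CRD description generated from it) would reasonably try a configMap entry and only learn at admission time that it is refused. Suggest extending the comment to `// Context defines variables and data sources that can be used during rule execution. Only apiCall and variable entries are supported; configMap and imageRegistry entries are rejected by validation.`. CleanupPolicySpec continues past the end of the hunk.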
|
@ -175,6 +179,8 @@ type CleanupPolicyStatus struct {
|
||||||
|
|
||||||
// Validate implements programmatic validation
|
// Validate implements programmatic validation
|
||||||
func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList) {
|
func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList) {
|
||||||
|
// Write context validation code here by following other validations.
|
||||||
|
errs = append(errs, ValidateContext(path.Child("context"), p.Context)...)
|
||||||
errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...)
|
errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...)
|
||||||
if userInfoErrs := p.MatchResources.ValidateNoUserInfo(path.Child("match")); len(userInfoErrs) != 0 {
|
if userInfoErrs := p.MatchResources.ValidateNoUserInfo(path.Child("match")); len(userInfoErrs) != 0 {
|
||||||
errs = append(errs, userInfoErrs...)
|
errs = append(errs, userInfoErrs...)
|
||||||
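Review bot: The placeholder comment `// Write context validation code here by following other validations.` is committed directly above the ValidateContext call that already implements it, so it now reads as a stale TODO. Drop it, or replace it with a comment stating the rule being enforced, e.g. `// context entries: only apiCall and variable sources are supported by the cleanup controller`. Validate's body continues outside the hunk.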
|
@ -192,6 +198,17 @@ func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set
|
||||||
return errs
|
return errs
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func ValidateContext(path *field.Path, context []kyvernov1.ContextEntry) (errs field.ErrorList) {
|
||||||
|
for _, entry := range context {
|
||||||
|
if entry.ImageRegistry != nil {
|
||||||
|
errs = append(errs, field.Invalid(path, context, "ImageRegistry is not allowed in CleanUp Policy"))
|
||||||
|
} else if entry.ConfigMap != nil {
|
||||||
|
errs = append(errs, field.Invalid(path, context, "ConfigMap is not allowed in CleanUp Policy"))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return errs
|
||||||
|
}
|
||||||
|
|
||||||
// ValidateSchedule validates whether the schedule specified is in proper cron format or not.
|
// ValidateSchedule validates whether the schedule specified is in proper cron format or not.
|
||||||
func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList) {
|
func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList) {
|
||||||
if _, err := cron.ParseStandard(schedule); err != nil {
|
if _, err := cron.ParseStandard(schedule); err != nil {
|
||||||
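Review bot: ValidateContext attaches every rejection to the parent `context` path and passes the whole slice as the offending value, so on a policy with several entries the admission error does not say which entry was refused; using `path.Index(i)` with the specific child field gives the user an actionable location. The `else if` also means an entry that sets both imageRegistry and configMap reports only the first, and the exported function has no doc comment while ValidateSchedule directly below it does. The rewrite below keeps the same signature and messages and only changes where the errors point.
```go
// ValidateContext checks that every context entry uses a source the cleanup
// controller can resolve; configMap and imageRegistry lookups are rejected.
func ValidateContext(path *field.Path, context []kyvernov1.ContextEntry) (errs field.ErrorList) {
	for i, entry := range context {
		entryPath := path.Index(i)
		if entry.ImageRegistry != nil {
			errs = append(errs, field.Forbidden(entryPath.Child("imageRegistry"), "ImageRegistry is not allowed in CleanUp Policy"))
		}
		if entry.ConfigMap != nil {
			errs = append(errs, field.Forbidden(entryPath.Child("configMap"), "ConfigMap is not allowed in CleanUp Policy"))
		}
	}
	return errs
}
```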
|
|
|
@ -22,8 +22,9 @@ limitations under the License.
|
||||||
package v2alpha1
|
package v2alpha1
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
"github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
"github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -89,6 +90,13 @@ func (in *CleanupPolicyList) DeepCopyObject() runtime.Object {
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) {
|
func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.Context != nil {
|
||||||
|
in, out := &in.Context, &out.Context
|
||||||
|
*out = make([]v1.ContextEntry, len(*in))
|
||||||
|
for i := range *in {
|
||||||
|
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||||
|
}
|
||||||
|
}
|
||||||
in.MatchResources.DeepCopyInto(&out.MatchResources)
|
in.MatchResources.DeepCopyInto(&out.MatchResources)
|
||||||
if in.ExcludeResources != nil {
|
if in.ExcludeResources != nil {
|
||||||
in, out := &in.ExcludeResources, &out.ExcludeResources
|
in, out := &in.ExcludeResources, &out.ExcludeResources
|
||||||
|
@ -117,7 +125,7 @@ func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus) {
|
||||||
*out = *in
|
*out = *in
|
||||||
if in.Conditions != nil {
|
if in.Conditions != nil {
|
||||||
in, out := &in.Conditions, &out.Conditions
|
in, out := &in.Conditions, &out.Conditions
|
||||||
*out = make([]v1.Condition, len(*in))
|
*out = make([]metav1.Condition, len(*in))
|
||||||
for i := range *in {
|
for i := range *in {
|
||||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||||
}
|
}
|
||||||
|
|
|
@ -778,6 +778,125 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
|
context:
|
||||||
|
description: Context defines variables and data sources that can be
|
||||||
|
used during rule execution.
|
||||||
|
items:
|
||||||
|
description: ContextEntry adds variables and data sources to a rule
|
||||||
|
Context. Either a ConfigMap reference or a APILookup must be provided.
|
||||||
|
properties:
|
||||||
|
apiCall:
|
||||||
|
description: APICall is an HTTP request to the Kubernetes API
|
||||||
|
server, or other JSON web service. The data returned is stored
|
||||||
|
in the context with the name for the context entry.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the JSON response returned
|
||||||
|
from the server. For example a JMESPath of "items | length(@)"
|
||||||
|
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
|
||||||
|
will return the total count of deployments across all
|
||||||
|
namespaces.
|
||||||
|
type: string
|
||||||
|
service:
|
||||||
|
description: Service is an API call to a JSON web service
|
||||||
|
properties:
|
||||||
|
caBundle:
|
||||||
|
description: CABundle is a PEM encoded CA bundle which
|
||||||
|
will be used to validate the server certificate.
|
||||||
|
type: string
|
||||||
|
data:
|
||||||
|
description: Data specifies the POST data sent to the
|
||||||
|
server.
|
||||||
|
items:
|
||||||
|
description: RequestData contains the HTTP POST data
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: Key is a unique identifier for the
|
||||||
|
data value
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is the data value
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- value
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
requestType:
|
||||||
|
default: GET
|
||||||
|
description: Method is the HTTP request type (GET or
|
||||||
|
POST).
|
||||||
|
enum:
|
||||||
|
- GET
|
||||||
|
- POST
|
||||||
|
type: string
|
||||||
|
urlPath:
|
||||||
|
description: URL is the JSON web service URL. The typical
|
||||||
|
format is `https://{service}.{namespace}:{port}/{path}`.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- requestType
|
||||||
|
- urlPath
|
||||||
|
type: object
|
||||||
|
urlPath:
|
||||||
|
description: URLPath is the URL path to be used in the HTTP
|
||||||
|
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
||||||
|
or "/apis/apps/v1/deployments"). The format required
|
||||||
|
is the same format used by the `kubectl get --raw` command.
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
configMap:
|
||||||
|
description: ConfigMap is the ConfigMap reference.
|
||||||
|
properties:
|
||||||
|
name:
|
||||||
|
description: Name is the ConfigMap name.
|
||||||
|
type: string
|
||||||
|
namespace:
|
||||||
|
description: Namespace is the ConfigMap namespace.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
imageRegistry:
|
||||||
|
description: ImageRegistry defines requests to an OCI/Docker
|
||||||
|
V2 registry to fetch image details.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the ImageData struct returned
|
||||||
|
as a result of processing the image reference.
|
||||||
|
type: string
|
||||||
|
reference:
|
||||||
|
description: 'Reference is image reference to a container
|
||||||
|
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- reference
|
||||||
|
type: object
|
||||||
|
name:
|
||||||
|
description: Name is the variable name.
|
||||||
|
type: string
|
||||||
|
variable:
|
||||||
|
description: Variable defines an arbitrary JMESPath context
|
||||||
|
variable that can be defined inline.
|
||||||
|
properties:
|
||||||
|
default:
|
||||||
|
description: Default is an optional arbitrary JSON object
|
||||||
|
that the variable may take if the JMESPath expression
|
||||||
|
evaluates to nil
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JMESPath Expression
|
||||||
|
that can be used to transform the variable.
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is any arbitrary JSON object representable
|
||||||
|
in YAML or JSON form.
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
exclude:
|
exclude:
|
||||||
description: ExcludeResources defines when cleanuppolicy should not
|
description: ExcludeResources defines when cleanuppolicy should not
|
||||||
be applied. The exclude criteria can include resource information
|
be applied. The exclude criteria can include resource information
|
||||||
|
@ -2529,6 +2648,125 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
|
context:
|
||||||
|
description: Context defines variables and data sources that can be
|
||||||
|
used during rule execution.
|
||||||
|
items:
|
||||||
|
description: ContextEntry adds variables and data sources to a rule
|
||||||
|
Context. Either a ConfigMap reference or a APILookup must be provided.
|
||||||
|
properties:
|
||||||
|
apiCall:
|
||||||
|
description: APICall is an HTTP request to the Kubernetes API
|
||||||
|
server, or other JSON web service. The data returned is stored
|
||||||
|
in the context with the name for the context entry.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the JSON response returned
|
||||||
|
from the server. For example a JMESPath of "items | length(@)"
|
||||||
|
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
|
||||||
|
will return the total count of deployments across all
|
||||||
|
namespaces.
|
||||||
|
type: string
|
||||||
|
service:
|
||||||
|
description: Service is an API call to a JSON web service
|
||||||
|
properties:
|
||||||
|
caBundle:
|
||||||
|
description: CABundle is a PEM encoded CA bundle which
|
||||||
|
will be used to validate the server certificate.
|
||||||
|
type: string
|
||||||
|
data:
|
||||||
|
description: Data specifies the POST data sent to the
|
||||||
|
server.
|
||||||
|
items:
|
||||||
|
description: RequestData contains the HTTP POST data
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: Key is a unique identifier for the
|
||||||
|
data value
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is the data value
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- value
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
requestType:
|
||||||
|
default: GET
|
||||||
|
description: Method is the HTTP request type (GET or
|
||||||
|
POST).
|
||||||
|
enum:
|
||||||
|
- GET
|
||||||
|
- POST
|
||||||
|
type: string
|
||||||
|
urlPath:
|
||||||
|
description: URL is the JSON web service URL. The typical
|
||||||
|
format is `https://{service}.{namespace}:{port}/{path}`.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- requestType
|
||||||
|
- urlPath
|
||||||
|
type: object
|
||||||
|
urlPath:
|
||||||
|
description: URLPath is the URL path to be used in the HTTP
|
||||||
|
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
||||||
|
or "/apis/apps/v1/deployments"). The format required
|
||||||
|
is the same format used by the `kubectl get --raw` command.
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
configMap:
|
||||||
|
description: ConfigMap is the ConfigMap reference.
|
||||||
|
properties:
|
||||||
|
name:
|
||||||
|
description: Name is the ConfigMap name.
|
||||||
|
type: string
|
||||||
|
namespace:
|
||||||
|
description: Namespace is the ConfigMap namespace.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
imageRegistry:
|
||||||
|
description: ImageRegistry defines requests to an OCI/Docker
|
||||||
|
V2 registry to fetch image details.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the ImageData struct returned
|
||||||
|
as a result of processing the image reference.
|
||||||
|
type: string
|
||||||
|
reference:
|
||||||
|
description: 'Reference is image reference to a container
|
||||||
|
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- reference
|
||||||
|
type: object
|
||||||
|
name:
|
||||||
|
description: Name is the variable name.
|
||||||
|
type: string
|
||||||
|
variable:
|
||||||
|
description: Variable defines an arbitrary JMESPath context
|
||||||
|
variable that can be defined inline.
|
||||||
|
properties:
|
||||||
|
default:
|
||||||
|
description: Default is an optional arbitrary JSON object
|
||||||
|
that the variable may take if the JMESPath expression
|
||||||
|
evaluates to nil
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JMESPath Expression
|
||||||
|
that can be used to transform the variable.
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is any arbitrary JSON object representable
|
||||||
|
in YAML or JSON form.
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
exclude:
|
exclude:
|
||||||
description: ExcludeResources defines when cleanuppolicy should not
|
description: ExcludeResources defines when cleanuppolicy should not
|
||||||
be applied. The exclude criteria can include resource information
|
be applied. The exclude criteria can include resource information
|
||||||
|
|
|
@ -10,6 +10,7 @@ import (
|
||||||
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
|
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
|
||||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||||
"github.com/kyverno/kyverno/pkg/config"
|
"github.com/kyverno/kyverno/pkg/config"
|
||||||
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||||
"github.com/kyverno/kyverno/pkg/event"
|
"github.com/kyverno/kyverno/pkg/event"
|
||||||
|
@ -112,6 +113,22 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
|
||||||
kinds := sets.New(spec.MatchResources.GetKinds()...)
|
kinds := sets.New(spec.MatchResources.GetKinds()...)
|
||||||
debug := logger.V(4)
|
debug := logger.V(4)
|
||||||
var errs []error
|
var errs []error
|
||||||
|
enginectx := enginecontext.NewContext(h.jp)
|
||||||
|
|
||||||
|
if spec.Context != nil {
|
||||||
|
for _, entry := range spec.Context {
|
||||||
|
if entry.APICall != nil {
|
||||||
|
if err := engineapi.LoadAPIData(ctx, h.jp, logger, entry, enginectx, h.client); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
} else if entry.Variable != nil {
|
||||||
|
if err := engineapi.LoadVariable(logger, h.jp, entry, enginectx); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
for kind := range kinds {
|
for kind := range kinds {
|
||||||
commonLabels := []attribute.KeyValue{
|
commonLabels := []attribute.KeyValue{
|
||||||
attribute.String("policy_type", policy.GetKind()),
|
attribute.String("policy_type", policy.GetKind()),
|
||||||
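Review bot: Errors from LoadAPIData and LoadVariable are returned bare and abort the whole policy, while the rest of executePolicy collects failures into errs and logs them through debug.Error; at minimum the returned error should name the entry that failed, e.g. `return fmt.Errorf("loading context entry %q: %w", entry.Name, err)` (adding the fmt import if the file does not already have it). The `if spec.Context != nil` guard is redundant, since ranging over a nil slice is a no-op. It is also worth a comment on the LoadAPIData call that the lookup runs with the controller's own client (h.client), so the controller's RBAC is what bounds what a user who can create a cleanup policy can read through an apiCall entry; ValidateContext in this commit does not constrain apiCall. executePolicy starts and ends outside the hunk.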
|
@ -185,7 +202,7 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
|
||||||
}
|
}
|
||||||
// check conditions
|
// check conditions
|
||||||
if spec.Conditions != nil {
|
if spec.Conditions != nil {
|
||||||
enginectx := enginecontext.NewContext(h.jp)
|
enginectx.Reset()
|
||||||
if err := enginectx.AddTargetResource(resource.Object); err != nil {
|
if err := enginectx.AddTargetResource(resource.Object); err != nil {
|
||||||
debug.Error(err, "failed to add resource in context")
|
debug.Error(err, "failed to add resource in context")
|
||||||
errs = append(errs, err)
|
errs = append(errs, err)
|
||||||
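Review bot: Replacing the per-resource `enginecontext.NewContext(h.jp)` with `enginectx.Reset()` only gives the intended "keep the loaded context entries, drop per-resource data" behaviour if Reset restores to an earlier checkpoint; no Checkpoint() call is visible in this commit after the context entries are loaded, so please confirm Reset is not a no-op here and that data added for one resource by AddTargetResource cannot remain visible when the next resource is evaluated. A short comment on this line stating what Reset is expected to discard (and what it keeps) would make the intent checkable. executePolicy's body continues outside the hunk.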
|
|
|
@ -131,6 +131,125 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
|
context:
|
||||||
|
description: Context defines variables and data sources that can be
|
||||||
|
used during rule execution.
|
||||||
|
items:
|
||||||
|
description: ContextEntry adds variables and data sources to a rule
|
||||||
|
Context. Either a ConfigMap reference or a APILookup must be provided.
|
||||||
|
properties:
|
||||||
|
apiCall:
|
||||||
|
description: APICall is an HTTP request to the Kubernetes API
|
||||||
|
server, or other JSON web service. The data returned is stored
|
||||||
|
in the context with the name for the context entry.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the JSON response returned
|
||||||
|
from the server. For example a JMESPath of "items | length(@)"
|
||||||
|
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
|
||||||
|
will return the total count of deployments across all
|
||||||
|
namespaces.
|
||||||
|
type: string
|
||||||
|
service:
|
||||||
|
description: Service is an API call to a JSON web service
|
||||||
|
properties:
|
||||||
|
caBundle:
|
||||||
|
description: CABundle is a PEM encoded CA bundle which
|
||||||
|
will be used to validate the server certificate.
|
||||||
|
type: string
|
||||||
|
data:
|
||||||
|
description: Data specifies the POST data sent to the
|
||||||
|
server.
|
||||||
|
items:
|
||||||
|
description: RequestData contains the HTTP POST data
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: Key is a unique identifier for the
|
||||||
|
data value
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is the data value
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- value
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
requestType:
|
||||||
|
default: GET
|
||||||
|
description: Method is the HTTP request type (GET or
|
||||||
|
POST).
|
||||||
|
enum:
|
||||||
|
- GET
|
||||||
|
- POST
|
||||||
|
type: string
|
||||||
|
urlPath:
|
||||||
|
description: URL is the JSON web service URL. The typical
|
||||||
|
format is `https://{service}.{namespace}:{port}/{path}`.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- requestType
|
||||||
|
- urlPath
|
||||||
|
type: object
|
||||||
|
urlPath:
|
||||||
|
description: URLPath is the URL path to be used in the HTTP
|
||||||
|
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
||||||
|
or "/apis/apps/v1/deployments"). The format required
|
||||||
|
is the same format used by the `kubectl get --raw` command.
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
configMap:
|
||||||
|
description: ConfigMap is the ConfigMap reference.
|
||||||
|
properties:
|
||||||
|
name:
|
||||||
|
description: Name is the ConfigMap name.
|
||||||
|
type: string
|
||||||
|
namespace:
|
||||||
|
description: Namespace is the ConfigMap namespace.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
imageRegistry:
|
||||||
|
description: ImageRegistry defines requests to an OCI/Docker
|
||||||
|
V2 registry to fetch image details.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the ImageData struct returned
|
||||||
|
as a result of processing the image reference.
|
||||||
|
type: string
|
||||||
|
reference:
|
||||||
|
description: 'Reference is image reference to a container
|
||||||
|
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- reference
|
||||||
|
type: object
|
||||||
|
name:
|
||||||
|
description: Name is the variable name.
|
||||||
|
type: string
|
||||||
|
variable:
|
||||||
|
description: Variable defines an arbitrary JMESPath context
|
||||||
|
variable that can be defined inline.
|
||||||
|
properties:
|
||||||
|
default:
|
||||||
|
description: Default is an optional arbitrary JSON object
|
||||||
|
that the variable may take if the JMESPath expression
|
||||||
|
evaluates to nil
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JMESPath Expression
|
||||||
|
that can be used to transform the variable.
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is any arbitrary JSON object representable
|
||||||
|
in YAML or JSON form.
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
exclude:
|
exclude:
|
||||||
description: ExcludeResources defines when cleanuppolicy should not
|
description: ExcludeResources defines when cleanuppolicy should not
|
||||||
be applied. The exclude criteria can include resource information
|
be applied. The exclude criteria can include resource information
|
||||||
|
|
|
@ -131,6 +131,125 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
|
context:
|
||||||
|
description: Context defines variables and data sources that can be
|
||||||
|
used during rule execution.
|
||||||
|
items:
|
||||||
|
description: ContextEntry adds variables and data sources to a rule
|
||||||
|
Context. Either a ConfigMap reference or a APILookup must be provided.
|
||||||
|
properties:
|
||||||
|
apiCall:
|
||||||
|
description: APICall is an HTTP request to the Kubernetes API
|
||||||
|
server, or other JSON web service. The data returned is stored
|
||||||
|
in the context with the name for the context entry.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the JSON response returned
|
||||||
|
from the server. For example a JMESPath of "items | length(@)"
|
||||||
|
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
|
||||||
|
will return the total count of deployments across all
|
||||||
|
namespaces.
|
||||||
|
type: string
|
||||||
|
service:
|
||||||
|
description: Service is an API call to a JSON web service
|
||||||
|
properties:
|
||||||
|
caBundle:
|
||||||
|
description: CABundle is a PEM encoded CA bundle which
|
||||||
|
will be used to validate the server certificate.
|
||||||
|
type: string
|
||||||
|
data:
|
||||||
|
description: Data specifies the POST data sent to the
|
||||||
|
server.
|
||||||
|
items:
|
||||||
|
description: RequestData contains the HTTP POST data
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: Key is a unique identifier for the
|
||||||
|
data value
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is the data value
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- value
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
requestType:
|
||||||
|
default: GET
|
||||||
|
description: Method is the HTTP request type (GET or
|
||||||
|
POST).
|
||||||
|
enum:
|
||||||
|
- GET
|
||||||
|
- POST
|
||||||
|
type: string
|
||||||
|
urlPath:
|
||||||
|
description: URL is the JSON web service URL. The typical
|
||||||
|
format is `https://{service}.{namespace}:{port}/{path}`.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- requestType
|
||||||
|
- urlPath
|
||||||
|
type: object
|
||||||
|
urlPath:
|
||||||
|
description: URLPath is the URL path to be used in the HTTP
|
||||||
|
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
||||||
|
or "/apis/apps/v1/deployments"). The format required
|
||||||
|
is the same format used by the `kubectl get --raw` command.
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
configMap:
|
||||||
|
description: ConfigMap is the ConfigMap reference.
|
||||||
|
properties:
|
||||||
|
name:
|
||||||
|
description: Name is the ConfigMap name.
|
||||||
|
type: string
|
||||||
|
namespace:
|
||||||
|
description: Namespace is the ConfigMap namespace.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
imageRegistry:
|
||||||
|
description: ImageRegistry defines requests to an OCI/Docker
|
||||||
|
V2 registry to fetch image details.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the ImageData struct returned
|
||||||
|
as a result of processing the image reference.
|
||||||
|
type: string
|
||||||
|
reference:
|
||||||
|
description: 'Reference is image reference to a container
|
||||||
|
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- reference
|
||||||
|
type: object
|
||||||
|
name:
|
||||||
|
description: Name is the variable name.
|
||||||
|
type: string
|
||||||
|
variable:
|
||||||
|
description: Variable defines an arbitrary JMESPath context
|
||||||
|
variable that can be defined inline.
|
||||||
|
properties:
|
||||||
|
default:
|
||||||
|
description: Default is an optional arbitrary JSON object
|
||||||
|
that the variable may take if the JMESPath expression
|
||||||
|
evaluates to nil
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JMESPath Expression
|
||||||
|
that can be used to transform the variable.
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is any arbitrary JSON object representable
|
||||||
|
in YAML or JSON form.
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
exclude:
|
exclude:
|
||||||
description: ExcludeResources defines when cleanuppolicy should not
|
description: ExcludeResources defines when cleanuppolicy should not
|
||||||
be applied. The exclude criteria can include resource information
|
be applied. The exclude criteria can include resource information
|
||||||
|
|
|
@ -971,6 +971,125 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
|
context:
|
||||||
|
description: Context defines variables and data sources that can be
|
||||||
|
used during rule execution.
|
||||||
|
items:
|
||||||
|
description: ContextEntry adds variables and data sources to a rule
|
||||||
|
Context. Either a ConfigMap reference or a APILookup must be provided.
|
||||||
|
properties:
|
||||||
|
apiCall:
|
||||||
|
description: APICall is an HTTP request to the Kubernetes API
|
||||||
|
server, or other JSON web service. The data returned is stored
|
||||||
|
in the context with the name for the context entry.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the JSON response returned
|
||||||
|
from the server. For example a JMESPath of "items | length(@)"
|
||||||
|
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
|
||||||
|
will return the total count of deployments across all
|
||||||
|
namespaces.
|
||||||
|
type: string
|
||||||
|
service:
|
||||||
|
description: Service is an API call to a JSON web service
|
||||||
|
properties:
|
||||||
|
caBundle:
|
||||||
|
description: CABundle is a PEM encoded CA bundle which
|
||||||
|
will be used to validate the server certificate.
|
||||||
|
type: string
|
||||||
|
data:
|
||||||
|
description: Data specifies the POST data sent to the
|
||||||
|
server.
|
||||||
|
items:
|
||||||
|
description: RequestData contains the HTTP POST data
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: Key is a unique identifier for the
|
||||||
|
data value
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is the data value
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- value
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
requestType:
|
||||||
|
default: GET
|
||||||
|
description: Method is the HTTP request type (GET or
|
||||||
|
POST).
|
||||||
|
enum:
|
||||||
|
- GET
|
||||||
|
- POST
|
||||||
|
type: string
|
||||||
|
urlPath:
|
||||||
|
description: URL is the JSON web service URL. The typical
|
||||||
|
format is `https://{service}.{namespace}:{port}/{path}`.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- requestType
|
||||||
|
- urlPath
|
||||||
|
type: object
|
||||||
|
urlPath:
|
||||||
|
description: URLPath is the URL path to be used in the HTTP
|
||||||
|
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
||||||
|
or "/apis/apps/v1/deployments"). The format required
|
||||||
|
is the same format used by the `kubectl get --raw` command.
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
configMap:
|
||||||
|
description: ConfigMap is the ConfigMap reference.
|
||||||
|
properties:
|
||||||
|
name:
|
||||||
|
description: Name is the ConfigMap name.
|
||||||
|
type: string
|
||||||
|
namespace:
|
||||||
|
description: Namespace is the ConfigMap namespace.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
imageRegistry:
|
||||||
|
description: ImageRegistry defines requests to an OCI/Docker
|
||||||
|
V2 registry to fetch image details.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the ImageData struct returned
|
||||||
|
as a result of processing the image reference.
|
||||||
|
type: string
|
||||||
|
reference:
|
||||||
|
description: 'Reference is image reference to a container
|
||||||
|
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- reference
|
||||||
|
type: object
|
||||||
|
name:
|
||||||
|
description: Name is the variable name.
|
||||||
|
type: string
|
||||||
|
variable:
|
||||||
|
description: Variable defines an arbitrary JMESPath context
|
||||||
|
variable that can be defined inline.
|
||||||
|
properties:
|
||||||
|
default:
|
||||||
|
description: Default is an optional arbitrary JSON object
|
||||||
|
that the variable may take if the JMESPath expression
|
||||||
|
evaluates to nil
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JMESPath Expression
|
||||||
|
that can be used to transform the variable.
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is any arbitrary JSON object representable
|
||||||
|
in YAML or JSON form.
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
exclude:
|
exclude:
|
||||||
description: ExcludeResources defines when cleanuppolicy should not
|
description: ExcludeResources defines when cleanuppolicy should not
|
||||||
be applied. The exclude criteria can include resource information
|
be applied. The exclude criteria can include resource information
|
||||||
|
@ -2722,6 +2841,125 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
|
context:
|
||||||
|
description: Context defines variables and data sources that can be
|
||||||
|
used during rule execution.
|
||||||
|
items:
|
||||||
|
description: ContextEntry adds variables and data sources to a rule
|
||||||
|
Context. Either a ConfigMap reference or a APILookup must be provided.
|
||||||
|
properties:
|
||||||
|
apiCall:
|
||||||
|
description: APICall is an HTTP request to the Kubernetes API
|
||||||
|
server, or other JSON web service. The data returned is stored
|
||||||
|
in the context with the name for the context entry.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the JSON response returned
|
||||||
|
from the server. For example a JMESPath of "items | length(@)"
|
||||||
|
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
|
||||||
|
will return the total count of deployments across all
|
||||||
|
namespaces.
|
||||||
|
type: string
|
||||||
|
service:
|
||||||
|
description: Service is an API call to a JSON web service
|
||||||
|
properties:
|
||||||
|
caBundle:
|
||||||
|
description: CABundle is a PEM encoded CA bundle which
|
||||||
|
will be used to validate the server certificate.
|
||||||
|
type: string
|
||||||
|
data:
|
||||||
|
description: Data specifies the POST data sent to the
|
||||||
|
server.
|
||||||
|
items:
|
||||||
|
description: RequestData contains the HTTP POST data
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: Key is a unique identifier for the
|
||||||
|
data value
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is the data value
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- value
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
requestType:
|
||||||
|
default: GET
|
||||||
|
description: Method is the HTTP request type (GET or
|
||||||
|
POST).
|
||||||
|
enum:
|
||||||
|
- GET
|
||||||
|
- POST
|
||||||
|
type: string
|
||||||
|
urlPath:
|
||||||
|
description: URL is the JSON web service URL. The typical
|
||||||
|
format is `https://{service}.{namespace}:{port}/{path}`.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- requestType
|
||||||
|
- urlPath
|
||||||
|
type: object
|
||||||
|
urlPath:
|
||||||
|
description: URLPath is the URL path to be used in the HTTP
|
||||||
|
GET request to the Kubernetes API server (e.g. "/api/v1/namespaces"
|
||||||
|
or "/apis/apps/v1/deployments"). The format required
|
||||||
|
is the same format used by the `kubectl get --raw` command.
|
||||||
|
type: string
|
||||||
|
type: object
|
||||||
|
configMap:
|
||||||
|
description: ConfigMap is the ConfigMap reference.
|
||||||
|
properties:
|
||||||
|
name:
|
||||||
|
description: Name is the ConfigMap name.
|
||||||
|
type: string
|
||||||
|
namespace:
|
||||||
|
description: Namespace is the ConfigMap namespace.
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
imageRegistry:
|
||||||
|
description: ImageRegistry defines requests to an OCI/Docker
|
||||||
|
V2 registry to fetch image details.
|
||||||
|
properties:
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JSON Match Expression
|
||||||
|
that can be used to transform the ImageData struct returned
|
||||||
|
as a result of processing the image reference.
|
||||||
|
type: string
|
||||||
|
reference:
|
||||||
|
description: 'Reference is image reference to a container
|
||||||
|
image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- reference
|
||||||
|
type: object
|
||||||
|
name:
|
||||||
|
description: Name is the variable name.
|
||||||
|
type: string
|
||||||
|
variable:
|
||||||
|
description: Variable defines an arbitrary JMESPath context
|
||||||
|
variable that can be defined inline.
|
||||||
|
properties:
|
||||||
|
default:
|
||||||
|
description: Default is an optional arbitrary JSON object
|
||||||
|
that the variable may take if the JMESPath expression
|
||||||
|
evaluates to nil
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
jmesPath:
|
||||||
|
description: JMESPath is an optional JMESPath Expression
|
||||||
|
that can be used to transform the variable.
|
||||||
|
type: string
|
||||||
|
value:
|
||||||
|
description: Value is any arbitrary JSON object representable
|
||||||
|
in YAML or JSON form.
|
||||||
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
exclude:
|
exclude:
|
||||||
description: ExcludeResources defines when cleanuppolicy should not
|
description: ExcludeResources defines when cleanuppolicy should not
|
||||||
be applied. The exclude criteria can include resource information
|
be applied. The exclude criteria can include resource information
|
||||||
|
|
|
@ -1154,6 +1154,7 @@ string
|
||||||
<a href="#kyverno.io/v1.ForEachValidation">ForEachValidation</a>,
|
<a href="#kyverno.io/v1.ForEachValidation">ForEachValidation</a>,
|
||||||
<a href="#kyverno.io/v1.Rule">Rule</a>,
|
<a href="#kyverno.io/v1.Rule">Rule</a>,
|
||||||
<a href="#kyverno.io/v1.TargetResourceSpec">TargetResourceSpec</a>,
|
<a href="#kyverno.io/v1.TargetResourceSpec">TargetResourceSpec</a>,
|
||||||
|
<a href="#kyverno.io/v2alpha1.CleanupPolicySpec">CleanupPolicySpec</a>,
|
||||||
<a href="#kyverno.io/v2beta1.Rule">Rule</a>)
|
<a href="#kyverno.io/v2beta1.Rule">Rule</a>)
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
|
@ -4970,6 +4971,20 @@ CleanupPolicySpec
|
||||||
<table class="table table-striped">
|
<table class="table table-striped">
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
|
<code>context</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v1.ContextEntry">
|
||||||
|
[]ContextEntry
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>Context defines variables and data sources that can be used during rule execution.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
<code>match</code><br/>
|
<code>match</code><br/>
|
||||||
<em>
|
<em>
|
||||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||||
|
@ -5105,6 +5120,20 @@ CleanupPolicySpec
|
||||||
<table class="table table-striped">
|
<table class="table table-striped">
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
|
<code>context</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v1.ContextEntry">
|
||||||
|
[]ContextEntry
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>Context defines variables and data sources that can be used during rule execution.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
<code>match</code><br/>
|
<code>match</code><br/>
|
||||||
<em>
|
<em>
|
||||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||||
|
@ -5309,6 +5338,20 @@ and schedule when the matching resources needs deleted.</p>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
|
<code>context</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v1.ContextEntry">
|
||||||
|
[]ContextEntry
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>Context defines variables and data sources that can be used during rule execution.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
<code>match</code><br/>
|
<code>match</code><br/>
|
||||||
<em>
|
<em>
|
||||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||||
|
|
|
@ -102,4 +102,4 @@ func validateVariables(logger logr.Logger, policy kyvernov2alpha1.CleanupPolicyI
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
var allowedVariables = regexp.MustCompile(`target\.|images\.|([a-z_0-9]+\()[^{}]`)
|
var allowedVariables = regexp.MustCompile(`([a-z_0-9]+)|(target\.|images\.|([a-z_0-9]+\()[^{}])`)
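Review bot: The new first alternative `([a-z_0-9]+)` in `allowedVariables` is unanchored, so any variable token that contains a lowercase letter, digit or underscore satisfies it — undefined names and, say, `request.object...` included — and if the pattern is applied with `MatchString` as the mock context presumably does, the allow-list now accepts everything; the kuttl policy's `varNamespace` appears to pass only through the substring `var`. The intent is evidently to admit the names declared under `spec.context`, so the allow-list should be built per policy from those names, anchored, instead of from a catch-all character class. The body of `validateVariables` that builds the mock context is outside the hunk, so the call site would have to pass the derived pattern (e.g. built from the `Name` of each `policy.GetSpec().Context` entry); `strings` needs importing if it is not already.
```go
// … unchanged: validateVariables …

// staticAllowedVariables keeps the prefixes every cleanup policy may use.
const staticAllowedVariables = `target\.|images\.|([a-z_0-9]+\()[^{}]`

// allowedVariablesFor extends the static allow-list with the variable names
// declared in spec.context; each name is anchored so only the whole name,
// optionally followed by a sub-path, matches.
func allowedVariablesFor(contextNames []string) *regexp.Regexp {
	alts := []string{staticAllowedVariables}
	for _, name := range contextNames {
		alts = append(alts, `^`+regexp.QuoteMeta(name)+`(\.|\[|$)`)
	}
	return regexp.MustCompile(strings.Join(alts, "|"))
}
```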
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
apply:
|
||||||
|
- rbac.yaml
|
|
@ -0,0 +1,6 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
apply:
|
||||||
|
- pod.yaml
|
||||||
|
assert:
|
||||||
|
- pod-assert.yaml
|
|
@ -0,0 +1,6 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
apply:
|
||||||
|
- policy.yaml
|
||||||
|
assert:
|
||||||
|
- policy.yaml
|
|
@ -0,0 +1,4 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
commands:
|
||||||
|
- command: sleep 5
|
|
@ -0,0 +1,4 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
error:
|
||||||
|
- pod-assert.yaml
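Review bot: The wait for the pod to disappear depends on the `*/1 * * * *` schedule in policy.yaml plus controller latency, so the deletion can land close to or beyond kuttl's default 30s timeout, and the preceding `sleep 5` step does nothing to change that. Unless the suite raises the timeout (not visible here), this step can flake at the edge of the minute. Either document the dependency in the step, e.g. `# cleanup fires on the next minute boundary; the suite timeout must exceed 60s`, or raise the timeout where the suite is configured.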
|
|
@ -0,0 +1,5 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: example
|
||||||
|
namespace: default
|
|
@ -0,0 +1,9 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: example
|
||||||
|
namespace: default
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- image: nginx:latest
|
||||||
|
name: example
|
|
@ -0,0 +1,28 @@
|
||||||
|
apiVersion: kyverno.io/v2alpha1
|
||||||
|
kind: ClusterCleanupPolicy
|
||||||
|
metadata:
|
||||||
|
name: cleanup-pod
|
||||||
|
spec:
|
||||||
|
context:
|
||||||
|
- name: varNamespace
|
||||||
|
apiCall:
|
||||||
|
urlPath: "/api/v1/namespaces/default"
|
||||||
|
jmesPath: metadata.name
|
||||||
|
- name: varname
|
||||||
|
variable:
|
||||||
|
value: "example"
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Pod
|
||||||
|
conditions:
|
||||||
|
all:
|
||||||
|
- key: "{{ target.metadata.name }}"
|
||||||
|
operator: Equals
|
||||||
|
value: "{{ varname }}"
|
||||||
|
- key: "{{ target.metadata.namespace }}"
|
||||||
|
operator: Equals
|
||||||
|
value: "{{ varNamespace }}"
|
||||||
|
## execute every minute
|
||||||
|
schedule: "*/1 * * * *"
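Review bot: The `apiCall` at `urlPath: "/api/v1/namespaces/default"` needs `get` on `namespaces`, but the ClusterRole the test installs in rbac.yaml (the hunk ending at L4296) grants only `delete`/`list`/`get` on `pods`, so the step relies on permissions the `kyverno-cleanup-controller` service account already holds from its deployment. If that assumption is wrong the context load fails with a 403 and the pod is never deleted, which surfaces only as a timeout in the later `error:` step. Adding a rule for `resources: [namespaces]` with `verbs: [get]` to the test's ClusterRole makes the fixture self-contained; the mixed-case `varNamespace` is also worth lowercasing, since the validator's new class is `[a-z_0-9]` and the name presumably passes only by substring match.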
|
|
@ -0,0 +1,26 @@
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: test-cleanup-pod
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
verbs:
|
||||||
|
- delete
|
||||||
|
- list
|
||||||
|
- get
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: test-cleanup-pod
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: test-cleanup-pod
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: kyverno-cleanup-controller
|
||||||
|
namespace: kyverno
|
|
@ -0,0 +1,7 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
apply:
|
||||||
|
- file: cleanuppolicy-with-image-registry.yaml
|
||||||
|
shouldFail: true
|
||||||
|
- file: cleanuppolicy-with-configmap.yaml
|
||||||
|
shouldFail: true
|
|
@ -0,0 +1,25 @@
|
||||||
|
apiVersion: kyverno.io/v2alpha1
|
||||||
|
kind: ClusterCleanupPolicy
|
||||||
|
metadata:
|
||||||
|
name: cleanup-pod
|
||||||
|
spec:
|
||||||
|
context:
|
||||||
|
- name: configData
|
||||||
|
configMap:
|
||||||
|
name: some-config-map
|
||||||
|
namespace: default
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Pod
|
||||||
|
conditions:
|
||||||
|
all:
|
||||||
|
- key: "{{ target.metadata.name }}"
|
||||||
|
operator: Equals
|
||||||
|
value: example
|
||||||
|
- key: "{{ target.metadata.namespace }}"
|
||||||
|
operator: Equals
|
||||||
|
value: default
|
||||||
|
## execute every minute
|
||||||
|
schedule: "*/1 * * * *"
|
|
@ -0,0 +1,24 @@
|
||||||
|
apiVersion: kyverno.io/v2alpha1
|
||||||
|
kind: ClusterCleanupPolicy
|
||||||
|
metadata:
|
||||||
|
name: cleanup-pod
|
||||||
|
spec:
|
||||||
|
context:
|
||||||
|
- name: imageData
|
||||||
|
imageRegistry:
|
||||||
|
reference: "ghcr.io/kyverno/kyverno"
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Pod
|
||||||
|
conditions:
|
||||||
|
all:
|
||||||
|
- key: "{{ target.metadata.name }}"
|
||||||
|
operator: Equals
|
||||||
|
value: "example"
|
||||||
|
- key: "{{ target.metadata.namespace }}"
|
||||||
|
operator: Equals
|
||||||
|
value: default
|
||||||
|
## execute every minute
|
||||||
|
schedule: "*/1 * * * *"
|