feat: support variables for CEL in Kyverno policies (#8103)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
967536db7d
commit
10172ae8e0
18 changed files with 963 additions and 0 deletions
|
@ -447,6 +447,12 @@ type CEL struct {
|
|||
// AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
|
||||
// +optional
|
||||
AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`
|
||||
|
||||
// Variables contain definitions of variables that can be used in composition of other expressions.
|
||||
// Each variable is defined as a named CEL expression.
|
||||
// The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
// +optional
|
||||
Variables []v1alpha1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"`
|
||||
}
|
||||
|
||||
func (c *CEL) HasParam() bool {
|
||||
|
|
|
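Review bot: The new Variables field comment documents where variables are exposed but not the ordering contract the evaluator will impose, and nothing in this hunk constrains name uniqueness or identifier validity — the generated CRD text in this commit states "must be a valid CEL identifier and unique among all variables", but no validation marker on the field carries that. If evaluation delegates to the upstream admission-policy compiler (which looks likely given the `v1alpha1.Variable` element type), a duplicate name or a variable referenced before it is declared would surface only as a CEL compile error when the policy is evaluated against a request, rather than being rejected when the policy object is applied, so the type's validation path should check those constraints up front. I would extend the doc comment with `// Variables must be declared in the order they are first referenced, and each name must be a valid CEL identifier that is unique among all variables.` The CEL struct begins before this hunk and the body of HasParam continues after it.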
@ -238,6 +238,11 @@ func (in *CEL) DeepCopyInto(out *CEL) {
|
|||
*out = make([]v1alpha1.AuditAnnotation, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Variables != nil {
|
||||
in, out := &in.Variables, &out.Variables
|
||||
*out = make([]v1alpha1.Variable, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -6515,6 +6515,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -10827,6 +10856,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
@ -14857,6 +14916,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -19223,6 +19311,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
@ -23618,6 +23736,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -27931,6 +28078,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
@ -31962,6 +32139,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -36328,6 +36534,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
|
|
@ -2698,6 +2698,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -7010,6 +7039,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
@ -11040,6 +11099,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -15406,6 +15494,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
|
|
@ -2699,6 +2699,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -7012,6 +7041,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
@ -11043,6 +11102,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -15409,6 +15497,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
|
|
@ -6718,6 +6718,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -11030,6 +11059,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
@ -15060,6 +15119,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -19426,6 +19514,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
@ -23821,6 +23939,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -28134,6 +28281,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
@ -32165,6 +32342,35 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression that
|
||||
will be evaluated as the value of the variable.
|
||||
The CEL expression has access to the same identifiers
|
||||
as the CEL expressions in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier and
|
||||
unique among all variables. The variable can
|
||||
be accessed in other expressions through `variables`
|
||||
For example, if name is "foo", the variable
|
||||
will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or fail
|
||||
|
@ -36531,6 +36737,36 @@ spec:
|
|||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
variables:
|
||||
description: Variables contain definitions of variables
|
||||
that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under
|
||||
`variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
properties:
|
||||
expression:
|
||||
description: Expression is the expression
|
||||
that will be evaluated as the value of the
|
||||
variable. The CEL expression has access
|
||||
to the same identifiers as the CEL expressions
|
||||
in Validation.
|
||||
type: string
|
||||
name:
|
||||
description: Name is the name of the variable.
|
||||
The name must be a valid CEL identifier
|
||||
and unique among all variables. The variable
|
||||
can be accessed in other expressions through
|
||||
`variables` For example, if name is "foo",
|
||||
the variable will be available as `variables.foo`
|
||||
type: string
|
||||
required:
|
||||
- expression
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
description: Deny defines conditions used to pass or
|
||||
|
|
|
@ -1066,6 +1066,22 @@ Kubernetes admissionregistration/v1alpha1.ParamRef
|
|||
<p>AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>variables</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1alpha1-admissionregistration">
|
||||
[]Kubernetes admissionregistration/v1alpha1.Variable
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Variables contain definitions of variables that can be used in composition of other expressions.
|
||||
Each variable is defined as a named CEL expression.
|
||||
The variables defined here will be available under <code>variables</code> in other expressions of the policy.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
|
|
|
@ -29,6 +29,7 @@ type CELApplyConfiguration struct {
|
|||
ParamKind *v1alpha1.ParamKind `json:"paramKind,omitempty"`
|
||||
ParamRef *v1alpha1.ParamRef `json:"paramRef,omitempty"`
|
||||
AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty"`
|
||||
Variables []v1alpha1.Variable `json:"variables,omitempty"`
|
||||
}
|
||||
|
||||
// CELApplyConfiguration constructs an declarative configuration of the CEL type for use with
|
||||
|
@ -72,3 +73,13 @@ func (b *CELApplyConfiguration) WithAuditAnnotations(values ...v1alpha1.AuditAnn
|
|||
}
|
||||
return b
|
||||
}
|
||||
|
||||
// WithVariables adds the given value to the Variables field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the Variables field.
|
||||
func (b *CELApplyConfiguration) WithVariables(values ...v1alpha1.Variable) *CELApplyConfiguration {
|
||||
for i := range values {
|
||||
b.Variables = append(b.Variables, values[i])
|
||||
}
|
||||
return b
|
||||
}
|
||||
|
|
|
@ -68,6 +68,7 @@ func (h validateCELHandler) Process(
|
|||
// extract preconditions written as CEL expressions
|
||||
matchConditions := rule.CELPreconditions
|
||||
// extract CEL expressions used in validations and audit annotations
|
||||
variables := rule.Validation.CEL.Variables
|
||||
validations := rule.Validation.CEL.Expressions
|
||||
auditAnnotations := rule.Validation.CEL.AuditAnnotations
|
||||
|
||||
|
@ -75,6 +76,7 @@ func (h validateCELHandler) Process(
|
|||
validateExpressions := convertValidations(validations)
|
||||
messageExpressions := convertMessageExpressions(validations)
|
||||
auditExpressions := convertAuditAnnotations(auditAnnotations)
|
||||
variableExpressions := convertVariables(variables)
|
||||
|
||||
// get the parameter resource if exists
|
||||
if hasParam && h.client != nil {
|
||||
|
@ -106,6 +108,7 @@ func (h validateCELHandler) Process(
|
|||
if err != nil {
|
||||
return resource, handlers.WithError(rule, engineapi.Validation, "Error while creating composited compiler", err)
|
||||
}
|
||||
compositedCompiler.CompileAndStoreVariables(variableExpressions, optionalVars, environment.StoredExpressions)
|
||||
filter := compositedCompiler.Compile(validateExpressions, optionalVars, environment.StoredExpressions)
|
||||
messageExpressionfilter := compositedCompiler.Compile(messageExpressions, optionalVars, environment.StoredExpressions)
|
||||
auditAnnotationFilter := compositedCompiler.Compile(auditExpressions, optionalVars, environment.StoredExpressions)
|
||||
|
@ -206,3 +209,14 @@ func convertMatchExpressions(matchExpressions []admissionregistrationv1.MatchCon
|
|||
}
|
||||
return celExpressionAccessor
|
||||
}
|
||||
|
||||
func convertVariables(variables []admissionregistrationv1alpha1.Variable) []cel.NamedExpressionAccessor {
|
||||
namedExpressions := make([]cel.NamedExpressionAccessor, len(variables))
|
||||
for i, variable := range variables {
|
||||
namedExpressions[i] = &validatingadmissionpolicy.Variable{
|
||||
Name: variable.Name,
|
||||
Expression: variable.Expression,
|
||||
}
|
||||
}
|
||||
return namedExpressions
|
||||
}
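Review bot: `convertVariables` copies every `Name` into the compositor unchanged, and nothing in these hunks checks that variable names are unique or valid CEL identifiers, which the CRD description added by this same commit states as a requirement; a duplicate name would presumably only surface when the stored variable is evaluated, i.e. as an error on every matching admission request instead of once when the policy is created. I would reject such policies up front, at minimum by making `convertVariables` return an error for a repeated name (shown below) and having the caller handle it like the compiler error on the line before it: `variableExpressions, err := convertVariables(variables)` followed by `return resource, handlers.WithError(rule, engineapi.Validation, "Invalid CEL variables", err)`. The ordering at the call site is load-bearing and deserves a why-comment above `compositedCompiler.CompileAndStoreVariables(...)`: `// variables must be compiled and stored before the expressions that reference them as variables.<name>`. The existing comment `// extract CEL expressions used in validations and audit annotations` now also sits above the new `variables := ...` line; `// extract CEL variables and the expressions used in validations and audit annotations` would match what follows. `Process` starts and ends outside the hunks shown, so the caller-side change is described rather than quoted.
```go
// convertVariables turns the policy's CEL variables into compositor inputs.
// Duplicate names are rejected here so a misconfigured policy fails once, at policy
// processing time, rather than on every request that evaluates the variable.
func convertVariables(variables []admissionregistrationv1alpha1.Variable) ([]cel.NamedExpressionAccessor, error) {
	namedExpressions := make([]cel.NamedExpressionAccessor, 0, len(variables))
	seen := make(map[string]struct{}, len(variables))
	for _, variable := range variables {
		if _, dup := seen[variable.Name]; dup {
			return nil, fmt.Errorf("duplicate CEL variable name %q", variable.Name)
		}
		seen[variable.Name] = struct{}{}
		namedExpressions = append(namedExpressions, &validatingadmissionpolicy.Variable{
			Name:       variable.Name,
			Expression: variable.Expression,
		})
	}
	return namedExpressions, nil
}
```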
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- ns.yaml
|
||||
assert:
|
||||
- ns.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-assert.yaml
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- file: deployments-pass.yaml
|
||||
shouldFail: false
|
||||
- file: deployments-fail.yaml
|
||||
shouldFail: true
|
|
@ -0,0 +1,20 @@
|
|||
## Description
|
||||
|
||||
This test validates the use of variables in validate.cel subrule.
|
||||
|
||||
This test creates the following:
|
||||
1. Two namespaces: `production-ns` and `staging-ns`
|
||||
2. A policy that enforces that all containers of a deployment has the image repo match the environment label of its namespace. Except for "exempt" deployments, or any containers that do not belong to the "example.com" organization For example, if the namespace has a label of {"environment": "staging"}, all container images must be either staging.example.com/* or do not contain "example.com" at all, unless the deployment has {"exempt": "true"} label.
|
||||
3. Six deployments.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The following deployments is blocked:
|
||||
1. `deployment-fail-01`: It intended to be created in namespace `production-ns` but its container image is `staging.example.com/nginx` which violates the validation rule.
|
||||
2. `deployment-fail-02`: It intended to be created in namespace `staging-ns` but its container image is `example.com/nginx` which violates the validation rule.
|
||||
3. `deployment-fail-03`: It intended to be created in namespace `staging-ns` and it has a label of `exempt: "false"` but its container image is `example.com/nginx` which violates the validation rule.
|
||||
|
||||
The following deployments is created:
|
||||
1. `deployment-pass-01`, It is created in namespace `production-ns` and its container image is `prod.example.com/nginx`.
|
||||
2. `deployment-pass-02`, It is created in namespace `staging-ns` and its container image is `staging.example.com/nginx`.
|
||||
3. `deployment-pass-03`, It is created in namespace `staging-ns` and its container image is `example.com/nginx` but it has a label of `exempt: "true"` so it passes the validation rule.
|
|
@ -0,0 +1,58 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: deployment-fail-01
|
||||
namespace: production-ns
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: app
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: app
|
||||
spec:
|
||||
containers:
|
||||
- name: container2
|
||||
image: staging.example.com/nginx
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: deployment-fail-02
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: app
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: app
|
||||
spec:
|
||||
containers:
|
||||
- name: container2
|
||||
image: example.com/nginx
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: deployment-fail-03
|
||||
namespace: staging-ns
|
||||
labels:
|
||||
exempt: "false"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: app
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: app
|
||||
spec:
|
||||
containers:
|
||||
- name: container2
|
||||
image: example.com/nginx
|
|
@ -0,0 +1,58 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: deployment-pass-01
|
||||
namespace: production-ns
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: app
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: app
|
||||
spec:
|
||||
containers:
|
||||
- name: container2
|
||||
image: prod.example.com/nginx
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: deployment-pass-02
|
||||
namespace: staging-ns
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: app
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: app
|
||||
spec:
|
||||
containers:
|
||||
- name: container2
|
||||
image: staging.example.com/nginx
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: deployment-pass-03
|
||||
namespace: staging-ns
|
||||
labels:
|
||||
exempt: "true"
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: app
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: app
|
||||
spec:
|
||||
containers:
|
||||
- name: container2
|
||||
image: example.com/nginx
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: production-ns
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-ns
|
||||
labels:
|
||||
environment: staging
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: image-matches-namespace-environment.policy.example.com
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,28 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: image-matches-namespace-environment.policy.example.com
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
rules:
|
||||
- name: image-matches-namespace-environment
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
validate:
|
||||
cel:
|
||||
variables:
|
||||
- name: environment
|
||||
expression: "'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'"
|
||||
- name: exempt
|
||||
expression: "has(object.metadata.labels) && 'exempt' in object.metadata.labels && object.metadata.labels['exempt'] == 'true'"
|
||||
- name: containers
|
||||
expression: "object.spec.template.spec.containers"
|
||||
- name: containersToCheck
|
||||
expression: "variables.containers.filter(c, c.image.contains('example.com/'))"
|
||||
expressions:
|
||||
- expression: "variables.exempt || variables.containersToCheck.all(c, c.image.startsWith(variables.environment + '.'))"
|
||||
messageExpression: "'only ' + variables.environment + ' images are allowed in namespace ' + namespaceObject.metadata.name"
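Review bot: The `environment` variable reads `namespaceObject.metadata.labels` with no `has()` guard, while the `exempt` variable right below it guards `object.metadata.labels` with `has(object.metadata.labels)` first; `production-ns` in this test's ns.yaml is created without any labels, so the pass case for that namespace relies on a missing `labels` map being readable rather than raising a missing-key error, which I cannot confirm from these hunks. Guarding it the same way keeps the two variables consistent and removes that dependence: `expression: "has(namespaceObject.metadata.labels) && 'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'"`. Since this policy is likely to be copied as the reference example for CEL variables, a short comment above the `environment` variable stating that namespaces without the label are treated as `prod` would make that default explicit to policy authors.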
|