diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go
index 46d47a710a..b68709c5f9 100644
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@@ -447,6 +447,12 @@ type CEL struct {
 // AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
 // +optional
 AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`
+
+ // Variables contain definitions of variables that can be used in composition of other expressions.
+ // Each variable is defined as a named CEL expression.
+ // The variables defined here will be available under `variables` in other expressions of the policy.
+ // +optional
+ Variables []v1alpha1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"`
 }
 
 func (c *CEL) HasParam() bool {
diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go
index 00f6d2b168..99e609353b 100755
--- a/api/kyverno/v1/zz_generated.deepcopy.go
+++ b/api/kyverno/v1/zz_generated.deepcopy.go
@@ -238,6 +238,11 @@ func (in *CEL) DeepCopyInto(out *CEL) { *out = make([]v1alpha1.AuditAnnotation, len(*in)) copy(*out, *in) } + if in.Variables != nil { + in, out := &in.Variables, &out.Variables + *out = make([]v1alpha1.Variable, len(*in)) + copy(*out, *in) + } return }
diff --git a/charts/kyverno/templates/crds/crds.yaml b/charts/kyverno/templates/crds/crds.yaml
index 41ee260efe..e8fd336c43 100644
--- a/charts/kyverno/templates/crds/crds.yaml
+++ b/charts/kyverno/templates/crds/crds.yaml
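Review bot: In `api/kyverno/v1/common_types.go`, the new `Variables` field is declared with only `// +optional`, so nothing in the schema enforces the rule the CRD description gives for `name` ("unique among all variables"); the regenerated CRD sections emit a bare `type: array` with no list-type keys. Adding `// +listType=map` and `// +listMapKey=name` above the field would make the API server reject a policy with duplicate variable names when it is created, rather than leaving that to Kyverno's own policy validation, which is not visible in this diff; without a check somewhere, a duplicate name would leave it unclear which expression a rule reading `variables.foo` actually evaluates. The field comment could also state whether one variable may reference another and in what order they are evaluated, since validation expressions depend on that. The `CEL` struct begins before this hunk and `HasParam`'s body continues after it.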
@@ -6515,6 +6515,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -10827,6 +10856,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -14857,6 +14916,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -19223,6 +19311,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -23618,6 +23736,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -27931,6 +28078,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -31962,6 +32139,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -36328,6 +36534,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 487fb97907..100e463c68 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml 
@@ -2698,6 +2698,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -7010,6 +7039,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -11040,6 +11099,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -15406,6 +15494,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 97120d76b2..b52b6ec5b5 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml 
@@ -2699,6 +2699,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -7012,6 +7041,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -11043,6 +11102,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -15409,6 +15497,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index bfcec41163..0c93ef12de 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -6718,6 +6718,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -11030,6 +11059,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -15060,6 +15119,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -19426,6 +19514,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -23821,6 +23939,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -28134,6 +28281,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -32165,6 +32342,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -36531,6 +36737,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 40b63ee24b..ab7d19a108 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -1066,6 +1066,22 @@ Kubernetes admissionregistration/v1alpha1.ParamRef
AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
+variables
Variables contain definitions of variables that can be used in composition of other expressions.
+Each variable is defined as a named CEL expression.
+The variables defined here will be available under variables
in other expressions of the policy.