diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go
index 46d47a710a..b68709c5f9 100644
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@@ -447,6 +447,12 @@ type CEL struct {
 // AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
 // +optional
 AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`
+
+ // Variables contain definitions of variables that can be used in composition of other expressions.
+ // Each variable is defined as a named CEL expression.
+ // The variables defined here will be available under `variables` in other expressions of the policy.
+ // +optional
+ Variables []v1alpha1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"`
 }
 
 func (c *CEL) HasParam() bool {
diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go
index 00f6d2b168..99e609353b 100755
--- a/api/kyverno/v1/zz_generated.deepcopy.go
+++ b/api/kyverno/v1/zz_generated.deepcopy.go
@@ -238,6 +238,11 @@ func (in *CEL) DeepCopyInto(out *CEL) {
 *out = make([]v1alpha1.AuditAnnotation, len(*in))
 copy(*out, *in)
 }
+ if in.Variables != nil {
+ in, out := &in.Variables, &out.Variables
+ *out = make([]v1alpha1.Variable, len(*in))
+ copy(*out, *in)
+ }
 return
 }
 
diff --git a/charts/kyverno/templates/crds/crds.yaml b/charts/kyverno/templates/crds/crds.yaml
index 41ee260efe..e8fd336c43 100644
--- a/charts/kyverno/templates/crds/crds.yaml
+++ b/charts/kyverno/templates/crds/crds.yaml
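Review bot: The new `Variables` field is declared with only `+optional`, so the generated schema (the crds.yaml hunks further down) requires `name` and `expression` on each entry but does not enforce that names are unique or valid CEL identifiers, which the item description copied from the upstream `Variable` type promises. Declaring the list as a keyed map, `// +listType=map` and `// +listMapKey=name` above the field, would let the API server reject duplicate names on admission; identifier syntax would still need a check in policy validation, which this diff does not touch. The enclosing `CEL` struct starts before the hunk.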
@@ -6515,6 +6515,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -10827,6 +10856,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -14857,6 +14916,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -19223,6 +19311,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -23618,6 +23736,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -27931,6 +28078,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -31962,6 +32139,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -36328,6 +36534,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 487fb97907..100e463c68 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml 
@@ -2698,6 +2698,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -7010,6 +7039,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -11040,6 +11099,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -15406,6 +15494,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 97120d76b2..b52b6ec5b5 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml 
@@ -2699,6 +2699,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -7012,6 +7041,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -11043,6 +11102,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -15409,6 +15497,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index bfcec41163..0c93ef12de 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -6718,6 +6718,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -11030,6 +11059,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -15060,6 +15119,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -19426,6 +19514,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -23821,6 +23939,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -28134,6 +28281,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or 
@@ -32165,6 +32342,35 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or fail 
@@ -36531,6 +36737,36 @@ spec: x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array type: object deny: description: Deny defines conditions used to pass or diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 40b63ee24b..ab7d19a108 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -1066,6 +1066,22 @@ Kubernetes admissionregistration/v1alpha1.ParamRef

AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.

+ + +variables
+ + +[]Kubernetes admissionregistration/v1alpha1.Variable + + + + +(Optional) +

Variables contain definitions of variables that can be used in composition of other expressions. +Each variable is defined as a named CEL expression. +The variables defined here will be available under variables in other expressions of the policy.

+ +
diff --git a/pkg/client/applyconfigurations/kyverno/v1/cel.go b/pkg/client/applyconfigurations/kyverno/v1/cel.go
index d776c63e13..aba9af9f76 100644
--- a/pkg/client/applyconfigurations/kyverno/v1/cel.go
+++ b/pkg/client/applyconfigurations/kyverno/v1/cel.go
@@ -29,6 +29,7 @@ type CELApplyConfiguration struct {
 ParamKind *v1alpha1.ParamKind `json:"paramKind,omitempty"`
 ParamRef *v1alpha1.ParamRef `json:"paramRef,omitempty"`
 AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty"`
+ Variables []v1alpha1.Variable `json:"variables,omitempty"`
 }
 
 // CELApplyConfiguration constructs an declarative configuration of the CEL type for use with
@@ -72,3 +73,13 @@ func (b *CELApplyConfiguration) WithAuditAnnotations(values ...v1alpha1.AuditAnn
 }
 return b
 }
+
+// WithVariables adds the given value to the Variables field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Variables field.
+func (b *CELApplyConfiguration) WithVariables(values ...v1alpha1.Variable) *CELApplyConfiguration {
+ for i := range values {
+ b.Variables = append(b.Variables, values[i])
+ }
+ return b
+}
diff --git a/pkg/engine/handlers/validation/validate_cel.go b/pkg/engine/handlers/validation/validate_cel.go
index bcf7e1f13e..6d52ae4b24 100644
--- a/pkg/engine/handlers/validation/validate_cel.go
+++ b/pkg/engine/handlers/validation/validate_cel.go
@@ -68,6 +68,7 @@ func (h validateCELHandler) Process(
 // extract preconditions written as CEL expressions
 matchConditions := rule.CELPreconditions
 // extract CEL expressions used in validations and audit annotations
+ variables := rule.Validation.CEL.Variables
 validations := rule.Validation.CEL.Expressions
 auditAnnotations := rule.Validation.CEL.AuditAnnotations
 
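Review bot: The comment `// extract CEL expressions used in validations and audit annotations` directly above the added `variables := rule.Validation.CEL.Variables` now undersells the block, which also collects the variable definitions; `// extract CEL expressions used in variables, validations and audit annotations` keeps it accurate. The enclosing `Process` method starts and ends outside the hunk.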
@@ -75,6 +76,7 @@ func (h validateCELHandler) Process(
 validateExpressions := convertValidations(validations)
 messageExpressions := convertMessageExpressions(validations)
 auditExpressions := convertAuditAnnotations(auditAnnotations)
+ variableExpressions := convertVariables(variables)
 // get the parameter resource if exists
 if hasParam && h.client != nil {
@@ -106,6 +108,7 @@ func (h validateCELHandler) Process(
 if err != nil {
 return resource, handlers.WithError(rule, engineapi.Validation, "Error while creating composited compiler", err)
 }
+ compositedCompiler.CompileAndStoreVariables(variableExpressions, optionalVars, environment.StoredExpressions)
 filter := compositedCompiler.Compile(validateExpressions, optionalVars, environment.StoredExpressions)
 messageExpressionfilter := compositedCompiler.Compile(messageExpressions, optionalVars, environment.StoredExpressions)
 auditAnnotationFilter := compositedCompiler.Compile(auditExpressions, optionalVars, environment.StoredExpressions)
@@ -206,3 +209,14 @@ func convertMatchExpressions(matchExpressions []admissionregistrationv1.MatchCon
 }
 return celExpressionAccessor
 }
+
+func convertVariables(variables []admissionregistrationv1alpha1.Variable) []cel.NamedExpressionAccessor {
+ namedExpressions := make([]cel.NamedExpressionAccessor, len(variables))
+ for i, variable := range variables {
+ namedExpressions[i] = &validatingadmissionpolicy.Variable{
+ Name: variable.Name,
+ Expression: variable.Expression,
+ }
+ }
+ return namedExpressions
+}
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/01-ns.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/01-ns.yaml
new file mode 100644
index 0000000000..1427e92e17
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/01-ns.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- ns.yaml
+assert:
+- ns.yaml
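Review bot: The new `compositedCompiler.CompileAndStoreVariables(...)` call in the `@@ -106` hunk has to run before the three `Compile` calls that follow it, since those expressions resolve `variables.<name>` against what was stored, but nothing in the code records that ordering constraint; a comment such as `// variables must be compiled and stored before the expressions that reference them via variables.<name>` would keep a later reorder from silently breaking policies. The call returns nothing, so a variable that fails to compile is not reported at this point; presumably it surfaces only as an evaluation error when a validation or message expression references it, which is worth stating in that comment because the policy author sees the failure far from its cause. The name constraints the CRD description promises (valid CEL identifier, unique among variables) are not checked on this path, so unless the policy validation webhook enforces them, a duplicate or malformed name reaches the compiler unchecked. Process starts before this hunk and continues after it.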
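Review bot: convertVariables in the `@@ -206` hunk has no doc comment, and a reader has to know the composited compiler's contract to see why a plain `Variable` is wrapped in `validatingadmissionpolicy.Variable`. Suggested comment: `// convertVariables wraps each policy variable as a cel.NamedExpressionAccessor so the composited compiler can compile it and expose its value to later expressions as variables.<name>; the slice preserves declaration order.` The preserved order matters if a later variable may reference an earlier one, which the added policy.yaml fixture does with `variables.containers`, so it is worth saying explicitly.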
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/02-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/02-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/02-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/03-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/03-resources.yaml
new file mode 100644
index 0000000000..3cd9308b0a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/03-resources.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: deployments-pass.yaml
+ shouldFail: false
+- file: deployments-fail.yaml
+ shouldFail: true
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/README.md
new file mode 100644
index 0000000000..da0fd3a0df
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/README.md
@@ -0,0 +1,20 @@
+## Description
+
+This test validates the use of variables in validate.cel subrule.
+
+This test creates the following:
+1. Two namespaces: `production-ns` and `staging-ns`
+2. A policy that enforces that all containers of a deployment has the image repo match the environment label of its namespace. Except for "exempt" deployments, or any containers that do not belong to the "example.com" organization For example, if the namespace has a label of {"environment": "staging"}, all container images must be either staging.example.com/* or do not contain "example.com" at all, unless the deployment has {"exempt": "true"} label.
+3. Six deployments.
+
+## Expected Behavior
+
+The following deployments is blocked:
+1. `deployment-fail-01`: It intended to be created in namespace `production-ns` but its container image is `staging.example.com/nginx` which violates the validation rule.
+2. `deployment-fail-02`: It intended to be created in namespace `staging-ns` but its container image is `example.com/nginx` which violates the validation rule.
+3. `deployment-fail-03`: It intended to be created in namespace `staging-ns` and it has a label of `exempt: "false"` but its container image is `example.com/nginx` which violates the validation rule.
+
+The following deployments is created:
+1. `deployment-pass-01`, It is created in namespace `production-ns` and its container image is `prod.example.com/nginx`.
+2. `deployment-pass-02`, It is created in namespace `staging-ns` and its container image is `staging.example.com/nginx`.
+3. `deployment-pass-03`, It is created in namespace `staging-ns` and its container image is `example.com/nginx` but it has a label of `exempt: "true"` so it passes the validation rule.
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/deployments-fail.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/deployments-fail.yaml
new file mode 100644
index 0000000000..19068b5f63
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/deployments-fail.yaml
@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-fail-01
+ namespace: production-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container2
+ image: staging.example.com/nginx
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-fail-02
+ namespace: staging-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container2
+ image: example.com/nginx
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-fail-03
+ namespace: staging-ns
+ labels:
+ exempt: "false"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container2
+ image: example.com/nginx
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/deployments-pass.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/deployments-pass.yaml
new file mode 100644
index 0000000000..8ec7ba2e2e
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/deployments-pass.yaml
@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-pass-01
+ namespace: production-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container2
+ image: prod.example.com/nginx
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-pass-02
+ namespace: staging-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container2
+ image: staging.example.com/nginx
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-pass-03
+ namespace: staging-ns
+ labels:
+ exempt: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container2
+ image: example.com/nginx
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/ns.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/ns.yaml
new file mode 100644
index 0000000000..a9dc28210c
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/ns.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: production-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: staging-ns
+ labels:
+ environment: staging
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/policy-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/policy-assert.yaml
new file mode 100644
index 0000000000..acb6a9fa1c
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: image-matches-namespace-environment.policy.example.com
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml
new file mode 100644
index 0000000000..e1274adcdf
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: image-matches-namespace-environment.policy.example.com
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: image-matches-namespace-environment
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ validate:
+ cel:
+ variables:
+ - name: environment
+ expression: "'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'"
+ - name: exempt
+ expression: "has(object.metadata.labels) && 'exempt' in object.metadata.labels && object.metadata.labels['exempt'] == 'true'"
+ - name: containers
+ expression: "object.spec.template.spec.containers"
+ - name: containersToCheck
+ expression: "variables.containers.filter(c, c.image.contains('example.com/'))"
+ expressions:
+ - expression: "variables.exempt || variables.containersToCheck.all(c, c.image.startsWith(variables.environment + '.'))"
+ messageExpression: "'only ' + variables.environment + ' images are allowed in namespace ' + namespaceObject.metadata.name"
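Review bot: The `environment` variable reads `namespaceObject.metadata.labels` without a `has()` guard, while the `exempt` variable two lines below does guard `object.metadata.labels`; `production-ns` in ns.yaml is declared with no labels, so the fixture presumably only evaluates because the API server adds the `kubernetes.io/metadata.name` label to every namespace, and a missing-field error would otherwise be reported as an evaluation error rather than the default `'prod'`. Making the fixture state that assumption is a one-line change: `expression: "has(namespaceObject.metadata.labels) && 'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'"`. Separately, `c.image.contains('example.com/')` and `startsWith(variables.environment + '.')` are substring and prefix checks on the image reference rather than a registry-host comparison, which is fine for exercising variable composition but the README should not present the policy as an organisation-level image control.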