mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 18:38:40 +00:00

refactor: replace ExcludeResources by MatchResources (#3444)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Charles-Edouard Brétéché 2022-03-22 15:24:40 +01:00 committed by GitHub
parent 51254b2d5a
commit 11bbb4f83e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 60 additions and 187 deletions


@ -180,30 +180,6 @@ var ConditionOperators = map[string]ConditionOperator{
"DurationLessThan": ConditionOperator("DurationLessThan"),
}
// ExcludeResources specifies resource and admission review request data for
// which a policy rule is not applicable.
type ExcludeResources struct {
// Any allows specifying resources which will be ORed
// +optional
Any ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"`
// All allows specifying resources which will be ANDed
// +optional
All ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"`
// UserInfo contains information about the user performing the operation.
// Specifying UserInfo directly under exclude is being deprecated.
// Please specify under "any" or "all" instead.
// +optional
UserInfo `json:",omitempty" yaml:",omitempty"`
// ResourceDescription contains information about the resource being created or modified.
// Specifying ResourceDescription directly under exclude is being deprecated.
// Please specify under "any" or "all" instead.
// +optional
ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}
// ResourceFilters is a slice of ResourceFilter
type ResourceFilters []ResourceFilter


@ -32,7 +32,7 @@ type Rule struct {
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the name or role.
// +optional
ExcludeResources ExcludeResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`
ExcludeResources MatchResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`
// Preconditions are used to determine if a policy rule should be applied by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
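Review bot: The `ExcludeResources` field now inherits its nested documentation from `MatchResources`, and the CRD descriptions regenerated later in this commit show the effect: `exclude.resources` is described with "Requires at least one tag to be specified when under MatchResources" and "directly under match is being deprecated". That wording presumably comes from the comments on the `MatchResources` type, which are not shown here, and it is misleading for an exclude block, which decides which resources a rule skips. I would reword the shared comment neutrally, for example `// Specifying ResourceDescription directly under match or exclude is being deprecated.`, and regenerate the CRDs and docs. It is also worth confirming that any validation written for match, such as the "at least one tag" requirement, is not now applied to exclude by accident. The Rule struct continues outside this hunk.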


@ -305,37 +305,6 @@ func (in *Deny) DeepCopy() *Deny {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ExcludeResources) DeepCopyInto(out *ExcludeResources) {
*out = *in
if in.Any != nil {
in, out := &in.Any, &out.Any
*out = make(ResourceFilters, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.All != nil {
in, out := &in.All, &out.All
*out = make(ResourceFilters, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
in.UserInfo.DeepCopyInto(&out.UserInfo)
in.ResourceDescription.DeepCopyInto(&out.ResourceDescription)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExcludeResources.
func (in *ExcludeResources) DeepCopy() *ExcludeResources {
if in == nil {
return nil
}
out := new(ExcludeResources)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ForEachMutation) DeepCopyInto(out *ForEachMutation) {
*out = *in


@ -376,7 +376,7 @@ spec:
type: string
type: array
resources:
description: ResourceDescription contains information about the resource being created or modified. Specifying ResourceDescription directly under exclude is being deprecated. Please specify under "any" or "all" instead.
description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -1740,7 +1740,7 @@ spec:
type: string
type: array
resources:
description: ResourceDescription contains information about the resource being created or modified. Specifying ResourceDescription directly under exclude is being deprecated. Please specify under "any" or "all" instead.
description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -4256,7 +4256,7 @@ spec:
type: string
type: array
resources:
description: ResourceDescription contains information about the resource being created or modified. Specifying ResourceDescription directly under exclude is being deprecated. Please specify under "any" or "all" instead.
description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -5620,7 +5620,7 @@ spec:
type: string
type: array
resources:
description: ResourceDescription contains information about the resource being created or modified. Specifying ResourceDescription directly under exclude is being deprecated. Please specify under "any" or "all" instead.
description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:


@ -587,9 +587,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -2778,9 +2779,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:


@ -588,9 +588,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -2780,9 +2781,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:


@ -603,9 +603,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -2794,9 +2795,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -6498,9 +6500,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -8690,9 +8693,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:


@ -592,9 +592,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -2783,9 +2784,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -6463,9 +6465,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@ -8655,9 +8658,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified. Specifying ResourceDescription
directly under exclude is being deprecated. Please specify
under "any" or "all" instead.
the resource being created or modified. Requires at least
one tag to be specified when under MatchResources. Specifying
ResourceDescription directly under match is being deprecated.
Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:


@ -703,87 +703,6 @@ See: <a href="https://kyverno.io/docs/writing-policies/validate/#deny-rules">htt
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.ExcludeResources">ExcludeResources
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.Rule">Rule</a>)
</p>
<p>
<p>ExcludeResources specifies resource and admission review request data for
which a policy rule is not applicable.</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>any</code></br>
<em>
<a href="#kyverno.io/v1.ResourceFilters">
ResourceFilters
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Any allows specifying resources which will be ORed</p>
</td>
</tr>
<tr>
<td>
<code>all</code></br>
<em>
<a href="#kyverno.io/v1.ResourceFilters">
ResourceFilters
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>All allows specifying resources which will be ANDed</p>
</td>
</tr>
<tr>
<td>
<code>UserInfo</code></br>
<em>
<a href="#kyverno.io/v1.UserInfo">
UserInfo
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>UserInfo contains information about the user performing the operation.
Specifying UserInfo directly under exclude is being deprecated.
Please specify under &ldquo;any&rdquo; or &ldquo;all&rdquo; instead.</p>
</td>
</tr>
<tr>
<td>
<code>resources</code></br>
<em>
<a href="#kyverno.io/v1.ResourceDescription">
ResourceDescription
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>ResourceDescription contains information about the resource being created or modified.
Specifying ResourceDescription directly under exclude is being deprecated.
Please specify under &ldquo;any&rdquo; or &ldquo;all&rdquo; instead.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.FailurePolicyType">FailurePolicyType
(<code>string</code> alias)</p></h3>
<p>
@ -1952,7 +1871,6 @@ Kubernetes authentication/v1.UserInfo
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.ExcludeResources">ExcludeResources</a>,
<a href="#kyverno.io/v1.MatchResources">MatchResources</a>,
<a href="#kyverno.io/v1.ResourceFilter">ResourceFilter</a>)
</p>
@ -2118,7 +2036,6 @@ ResourceDescription
(<code>[]./api/kyverno/v1.ResourceFilter</code> alias)</p></h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.ExcludeResources">ExcludeResources</a>,
<a href="#kyverno.io/v1.MatchResources">MatchResources</a>)
</p>
<p>
@ -2257,8 +2174,8 @@ At least one kind is required.</p>
<td>
<code>exclude</code></br>
<em>
<a href="#kyverno.io/v1.ExcludeResources">
ExcludeResources
<a href="#kyverno.io/v1.MatchResources">
MatchResources
</a>
</em>
</td>
@ -2468,7 +2385,6 @@ based on the failure policy. The default timeout is 10s, the value must be betwe
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.ExcludeResources">ExcludeResources</a>,
<a href="#kyverno.io/v1.MatchResources">MatchResources</a>,
<a href="#kyverno.io/v1.ResourceFilter">ResourceFilter</a>)
</p>


@ -25,7 +25,7 @@ import (
type kyvernoRule struct {
Name string `json:"name"`
MatchResources *kyverno.MatchResources `json:"match"`
ExcludeResources *kyverno.ExcludeResources `json:"exclude,omitempty"`
ExcludeResources *kyverno.MatchResources `json:"exclude,omitempty"`
Context *[]kyverno.ContextEntry `json:"context,omitempty"`
AnyAllConditions *apiextensions.JSON `json:"preconditions,omitempty"`
Mutation *kyverno.Mutation `json:"mutate,omitempty"`
@ -44,7 +44,7 @@ func createRuleMap(rules []kyverno.Rule) map[string]kyvernoRule {
jsonFriendlyStruct.MatchResources = rule.MatchResources.DeepCopy()
}
if !reflect.DeepEqual(rule.ExcludeResources, kyverno.ExcludeResources{}) {
if !reflect.DeepEqual(rule.ExcludeResources, kyverno.MatchResources{}) {
jsonFriendlyStruct.ExcludeResources = rule.ExcludeResources.DeepCopy()
}
@ -133,7 +133,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
}
}
if !reflect.DeepEqual(exclude, kyverno.ExcludeResources{}) {
if !reflect.DeepEqual(exclude, kyverno.MatchResources{}) {
controllerRule.ExcludeResources = exclude.DeepCopy()
}
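Review bot: The emptiness test `reflect.DeepEqual(x, kyverno.MatchResources{})` is spelled out against a type literal in createRuleMap, in generateRuleForControllers, and again in doMatchAndExcludeConflict in the last file section, which is why this type swap had to touch every call site. A single helper on the type would keep the check in one place, for example a method (name is only a suggestion) `func (m MatchResources) IsEmpty() bool { return reflect.DeepEqual(m, MatchResources{}) }`. Note also that reflect.DeepEqual treats a non-nil empty slice as different from nil, so an exclude whose `any` or `all` decodes to an empty list would likely count as non-empty in all three places. If that is not intended, the helper is where to handle it and document it. All three functions begin or end outside their hunks.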


@ -1302,7 +1302,7 @@ func TestResourceDescriptionExclude_Label_Expression_Match(t *testing.T) {
}
rule := v1.Rule{MatchResources: v1.MatchResources{ResourceDescription: resourceDescription},
ExcludeResources: v1.ExcludeResources{ResourceDescription: resourceDescriptionExclude}}
ExcludeResources: v1.MatchResources{ResourceDescription: resourceDescriptionExclude}}
if err := MatchesResourceDescription(*resource, rule, v1.RequestInfo{}, []string{}, nil, ""); err == nil {
t.Errorf("Testcase has failed due to the following:\n Function has returned no error, even though it was supposed to fail")


@ -559,7 +559,7 @@ func doMatchAndExcludeConflict(rule kyverno.Rule) bool {
return false
}
if reflect.DeepEqual(rule.ExcludeResources, kyverno.ExcludeResources{}) {
if reflect.DeepEqual(rule.ExcludeResources, kyverno.MatchResources{}) {
return false
}