diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go
index 3425d42a5a..35caa4f4fe 100755
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@@ -180,30 +180,6 @@ var ConditionOperators = map[string]ConditionOperator{
"DurationLessThan": ConditionOperator("DurationLessThan"),
}
-// ExcludeResources specifies resource and admission review request data for
-// which a policy rule is not applicable.
-type ExcludeResources struct {
- // Any allows specifying resources which will be ORed
- // +optional
- Any ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"`
-
- // All allows specifying resources which will be ANDed
- // +optional
- All ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"`
-
- // UserInfo contains information about the user performing the operation.
- // Specifying UserInfo directly under exclude is being deprecated.
- // Please specify under "any" or "all" instead.
- // +optional
- UserInfo `json:",omitempty" yaml:",omitempty"`
-
- // ResourceDescription contains information about the resource being created or modified.
- // Specifying ResourceDescription directly under exclude is being deprecated.
- // Please specify under "any" or "all" instead.
- // +optional
- ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
-}
-
// ResourceFilters is a slice of ResourceFilter
type ResourceFilters []ResourceFilter
diff --git a/api/kyverno/v1/rule_types.go b/api/kyverno/v1/rule_types.go
index 41c61a6578..bb439c7dd4 100644
--- a/api/kyverno/v1/rule_types.go
+++ b/api/kyverno/v1/rule_types.go
@@ -32,7 +32,7 @@ type Rule struct {
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the name or role.
// +optional
- ExcludeResources ExcludeResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`
+ ExcludeResources MatchResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`
// Preconditions are used to determine if a policy rule should be applied by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
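Review bot: With `ExcludeResources` now typed as `MatchResources`, the exclude block inherits that type's field comments, and the regenerated CRDs in this commit describe `exclude.resources` with "Requires at least one tag to be specified when under MatchResources" and "directly under match is being deprecated". A policy author reading the schema for an exclude block gets match wording, and exclude is the block that names the requests for which a rule is not applicable, so the text should be unambiguous. I would reword the shared comment on `MatchResources`, e.g. `// Specifying ResourceDescription directly under match or exclude is being deprecated.`, and add a line to this field's comment such as `// ExcludeResources reuses the MatchResources schema; it selects requests for which the rule is not applicable.` Whether the at-least-one-tag requirement is enforced for exclude is not visible in this hunk and should be stated either way; the Rule struct starts and ends outside the hunk.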
diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go
index 1d9cdb930c..2260795430 100755
--- a/api/kyverno/v1/zz_generated.deepcopy.go
+++ b/api/kyverno/v1/zz_generated.deepcopy.go
@@ -305,37 +305,6 @@ func (in *Deny) DeepCopy() *Deny {
return out
}
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExcludeResources) DeepCopyInto(out *ExcludeResources) {
- *out = *in
- if in.Any != nil {
- in, out := &in.Any, &out.Any
- *out = make(ResourceFilters, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
- if in.All != nil {
- in, out := &in.All, &out.All
- *out = make(ResourceFilters, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
- in.UserInfo.DeepCopyInto(&out.UserInfo)
- in.ResourceDescription.DeepCopyInto(&out.ResourceDescription)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExcludeResources.
-func (in *ExcludeResources) DeepCopy() *ExcludeResources {
- if in == nil {
- return nil
- }
- out := new(ExcludeResources)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ForEachMutation) DeepCopyInto(out *ForEachMutation) {
*out = *in
diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml
index 4fa3e5501e..8b6c00581f 100644
--- a/charts/kyverno/templates/crds.yaml
+++ b/charts/kyverno/templates/crds.yaml
@@ -376,7 +376,7 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about the resource being created or modified. Specifying ResourceDescription directly under exclude is being deprecated. Please specify under "any" or "all" instead.
+ description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -1740,7 +1740,7 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about the resource being created or modified. Specifying ResourceDescription directly under exclude is being deprecated. Please specify under "any" or "all" instead.
+ description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -4256,7 +4256,7 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about the resource being created or modified. Specifying ResourceDescription directly under exclude is being deprecated. Please specify under "any" or "all" instead.
+ description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -5620,7 +5620,7 @@ spec:
type: string
type: array
resources:
- description: ResourceDescription contains information about the resource being created or modified. Specifying ResourceDescription directly under exclude is being deprecated. Please specify under "any" or "all" instead.
+ description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml
index e598232016..8d465e2b13 100644
--- a/config/crds/kyverno.io_clusterpolicies.yaml
+++ b/config/crds/kyverno.io_clusterpolicies.yaml
@@ -587,9 +587,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -2778,9 +2779,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml
index 25f180b11a..aefae23cc7 100644
--- a/config/crds/kyverno.io_policies.yaml
+++ b/config/crds/kyverno.io_policies.yaml
@@ -588,9 +588,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -2780,9 +2781,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
diff --git a/config/install.yaml b/config/install.yaml
index b08f6317b6..ecc3ade11b 100644
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -603,9 +603,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -2794,9 +2795,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -6498,9 +6500,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -8690,9 +8693,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
diff --git a/config/install_debug.yaml b/config/install_debug.yaml
index b9ee7b3c58..446afa2023 100755
--- a/config/install_debug.yaml
+++ b/config/install_debug.yaml
@@ -592,9 +592,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -2783,9 +2784,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -6463,9 +6465,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
@@ -8655,9 +8658,10 @@ spec:
type: array
resources:
description: ResourceDescription contains information about
- the resource being created or modified. Specifying ResourceDescription
- directly under exclude is being deprecated. Please specify
- under "any" or "all" instead.
+ the resource being created or modified. Requires at least
+ one tag to be specified when under MatchResources. Specifying
+ ResourceDescription directly under match is being deprecated.
+ Please specify under "any" or "all" instead.
properties:
annotations:
additionalProperties:
diff --git a/docs/crd/v1/index.html b/docs/crd/v1/index.html
index 52818bee42..05ac040c72 100644
--- a/docs/crd/v1/index.html
+++ b/docs/crd/v1/index.html
@@ -703,87 +703,6 @@ See: htt
-(Appears on:
-Rule)
-
- ExcludeResources specifies resource and admission review request data for
-which a policy rule is not applicable.
-ExcludeResources
-
-
Field | -Description | -
---|---|
-any
-
-
-ResourceFilters
-
-
- |
-
-(Optional)
- Any allows specifying resources which will be ORed - |
-
-all
-
-
-ResourceFilters
-
-
- |
-
-(Optional)
- All allows specifying resources which will be ANDed - |
-
-UserInfo
-
-
-UserInfo
-
-
- |
-
-(Optional)
- UserInfo contains information about the user performing the operation. -Specifying UserInfo directly under exclude is being deprecated. -Please specify under “any” or “all” instead. - |
-
-resources
-
-
-ResourceDescription
-
-
- |
-
-(Optional)
- ResourceDescription contains information about the resource being created or modified. -Specifying ResourceDescription directly under exclude is being deprecated. -Please specify under “any” or “all” instead. - |
-
string
alias)@@ -1952,7 +1871,6 @@ Kubernetes authentication/v1.UserInfo
(Appears on: -ExcludeResources, MatchResources, ResourceFilter)
@@ -2118,7 +2036,6 @@ ResourceDescription ([]./api/kyverno/v1.ResourceFilter
alias)
(Appears on: -ExcludeResources, MatchResources)
@@ -2257,8 +2174,8 @@ At least one kind is required.
exclude
-
-ExcludeResources
+
+MatchResources
(Appears on: -ExcludeResources, MatchResources, ResourceFilter)
diff --git a/pkg/autogen/rule.go b/pkg/autogen/rule.go
index 746bb9e11f..9edfaabd55 100644
--- a/pkg/autogen/rule.go
+++ b/pkg/autogen/rule.go
@@ -25,7 +25,7 @@ import (
 type kyvernoRule struct {
 Name string `json:"name"`
 MatchResources *kyverno.MatchResources `json:"match"`
- ExcludeResources *kyverno.ExcludeResources `json:"exclude,omitempty"`
+ ExcludeResources *kyverno.MatchResources `json:"exclude,omitempty"`
 Context *[]kyverno.ContextEntry `json:"context,omitempty"`
 AnyAllConditions *apiextensions.JSON `json:"preconditions,omitempty"`
 Mutation *kyverno.Mutation `json:"mutate,omitempty"`
@@ -44,7 +44,7 @@ func createRuleMap(rules []kyverno.Rule) map[string]kyvernoRule {
 jsonFriendlyStruct.MatchResources = rule.MatchResources.DeepCopy()
 }
- if !reflect.DeepEqual(rule.ExcludeResources, kyverno.ExcludeResources{}) {
+ if !reflect.DeepEqual(rule.ExcludeResources, kyverno.MatchResources{}) {
 jsonFriendlyStruct.ExcludeResources = rule.ExcludeResources.DeepCopy()
 }
@@ -133,7 +133,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 }
 }
- if !reflect.DeepEqual(exclude, kyverno.ExcludeResources{}) {
+ if !reflect.DeepEqual(exclude, kyverno.MatchResources{}) {
 controllerRule.ExcludeResources = exclude.DeepCopy()
 }
diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go
index 56e1a85dac..61c53aa59f 100644
--- a/pkg/engine/utils_test.go
+++ b/pkg/engine/utils_test.go
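Review bot: The emptiness test `reflect.DeepEqual(rule.ExcludeResources, kyverno.MatchResources{})` in createRuleMap distinguishes a nil slice from an empty non-nil one, so an exclude block that decodes to empty `any` or `all` lists would count as set and be copied into the generated rule. The same comparison is repeated in generateRuleForControllers and in doMatchAndExcludeConflict in pkg/policy/validate.go, where it decides whether the match/exclude conflict check runs at all. Now that match and exclude share one type, a single method on it could carry the check, e.g. `func (m *MatchResources) IsEmpty() bool`, using `len(m.Any) == 0 && len(m.All) == 0` plus the embedded UserInfo and ResourceDescription fields. How those embedded types should be tested for emptiness is not visible here, so only the signature is proposed; all three functions continue outside their hunks.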
@@ -1302,7 +1302,7 @@ func TestResourceDescriptionExclude_Label_Expression_Match(t *testing.T) {
 }
 rule := v1.Rule{MatchResources: v1.MatchResources{ResourceDescription: resourceDescription},
- ExcludeResources: v1.ExcludeResources{ResourceDescription: resourceDescriptionExclude}}
+ ExcludeResources: v1.MatchResources{ResourceDescription: resourceDescriptionExclude}}
 if err := MatchesResourceDescription(*resource, rule, v1.RequestInfo{}, []string{}, nil, ""); err == nil {
 t.Errorf("Testcase has failed due to the following:\n Function has returned no error, even though it was supposed to fail")
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index e358f85260..1930347421 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -559,7 +559,7 @@ func doMatchAndExcludeConflict(rule kyverno.Rule) bool {
 return false
 }
- if reflect.DeepEqual(rule.ExcludeResources, kyverno.ExcludeResources{}) {
+ if reflect.DeepEqual(rule.ExcludeResources, kyverno.MatchResources{}) {
 return false
 }