allowing users to skip policy validation when mutating resources (#2365)

* allowing users to skip policy validation when mutating resources * fix unit test issue * fix comment
2025-04-08 18:15:48 +00:00 · 2021-09-08 10:42:44 +05:30 · 2021-09-08 10:42:44 +05:30 · 12530619ce
commit 12530619ce
parent 511db4372b
6 changed files with 37 additions and 3 deletions
--- a/definitions/crds/kyverno.io_clusterpolicies.yaml
+++ b/definitions/crds/kyverno.io_clusterpolicies.yaml
@ -1518,6 +1518,11 @@ spec:
                      type: array
                  type: object
                type: array
+              schemaValidation:
+                description: SchemaValidation skips policy validation checks. Optional.
+                  The default value is set to "true", it must be set to "false" to
+                  disable the validation checks.
+                type: boolean
              validationFailureAction:
                description: ValidationFailureAction controls if a validation policy
                  rule failure should disallow the admission review request (enforce),
--- a/definitions/crds/kyverno.io_policies.yaml
+++ b/definitions/crds/kyverno.io_policies.yaml
@ -1519,6 +1519,11 @@ spec:
                      type: array
                  type: object
                type: array
+              schemaValidation:
+                description: SchemaValidation skips policy validation checks. Optional.
+                  The default value is set to "true", it must be set to "false" to
+                  disable the validation checks.
+                type: boolean
              validationFailureAction:
                description: ValidationFailureAction controls if a validation policy
                  rule failure should disallow the admission review request (enforce),
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -956,6 +956,11 @@ spec:
                      type: array
                  type: object
                type: array
+              schemaValidation:
+                description: SchemaValidation skips policy validation checks. Optional.
+                  The default value is set to "true", it must be set to "false" to
+                  disable the validation checks.
+                type: boolean
              validationFailureAction:
                description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit".
                type: string
@ -2705,6 +2710,11 @@ spec:
                      type: array
                  type: object
                type: array
+              schemaValidation:
+                description: SchemaValidation skips policy validation checks. Optional.
+                  The default value is set to "true", it must be set to "false" to
+                  disable the validation checks.
+                type: boolean
              validationFailureAction:
                description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit".
                type: string
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@ -943,6 +943,9 @@ spec:
                      type: array
                  type: object
                type: array
+              schemaValidation:
+                description: SchemaValidation skips policy validation checks. Optional.The default value is set to "true", it must be set to "false" to disable the validation checks.
+                type: boolean
              validationFailureAction:
                description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit".
                type: string
@ -2664,6 +2667,9 @@ spec:
                      type: array
                  type: object
                type: array
+              schemaValidation:
+                description: SchemaValidation skips policy validation checks. Optional.The default value is set to "true", it must be set to "false" to disable the validation checks.
+                type: boolean
              validationFailureAction:
                description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit".
                type: string
--- a/pkg/api/kyverno/v1/policy_types.go
+++ b/pkg/api/kyverno/v1/policy_types.go
@ -54,6 +54,11 @@ type Spec struct {
 	// uses variables that are only available in the admission review request (e.g. user name).
 	// +optional
 	Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
+
+	// SchemaValidation skips policy validation checks.
+	// Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
+	// +optional
+	SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
 }

 // Rule defines a validation, mutation, or generation control for matching resources.
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@ -167,10 +167,13 @@ func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error {
 			return err
 		}

-		err = o.ValidateResource(*patchedResource.DeepCopy(), "", kind)
-		if err != nil {
-			return err
+		if policy.Spec.SchemaValidation == nil || *policy.Spec.SchemaValidation {
+			err = o.ValidateResource(*patchedResource.DeepCopy(), "", kind)
+			if err != nil {
+				return err
+			}
 		}
+
 	}

 	return nil