
feat: add background only policy support (#6666)

* feat: add background only policy support

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* webhook

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* validation

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* all disabled

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-06-28 14:54:27 +02:00 committed by GitHub
parent 1cf9f43b8b
commit 1d5fe217da
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
26 changed files with 585 additions and 194 deletions


@ -14,15 +14,16 @@ import (
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno
// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction"
// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1
// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1
// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1
// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1
// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1
// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission"
// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction"
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1
// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1
// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1
// +kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1
// +kubebuilder:printcolumn:name="VERIFY IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1
// +kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message`
// +kubebuilder:storageversion
@ -79,6 +80,11 @@ func (p *ClusterPolicy) HasVerifyImages() bool {
return p.Spec.HasVerifyImages()
}
// AdmissionProcessingEnabled checks if admission is set to true
func (p *ClusterPolicy) AdmissionProcessingEnabled() bool {
return p.Spec.AdmissionProcessingEnabled()
}
// BackgroundProcessingEnabled checks if background is set to true
func (p *ClusterPolicy) BackgroundProcessingEnabled() bool {
return p.Spec.BackgroundProcessingEnabled()
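Review bot: The doc comment `// AdmissionProcessingEnabled checks if admission is set to true` leaves out the unset case: the Spec method this wrapper delegates to (visible in the spec_types.go hunk further down) returns true when `spec.admission` is nil, so an absent field also counts as enabled. Suggest `// AdmissionProcessingEnabled reports whether rules are applied during admission; an unset spec.admission counts as enabled.` and the matching wording for `BackgroundProcessingEnabled`. The identical comment text is repeated in the v1 Policy wrapper, both v2beta1 wrappers, and the Spec methods in both spec_types.go hunks, so they should be corrected together. The closing brace of BackgroundProcessingEnabled lies outside this hunk.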


@ -10,6 +10,7 @@ import (
// +kubebuilder:object:generate=false
type PolicyInterface interface {
metav1.Object
AdmissionProcessingEnabled() bool
BackgroundProcessingEnabled() bool
IsNamespaced() bool
GetSpec() *Spec
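Review bot: Adding `AdmissionProcessingEnabled() bool` to the exported `PolicyInterface` is a source-incompatible change for any out-of-tree type that implements the interface; if that surface is treated as public it deserves a release-note line. The visible methods of the interface carry no doc comments, and the new one would benefit from one, e.g. `// AdmissionProcessingEnabled reports whether the policy's rules are evaluated during admission (unset means enabled).` The interface body continues past the hunk.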


@ -12,17 +12,18 @@ import (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction"
// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1
// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1
// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1
// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1
// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1
// +kubebuilder:resource:shortName=pol,categories=kyverno
// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission"
// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction"
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1
// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1
// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1
// +kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1
// +kubebuilder:printcolumn:name="VERIFY IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1
// +kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message`
// +kubebuilder:resource:shortName=pol,categories=kyverno
// +kubebuilder:storageversion
// Policy declares validation, mutation, and generation behaviors for matching resources.
@ -80,6 +81,11 @@ func (p *Policy) HasVerifyImages() bool {
return p.Spec.HasVerifyImages()
}
// AdmissionProcessingEnabled checks if admission is set to true
func (p *Policy) AdmissionProcessingEnabled() bool {
return p.Spec.AdmissionProcessingEnabled()
}
// BackgroundProcessingEnabled checks if background is set to true
func (p *Policy) BackgroundProcessingEnabled() bool {
return p.Spec.BackgroundProcessingEnabled()


@ -80,6 +80,12 @@ type Spec struct {
// +optional
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
// Admission controls if rules are applied during admission.
// Optional. Default value is "true".
// +optional
// +kubebuilder:default=true
Admission *bool `json:"admission,omitempty" yaml:"admission,omitempty"`
// Background controls if rules are applied to existing resources during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
@ -187,6 +193,15 @@ func (s *Spec) HasVerifyManifests() bool {
return false
}
// AdmissionProcessingEnabled checks if admission is set to true
func (s *Spec) AdmissionProcessingEnabled() bool {
if s.Admission == nil {
return true
}
return *s.Admission
}
// BackgroundProcessingEnabled checks if background is set to true
func (s *Spec) BackgroundProcessingEnabled() bool {
if s.Background == nil {
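Review bot: The comment on the new `Admission` field stops at `Default value is "true"` and does not say what disabling it means operationally: if the webhook skips such policies (as the "webhook" step in the commit message suggests), a policy with `admission: false` can neither block nor mutate a request, so `validationFailureAction: Enforce` has no admission-time effect and the policy is report-only via background scans. Suggest extending the comment with `// When set to "false" the policy is not evaluated at admission time and cannot block or mutate requests;` / `// keep background "true" so its results still appear in policy reports.` The "all disabled" fix in the commit message implies a validation rejecting `admission: false` together with `background: false` lives in a file not shown here; if it does not, such a policy is accepted and silently never runs. The same field and comment are added in the v2beta1 spec_types.go hunk, and BackgroundProcessingEnabled's body continues past this hunk.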


@ -1296,6 +1296,11 @@ func (in *Spec) DeepCopyInto(out *Spec) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Admission != nil {
in, out := &in.Admission, &out.Admission
*out = new(bool)
**out = **in
}
if in.Background != nil {
in, out := &in.Background, &out.Background
*out = new(bool)


@ -15,15 +15,16 @@ import (
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno
// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction"
// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1
// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1
// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1
// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1
// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1
// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission"
// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction"
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1
// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1
// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1
// +kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1
// +kubebuilder:printcolumn:name="VERIFY IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1
// +kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message`
// ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.
@ -79,6 +80,11 @@ func (p *ClusterPolicy) HasVerifyImages() bool {
return p.Spec.HasVerifyImages()
}
// AdmissionProcessingEnabled checks if admission is set to true
func (p *ClusterPolicy) AdmissionProcessingEnabled() bool {
return p.Spec.AdmissionProcessingEnabled()
}
// BackgroundProcessingEnabled checks if background is set to true
func (p *ClusterPolicy) BackgroundProcessingEnabled() bool {
return p.Spec.BackgroundProcessingEnabled()


@ -13,15 +13,16 @@ import (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction"
// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1
// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1
// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1
// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1
// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1
// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission"
// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction"
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status`
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1
// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1
// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1
// +kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1
// +kubebuilder:printcolumn:name="VERIFY IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1
// +kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message`
// +kubebuilder:resource:shortName=pol,categories=kyverno
@ -79,6 +80,11 @@ func (p *Policy) HasVerifyImages() bool {
return p.Spec.HasVerifyImages()
}
// AdmissionProcessingEnabled checks if admission is set to true
func (p *Policy) AdmissionProcessingEnabled() bool {
return p.Spec.AdmissionProcessingEnabled()
}
// BackgroundProcessingEnabled checks if background is set to true
func (p *Policy) BackgroundProcessingEnabled() bool {
return p.Spec.BackgroundProcessingEnabled()


@ -41,6 +41,12 @@ type Spec struct {
// +optional
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
// Admission controls if rules are applied during admission.
// Optional. Default value is "true".
// +optional
// +kubebuilder:default=true
Admission *bool `json:"admission,omitempty" yaml:"admission,omitempty"`
// Background controls if rules are applied to existing resources during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
@ -154,6 +160,15 @@ func (s *Spec) HasVerifyManifests() bool {
return false
}
// AdmissionProcessingEnabled checks if admission is set to true
func (s *Spec) AdmissionProcessingEnabled() bool {
if s.Admission == nil {
return true
}
return *s.Admission
}
// BackgroundProcessingEnabled checks if background is set to true
func (s *Spec) BackgroundProcessingEnabled() bool {
if s.Background == nil {


@ -465,6 +465,11 @@ func (in *Spec) DeepCopyInto(out *Spec) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Admission != nil {
in, out := &in.Admission, &out.Admission
*out = new(bool)
**out = **in
}
if in.Background != nil {
in, out := &in.Background, &out.Background
*out = new(bool)


@ -3836,36 +3836,39 @@ spec:
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -3892,6 +3895,11 @@ spec:
spec:
description: Spec declares policy behaviors.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`
@ -11955,36 +11963,39 @@ spec:
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -12011,6 +12022,11 @@ spec:
spec:
description: Spec declares policy behaviors.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`
@ -19814,36 +19830,39 @@ spec:
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -19871,6 +19890,11 @@ spec:
spec:
description: Spec defines policy behaviors and contains one or more rules.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`
@ -27935,36 +27959,39 @@ spec:
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -27992,6 +28019,11 @@ spec:
spec:
description: Spec defines policy behaviors and contains one or more rules.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`


@ -20,36 +20,39 @@ spec:
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -76,6 +79,11 @@ spec:
spec:
description: Spec declares policy behaviors.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`
@ -8139,36 +8147,39 @@ spec:
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -8195,6 +8206,11 @@ spec:
spec:
description: Spec declares policy behaviors.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`


@ -20,36 +20,39 @@ spec:
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -77,6 +80,11 @@ spec:
spec:
description: Spec defines policy behaviors and contains one or more rules.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`
@ -8141,36 +8149,39 @@ spec:
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -8198,6 +8209,11 @@ spec:
spec:
description: Spec defines policy behaviors and contains one or more rules.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`


@ -4039,36 +4039,39 @@ spec:
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -4095,6 +4098,11 @@ spec:
spec:
description: Spec declares policy behaviors.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`
@ -12158,36 +12166,39 @@ spec:
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -12214,6 +12225,11 @@ spec:
spec:
description: Spec declares policy behaviors.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`
@ -20017,36 +20033,39 @@ spec:
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -20074,6 +20093,11 @@ spec:
spec:
description: Spec defines policy behaviors and contains one or more rules.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`
@ -28138,36 +28162,39 @@ spec:
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: Background
name: BACKGROUND
type: boolean
- jsonPath: .spec.validationFailureAction
name: Validate Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
priority: 1
name: VALIDATE ACTION
type: string
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: Ready
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: Validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: Mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: Generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: Verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
@ -28195,6 +28222,11 @@ spec:
spec:
description: Spec defines policy behaviors and contains one or more rules.
properties:
admission:
default: true
description: Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
applyRules:
description: ApplyRules controls how rules in a policy are applied.
Rule are processed in the order of declaration. When set to `One`


@ -185,6 +185,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace
</tr>
<tr>
<td>
<code>admission</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Admission controls if rules are applied during admission.
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
bool
@ -423,6 +436,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace
</tr>
<tr>
<td>
<code>admission</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Admission controls if rules are applied during admission.
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
bool
@ -3563,6 +3589,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace
</tr>
<tr>
<td>
<code>admission</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Admission controls if rules are applied during admission.
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
bool
@ -5941,6 +5980,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace
</tr>
<tr>
<td>
<code>admission</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Admission controls if rules are applied during admission.
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
bool
@ -6178,6 +6230,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace
</tr>
<tr>
<td>
<code>admission</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Admission controls if rules are applied during admission.
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
bool
@ -7087,6 +7152,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace
</tr>
<tr>
<td>
<code>admission</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Admission controls if rules are applied during admission.
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
bool


@ -99,7 +99,12 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
}
return err
}
return c.cache.Set(key, policy, c.client.Discovery())
if policy.AdmissionProcessingEnabled() {
return c.cache.Set(key, policy, c.client.Discovery())
} else {
c.cache.Unset(key)
return nil
}
}
func (c *controller) loadPolicy(namespace, name string) (kyvernov1.PolicyInterface, error) {
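Review bot: The `else` branch after a `return` in the new code is the superfluous-else shape that golint flags; a guard clause keeps the common path flat: `if !policy.AdmissionProcessingEnabled() { c.cache.Unset(key); return nil }` followed by the unchanged `return c.cache.Set(key, policy, c.client.Discovery())`. The `Unset` call is what removes a policy that flips to `admission: false` from the cache the admission handlers presumably read, so a one-line comment such as `// admission-disabled policies must not remain in the admission cache` would make that intent explicit. Whether `Unset` on a key that was never set is harmless is not visible here and is worth confirming. reconcile starts outside the hunk.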


@ -628,12 +628,14 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(ctx context.Conte
}
c.recordPolicyState(config.MutatingWebhookConfigurationName, policies...)
for _, p := range policies {
spec := p.GetSpec()
if spec.HasMutate() || spec.HasVerifyImages() {
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
c.mergeWebhook(ignore, p, false)
} else {
c.mergeWebhook(fail, p, false)
if p.AdmissionProcessingEnabled() {
spec := p.GetSpec()
if spec.HasMutate() || spec.HasVerifyImages() {
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
c.mergeWebhook(ignore, p, false)
} else {
c.mergeWebhook(fail, p, false)
}
}
}
}
@ -750,12 +752,14 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(ctx context.Con
}
c.recordPolicyState(config.ValidatingWebhookConfigurationName, policies...)
for _, p := range policies {
spec := p.GetSpec()
if spec.HasValidate() || spec.HasGenerate() || spec.HasMutate() || spec.HasVerifyImageChecks() || spec.HasVerifyManifests() {
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
c.mergeWebhook(ignore, p, true)
} else {
c.mergeWebhook(fail, p, true)
if p.AdmissionProcessingEnabled() {
spec := p.GetSpec()
if spec.HasValidate() || spec.HasGenerate() || spec.HasMutate() || spec.HasVerifyImageChecks() || spec.HasVerifyManifests() {
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
c.mergeWebhook(ignore, p, true)
} else {
c.mergeWebhook(fail, p, true)
}
}
}
}
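Review bot: Wrapping the whole loop body in `if p.AdmissionProcessingEnabled()` pushes the existing logic to four levels of nesting in both buildResourceMutatingWebhookConfiguration and buildResourceValidatingWebhookConfiguration (the second hunk of this file); a `continue` guard at the top of each loop, `if !p.AdmissionProcessingEnabled() { continue }`, lets the original lines stay as they were. The `c.recordPolicyState(..., policies...)` call just above each loop still receives the admission-disabled policies, so whatever state it records will list policies that no longer contribute rules to the webhook; that may be intended, but since this code decides which resources reach the admission webhook at all, a comment saying so would help. Both functions start outside the hunks.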


@ -179,6 +179,14 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
return warnings, err
}
}
if !policy.AdmissionProcessingEnabled() && !policy.BackgroundProcessingEnabled() {
return warnings, fmt.Errorf("disabling both admission and background processing is not allowed")
}
if !policy.AdmissionProcessingEnabled() {
if spec.HasMutate() || spec.HasGenerate() || spec.HasVerifyImages() {
return warnings, fmt.Errorf("disabling admission processing is only allowed with validation policies")
}
}
if err := immutableGenerateFields(policy, oldPolicy); err != nil {
return warnings, err


@ -0,0 +1,10 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: policy-validate.yaml
- file: policy-mutate.yaml
shouldFail: true
- file: policy-generate.yaml
shouldFail: true
- file: policy-verify-image.yaml
shouldFail: true


@ -0,0 +1,7 @@
## Description
This test tries to create various policies with `admission` set to `false`.
## Expected Behavior
Policies containing mutation, image verification or generation rules should be rejected.


@ -0,0 +1,24 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
name: generate
spec:
validationFailureAction: Audit
admission: false
background: true
rules:
- name: generate
match:
any:
- resources:
kinds:
- Namespace
generate:
apiVersion: v1
kind: Secret
name: regcred
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: regcred
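Review bot: policy-generate.yaml is the only fixture in this step declared as `kyverno.io/v2beta1` while its siblings use `kyverno.io/v1`, and the step only asserts `shouldFail: true`; a rejection caused by any v2beta1 schema difference would make the test pass without exercising the `admission: false` check. Using `apiVersion: kyverno.io/v1` like the other fixtures keeps the failure attributable to the new validation. If the test harness offers a way to match the error text, pinning it to "disabling admission processing is only allowed with validation policies" would remove the ambiguity entirely.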


@ -0,0 +1,22 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate
spec:
validationFailureAction: Audit
admission: false
background: true
rules:
- name: mutate
match:
resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
mutate:
patchStrategicMerge:
metadata:
labels:
foo: bar


@ -0,0 +1,17 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: validate
spec:
validationFailureAction: Audit
admission: false
background: true
rules:
- name: validate
match:
any:
- resources:
kinds:
- Pod
validate:
deny: {}


@ -0,0 +1,26 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-image
spec:
validationFailureAction: Audit
admission: false
background: true
rules:
- name: verify-image
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/kyverno/test-verify-image:*"
attestors:
- entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----


@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: policy.yaml
shouldFail: true


@ -0,0 +1,7 @@
## Description
This test tries to create a policy with both `admission` and `background` set to `false`.
## Expected Behavior
Policy should be rejected.


@ -0,0 +1,17 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: all-disabled
spec:
validationFailureAction: Audit
admission: false
background: false
rules:
- name: validate
match:
any:
- resources:
kinds:
- Pod
validate:
deny: {}