diff --git a/api/kyverno/v1/clusterpolicy_types.go b/api/kyverno/v1/clusterpolicy_types.go index dc5ac75a7f..a3cef4dea1 100644 --- a/api/kyverno/v1/clusterpolicy_types.go +++ b/api/kyverno/v1/clusterpolicy_types.go 
@@ -14,15 +14,16 @@ import ( // +kubebuilder:object:root=true // +kubebuilder:subresource:status // +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno -// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction" -// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 -// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 -// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 -// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 -// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" +// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" +// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction" +// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 +// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// 
+kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="VERIFY IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 // +kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message` // +kubebuilder:storageversion @@ -79,6 +80,11 @@ func (p *ClusterPolicy) HasVerifyImages() bool { return p.Spec.HasVerifyImages() } +// AdmissionProcessingEnabled checks if admission is set to true +func (p *ClusterPolicy) AdmissionProcessingEnabled() bool { + return p.Spec.AdmissionProcessingEnabled() +} + // BackgroundProcessingEnabled checks if background is set to true func (p *ClusterPolicy) BackgroundProcessingEnabled() bool { return p.Spec.BackgroundProcessingEnabled() diff --git a/api/kyverno/v1/policy_interface.go b/api/kyverno/v1/policy_interface.go index f1c70cc71a..20658c2de6 100644 --- a/api/kyverno/v1/policy_interface.go +++ b/api/kyverno/v1/policy_interface.go @@ -10,6 +10,7 @@ import ( // +kubebuilder:object:generate=false type PolicyInterface interface { metav1.Object + AdmissionProcessingEnabled() bool BackgroundProcessingEnabled() bool IsNamespaced() bool GetSpec() *Spec diff --git a/api/kyverno/v1/policy_types.go b/api/kyverno/v1/policy_types.go index aed1110500..19be0bc05f 100644 --- a/api/kyverno/v1/policy_types.go +++ b/api/kyverno/v1/policy_types.go 
@@ -12,17 +12,18 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true // +kubebuilder:subresource:status -// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction" -// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 -// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 -// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 -// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 -// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 -// +kubebuilder:resource:shortName=pol,categories=kyverno +// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" +// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" +// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction" +// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 +// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// 
+kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="VERIFY IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 // +kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message` +// +kubebuilder:resource:shortName=pol,categories=kyverno // +kubebuilder:storageversion // Policy declares validation, mutation, and generation behaviors for matching resources. @@ -80,6 +81,11 @@ func (p *Policy) HasVerifyImages() bool { return p.Spec.HasVerifyImages() } +// AdmissionProcessingEnabled checks if admission is set to true +func (p *Policy) AdmissionProcessingEnabled() bool { + return p.Spec.AdmissionProcessingEnabled() +} + // BackgroundProcessingEnabled checks if background is set to true func (p *Policy) BackgroundProcessingEnabled() bool { return p.Spec.BackgroundProcessingEnabled() diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index 30337f2159..973f50c336 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go @@ -80,6 +80,12 @@ type Spec struct { // +optional ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` + // Admission controls if rules are applied during admission. + // Optional. Default value is "true". + // +optional + // +kubebuilder:default=true + Admission *bool `json:"admission,omitempty" yaml:"admission,omitempty"` + // Background controls if rules are applied to existing resources during a background scan. // Optional. Default value is "true". The value must be set to "false" if the policy rule // uses variables that are only available in the admission review request (e.g. user name). 
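Review bot: The new `Admission` field in `Spec` carries no guard against `admission: false` combined with `background: false`, which leaves a policy that is never evaluated anywhere; unless policy validation elsewhere rejects that pair (not visible in this diff), it should, or the field comment should at least call it out. The comment also does not say that a policy with `admission: false` and `validationFailureAction: Enforce` can presumably no longer block requests, since enforcement happens on the admission path, so disabling admission quietly turns an Enforce policy into an audit-only one. Suggested comment: `// Admission controls if rules are applied during admission. When false, the policy is not evaluated by the admission webhook, so an Enforce validationFailureAction cannot block requests; at least one of admission and background should remain true. Optional. Default value is "true".` The identical field added in api/kyverno/v2beta1/spec_types.go needs the same treatment.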
@@ -187,6 +193,15 @@ func (s *Spec) HasVerifyManifests() bool { return false } +// AdmissionProcessingEnabled checks if admission is set to true +func (s *Spec) AdmissionProcessingEnabled() bool { + if s.Admission == nil { + return true + } + + return *s.Admission +} + // BackgroundProcessingEnabled checks if background is set to true func (s *Spec) BackgroundProcessingEnabled() bool { if s.Background == nil { diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index b90e217696..d6254b806d 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -1296,6 +1296,11 @@ func (in *Spec) DeepCopyInto(out *Spec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Admission != nil { + in, out := &in.Admission, &out.Admission + *out = new(bool) + **out = **in + } if in.Background != nil { in, out := &in.Background, &out.Background *out = new(bool) diff --git a/api/kyverno/v2beta1/clusterpolicy_types.go b/api/kyverno/v2beta1/clusterpolicy_types.go index 739e5a3f67..0a5cf02b07 100644 --- a/api/kyverno/v2beta1/clusterpolicy_types.go +++ b/api/kyverno/v2beta1/clusterpolicy_types.go 
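Review bot: The doc comment on the new `Spec.AdmissionProcessingEnabled` says it `checks if admission is set to true`, but the method also returns true when `Admission` is nil, such as for objects that never went through API-server defaulting, and the comment should state that. Suggested: `// AdmissionProcessingEnabled reports whether rules are applied during admission; an unset Admission field counts as enabled.` The nil-means-true fallback itself matches `BackgroundProcessingEnabled` directly below and the `+kubebuilder:default=true` marker on the field, so the behaviour is consistent. The same comment text is repeated on the v2beta1 copy in api/kyverno/v2beta1/spec_types.go and on the delegating wrappers in policy_types.go and clusterpolicy_types.go for both API versions.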
@@ -15,15 +15,16 @@ import ( // +kubebuilder:object:root=true // +kubebuilder:subresource:status // +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno -// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction" -// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 -// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 -// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 -// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 -// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" +// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" +// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction" +// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 +// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// 
+kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="VERIFY IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 // +kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message` // ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. @@ -79,6 +80,11 @@ func (p *ClusterPolicy) HasVerifyImages() bool { return p.Spec.HasVerifyImages() } +// AdmissionProcessingEnabled checks if admission is set to true +func (p *ClusterPolicy) AdmissionProcessingEnabled() bool { + return p.Spec.AdmissionProcessingEnabled() +} + // BackgroundProcessingEnabled checks if background is set to true func (p *ClusterPolicy) BackgroundProcessingEnabled() bool { return p.Spec.BackgroundProcessingEnabled() diff --git a/api/kyverno/v2beta1/policy_types.go b/api/kyverno/v2beta1/policy_types.go index 1227427ba6..9add862433 100644 --- a/api/kyverno/v2beta1/policy_types.go +++ b/api/kyverno/v2beta1/policy_types.go 
@@ -13,15 +13,16 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true // +kubebuilder:subresource:status -// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction" -// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 -// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 -// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 -// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 -// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" +// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" +// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction" +// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 +// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// 
+kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="VERIFY IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 // +kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message` // +kubebuilder:resource:shortName=pol,categories=kyverno @@ -79,6 +80,11 @@ func (p *Policy) HasVerifyImages() bool { return p.Spec.HasVerifyImages() } +// AdmissionProcessingEnabled checks if admission is set to true +func (p *Policy) AdmissionProcessingEnabled() bool { + return p.Spec.AdmissionProcessingEnabled() +} + // BackgroundProcessingEnabled checks if background is set to true func (p *Policy) BackgroundProcessingEnabled() bool { return p.Spec.BackgroundProcessingEnabled() diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go index 32009e79df..6478b75382 100644 --- a/api/kyverno/v2beta1/spec_types.go +++ b/api/kyverno/v2beta1/spec_types.go @@ -41,6 +41,12 @@ type Spec struct { // +optional ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` + // Admission controls if rules are applied during admission. + // Optional. Default value is "true". + // +optional + // +kubebuilder:default=true + Admission *bool `json:"admission,omitempty" yaml:"admission,omitempty"` + // Background controls if rules are applied to existing resources during a background scan. // Optional. Default value is "true". The value must be set to "false" if the policy rule // uses variables that are only available in the admission review request (e.g. user name). 
@@ -154,6 +160,15 @@ func (s *Spec) HasVerifyManifests() bool { return false } +// AdmissionProcessingEnabled checks if admission is set to true +func (s *Spec) AdmissionProcessingEnabled() bool { + if s.Admission == nil { + return true + } + + return *s.Admission +} + // BackgroundProcessingEnabled checks if background is set to true func (s *Spec) BackgroundProcessingEnabled() bool { if s.Background == nil { diff --git a/api/kyverno/v2beta1/zz_generated.deepcopy.go b/api/kyverno/v2beta1/zz_generated.deepcopy.go index 8f38766027..3f1962e3a0 100755 --- a/api/kyverno/v2beta1/zz_generated.deepcopy.go +++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go @@ -465,6 +465,11 @@ func (in *Spec) DeepCopyInto(out *Spec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Admission != nil { + in, out := &in.Admission, &out.Admission + *out = new(bool) + **out = **in + } if in.Background != nil { in, out := &in.Background, &out.Background *out = new(bool) diff --git a/charts/kyverno/templates/crds/crds.yaml b/charts/kyverno/templates/crds/crds.yaml index 85d273b1b3..2740442b2c 100644 --- a/charts/kyverno/templates/crds/crds.yaml +++ b/charts/kyverno/templates/crds/crds.yaml 
@@ -3836,36 +3836,39 @@ spec: scope: Cluster versions: - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -3892,6 +3895,11 @@ spec: spec: description: Spec declares policy behaviors. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` 
@@ -11955,36 +11963,39 @@ spec: subresources: status: {} - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -12011,6 +12022,11 @@ spec: spec: description: Spec declares policy behaviors. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` 
@@ -19814,36 +19830,39 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -19871,6 +19890,11 @@ spec: spec: description: Spec defines policy behaviors and contains one or more rules. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` 
@@ -27935,36 +27959,39 @@ spec: subresources: status: {} - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -27992,6 +28019,11 @@ spec: spec: description: Spec defines policy behaviors and contains one or more rules. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index bbf47e4edc..4b8d990f15 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml 
@@ -20,36 +20,39 @@ spec: scope: Cluster versions: - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -76,6 +79,11 @@ spec: spec: description: Spec declares policy behaviors. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` 
@@ -8139,36 +8147,39 @@ spec: subresources: status: {} - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -8195,6 +8206,11 @@ spec: spec: description: Spec declares policy behaviors. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 67ced1084d..de5a1aeb62 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml 
@@ -20,36 +20,39 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -77,6 +80,11 @@ spec: spec: description: Spec defines policy behaviors and contains one or more rules. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` 
@@ -8141,36 +8149,39 @@ spec: subresources: status: {} - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -8198,6 +8209,11 @@ spec: spec: description: Spec defines policy behaviors and contains one or more rules. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 75e1f76c15..8edceca52f 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -4039,36 +4039,39 @@ spec: scope: Cluster versions: - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -4095,6 +4098,11 @@ spec: spec: description: Spec declares policy behaviors. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` 
@@ -12158,36 +12166,39 @@ spec: subresources: status: {} - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -12214,6 +12225,11 @@ spec: spec: description: Spec declares policy behaviors. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` 
@@ -20017,36 +20033,39 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -20074,6 +20093,11 @@ spec: spec: description: Spec defines policy behaviors and contains one or more rules. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` 
@@ -28138,36 +28162,39 @@ spec: subresources: status: {} - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean - jsonPath: .spec.background - name: Background + name: BACKGROUND type: boolean - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 + name: VALIDATE ACTION type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status - name: Ready + name: READY type: string - jsonPath: .metadata.creationTimestamp - name: Age + name: AGE type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string - jsonPath: .status.rulecount.validate - name: Validate + name: VALIDATE priority: 1 type: integer - jsonPath: .status.rulecount.mutate - name: Mutate + name: MUTATE priority: 1 type: integer - jsonPath: .status.rulecount.generate - name: Generate + name: GENERATE priority: 1 type: integer - jsonPath: .status.rulecount.verifyimages - name: Verifyimages + name: VERIFY IMAGES priority: 1 type: integer - jsonPath: .status.conditions[?(@.type == "Ready")].message @@ -28195,6 +28222,11 @@ spec: spec: description: Spec defines policy behaviors and contains one or more rules. properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean applyRules: description: ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to `One` diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 4fe91c8079..004ca18a4f 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -185,6 +185,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace +admission
+ +bool + + + +(Optional) +

Admission controls if rules are applied during admission. +Optional. Default value is “true”.

+ + + + background
bool @@ -423,6 +436,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace +admission
+ +bool + + + +(Optional) +

Admission controls if rules are applied during admission. +Optional. Default value is “true”.

+ + + + background
bool @@ -3563,6 +3589,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace +admission
+ +bool + + + +(Optional) +

Admission controls if rules are applied during admission. +Optional. Default value is “true”.

+ + + + background
bool @@ -5941,6 +5980,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace +admission
+ +bool + + + +(Optional) +

Admission controls if rules are applied during admission. +Optional. Default value is “true”.

+ + + + background
bool @@ -6178,6 +6230,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace +admission
+ +bool + + + +(Optional) +

Admission controls if rules are applied during admission. +Optional. Default value is “true”.

+ + + + background
bool @@ -7087,6 +7152,19 @@ namespace-wise. It overrides ValidationFailureAction for the specified namespace +admission
+ +bool + + + +(Optional) +

Admission controls if rules are applied during admission. +Optional. Default value is “true”.

+ + + + background
bool diff --git a/pkg/controllers/policycache/controller.go b/pkg/controllers/policycache/controller.go index 3093b0ed51..a5993530b5 100644 --- a/pkg/controllers/policycache/controller.go +++ b/pkg/controllers/policycache/controller.go @@ -99,7 +99,12 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam } return err } - return c.cache.Set(key, policy, c.client.Discovery()) + if policy.AdmissionProcessingEnabled() { + return c.cache.Set(key, policy, c.client.Discovery()) + } else { + c.cache.Unset(key) + return nil + } } func (c *controller) loadPolicy(namespace, name string) (kyvernov1.PolicyInterface, error) { diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go index aef354c08e..6d9091f000 100644 --- a/pkg/controllers/webhook/controller.go +++ b/pkg/controllers/webhook/controller.go @@ -628,12 +628,14 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(ctx context.Conte } c.recordPolicyState(config.MutatingWebhookConfigurationName, policies...) for _, p := range policies { - spec := p.GetSpec() - if spec.HasMutate() || spec.HasVerifyImages() { - if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore { - c.mergeWebhook(ignore, p, false) - } else { - c.mergeWebhook(fail, p, false) + if p.AdmissionProcessingEnabled() { + spec := p.GetSpec() + if spec.HasMutate() || spec.HasVerifyImages() { + if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore { + c.mergeWebhook(ignore, p, false) + } else { + c.mergeWebhook(fail, p, false) + } } } } 
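Review bot: The `else` after a terminating `return` in reconcile is redundant and hides that the admission-disabled path is the fall-through; `if policy.AdmissionProcessingEnabled() { return c.cache.Set(key, policy, c.client.Discovery()) }` followed by `c.cache.Unset(key)` and `return nil` keeps the happy path left-aligned. Evicting a previously cached policy because `admission` was flipped to false silently changes what the admission path enforces, so a debug-level line through the `logger` parameter, e.g. `logger.V(4).Info("admission processing disabled, removing policy from cache", "key", key)`, would leave operators a trace of it. reconcile's body begins outside the hunk, so the not-found path preceding the visible `return err` cannot be checked here.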
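Review bot: `c.recordPolicyState(config.MutatingWebhookConfigurationName, policies...)` on the line above the loop is still passed every policy, including those the new `AdmissionProcessingEnabled()` guard now skips, so whatever state it records for the mutating webhook may presumably report admission coverage for a policy that is deliberately not wired into it; filtering the slice before that call, or recording inside the guarded branch, would keep the two in step, and the same applies to `buildResourceValidatingWebhookConfiguration` in the next hunk. As a point of style, a guard clause `if !p.AdmissionProcessingEnabled() { continue }` at the top of the loop body avoids the extra nesting level the wrapper adds, in both hunks. buildResourceMutatingWebhookConfiguration starts and ends outside the hunk.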
@@ -750,12 +752,14 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(ctx context.Con } c.recordPolicyState(config.ValidatingWebhookConfigurationName, policies...) for _, p := range policies { - spec := p.GetSpec() - if spec.HasValidate() || spec.HasGenerate() || spec.HasMutate() || spec.HasVerifyImageChecks() || spec.HasVerifyManifests() { - if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore { - c.mergeWebhook(ignore, p, true) - } else { - c.mergeWebhook(fail, p, true) + if p.AdmissionProcessingEnabled() { + spec := p.GetSpec() + if spec.HasValidate() || spec.HasGenerate() || spec.HasMutate() || spec.HasVerifyImageChecks() || spec.HasVerifyManifests() { + if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore { + c.mergeWebhook(ignore, p, true) + } else { + c.mergeWebhook(fail, p, true) + } } } } diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go index 8ce0009ef9..68c90d4044 100644 --- a/pkg/validation/policy/validate.go +++ b/pkg/validation/policy/validate.go @@ -179,6 +179,14 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf return warnings, err } } + if !policy.AdmissionProcessingEnabled() && !policy.BackgroundProcessingEnabled() { + return warnings, fmt.Errorf("disabling both admission and background processing is not allowed") + } + if !policy.AdmissionProcessingEnabled() { + if spec.HasMutate() || spec.HasGenerate() || spec.HasVerifyImages() { + return warnings, fmt.Errorf("disabling admission processing is only allowed with validation policies") + } + } if err := immutableGenerateFields(policy, oldPolicy); err != nil { return warnings, err diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/01-policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/01-policy.yaml new file mode 100644 index 0000000000..57d0184b5b --- /dev/null 
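Review bot: A policy with `admission: false` and `validationFailureAction: Enforce` passes the new checks but will never block anything at admission, since the webhook controllers no longer register it, so a block-only intent is silently downgraded to reporting. Validate already returns `warnings`; appending a warning when admission is disabled while the failure action is Enforce would surface that downgrade to the policy author at apply time. The two `fmt.Errorf` calls take no format arguments, and `errors.New(...)` is the idiomatic form when nothing is interpolated, provided the package already imports `errors`. Validate's body, including the `spec` variable the second check reads, begins outside the hunk.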
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-validate.yaml +- file: policy-mutate.yaml + shouldFail: true +- file: policy-generate.yaml + shouldFail: true +- file: policy-verify-image.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/README.md b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/README.md new file mode 100644 index 0000000000..610d979c5e --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/README.md @@ -0,0 +1,7 @@ +## Description + +This test tries to create various policies with `admission` set to `false`. + +## Expected Behavior + +Policies containing mutation, image verification or generation rules should be rejected. diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml new file mode 100644 index 0000000000..c81b03bebc --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml @@ -0,0 +1,24 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: generate +spec: + validationFailureAction: Audit + admission: false + background: true + rules: + - name: generate + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: Secret + name: regcred + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + namespace: default + name: regcred \ No newline at end of file diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml new file mode 100644 index 0000000000..2095b90f5a 
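Review bot: `policy-generate.yaml` declares `apiVersion: kyverno.io/v2beta1` while the sibling fixtures applied by the same step use `kyverno.io/v1`; unless the v2beta1 conversion path is what this step means to exercise, aligning it to `kyverno.io/v1` keeps the test isolated to the `admission: false` rejection its README documents. The file also ends without a trailing newline (`\ No newline at end of file`), which the other fixtures have.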
--- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate +spec: + validationFailureAction: Audit + admission: false + background: true + rules: + - name: mutate + match: + resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret + mutate: + patchStrategicMerge: + metadata: + labels: + foo: bar diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml new file mode 100644 index 0000000000..49e9184d56 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml @@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate +spec: + validationFailureAction: Audit + admission: false + background: true + rules: + - name: validate + match: + any: + - resources: + kinds: + - Pod + validate: + deny: {} diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml new file mode 100644 index 0000000000..84169ccd46 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml 
@@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: verify-image +spec: + validationFailureAction: Audit + admission: false + background: true + rules: + - name: verify-image + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "ghcr.io/kyverno/test-verify-image:*" + attestors: + - entries: + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM + 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== + -----END PUBLIC KEY----- diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/all-disabled/01-policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/all-disabled/01-policy.yaml new file mode 100644 index 0000000000..cc374cb853 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/all-disabled/01-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/all-disabled/README.md b/test/conformance/kuttl/policy-validation/cluster-policy/all-disabled/README.md new file mode 100644 index 0000000000..7e39604238 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/all-disabled/README.md @@ -0,0 +1,7 @@ +## Description + +This test tries to create a policy with both `admission` and `background` set to `false`. + +## Expected Behavior + +Policy should be rejected. diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/all-disabled/policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/all-disabled/policy.yaml new file mode 100644 index 0000000000..0370eaa4f7 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/all-disabled/policy.yaml 
@@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: all-disabled +spec: + validationFailureAction: Audit + admission: false + background: false + rules: + - name: validate + match: + any: + - resources: + kinds: + - Pod + validate: + deny: {}