diff --git a/Makefile b/Makefile index c55f231324..8a0b2b38f4 100644 --- a/Makefile +++ b/Makefile @@ -591,6 +591,7 @@ codegen-helm-crds: codegen-crds-all ## Generate helm CRDs $(call generate_crd,kyverno.io_clusterbackgroundscanreports.yaml,kyverno,kyverno.io,kyverno,clusterbackgroundscanreports) $(call generate_crd,kyverno.io_clustercleanuppolicies.yaml,kyverno,kyverno.io,kyverno,clustercleanuppolicies) $(call generate_crd,kyverno.io_clusterpolicies.yaml,kyverno,kyverno.io,kyverno,clusterpolicies) + $(call generate_crd,kyverno.io_globalcontextentries.yaml,kyverno,kyverno.io,kyverno,globalcontextentries) $(call generate_crd,kyverno.io_policies.yaml,kyverno,kyverno.io,kyverno,policies) $(call generate_crd,kyverno.io_policyexceptions.yaml,kyverno,kyverno.io,kyverno,policyexceptions) $(call generate_crd,kyverno.io_updaterequests.yaml,kyverno,kyverno.io,kyverno,updaterequests) diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 862322dc62..ac32f29ce3 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go 
@@ -184,52 +184,6 @@ type GlobalContextEntryReference struct { JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"` } -// KubernetesResource stores infos about kubernetes resource that should be cached -type KubernetesResource struct { - // Group defines the group of the resource - Group string `json:"group,omitempty" yaml:"group,omitempty"` - // Version defines the version of the resource - Version string `json:"version,omitempty" yaml:"version,omitempty"` - // Resource defines the type of the resource - Resource string `json:"resource,omitempty" yaml:"resource,omitempty"` - // Namespace defines the namespace of the resource. Leave empty for cluster scoped resources. - // +kubebuilder:validation:Optional - Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` -} - -// Validate implements programmatic validation -func (k *KubernetesResource) Validate(path *field.Path) (errs field.ErrorList) { - if k.Group == "" { - errs = append(errs, field.Required(path.Child("group"), "An Resource entry requires a group")) - } - if k.Version == "" { - errs = append(errs, field.Required(path.Child("version"), "An Resource entry requires a version")) - } - if k.Resource == "" { - errs = append(errs, field.Required(path.Child("resource"), "An Resource entry requires a resource")) - } - return errs -} - -// ExternalAPICall stores infos about API call that should be cached -type ExternalAPICall struct { - APICall `json:",inline,omitempty" yaml:",inline,omitempty"` - // RefreshIntervalSeconds defines the interval at which to poll the APICall - // +kubebuilder:default=0 - RefreshIntervalSeconds int64 `json:"refreshIntervalSeconds,omitempty" yaml:"refreshIntervalSeconds,omitempty"` -} - -// Validate implements programmatic validation -func (e *ExternalAPICall) Validate(path *field.Path) (errs field.ErrorList) { - if e.Service.URL == "" { - errs = append(errs, field.Required(path.Child("url"), "An External API Call entry requires a url")) - } - if 
e.RefreshIntervalSeconds <= 0 { - errs = append(errs, field.Required(path.Child("refreshIntervalSeconds"), "An Resource entry requires a refresh interval greater than 0 seconds")) - } - return errs -} - type ServiceCall struct { // URL is the JSON web service URL. A typical form is // `https://{service}.{namespace}:{port}/{path}`. diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index c1f0e3bd27..939eb5d592 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -516,23 +516,6 @@ func (in *DryRunOption) DeepCopy() *DryRunOption { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ExternalAPICall) DeepCopyInto(out *ExternalAPICall) { - *out = *in - in.APICall.DeepCopyInto(&out.APICall) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAPICall. -func (in *ExternalAPICall) DeepCopy() *ExternalAPICall { - if in == nil { - return nil - } - out := new(ExternalAPICall) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ForEachMutation) DeepCopyInto(out *ForEachMutation) { *out = *in 
@@ -876,22 +859,6 @@ func (in *KeylessAttestor) DeepCopy() *KeylessAttestor { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *KubernetesResource) DeepCopyInto(out *KubernetesResource) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesResource. -func (in *KubernetesResource) DeepCopy() *KubernetesResource { - if in == nil { - return nil - } - out := new(KubernetesResource) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Manifests) DeepCopyInto(out *Manifests) { *out = *in diff --git a/api/kyverno/v2alpha1/global_context_entry_types.go b/api/kyverno/v2alpha1/global_context_entry_types.go index 4d58369fae..e7b5d76d8c 100644 --- a/api/kyverno/v2alpha1/global_context_entry_types.go +++ b/api/kyverno/v2alpha1/global_context_entry_types.go @@ -29,15 +29,15 @@ import ( // GlobalContextEntry declares resources to be cached. type GlobalContextEntry struct { - metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"` - metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"` + metav1.TypeMeta `json:",inline,omitempty"` + metav1.ObjectMeta `json:"metadata,omitempty"` // Spec declares policy exception behaviors. Spec GlobalContextEntrySpec `json:"spec" yaml:"spec"` // Status contains globalcontextentry runtime data. // +optional - Status GlobalContextEntryStatus `json:"status,omitempty" yaml:"status,omitempty"` + Status GlobalContextEntryStatus `json:"status,omitempty"` } // GetStatus returns the globalcontextentry status 
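Review bot: In the @@ -29 hunk of global_context_entry_types.go the `Spec GlobalContextEntrySpec \`json:"spec" yaml:"spec"\`` field keeps its yaml tag while TypeMeta, ObjectMeta and Status in the same struct drop theirs, leaving the type half-converted. If nothing in the project still reads the yaml tags (a yaml layer that round-trips through the json tags would not), change the line to `Spec GlobalContextEntrySpec \`json:"spec"\`` so the struct is consistent with the @@ -60 hunk below, which drops the yaml tags on both spec fields. If some reader does depend on yaml tags, the removals in both hunks should be reverted together rather than mixed.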
@@ -60,11 +60,11 @@ func (c *GlobalContextEntry) IsNamespaced() bool { type GlobalContextEntrySpec struct { // KubernetesResource stores infos about kubernetes resource that should be cached // +kubebuilder:validation:Optional - KubernetesResource *kyvernov1.KubernetesResource `json:"kubernetesResource,omitempty" yaml:"kubernetesResource,omitempty"` + KubernetesResource *KubernetesResource `json:"kubernetesResource,omitempty"` // APICall stores infos about API call that should be cached // +kubebuilder:validation:Optional - APICall *kyvernov1.ExternalAPICall `json:"apiCall,omitempty" yaml:"apiCall,omitempty"` + APICall *ExternalAPICall `json:"apiCall,omitempty"` } func (c *GlobalContextEntrySpec) IsAPICall() bool { 
@@ -94,7 +94,53 @@ func (c *GlobalContextEntrySpec) Validate(path *field.Path) (errs field.ErrorLis // GlobalContextEntryList is a list of Cached Context Entries type GlobalContextEntryList struct { - metav1.TypeMeta `json:",inline" yaml:",inline"` - metav1.ListMeta `json:"metadata" yaml:"metadata"` - Items []GlobalContextEntry `json:"items" yaml:"items"` + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata"` + Items []GlobalContextEntry `json:"items"` +} + +// KubernetesResource stores infos about kubernetes resource that should be cached +type KubernetesResource struct { + // Group defines the group of the resource + Group string `json:"group,omitempty"` + // Version defines the version of the resource + Version string `json:"version,omitempty"` + // Resource defines the type of the resource + Resource string `json:"resource,omitempty"` + // Namespace defines the namespace of the resource. Leave empty for cluster scoped resources. + // +kubebuilder:validation:Optional + Namespace string `json:"namespace,omitempty"` +} + +// Validate implements programmatic validation +func (k *KubernetesResource) Validate(path *field.Path) (errs field.ErrorList) { + if k.Group == "" { + errs = append(errs, field.Required(path.Child("group"), "An Resource entry requires a group")) + } + if k.Version == "" { + errs = append(errs, field.Required(path.Child("version"), "An Resource entry requires a version")) + } + if k.Resource == "" { + errs = append(errs, field.Required(path.Child("resource"), "An Resource entry requires a resource")) + } + return errs +} + +// ExternalAPICall stores infos about API call that should be cached +type ExternalAPICall struct { + kyvernov1.APICall `json:",inline,omitempty"` + // RefreshIntervalSeconds defines the interval at which to poll the APICall + // +kubebuilder:default=0 + RefreshIntervalSeconds int64 `json:"refreshIntervalSeconds,omitempty"` +} + +// Validate implements programmatic validation +func (e *ExternalAPICall) 
Validate(path *field.Path) (errs field.ErrorList) { + if e.Service.URL == "" { + errs = append(errs, field.Required(path.Child("url"), "An External API Call entry requires a url")) + } + if e.RefreshIntervalSeconds <= 0 { + errs = append(errs, field.Required(path.Child("refreshIntervalSeconds"), "An Resource entry requires a refresh interval greater than 0 seconds")) + } + return errs } diff --git a/api/kyverno/v2alpha1/zz_generated.deepcopy.go b/api/kyverno/v2alpha1/zz_generated.deepcopy.go index 41a91746fa..1739785a14 100644 --- a/api/kyverno/v2alpha1/zz_generated.deepcopy.go +++ b/api/kyverno/v2alpha1/zz_generated.deepcopy.go @@ -22,9 +22,8 @@ limitations under the License. package v2alpha1 import ( - v1 "github.com/kyverno/kyverno/api/kyverno/v1" v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -150,6 +149,23 @@ func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExternalAPICall) DeepCopyInto(out *ExternalAPICall) { + *out = *in + in.APICall.DeepCopyInto(&out.APICall) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAPICall. +func (in *ExternalAPICall) DeepCopy() *ExternalAPICall { + if in == nil { + return nil + } + out := new(ExternalAPICall) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GlobalContextEntry) DeepCopyInto(out *GlobalContextEntry) { *out = *in 
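Review bot: `ExternalAPICall.Validate` reads `e.Service.URL` with no nil check; if the embedded `kyvernov1.APICall` declares `Service` as a pointer (the generated CRD in this commit lists `service` as an optional property of `apiCall`, which is consistent with that), an entry that omits `service` panics the validator instead of returning a field error, which an admission caller would see as a failed request rather than a clean rejection. Change the guard to `if e.Service == nil || e.Service.URL == "" {`. Separately, `+kubebuilder:default=0` on `RefreshIntervalSeconds` sits next to a check that rejects `<= 0`, so an entry that relies on the default is always rejected; either choose a positive default or drop the marker and document the field as required. The message on that branch is also copied from KubernetesResource and should read `field.Required(path.Child("refreshIntervalSeconds"), "An External API Call entry requires a refresh interval greater than 0 seconds")`.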
@@ -216,12 +232,12 @@ func (in *GlobalContextEntrySpec) DeepCopyInto(out *GlobalContextEntrySpec) { *out = *in if in.KubernetesResource != nil { in, out := &in.KubernetesResource, &out.KubernetesResource - *out = new(v1.KubernetesResource) + *out = new(KubernetesResource) **out = **in } if in.APICall != nil { in, out := &in.APICall, &out.APICall - *out = new(v1.ExternalAPICall) + *out = new(ExternalAPICall) (*in).DeepCopyInto(*out) } return @@ -242,7 +258,7 @@ func (in *GlobalContextEntryStatus) DeepCopyInto(out *GlobalContextEntryStatus) *out = *in if in.Conditions != nil { in, out := &in.Conditions, &out.Conditions - *out = make([]metav1.Condition, len(*in)) + *out = make([]v1.Condition, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } @@ -260,6 +276,22 @@ func (in *GlobalContextEntryStatus) DeepCopy() *GlobalContextEntryStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubernetesResource) DeepCopyInto(out *KubernetesResource) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesResource. +func (in *KubernetesResource) DeepCopy() *KubernetesResource { + if in == nil { + return nil + } + out := new(KubernetesResource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyException) DeepCopyInto(out *PolicyException) { *out = *in diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 96b04793ef..0e9bc76988 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
@@ -257,7 +257,7 @@ The chart values are organised per component. | Key | Type | Default | Description | |-----|------|---------|-------------| | crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created | -| crds.groups.kyverno | object | `{"admissionreports":true,"backgroundscanreports":true,"cleanuppolicies":true,"clusteradmissionreports":true,"clusterbackgroundscanreports":true,"clustercleanuppolicies":true,"clusterpolicies":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | Install CRDs in group `kyverno.io` | +| crds.groups.kyverno | object | `{"admissionreports":true,"backgroundscanreports":true,"cleanuppolicies":true,"clusteradmissionreports":true,"clusterbackgroundscanreports":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | Install CRDs in group `kyverno.io` | | crds.groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | Install CRDs in group `reports.kyverno.io` | | crds.groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | Install CRDs in group `wgpolicyk8s.io` | | crds.annotations | object | `{}` | Additional CRDs annotations | diff --git a/charts/kyverno/charts/crds/README.md b/charts/kyverno/charts/crds/README.md index 97cdc943df..75ec9d7393 100644 --- a/charts/kyverno/charts/crds/README.md +++ b/charts/kyverno/charts/crds/README.md 
@@ -6,7 +6,7 @@ | Key | Type | Default | Description | |-----|------|---------|-------------| -| groups.kyverno | object | `{"admissionreports":true,"backgroundscanreports":true,"cleanuppolicies":true,"clusteradmissionreports":true,"clusterbackgroundscanreports":true,"clustercleanuppolicies":true,"clusterpolicies":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart | +| groups.kyverno | object | `{"admissionreports":true,"backgroundscanreports":true,"cleanuppolicies":true,"clusteradmissionreports":true,"clusterbackgroundscanreports":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart | | groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart | | groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart | | annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart | diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml new file mode 100644 index 0000000000..0c0baf012d --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml 
@@ -0,0 +1,209 @@ +{{- if .Values.groups.kyverno.globalcontextentries }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.12.0 + name: globalcontextentries.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: GlobalContextEntry + listKind: GlobalContextEntryList + plural: globalcontextentries + shortNames: + - gctxentry + singular: globalcontextentry + scope: Cluster + versions: + - name: v2alpha1 + schema: + openAPIV3Schema: + description: GlobalContextEntry declares resources to be cached. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + apiCall: + description: APICall stores infos about API call that should be cached + properties: + data: + description: Data specifies the POST data sent to the server. 
+ items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression that + can be used to transform the JSON response returned from the + server. For example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + refreshIntervalSeconds: + default: 0 + description: RefreshIntervalSeconds defines the interval at which + to poll the APICall + format: int64 + type: integer + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle which will + be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. A typical form + is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in the HTTP GET + or POST request to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The format required is the + same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. 
+ type: string + type: object + kubernetesResource: + description: KubernetesResource stores infos about kubernetes resource + that should be cached + properties: + group: + description: Group defines the group of the resource + type: string + namespace: + description: Namespace defines the namespace of the resource. + Leave empty for cluster scoped resources. + type: string + resource: + description: Resource defines the type of the resource + type: string + version: + description: Version defines the version of the resource + type: string + type: object + type: object + status: + description: Status contains globalcontextentry runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true +{{- end }} diff --git a/charts/kyverno/charts/crds/values.yaml b/charts/kyverno/charts/crds/values.yaml index cdfe7fafcb..6969f5f797 100644 --- a/charts/kyverno/charts/crds/values.yaml +++ b/charts/kyverno/charts/crds/values.yaml 
@@ -17,6 +17,7 @@ groups: clusterbackgroundscanreports: true clustercleanuppolicies: true clusterpolicies: true + globalcontextentries: true policies: true policyexceptions: true updaterequests: true diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index da9b68bee5..5466822a6c 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -73,6 +73,7 @@ crds: clusterbackgroundscanreports: true clustercleanuppolicies: true clusterpolicies: true + globalcontextentries: true policies: true policyexceptions: true updaterequests: true diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 27609b5c3e..fe32e8d8ad 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -28141,6 +28141,215 @@ spec: --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: kyverno-crds + app.kubernetes.io/version: v0.0.0 + helm.sh/chart: crds-v0.0.0 + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: globalcontextentries.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: GlobalContextEntry + listKind: GlobalContextEntryList + plural: globalcontextentries + shortNames: + - gctxentry + singular: globalcontextentry + scope: Cluster + versions: + - name: v2alpha1 + schema: + openAPIV3Schema: + description: GlobalContextEntry declares resources to be cached. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + apiCall: + description: APICall stores infos about API call that should be cached + properties: + data: + description: Data specifies the POST data sent to the server. 
+ items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression that + can be used to transform the JSON response returned from the + server. For example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + enum: + - GET + - POST + type: string + refreshIntervalSeconds: + default: 0 + description: RefreshIntervalSeconds defines the interval at which + to poll the APICall + format: int64 + type: integer + service: + description: Service is an API call to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle which will + be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. A typical form + is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in the HTTP GET + or POST request to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The format required is the + same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. 
+ type: string + type: object + kubernetesResource: + description: KubernetesResource stores infos about kubernetes resource + that should be cached + properties: + group: + description: Group defines the group of the resource + type: string + namespace: + description: Namespace defines the namespace of the resource. + Leave empty for cluster scoped resources. + type: string + resource: + description: Resource defines the type of the resource + type: string + version: + description: Version defines the version of the resource + type: string + type: object + type: object + status: + description: Status contains globalcontextentry runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: labels: app.kubernetes.io/component: crds diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index aa4cc7be9e..431d63bff6 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -611,7 +611,7 @@ PolicyStatus

(Appears on: ContextEntry, -ExternalAPICall) +ExternalAPICall)

@@ -1571,52 +1571,6 @@ string
-

ExternalAPICall -

-

-(Appears on: -GlobalContextEntrySpec) -

-

-

ExternalAPICall stores infos about API call that should be cached

-

- - - - - - - - - - - - - - - - - -
FieldDescription
-APICall
- - -APICall - - -
-

-(Members of APICall are embedded into this type.) -

-
-refreshIntervalSeconds
- -int64 - -
-

RefreshIntervalSeconds defines the interval at which to poll the APICall

-
-

FailurePolicyType (string alias)

@@ -2605,70 +2559,6 @@ map[string]string


-

KubernetesResource -

-

-(Appears on: -GlobalContextEntrySpec) -

-

-

KubernetesResource stores infos about kubernetes resource that should be cached

-

- - - - - - - - - - - - - - - - - - - - - - - - - -
FieldDescription
-group
- -string - -
-

Group defines the group of the resource

-
-version
- -string - -
-

Version defines the version of the resource

-
-resource
- -string - -
-

Resource defines the type of the resource

-
-namespace
- -string - -
-

Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.

-
-

Manifests

@@ -7907,7 +7797,7 @@ GlobalContextEntrySpec kubernetesResource
- + KubernetesResource @@ -7920,7 +7810,7 @@ KubernetesResource apiCall
- + ExternalAPICall @@ -8087,6 +7977,52 @@ Applicable only to policies that have validate.podSecurity subrule.

CleanupPolicyInterface abstracts the concrete policy type (CleanupPolicy vs ClusterCleanupPolicy)

+

ExternalAPICall +

+

+(Appears on: +GlobalContextEntrySpec) +

+

+

ExternalAPICall stores infos about API call that should be cached

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+APICall
+ + +APICall + + +
+

+(Members of APICall are embedded into this type.) +

+
+refreshIntervalSeconds
+ +int64 + +
+

RefreshIntervalSeconds defines the interval at which to poll the APICall

+
+

GlobalContextEntrySpec

@@ -8108,7 +8044,7 @@ Applicable only to policies that have validate.podSecurity subrule.

kubernetesResource
- + KubernetesResource @@ -8121,7 +8057,7 @@ KubernetesResource apiCall
- + ExternalAPICall @@ -8176,6 +8112,70 @@ bool
+

KubernetesResource +

+

+(Appears on: +GlobalContextEntrySpec) +

+

+

KubernetesResource stores infos about kubernetes resource that should be cached

+

+ + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+group
+ +string + +
+

Group defines the group of the resource

+
+version
+ +string + +
+

Version defines the version of the resource

+
+resource
+ +string + +
+

Resource defines the type of the resource

+
+namespace
+ +string + +
+

Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.

+
+

kyverno.io/v2beta1

Resource Types: