mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity

chore: rename validationFailureAction to failureAction under the rule (#10893)

Browse source 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-08-27 23:07:57 +03:00 committed by GitHub
parent ee5fdcad47
commit 2140a0239b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
427 changed files with 3478 additions and 3478 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
api/kyverno/v1/common_types.go
View file

@ -451,18 +451,18 @@ func (m *ForEachMutation) SetPatchStrategicMerge(in any) {
// Validation defines checks to be performed on matching resources.
type Validation struct {
// ValidationFailureAction defines if a validation policy rule violation should block
// FailureAction defines if a validation policy rule violation should block
// the admission review request (Enforce), or allow (Audit) the admission review request
// and report an error in a policy report. Optional.
// Allowed values are Audit or Enforce.
// +optional
// +kubebuilder:validation:Enum=Audit;Enforce
ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
FailureAction *ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
// FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
// namespace-wise. It overrides FailureAction for the specified namespaces.
// +optional
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
FailureActionOverrides []ValidationFailureActionOverride `json:"failureActionOverrides,omitempty" yaml:"failureActionOverrides,omitempty"`
// Message specifies a custom message to be displayed on failure.
// +optional

2
api/kyverno/v1/image_verification_types.go
View file

@ -44,7 +44,7 @@ type ImageVerification struct {
// Allowed values are Audit or Enforce.
// +optional
// +kubebuilder:validation:Enum=Audit;Enforce
ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
FailureAction *ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
// Type specifies the method of signature validation. The allowed options
// are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.

2
api/kyverno/v1/spec_types.go
View file

@ -175,7 +175,7 @@ func (s *Spec) HasValidate() bool {
func (s *Spec) HasValidateEnforce() bool {
for _, rule := range s.Rules {
if rule.HasValidate() {
action := rule.Validation.ValidationFailureAction
action := rule.Validation.FailureAction
if action != nil && action.Enforce() {
return true
}

12
api/kyverno/v1/zz_generated.deepcopy.go
View file

@ -846,8 +846,8 @@ func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
*out = *in
if in.ValidationFailureAction != nil {
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
if in.FailureAction != nil {
in, out := &in.FailureAction, &out.FailureAction
*out = new(ValidationFailureAction)
**out = **in
}
@ -1637,13 +1637,13 @@ func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicy
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Validation) DeepCopyInto(out *Validation) {
*out = *in
if in.ValidationFailureAction != nil {
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
if in.FailureAction != nil {
in, out := &in.FailureAction, &out.FailureAction
*out = new(ValidationFailureAction)
**out = **in
}
if in.ValidationFailureActionOverrides != nil {
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides
if in.FailureActionOverrides != nil {
in, out := &in.FailureActionOverrides, &out.FailureActionOverrides
*out = make([]ValidationFailureActionOverride, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])

10
api/kyverno/v2beta1/common_types.go
View file

@ -11,18 +11,18 @@ type AssertionTree = kjson.Any
// Validation defines checks to be performed on matching resources.
type Validation struct {
// ValidationFailureAction defines if a validation policy rule violation should block
// FailureAction defines if a validation policy rule violation should block
// the admission review request (Enforce), or allow (Audit) the admission review request
// and report an error in a policy report. Optional.
// Allowed values are Audit or Enforce.
// +optional
// +kubebuilder:validation:Enum=Audit;Enforce
ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
// FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
// namespace-wise. It overrides FailureAction for the specified namespaces.
// +optional
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
FailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"failureActionOverrides,omitempty" yaml:"failureActionOverrides,omitempty"`
// Message specifies a custom message to be displayed on failure.
// +optional

2
api/kyverno/v2beta1/image_verification_types.go
View file

@ -12,7 +12,7 @@ type ImageVerification struct {
// Allowed values are Audit or Enforce.
// +optional
// +kubebuilder:validation:Enum=Audit;Enforce
ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
// Type specifies the method of signature validation. The allowed options
// are Cosign and Notary. By default Cosign is used if a type is not specified.

2
api/kyverno/v2beta1/spec_types.go
View file

@ -139,7 +139,7 @@ func (s *Spec) HasValidate() bool {
func (s *Spec) HasValidateEnforce() bool {
for _, rule := range s.Rules {
if rule.HasValidate() {
action := rule.Validation.ValidationFailureAction
action := rule.Validation.FailureAction
if action != nil && action.Enforce() {
return true
}

12
api/kyverno/v2beta1/zz_generated.deepcopy.go
View file

@ -368,8 +368,8 @@ func (in *Exception) DeepCopy() *Exception {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
*out = *in
if in.ValidationFailureAction != nil {
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
if in.FailureAction != nil {
in, out := &in.FailureAction, &out.FailureAction
*out = new(v1.ValidationFailureAction)
**out = **in
}
@ -833,13 +833,13 @@ func (in *Spec) DeepCopy() *Spec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Validation) DeepCopyInto(out *Validation) {
*out = *in
if in.ValidationFailureAction != nil {
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
if in.FailureAction != nil {
in, out := &in.FailureAction, &out.FailureAction
*out = new(v1.ValidationFailureAction)
**out = **in
}
if in.ValidationFailureActionOverrides != nil {
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides
if in.FailureActionOverrides != nil {
in, out := &in.FailureActionOverrides, &out.FailureActionOverrides
*out = make([]v1.ValidationFailureActionOverride, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])

696
charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
View file

@ -3099,6 +3099,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -3842,87 +3923,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -4611,6 +4611,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -4707,12 +4713,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -7902,6 +7902,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -8657,87 +8738,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -9440,6 +9440,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -9537,12 +9543,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have
@ -12523,6 +12523,87 @@ spec:
type: array
type: object
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -13266,87 +13347,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -14019,6 +14019,12 @@ spec:
type: array
type: object
type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14100,12 +14106,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -17295,6 +17295,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -18050,87 +18131,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -18833,6 +18833,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -18930,12 +18936,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have

696
charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml
View file

@ -3100,6 +3100,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -3843,87 +3924,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -4612,6 +4612,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -4708,12 +4714,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -7904,6 +7904,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -8659,87 +8740,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -9442,6 +9442,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -9539,12 +9545,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have
@ -12526,6 +12526,87 @@ spec:
type: array
type: object
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -13269,87 +13350,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -14022,6 +14022,12 @@ spec:
type: array
type: object
type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14103,12 +14109,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -17298,6 +17298,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -18053,87 +18134,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -18836,6 +18836,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -18933,12 +18939,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have

2
cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml
View file

@ -34,7 +34,7 @@ spec:
kinds:
- Namespace
validate:
validationFailureAction: Enforce
failureAction: Enforce
message: "You must have label 'purpose' with value 'production' set on all new namespaces."
pattern:
metadata:

4
cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml
View file

@ -18,7 +18,7 @@ spec:
- Pod
name: pods-require-account
validate:
validationFailureAction: Audit
failureAction: Audit
message: User pods must include an account for charging
pattern:
metadata:
@ -31,7 +31,7 @@ spec:
- Pod
name: pods-require-limits
validate:
validationFailureAction: Audit
failureAction: Audit
message: CPU and memory resource requests and limits are required for user pods
pattern:
spec:

4
cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml
View file

@ -18,7 +18,7 @@ spec:
- Pod
name: pods-require-account
validate:
validationFailureAction: Audit
failureAction: Audit
message: User pods must include an account for charging
pattern:
metadata:
@ -31,7 +31,7 @@ spec:
- Pod
name: pods-require-limits
validate:
validationFailureAction: Audit
failureAction: Audit
message: CPU and memory resource requests and limits are required for user pods
pattern:
spec:

2
cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml
View file

@ -32,4 +32,4 @@ spec:
required: true
useCache: true
verifyDigest: true
validationFailureAction: Audit
failureAction: Audit

2
cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml
View file

@ -56,4 +56,4 @@ spec:
- CREATE
message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}}
resource is protected. Admin or allowed users can change the resource'
validationFailureAction: Audit
failureAction: Audit

4
cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml
View file

@ -18,7 +18,7 @@ spec:
- Pod
name: pods-require-account
validate:
validationFailureAction: Audit
failureAction: Audit
message: User pods must include an account for charging
pattern:
metadata:
@ -42,4 +42,4 @@ spec:
requests:
cpu: ?*
memory: ?*
validationFailureAction: Audit
failureAction: Audit

2
cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml
View file

@ -30,7 +30,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: audit
failureAction: audit
message: CPU and memory resource requests and limits are required for user pods
pattern:
spec:

4
cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml
View file

@ -19,7 +19,7 @@ spec:
- Pod
name: pods-require-account
validate:
validationFailureAction: Audit
failureAction: Audit
message: User pods must include an account for charging
pattern:
metadata:
@ -32,7 +32,7 @@ spec:
- Pod
name: pods-require-limits
validate:
validationFailureAction: Audit
failureAction: Audit
message: CPU and memory resource requests and limits are required for user pods
pattern:
spec:

2
cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml
View file

@ -20,4 +20,4 @@ spec:
podSecurity:
level: restricted
version: latest
validationFailureAction: Audit
failureAction: Audit

696
cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
View file

@ -3093,6 +3093,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -3836,87 +3917,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -4605,6 +4605,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -4701,12 +4707,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -7896,6 +7896,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -8651,87 +8732,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -9434,6 +9434,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -9531,12 +9537,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have
@ -12517,6 +12517,87 @@ spec:
type: array
type: object
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -13260,87 +13341,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -14013,6 +14013,12 @@ spec:
type: array
type: object
type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14094,12 +14100,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -17289,6 +17289,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -18044,87 +18125,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -18827,6 +18827,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -18924,12 +18930,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have

696
cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
View file

@ -3094,6 +3094,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -3837,87 +3918,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -4606,6 +4606,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -4702,12 +4708,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -7898,6 +7898,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -8653,87 +8734,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -9436,6 +9436,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -9533,12 +9539,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have
@ -12520,6 +12520,87 @@ spec:
type: array
type: object
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -13263,87 +13344,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -14016,6 +14016,12 @@ spec:
type: array
type: object
type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14097,12 +14103,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -17292,6 +17292,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -18047,87 +18128,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -18830,6 +18830,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -18927,12 +18933,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have

696
config/crds/kyverno/kyverno.io_clusterpolicies.yaml
View file

@ -3093,6 +3093,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -3836,87 +3917,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -4605,6 +4605,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -4701,12 +4707,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -7896,6 +7896,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -8651,87 +8732,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -9434,6 +9434,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -9531,12 +9537,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have
@ -12517,6 +12517,87 @@ spec:
type: array
type: object
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -13260,87 +13341,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -14013,6 +14013,12 @@ spec:
type: array
type: object
type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14094,12 +14100,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -17289,6 +17289,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -18044,87 +18125,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -18827,6 +18827,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -18924,12 +18930,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have

696
config/crds/kyverno/kyverno.io_policies.yaml
View file

@ -3094,6 +3094,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -3837,87 +3918,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -4606,6 +4606,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -4702,12 +4708,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -7898,6 +7898,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -8653,87 +8734,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -9436,6 +9436,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -9533,12 +9539,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have
@ -12520,6 +12520,87 @@ spec:
type: array
type: object
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the
@ -13263,87 +13344,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -14016,6 +14016,12 @@ spec:
type: array
type: object
type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences:
description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14097,12 +14103,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have a
@ -17292,6 +17292,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry
@ -18047,87 +18128,6 @@ spec:
- latest
type: string
type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object
verifyImages:
description: VerifyImages is used to verify image signatures
@ -18830,6 +18830,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false.
type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image:
description: Deprecated. Use ImageReferences instead.
type: string
@ -18927,12 +18933,6 @@ spec:
description: UseCache enables caching of image verify
responses for this rule.
type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest:
default: true
description: VerifyDigest validates that images have

1392
config/install-latest-testing.yaml
View file

File diff suppressed because it is too large Load diff

24
docs/user/crd/index.html
View file

@ -2509,7 +2509,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
<tbody>
<tr>
<td>
<code>validationFailureAction</code><br/>
<code>failureAction</code><br/>
<em>
<a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction
@ -4619,7 +4619,7 @@ It is an empty string when validating admission policy is successfully generated
<tbody>
<tr>
<td>
<code>validationFailureAction</code><br/>
<code>failureAction</code><br/>
<em>
<a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction
@ -4628,7 +4628,7 @@ ValidationFailureAction
</td>
<td>
<em>(Optional)</em>
<p>ValidationFailureAction defines if a validation policy rule violation should block
<p>FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.</p>
@ -4636,7 +4636,7 @@ Allowed values are Audit or Enforce.</p>
</tr>
<tr>
<td>
<code>validationFailureActionOverrides</code><br/>
<code>failureActionOverrides</code><br/>
<em>
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
[]ValidationFailureActionOverride
@ -4645,8 +4645,8 @@ Allowed values are Audit or Enforce.</p>
</td>
<td>
<em>(Optional)</em>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
<p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.</p>
</td>
</tr>
<tr>
@ -8640,7 +8640,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
<tbody>
<tr>
<td>
<code>validationFailureAction</code><br/>
<code>failureAction</code><br/>
<em>
<a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction
@ -9523,7 +9523,7 @@ WebhookConfiguration
<tbody>
<tr>
<td>
<code>validationFailureAction</code><br/>
<code>failureAction</code><br/>
<em>
<a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction
@ -9532,7 +9532,7 @@ ValidationFailureAction
</td>
<td>
<em>(Optional)</em>
<p>ValidationFailureAction defines if a validation policy rule violation should block
<p>FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.</p>
@ -9540,7 +9540,7 @@ Allowed values are Audit or Enforce.</p>
</tr>
<tr>
<td>
<code>validationFailureActionOverrides</code><br/>
<code>failureActionOverrides</code><br/>
<em>
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
[]ValidationFailureActionOverride
@ -9549,8 +9549,8 @@ Allowed values are Audit or Enforce.</p>
</td>
<td>
<em>(Optional)</em>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
<p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.</p>
</td>
</tr>
<tr>

12
docs/user/crd/kyverno.v1.html
View file

@ -4945,7 +4945,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
<tr>
<td><code>validationFailureAction</code>
<td><code>failureAction</code>
</br>
@ -9285,7 +9285,7 @@ It is an empty string when validating admission policy is successfully generated
<tr>
<td><code>validationFailureAction</code>
<td><code>failureAction</code>
</br>
@ -9301,7 +9301,7 @@ It is an empty string when validating admission policy is successfully generated
<td>
<p>ValidationFailureAction defines if a validation policy rule violation should block
<p>FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.</p>
@ -9317,7 +9317,7 @@ Allowed values are Audit or Enforce.</p>
<tr>
<td><code>validationFailureActionOverrides</code>
<td><code>failureActionOverrides</code>
</br>
@ -9333,8 +9333,8 @@ Allowed values are Audit or Enforce.</p>
<td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
<p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.</p>

12
docs/user/crd/kyverno.v2beta1.html
View file

@ -2774,7 +2774,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
<tr>
<td><code>validationFailureAction</code>
<td><code>failureAction</code>
</br>
@ -4550,7 +4550,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<tr>
<td><code>validationFailureAction</code>
<td><code>failureAction</code>
</br>
@ -4566,7 +4566,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<td>
<p>ValidationFailureAction defines if a validation policy rule violation should block
<p>FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.</p>
@ -4582,7 +4582,7 @@ Allowed values are Audit or Enforce.</p>
<tr>
<td><code>validationFailureActionOverrides</code>
<td><code>failureActionOverrides</code>
</br>
@ -4598,8 +4598,8 @@ Allowed values are Audit or Enforce.</p>
<td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
<p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.</p>

6
pkg/autogen/autogen_test.go
View file

@ -242,7 +242,7 @@ func Test_GetSupportedControllers(t *testing.T) {
},
{
name: "rule-with-validate-podsecurity",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`),
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"failureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`),
expectedControllers: PodControllers,
},
}
@ -539,7 +539,7 @@ kA==
}
func Test_PodSecurityWithNoExceptions(t *testing.T) {
policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`)
policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"failureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`)
policies, _, _, err := yamlutils.GetPolicy([]byte(policy))
assert.NilError(t, err)
assert.Equal(t, 1, len(policies))
@ -573,7 +573,7 @@ func Test_ValidateWithCELExpressions(t *testing.T) {
]
},
"validate": {
"validationFailureAction": "Enforce",
"failureAction": "Enforce",
"cel": {
"expressions": [
{

40
pkg/autogen/rule.go
View file

@ -129,9 +129,9 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
}
if target := rule.Validation.GetPattern(); target != nil {
newValidate := kyvernov1.Validation{
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
ValidationFailureAction: rule.Validation.ValidationFailureAction,
ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides,
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
FailureAction: rule.Validation.FailureAction,
FailureActionOverrides: rule.Validation.FailureActionOverrides,
}
newValidate.SetPattern(
map[string]interface{}{
@ -145,10 +145,10 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
}
if rule.Validation.Deny != nil {
deny := kyvernov1.Validation{
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"),
Deny: rule.Validation.Deny,
ValidationFailureAction: rule.Validation.ValidationFailureAction,
ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides,
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"),
Deny: rule.Validation.Deny,
FailureAction: rule.Validation.FailureAction,
FailureActionOverrides: rule.Validation.FailureActionOverrides,
}
rule.Validation = deny
return rule
@ -163,8 +163,8 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
Version: rule.Validation.PodSecurity.Version,
Exclude: newExclude,
},
ValidationFailureAction: rule.Validation.ValidationFailureAction,
ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides,
FailureAction: rule.Validation.FailureAction,
FailureActionOverrides: rule.Validation.FailureActionOverrides,
}
rule.Validation = podSecurity
return rule
@ -183,12 +183,12 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
}
patterns = append(patterns, newPattern)
}
validationFailureAction := rule.Validation.ValidationFailureAction
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
failureAction := rule.Validation.FailureAction
failureActionOverrides := rule.Validation.FailureActionOverrides
rule.Validation = kyvernov1.Validation{
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"),
ValidationFailureAction: validationFailureAction,
ValidationFailureActionOverrides: validationFailureActionOverrides,
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"),
FailureAction: failureAction,
FailureActionOverrides: failureActionOverrides,
}
rule.Validation.SetAnyPattern(patterns)
return rule
@ -196,13 +196,13 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
if len(rule.Validation.ForEachValidation) > 0 && rule.Validation.ForEachValidation != nil {
newForeachValidate := make([]kyvernov1.ForEachValidation, len(rule.Validation.ForEachValidation))
copy(newForeachValidate, rule.Validation.ForEachValidation)
validationFailureAction := rule.Validation.ValidationFailureAction
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
failureAction := rule.Validation.FailureAction
failureActionOverrides := rule.Validation.FailureActionOverrides
rule.Validation = kyvernov1.Validation{
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
ForEachValidation: newForeachValidate,
ValidationFailureAction: validationFailureAction,
ValidationFailureActionOverrides: validationFailureActionOverrides,
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
ForEachValidation: newForeachValidate,
FailureAction: failureAction,
FailureActionOverrides: failureActionOverrides,
}
return rule
}

10
pkg/client/applyconfigurations/kyverno/v1/imageverification.go
View file

@ -25,7 +25,7 @@ import (
// ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use
// with apply.
type ImageVerificationApplyConfiguration struct {
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
Type *v1.ImageVerificationType `json:"type,omitempty"`
Image *string `json:"image,omitempty"`
ImageReferences []string `json:"imageReferences,omitempty"`
@ -53,11 +53,11 @@ func ImageVerification() *ImageVerificationApplyConfiguration {
return &ImageVerificationApplyConfiguration{}
}
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
// WithFailureAction sets the FailureAction field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
b.ValidationFailureAction = &value
// If called multiple times, the FailureAction field is set to the value of the last call.
func (b *ImageVerificationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
b.FailureAction = &value
return b
}

40
pkg/client/applyconfigurations/kyverno/v1/validation.go
View file

@ -27,17 +27,17 @@ import (
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
// with apply.
type ValidationApplyConfiguration struct {
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
ValidationFailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
Message *string `json:"message,omitempty"`
Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
CEL *CELApplyConfiguration `json:"cel,omitempty"`
Assert *v1alpha1.Any `json:"assert,omitempty"`
FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
FailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"failureActionOverrides,omitempty"`
Message *string `json:"message,omitempty"`
Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
CEL *CELApplyConfiguration `json:"cel,omitempty"`
Assert *v1alpha1.Any `json:"assert,omitempty"`
}
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@ -46,23 +46,23 @@ func Validation() *ValidationApplyConfiguration {
return &ValidationApplyConfiguration{}
}
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
// WithFailureAction sets the FailureAction field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
b.ValidationFailureAction = &value
// If called multiple times, the FailureAction field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
b.FailureAction = &value
return b
}
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
// WithFailureActionOverrides adds the given value to the FailureActionOverrides field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
// If called multiple times, values provided by each call will be appended to the FailureActionOverrides field.
func (b *ValidationApplyConfiguration) WithFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
for i := range values {
if values[i] == nil {
panic("nil value passed to WithValidationFailureActionOverrides")
panic("nil value passed to WithFailureActionOverrides")
}
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
b.FailureActionOverrides = append(b.FailureActionOverrides, *values[i])
}
return b
}

10
pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go
View file

@ -26,7 +26,7 @@ import (
// ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use
// with apply.
type ImageVerificationApplyConfiguration struct {
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
Type *v1.ImageVerificationType `json:"type,omitempty"`
ImageReferences []string `json:"imageReferences,omitempty"`
SkipImageReferences []string `json:"skipImageReferences,omitempty"`
@ -46,11 +46,11 @@ func ImageVerification() *ImageVerificationApplyConfiguration {
return &ImageVerificationApplyConfiguration{}
}
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
// WithFailureAction sets the FailureAction field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
b.ValidationFailureAction = &value
// If called multiple times, the FailureAction field is set to the value of the last call.
func (b *ImageVerificationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
b.FailureAction = &value
return b
}

40
pkg/client/applyconfigurations/kyverno/v2beta1/validation.go
View file

@ -28,17 +28,17 @@ import (
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
// with apply.
type ValidationApplyConfiguration struct {
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
Message *string `json:"message,omitempty"`
Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
RawPattern *kyverno.Any `json:"pattern,omitempty"`
RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty"`
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"`
Assert *v1alpha1.Any `json:"assert,omitempty"`
FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
FailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"failureActionOverrides,omitempty"`
Message *string `json:"message,omitempty"`
Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
RawPattern *kyverno.Any `json:"pattern,omitempty"`
RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty"`
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"`
Assert *v1alpha1.Any `json:"assert,omitempty"`
}
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@ -47,23 +47,23 @@ func Validation() *ValidationApplyConfiguration {
return &ValidationApplyConfiguration{}
}
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
// WithFailureAction sets the FailureAction field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
b.ValidationFailureAction = &value
// If called multiple times, the FailureAction field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
b.FailureAction = &value
return b
}
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
// WithFailureActionOverrides adds the given value to the FailureActionOverrides field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
// If called multiple times, values provided by each call will be appended to the FailureActionOverrides field.
func (b *ValidationApplyConfiguration) WithFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
for i := range values {
if values[i] == nil {
panic("nil value passed to WithValidationFailureActionOverrides")
panic("nil value passed to WithFailureActionOverrides")
}
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
b.FailureActionOverrides = append(b.FailureActionOverrides, *values[i])
}
return b
}

10
pkg/engine/api/engineresponse.go
View file

@ -201,7 +201,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
spec := pol.AsKyvernoPolicy().GetSpec()
for _, r := range spec.Rules {
if r.HasValidate() {
for _, v := range r.Validation.ValidationFailureActionOverrides {
for _, v := range r.Validation.FailureActionOverrides {
if !v.Action.IsValid() {
continue
}
@ -224,12 +224,12 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
}
}
if r.Validation.ValidationFailureAction != nil {
return *r.Validation.ValidationFailureAction
if r.Validation.FailureAction != nil {
return *r.Validation.FailureAction
}
} else if r.HasVerifyImages() {
if r.VerifyImages[0].ValidationFailureAction != nil {
return *r.VerifyImages[0].ValidationFailureAction
if r.VerifyImages[0].FailureAction != nil {
return *r.VerifyImages[0].FailureAction
}
}
}

44
pkg/engine/api/engineresponse_test.go
View file

@ -717,7 +717,7 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &audit,
FailureAction: &audit,
},
},
},
@ -732,7 +732,7 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
FailureAction: &enforce,
},
},
},
@ -773,8 +773,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
FailureAction: &enforce,
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"*"},
}},
@ -792,8 +792,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
FailureAction: &enforce,
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: "invalid",
Namespaces: []string{"*"},
}},
@ -970,8 +970,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
FailureAction: &enforce,
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"foo"},
}},
@ -990,8 +990,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
FailureAction: &enforce,
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"bar"},
}},
@ -1013,8 +1013,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
FailureAction: &enforce,
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
@ -1040,8 +1040,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
FailureAction: &enforce,
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
@ -1067,8 +1067,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
FailureAction: &enforce,
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"foo"},
NamespaceSelector: &metav1.LabelSelector{
@ -1095,8 +1095,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
FailureAction: &enforce,
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"bar"},
NamespaceSelector: &metav1.LabelSelector{
@ -1123,8 +1123,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
FailureAction: &enforce,
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"foo"},
NamespaceSelector: &metav1.LabelSelector{
@ -1151,8 +1151,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
FailureAction: &enforce,
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"*"},
NamespaceSelector: &metav1.LabelSelector{

4
pkg/engine/handlers/validation/validate_resource_test.go
View file

@ -60,7 +60,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext {
]
},
"validate": {
"validationFailureAction": "Enforce",
"failureAction": "Enforce",
"message": "The label size is required",
"pattern": {
"metadata": {
@ -88,7 +88,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext {
]
},
"validate": {
"validationFailureAction": "Enforce",
"failureAction": "Enforce",
"message": "The label size cannot be changed for a namespace",
"deny": {
"conditions": {

16
pkg/engine/utils/utils_test.go
View file

@ -846,7 +846,7 @@ func TestMatchesResourceDescription(t *testing.T) {
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": {"rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": {"rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
areErrorsExpected: false,
},
{
@ -873,7 +873,7 @@ func TestMatchesResourceDescription(t *testing.T) {
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "failureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
areErrorsExpected: true,
},
{
@ -882,7 +882,7 @@ func TestMatchesResourceDescription(t *testing.T) {
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
areErrorsExpected: true,
},
{
@ -1742,7 +1742,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "failureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
areErrorsExpected: false,
},
{
@ -1751,7 +1751,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
areErrorsExpected: false,
},
{
@ -1769,7 +1769,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "failureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
areErrorsExpected: true,
},
{
@ -1778,7 +1778,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "generateName": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "failureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
areErrorsExpected: true,
},
{
@ -1787,7 +1787,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
areErrorsExpected: true,
},
{

18
pkg/engine/validation_test.go
View file

@ -689,7 +689,7 @@ func TestValidate_foreach_zero_reported_asskip(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "Enforce",
"failureAction": "Enforce",
"foreach": [
{
"list": "request.object.spec.volumes[].projected.sources[].serviceAccountToken.expirationSeconds",
@ -1960,7 +1960,7 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing.
}
},
"validate": {
"validationFailureAction": "enforce",
"failureAction": "enforce",
"message": "The animal {{ request.object.metadata.labels.animal }} is not in the allowed list of animals.",
"deny": {
"conditions": [
@ -2151,7 +2151,7 @@ func Test_BlockLabelRemove(t *testing.T) {
]
},
"validate": {
"validationFailureAction": "enforce",
"failureAction": "enforce",
"message": "not allowed",
"deny": {
"conditions": {
@ -2269,7 +2269,7 @@ func TestValidate_context_variable_substitution_CLI(t *testing.T) {
}
],
"validate": {
"validationFailureAction": "enforce",
"failureAction": "enforce",
"message": "restrict pod counts to be no more than 10 on node minikube",
"deny": {
"conditions": [
@ -2372,7 +2372,7 @@ func Test_EmptyStringInDenyCondition(t *testing.T) {
}
],
"validate": {
"validationFailureAction": "enforce",
"failureAction": "enforce",
"deny": {
"conditions": [
{
@ -2457,7 +2457,7 @@ func Test_StringInDenyCondition(t *testing.T) {
}
],
"validate": {
"validationFailureAction": "enforce",
"failureAction": "enforce",
"deny": {
"conditions": [
{
@ -3006,7 +3006,7 @@ func Test_outof_foreach_element_validation(t *testing.T) {
"name": "test",
"match": {"resources": { "kinds": [ "Pod" ] } },
"validate": {
"validationFailureAction": "enforce",
"failureAction": "enforce",
"message": "Invalid name",
"pattern": {
"name": "{{ element.name }}"
@ -3045,7 +3045,7 @@ func Test_foreach_skip_initContainer_pass(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "enforce",
"failureAction": "enforce",
"message": "unknown registry",
"foreach": [
{
@ -3216,7 +3216,7 @@ func Test_delete_ignore_pattern(t *testing.T) {
"name": "test",
"match": {"resources": { "kinds": [ "Pod" ] } },
"validate": {
"validationFailureAction": "enforce",
"failureAction": "enforce",
"message": "Invalid label",
"pattern": {
"metadata" : {

4
pkg/policycache/cache.go
View file

@ -87,12 +87,12 @@ func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyver
}
// if the field isn't set, use the higher level policy setting
validationFailureAction := rule.Validation.ValidationFailureAction
validationFailureAction := rule.Validation.FailureAction
if validationFailureAction == nil {
validationFailureAction = &policy.GetSpec().ValidationFailureAction
}
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
validationFailureActionOverrides := rule.Validation.FailureActionOverrides
if len(validationFailureActionOverrides) == 0 {
validationFailureActionOverrides = policy.GetSpec().ValidationFailureActionOverrides
}

4
pkg/policycache/store.go
View file

@ -109,11 +109,11 @@ func (m *policyMap) set(key string, policy kyvernov1.PolicyInterface, client Res
kindStates := map[policyKey]state{}
for _, rule := range autogen.ComputeRules(policy, "") {
if rule.HasValidate() {
action := rule.Validation.ValidationFailureAction
action := rule.Validation.FailureAction
if action != nil && action.Enforce() {
enforcePolicy = true
}
for _, k := range rule.Validation.ValidationFailureActionOverrides {
for _, k := range rule.Validation.FailureActionOverrides {
if k.Action.Enforce() {
enforcePolicy = true
}

2
pkg/validatingadmissionpolicy/builder.go
View file

@ -123,7 +123,7 @@ func BuildValidatingAdmissionPolicyBinding(
// set validation action for vap binding
var validationActions []admissionregistrationv1alpha1.ValidationAction
validateAction := cpol.GetSpec().Rules[0].Validation.ValidationFailureAction
validateAction := cpol.GetSpec().Rules[0].Validation.FailureAction
if validateAction != nil {
if validateAction.Enforce() {
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)

2
pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
View file

@ -67,7 +67,7 @@ func checkPolicy(spec *kyvernov1.Spec) (bool, string) {
return false, msg
}
if ok, msg := checkValidationFailureActionOverrides(rule.Validation.ValidationFailureActionOverrides); !ok {
if ok, msg := checkValidationFailureActionOverrides(rule.Validation.FailureActionOverrides); !ok {
return false, msg
}

8
pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
View file

@ -649,8 +649,8 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
]
},
"validate": {
"validationFailureAction": "Enforce",
"validationFailureActionOverrides": [
"failureAction": "Enforce",
"failureActionOverrides": [
{
"action": "Enforce",
"namespaces": [
@ -704,8 +704,8 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
]
},
"validate": {
"validationFailureAction": "Enforce",
"validationFailureActionOverrides": [
"failureAction": "Enforce",
"failureActionOverrides": [
{
"action": "Enforce",
"namespaces": [

8
pkg/validation/policy/validate.go
View file

@ -140,8 +140,8 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
warnings = append(warnings, checkValidationFailureAction(spec.ValidationFailureAction, spec.ValidationFailureActionOverrides)...)
for _, rule := range spec.Rules {
if rule.HasValidate() {
if rule.Validation.ValidationFailureAction != nil {
warnings = append(warnings, checkValidationFailureAction(*rule.Validation.ValidationFailureAction, rule.Validation.ValidationFailureActionOverrides)...)
if rule.Validation.FailureAction != nil {
warnings = append(warnings, checkValidationFailureAction(*rule.Validation.FailureAction, rule.Validation.FailureActionOverrides)...)
}
}
}
@ -207,7 +207,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
if !policy.IsNamespaced() {
for i, r := range spec.Rules {
if r.HasValidate() {
err := validateNamespaces(r.Validation.ValidationFailureActionOverrides, specPath.Child("rules").Index(i).Child("validate").Child("validationFailureActionOverrides"))
err := validateNamespaces(r.Validation.FailureActionOverrides, specPath.Child("rules").Index(i).Child("validate").Child("validationFailureActionOverrides"))
if err != nil {
return warnings, err
}
@ -337,7 +337,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
verifyImagePath := rulePath.Child("verifyImages")
for index, i := range rule.VerifyImages {
action := i.ValidationFailureAction
action := i.FailureAction
if action != nil {
if action.Audit() {
isAuditFailureAction = true

56
pkg/webhooks/resource/validation_test.go
View file

@ -1071,8 +1071,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "audit",
"validationFailureActionOverrides":
"failureAction": "audit",
"failureActionOverrides":
[
{
"action": "enforce",
@ -1141,8 +1141,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "audit",
"validationFailureActionOverrides":
"failureAction": "audit",
"failureActionOverrides":
[
{
"action": "enforce",
@ -1213,8 +1213,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "audit",
"validationFailureActionOverrides":
"failureAction": "audit",
"failureActionOverrides":
[
{
"action": "enforce",
@ -1283,8 +1283,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "enforce",
"validationFailureActionOverrides":
"failureAction": "enforce",
"failureActionOverrides":
[
{
"action": "enforce",
@ -1353,8 +1353,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "enforce",
"validationFailureActionOverrides":
"failureAction": "enforce",
"failureActionOverrides":
[
{
"action": "enforce",
@ -1425,8 +1425,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "enforce",
"validationFailureActionOverrides":
"failureAction": "enforce",
"failureActionOverrides":
[
{
"action": "enforce",
@ -1495,8 +1495,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "enforce",
"validationFailureActionOverrides":
"failureAction": "enforce",
"failureActionOverrides":
[
{
"action": "enforce",
@ -1568,8 +1568,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "enforce",
"validationFailureActionOverrides":
"failureAction": "enforce",
"failureActionOverrides":
[
{
"action": "audit",
@ -1644,8 +1644,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "enforce",
"validationFailureActionOverrides":
"failureAction": "enforce",
"failureActionOverrides":
[
{
"action": "audit",
@ -1717,8 +1717,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "enforce",
"validationFailureActionOverrides":
"failureAction": "enforce",
"failureActionOverrides":
[
{
"action": "audit",
@ -1790,8 +1790,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "enforce",
"validationFailureActionOverrides":
"failureAction": "enforce",
"failureActionOverrides":
[
{
"action": "audit",
@ -1866,8 +1866,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "enforce",
"validationFailureActionOverrides":
"failureAction": "enforce",
"failureActionOverrides":
[
{
"action": "audit",
@ -1942,8 +1942,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "audit",
"validationFailureActionOverrides":
"failureAction": "audit",
"failureActionOverrides":
[
{
"action": "enforce",
@ -2017,8 +2017,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
}
},
"validate": {
"validationFailureAction": "audit",
"validationFailureActionOverrides":
"failureAction": "audit",
"failureActionOverrides":
[
{
"action": "enforce",

4
pkg/webhooks/utils/block_test.go
View file

@ -72,7 +72,7 @@ func TestBlockRequest(t *testing.T) {
{
Name: "rule-audit",
Validation: kyvernov1.Validation{
ValidationFailureAction: &audit,
FailureAction: &audit,
},
},
},
@ -88,7 +88,7 @@ func TestBlockRequest(t *testing.T) {
{
Name: "rule-enforce",
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
FailureAction: &enforce,
},
},
},

2
test/cli/apply/policies-set/policy.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Audit
failureAction: Audit
message: "The foo label must be set."
pattern:
metadata:

4
test/cli/apply/policies/policy.yaml
View file

@ -19,7 +19,7 @@ spec:
- Pod
name: validate-image-tag
validate:
validationFailureAction: Audit
failureAction: Audit
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:
@ -48,7 +48,7 @@ spec:
operator: NotEquals
value: DELETE
validate:
validationFailureAction: Audit
failureAction: Audit
foreach:
- deny:
conditions:

4
test/cli/registry/image-example.yaml
View file

@ -19,7 +19,7 @@ spec:
operator: NotEquals
value: DELETE
validate:
validationFailureAction: Enforce
failureAction: Enforce
foreach:
- context:
- imageRegistry:
@ -57,7 +57,7 @@ spec:
operator: NotEquals
value: DELETE
validate:
validationFailureAction: Enforce
failureAction: Enforce
foreach:
- context:
- imageRegistry:

2
test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Pod
name: validate-default-proc-mount
validate:
validationFailureAction: Audit
failureAction: Audit
message: Default proc mount should set to Unmasked
pattern:
spec:

2
test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Pod
name: validate-selinux-options
validate:
validationFailureAction: Audit
failureAction: Audit
message: SELinux level is required
pattern:
spec:

2
test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Pod
name: validate-volumes-whitelist
validate:
validationFailureAction: Audit
failureAction: Audit
anyPattern:
- spec:
volumes:

2
test/cli/test-exceptions/exceptions-1/policy.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
failureAction: Enforce
message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must be unset or set to `false`.

2
test/cli/test-exceptions/exceptions-2/policy.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
failureAction: Enforce
message: "A maximum of 2 containers are allowed inside a Pod."
deny:
conditions:

2
test/cli/test-exceptions/exceptions-3/policy.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
failureAction: Enforce
podSecurity:
level: baseline
version: latest

2
test/cli/test-fail/invalid-ns/policy.yaml
View file

@ -36,4 +36,4 @@ spec:
labels:
=(schiff.telekom.de/owner): '!schiff'
platform.das-schiff.telekom.de/owner: '!das-schiff'
validationFailureAction: Enforce
failureAction: Enforce

4
test/cli/test-fail/missing-policy/policy.yaml
View file

@ -21,7 +21,7 @@ spec:
- test
name: require-image-tag
validate:
validationFailureAction: Audit
failureAction: Audit
message: An image tag is required.
pattern:
spec:
@ -41,4 +41,4 @@ spec:
spec:
containers:
- image: '!*:latest'
validationFailureAction: Audit
failureAction: Audit

4
test/cli/test-fail/missing-resource/policy.yaml
View file

@ -21,7 +21,7 @@ spec:
- test
name: require-image-tag
validate:
validationFailureAction: Audit
failureAction: Audit
message: An image tag is required.
pattern:
spec:
@ -41,4 +41,4 @@ spec:
spec:
containers:
- image: '!*:latest'
validationFailureAction: Audit
failureAction: Audit

4
test/cli/test-fail/missing-rule/policy.yaml
View file

@ -21,7 +21,7 @@ spec:
- test
name: require-image-tag
validate:
validationFailureAction: Audit
failureAction: Audit
message: An image tag is required.
pattern:
spec:
@ -41,4 +41,4 @@ spec:
spec:
containers:
- image: '!*:latest'
validationFailureAction: Audit
failureAction: Audit

4
test/cli/test/admission_user_info/disallow_latest_tag.yaml
View file

@ -21,7 +21,7 @@ spec:
- Pod
name: require-image-tag
validate:
validationFailureAction: Audit
failureAction: Audit
message: An image tag is required.
pattern:
spec:
@ -34,7 +34,7 @@ spec:
- Pod
name: validate-image-tag
validate:
validationFailureAction: Audit
failureAction: Audit
message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern:
spec:

2
test/cli/test/any-all-wildcard/policy.yaml
View file

@ -17,6 +17,6 @@ spec:
- namespace2
name: disallow
validate:
validationFailureAction: Enforce
failureAction: Enforce
deny: {}
message: This resource is protected and changes are not allowed.

2
test/cli/test/any-namespaceSelector/policy.yaml
View file

@ -20,7 +20,7 @@ spec:
- managed
name: validate-name
validate:
validationFailureAction: Audit
failureAction: Audit
message: The Pod must end with -nginx
pattern:
metadata:

2
test/cli/test/anypattern_skip_error/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Service
name: check-loadbalancer-public
validate:
validationFailureAction: Enforce
failureAction: Enforce
anyPattern:
- metadata:
annotations:

2
test/cli/test/autogen-values/policy.yaml
View file

@ -28,4 +28,4 @@ spec:
validate:
message: Do nothing!
pattern: {}
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/autogen/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Pod
name: check-for-labels
validate:
validationFailureAction: Enforce
failureAction: Enforce
message: Both `app` and `owner` labels must be set on all workloads
pattern:
metadata:

2
test/cli/test/cel-preconditions/disallow-host-path.yaml
View file

@ -15,7 +15,7 @@ spec:
- expression: "object.metadata.labels['color'] == 'red'"
name: "Label should be red"
validate:
validationFailureAction: Audit
failureAction: Audit
cel:
expressions:
- expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"

2
test/cli/test/check-deployment-namespace-cel/policy.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds:
- Deployment
validate:
validationFailureAction: Audit
failureAction: Audit
cel:
expressions:
- expression: "namespaceObject.metadata.name != 'default'"

2
test/cli/test/container_reorder/policy.yml
View file

@ -32,4 +32,4 @@ spec:
required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce
failureAction: Enforce

22
test/cli/test/context-entries/policies.yaml
View file

@ -21,7 +21,7 @@ spec:
- Pod
name: defined-value
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
- key: '{{ example.test.nested.value }}'
@ -38,7 +38,7 @@ spec:
- Pod
name: defined-jmespath
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
- key: '{{ objName }}'
@ -56,7 +56,7 @@ spec:
- Pod
name: defined-jmespath-with-default
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
- key: '{{ objName }}'
@ -74,7 +74,7 @@ spec:
- Pod
name: defined-value-with-variable
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
- key: '{{ obj.name }}'
@ -92,7 +92,7 @@ spec:
- Pod
name: defined-jmespath-with-default-variable
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
- key: '{{ objName }}'
@ -111,7 +111,7 @@ spec:
- Pod
name: defined-value-jmespath
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
- key: '{{ objName }}'
@ -133,7 +133,7 @@ spec:
- Pod
name: defined-value-jmespath-variable
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
- key: '{{ objName }}'
@ -155,7 +155,7 @@ spec:
- Pod
name: value-override
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
any:
@ -178,7 +178,7 @@ spec:
- Pod
name: wildcard-match
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
- key: A=*
@ -205,7 +205,7 @@ spec:
- Pod
name: items
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
- key: '{{ obj }}'
@ -234,7 +234,7 @@ spec:
- Pod
name: unused-var
validate:
validationFailureAction: Audit
failureAction: Audit
deny:
conditions:
- key: '{{ modifiedObj }}'

2
test/cli/test/context-foreach/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Pod
name: block-images
validate:
validationFailureAction: Audit
failureAction: Audit
foreach:
- context:
- imageRegistry:

14
test/cli/test/custom-functions/policy.yaml
View file

@ -19,7 +19,7 @@ spec:
- key: '{{base64_decode(request.object.data.value)}}'
operator: NotEquals
value: '{{request.object.metadata.labels.value}}'
validationFailureAction: Enforce
failureAction: Enforce
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -42,7 +42,7 @@ spec:
- key: '{{pattern_match(''prefix-*'', request.object.metadata.labels.value)}}'
operator: Equals
value: false
validationFailureAction: Enforce
failureAction: Enforce
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -78,7 +78,7 @@ spec:
- key: '{{ element.hostPath.path }}'
operator: NotEquals
value: ""
validationFailureAction: Enforce
failureAction: Enforce
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -101,7 +101,7 @@ spec:
operator: NotEquals
value: b
message: Test JMESPath
validationFailureAction: Enforce
failureAction: Enforce
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -124,7 +124,7 @@ spec:
operator: NotEquals
value: a
message: Test JMESPath
validationFailureAction: Enforce
failureAction: Enforce
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -148,7 +148,7 @@ spec:
value: '{{request.object.metadata.annotations.test | parse_yaml(@).array
}}'
message: Test JMESPath
validationFailureAction: Enforce
failureAction: Enforce
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -175,4 +175,4 @@ spec:
message: 'public key modulus mismatch: "{{ x509_decode(''{{request.object.data.cert}}'').PublicKey.N
}}" != "{{ x509_decode(''{{base64_decode(''{{request.object.data.certB64}}'')}}'').PublicKey.N
}}"'
validationFailureAction: Enforce
failureAction: Enforce

2
test/cli/test/default_value_to_create/check-supplemental-groups.yaml
View file

@ -39,4 +39,4 @@ spec:
spec:
=(securityContext):
=(supplementalGroups): 100-200 | 500-600
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml
View file

@ -30,4 +30,4 @@ spec:
deny: {}
message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
should not be modified by non-admin users.
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml
View file

@ -26,4 +26,4 @@ spec:
deny: {}
message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
should not be modified by non-admin users.
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml
View file

@ -35,4 +35,4 @@ spec:
deny: {}
message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
should not be modified by non-admin users.
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml
View file

@ -14,7 +14,7 @@ spec:
operations:
- DELETE
validate:
validationFailureAction: Enforce
failureAction: Enforce
message: Pod cannot be deleted
deny: {}

2
test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds:
- Pod
validate:
validationFailureAction: Enforce
failureAction: Enforce
message: Pod cannot be deleted
deny:
conditions:

2
test/cli/test/depecated_apis/policy.yaml
View file

@ -33,4 +33,4 @@ spec:
deny: {}
message: '{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated
and will be removed in v1.25. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
validationFailureAction: Enforce
failureAction: Enforce

2
test/cli/test/disallow-service/policy.yaml
View file

@ -28,4 +28,4 @@ spec:
anyPattern:
- kind: '!Service'
message: Can't create a service. Sorry...
validationFailureAction: Enforce
failureAction: Enforce

2
test/cli/test/exclude/policy.yaml
View file

@ -36,7 +36,7 @@ spec:
matchLabels:
require-requests-limits.kyverno.io/exclude: "true"
validate:
validationFailureAction: Enforce
failureAction: Enforce
message: "CPU and memory resource requests and limits are required."
pattern:
spec:

2
test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml
View file

@ -41,4 +41,4 @@ spec:
operator: Equals
value: "false"
message: Exec'ing into Pods protected with the label `exec=false` is forbidden.
validationFailureAction: Enforce
failureAction: Enforce

2
test/cli/test/foreach-preconditions/policies.yaml
View file

@ -32,4 +32,4 @@ spec:
operator: NotEquals
value: ""
message: Limits may not exceed 2.5x the requests.
validationFailureAction: Enforce
failureAction: Enforce

8
test/cli/test/foreach/policies.yaml
View file

@ -25,7 +25,7 @@ spec:
- (name): '{{element.name}}'
mountPath: /tmp/*
message: emptyDir volumes must be mounted under /tmp
validationFailureAction: Audit
failureAction: Audit
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -56,7 +56,7 @@ spec:
volumeMounts:
- <(name): '{{element.name}}'
message: ephemeral-storage requests and limits are required for emptyDir volumes
validationFailureAction: Audit
failureAction: Audit
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -82,7 +82,7 @@ spec:
value: ghcr.io
list: request.object.spec.containers[].image
message: images must begin with ghcr.io
validationFailureAction: Audit
failureAction: Audit
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -109,4 +109,4 @@ spec:
elementScope: true
list: request.object.spec.containers[].image
message: images must begin with ghcr.io
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/globalcontext/policy.yaml
View file

@ -24,7 +24,7 @@ spec:
- CREATE
- UPDATE
validate:
validationFailureAction: Enforce
failureAction: Enforce
deny:
conditions:
any:

2
test/cli/test/images/digest/policies.yaml
View file

@ -22,4 +22,4 @@ spec:
required: false
useCache: true
verifyDigest: true
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/images/secure-images/policies.yaml
View file

@ -23,5 +23,5 @@ spec:
required: true
useCache: true
verifyDigest: false
validationFailureAction: Enforce
failureAction: Enforce
webhookTimeoutSeconds: 30

2
test/cli/test/images/signatures/policies.yaml
View file

@ -36,4 +36,4 @@ spec:
required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce
failureAction: Enforce

4
test/cli/test/images/verify-signature/policies.yaml
View file

@ -37,7 +37,7 @@ spec:
required: true
useCache: true
verifyDigest: true
validationFailureAction: Enforce
failureAction: Enforce
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -81,4 +81,4 @@ spec:
required: true
useCache: true
verifyDigest: false
validationFailureAction: Enforce
failureAction: Enforce

4
test/cli/test/jmespath-brackets/policy.yaml
View file

@ -26,7 +26,7 @@ spec:
a: "1"
test: ""
message: All pod labels must match except test
validationFailureAction: Enforce
failureAction: Enforce
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -51,4 +51,4 @@ spec:
value: false
message: For creating a namespace you need to set the objectid of the Azure
AD Group that needs access to this namespace as the aadobjectid label
validationFailureAction: Enforce
failureAction: Enforce

2
test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml
View file

@ -56,4 +56,4 @@ spec:
- CREATE
message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}}
resource is protected. Admin or allowed users can change the resource'
validationFailureAction: Audit
failureAction: Audit

4
test/cli/test/manifests/verify-signature/policies.yaml
View file

@ -16,7 +16,7 @@ spec:
name: test*
name: validate-yaml
validate:
validationFailureAction: Enforce
failureAction: Enforce
manifests:
attestors:
- count: 1
@ -43,7 +43,7 @@ spec:
name: test*
name: validate-yaml-multi-sig
validate:
validationFailureAction: Enforce
failureAction: Enforce
manifests:
attestors:
- entries:

2
test/cli/test/mixed/policy.yaml
View file

@ -21,7 +21,7 @@ spec:
- user-?*
name: ondemand-managed_by
validate:
validationFailureAction: Audit
failureAction: Audit
message: '{{ request.object.metadata.namespace }} pods must be managed by open-ondemand'
pattern:
metadata:

4
test/cli/test/multiple-validate-rules/policy.yaml
View file

@ -17,7 +17,7 @@ spec:
operator: Equals
value: 'LoadBalancer'
validate:
validationFailureAction: Enforce
failureAction: Enforce
message: >-
Only approved ports may be used for LoadBalancer services.
foreach:
@ -38,7 +38,7 @@ spec:
kinds:
- Service
validate:
validationFailureAction: Enforce
failureAction: Enforce
message: "NodePort services are not allowed. This is {{ request.object.spec.type }}"
pattern:
spec:

2
test/cli/test/multiple_condition_keys/policy.yaml
View file

@ -23,4 +23,4 @@ spec:
value:
- busybox
- busybox1
validationFailureAction: Enforce
failureAction: Enforce

2
test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml
View file

@ -44,4 +44,4 @@ spec:
metadata:
labels:
foo: '*'
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml
View file

@ -37,4 +37,4 @@ spec:
operator: NotEquals
value: 2400
message: certificate duration must be < than 2400h (100 days)
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/node-status/check_node_for_cve_2022_0185.yaml
View file

@ -32,4 +32,4 @@ spec:
status:
nodeInfo:
kernelVersion: '!5.10.84-1 & !5.15.5-2'
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/owner_references/policy.yaml
View file

@ -28,4 +28,4 @@ spec:
periodSeconds: '>0'
readinessProbe:
periodSeconds: '>0'
validationFailureAction: Enforce
failureAction: Enforce

2
test/cli/test/policy-reports-skip-validation/policy.yaml
View file

@ -33,4 +33,4 @@ spec:
operator: AnyNotIn
value: '{{request.object.metadata.keys(@)}}'
message: naked pods are not allowed
validationFailureAction: Audit
failureAction: Audit

2
test/cli/test/preconditions/policy.yaml
View file

@ -24,4 +24,4 @@ spec:
spec:
containers:
- name: '*busybox*'
validationFailureAction: Enforce
failureAction: Enforce

Some files were not shown because too many files have changed in this diff Show more