diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 53d94bc238..dc634e72dd 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -451,18 +451,18 @@ func (m *ForEachMutation) SetPatchStrategicMerge(in any) { // Validation defines checks to be performed on matching resources. type Validation struct { - // ValidationFailureAction defines if a validation policy rule violation should block + // FailureAction defines if a validation policy rule violation should block // the admission review request (Enforce), or allow (Audit) the admission review request // and report an error in a policy report. Optional. // Allowed values are Audit or Enforce. // +optional // +kubebuilder:validation:Enum=Audit;Enforce - ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + FailureAction *ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"` - // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + // FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + // namespace-wise. It overrides FailureAction for the specified namespaces. // +optional - ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` + FailureActionOverrides []ValidationFailureActionOverride `json:"failureActionOverrides,omitempty" yaml:"failureActionOverrides,omitempty"` // Message specifies a custom message to be displayed on failure. // +optional diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index 0da5308452..8f0ab29d73 100644 --- a/api/kyverno/v1/image_verification_types.go 
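Review bot: The `json`/`yaml` keys on `Validation.FailureAction` and `Validation.FailureActionOverrides` change from `validationFailureAction`/`validationFailureActionOverrides` to `failureAction`/`failureActionOverrides` with no alias left for the old keys, so a policy manifest that still uses the old keys decodes with a nil `FailureAction`. `HasValidateEnforce` in spec_types.go only reports Enforce when that pointer is non-nil, so such a rule would presumably stop being treated as Enforce, and the API server may prune the old key because the regenerated CRD no longer lists it. If the old rule-level keys ever shipped in a release, keep them as deprecated fields that are consulted when `FailureAction` is nil, or reject them with a validation error that names the new key; if they never shipped, state that in the commit description. The same applies to `ImageVerification.FailureAction` in v1 and to both structs in v2beta1. The `Validation` struct continues outside the hunk.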
+++ b/api/kyverno/v1/image_verification_types.go @@ -44,7 +44,7 @@ type ImageVerification struct { // Allowed values are Audit or Enforce. // +optional // +kubebuilder:validation:Enum=Audit;Enforce - ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + FailureAction *ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"` // Type specifies the method of signature validation. The allowed options // are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index 901cf0f651..d8cf8237e5 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go @@ -175,7 +175,7 @@ func (s *Spec) HasValidate() bool { func (s *Spec) HasValidateEnforce() bool { for _, rule := range s.Rules { if rule.HasValidate() { - action := rule.Validation.ValidationFailureAction + action := rule.Validation.FailureAction if action != nil && action.Enforce() { return true } diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index bb1154a3ba..733d0d5024 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -846,8 +846,8 @@ func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { *out = *in - if in.ValidationFailureAction != nil { - in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + if in.FailureAction != nil { + in, out := &in.FailureAction, &out.FailureAction *out = new(ValidationFailureAction) **out = **in } 
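Review bot: The doc comment above `ImageVerification.FailureAction` in the image_verification_types.go hunk appears to consist only of `// Allowed values are Audit or Enforce.`, since the regenerated CRD carries exactly that sentence as the whole field description, so the schema never says what either value does when image verification fails. Open the comment with the field name, for example `// FailureAction defines whether a failed image verification blocks the admission request (Enforce) or is only reported (Audit).`, with the wording confirmed against the verifier's behaviour, which this hunk does not show. The v2beta1 `ImageVerification` hunk has the same comment. The struct starts and ends outside the hunk.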
@@ -1637,13 +1637,13 @@ func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicy // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Validation) DeepCopyInto(out *Validation) { *out = *in - if in.ValidationFailureAction != nil { - in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + if in.FailureAction != nil { + in, out := &in.FailureAction, &out.FailureAction *out = new(ValidationFailureAction) **out = **in } - if in.ValidationFailureActionOverrides != nil { - in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides + if in.FailureActionOverrides != nil { + in, out := &in.FailureActionOverrides, &out.FailureActionOverrides *out = make([]ValidationFailureActionOverride, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) diff --git a/api/kyverno/v2beta1/common_types.go b/api/kyverno/v2beta1/common_types.go index bce28ac00e..a6fb446225 100644 --- a/api/kyverno/v2beta1/common_types.go +++ b/api/kyverno/v2beta1/common_types.go 
@@ -11,18 +11,18 @@ type AssertionTree = kjson.Any // Validation defines checks to be performed on matching resources. type Validation struct { - // ValidationFailureAction defines if a validation policy rule violation should block + // FailureAction defines if a validation policy rule violation should block // the admission review request (Enforce), or allow (Audit) the admission review request // and report an error in a policy report. Optional. // Allowed values are Audit or Enforce. // +optional // +kubebuilder:validation:Enum=Audit;Enforce - ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"` - // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + // FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + // namespace-wise. It overrides FailureAction for the specified namespaces. // +optional - ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` + FailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"failureActionOverrides,omitempty" yaml:"failureActionOverrides,omitempty"` // Message specifies a custom message to be displayed on failure. // +optional diff --git a/api/kyverno/v2beta1/image_verification_types.go b/api/kyverno/v2beta1/image_verification_types.go index d6a270c5b0..a92918aaae 100644 --- a/api/kyverno/v2beta1/image_verification_types.go +++ b/api/kyverno/v2beta1/image_verification_types.go 
@@ -12,7 +12,7 @@ type ImageVerification struct { // Allowed values are Audit or Enforce. // +optional // +kubebuilder:validation:Enum=Audit;Enforce - ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"` // Type specifies the method of signature validation. The allowed options // are Cosign and Notary. By default Cosign is used if a type is not specified. diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go index 11f72bf2b3..7f87861789 100644 --- a/api/kyverno/v2beta1/spec_types.go +++ b/api/kyverno/v2beta1/spec_types.go @@ -139,7 +139,7 @@ func (s *Spec) HasValidate() bool { func (s *Spec) HasValidateEnforce() bool { for _, rule := range s.Rules { if rule.HasValidate() { - action := rule.Validation.ValidationFailureAction + action := rule.Validation.FailureAction if action != nil && action.Enforce() { return true } diff --git a/api/kyverno/v2beta1/zz_generated.deepcopy.go b/api/kyverno/v2beta1/zz_generated.deepcopy.go index d115186769..6fcc17e5a9 100755 --- a/api/kyverno/v2beta1/zz_generated.deepcopy.go +++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go @@ -368,8 +368,8 @@ func (in *Exception) DeepCopy() *Exception { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { *out = *in - if in.ValidationFailureAction != nil { - in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + if in.FailureAction != nil { + in, out := &in.FailureAction, &out.FailureAction *out = new(v1.ValidationFailureAction) **out = **in } 
@@ -833,13 +833,13 @@ func (in *Spec) DeepCopy() *Spec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Validation) DeepCopyInto(out *Validation) { *out = *in - if in.ValidationFailureAction != nil { - in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + if in.FailureAction != nil { + in, out := &in.FailureAction, &out.FailureAction *out = new(v1.ValidationFailureAction) **out = **in } - if in.ValidationFailureActionOverrides != nil { - in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides + if in.FailureActionOverrides != nil { + in, out := &in.FailureActionOverrides, &out.FailureActionOverrides *out = make([]v1.ValidationFailureActionOverride, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 0bf5d7aa74..0653d6316a 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 
@@ -3099,6 +3099,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -3842,87 +3923,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4611,6 +4611,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -4707,12 +4713,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -7902,6 +7902,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -8657,87 +8738,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -9440,6 +9440,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -9537,12 +9543,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -12523,6 +12523,87 @@ spec: type: array type: object type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -13266,87 +13347,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -14019,6 +14019,12 @@ spec: type: array type: object type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string imageReferences: description: |- ImageReferences is a list of matching image reference patterns. At least one pattern in the @@ -14100,12 +14106,6 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -17295,6 +17295,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -18050,87 +18131,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -18833,6 +18833,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -18930,12 +18936,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 2baa674ced..34e0bc99d4 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 
@@ -3100,6 +3100,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -3843,87 +3924,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4612,6 +4612,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -4708,12 +4714,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -7904,6 +7904,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -8659,87 +8740,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -9442,6 +9442,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -9539,12 +9545,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -12526,6 +12526,87 @@ spec: type: array type: object type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -13269,87 +13350,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -14022,6 +14022,12 @@ spec: type: array type: object type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string imageReferences: description: |- ImageReferences is a list of matching image reference patterns. At least one pattern in the @@ -14103,12 +14109,6 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -17298,6 +17298,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -18053,87 +18134,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -18836,6 +18836,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -18933,12 +18939,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml b/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml index 8dc690aa2f..40d9b5cb52 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml @@ -34,7 +34,7 @@ spec: kinds: - Namespace validate: - validationFailureAction: Enforce + failureAction: Enforce message: "You must have label 'purpose' with value 'production' set on all new namespaces." pattern: metadata: 
diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml index 2b9137d169..9ff26f577f 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml @@ -18,7 +18,7 @@ spec: - Pod name: pods-require-account validate: - validationFailureAction: Audit + failureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -31,7 +31,7 @@ spec: - Pod name: pods-require-limits validate: - validationFailureAction: Audit + failureAction: Audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml index 2b9137d169..9ff26f577f 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml @@ -18,7 +18,7 @@ spec: - Pod name: pods-require-account validate: - validationFailureAction: Audit + failureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -31,7 +31,7 @@ spec: - Pod name: pods-require-limits validate: - validationFailureAction: Audit + failureAction: Audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml index 34b5af5fd1..c32186327b 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml 
@@ -32,4 +32,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Audit + failureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml index c6bc85b85f..7cf71bc478 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml @@ -56,4 +56,4 @@ spec: - CREATE message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource' - validationFailureAction: Audit + failureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml index 095c6af952..9750c40162 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml @@ -18,7 +18,7 @@ spec: - Pod name: pods-require-account validate: - validationFailureAction: Audit + failureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -42,4 +42,4 @@ spec: requests: cpu: ?* memory: ?* - validationFailureAction: Audit + failureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml index 2f0347e5c5..ef74927bc1 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml @@ -30,7 +30,7 @@ spec: kinds: - Pod validate: - validationFailureAction: audit + failureAction: audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: 
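Review bot: The `invalid-schema.yaml` fixture does not say which field makes it an invalid schema, and after this rename the lowercase value in `failureAction: audit` is the only candidate visible in the hunk. The CRD hunks in this commit list only `Audit` and `Enforce` for `failureAction`, while the `action` enum under `failureActionOverrides` also accepts `audit` and `enforce`, so a reader can easily take the lowercase value for a typo and correct it. A comment above the line, for example `# lowercase "audit" is deliberate: it is outside the Audit/Enforce enum`, would pin the intent, assuming that is what the test relies on; the rest of the file lies outside the hunk.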
diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml index 0398149107..78fdfb81af 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml @@ -19,7 +19,7 @@ spec: - Pod name: pods-require-account validate: - validationFailureAction: Audit + failureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -32,7 +32,7 @@ spec: - Pod name: pods-require-limits validate: - validationFailureAction: Audit + failureAction: Audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml index 6007ec75a4..43780533f1 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml @@ -20,4 +20,4 @@ spec: podSecurity: level: restricted version: latest - validationFailureAction: Audit + failureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 5be955d0f3..7bd0e709cb 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml 
@@ -3093,6 +3093,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -3836,87 +3917,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4605,6 +4605,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -4701,12 +4707,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -7896,6 +7896,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -8651,87 +8732,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -9434,6 +9434,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -9531,12 +9537,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -12517,6 +12517,87 @@ spec: type: array type: object type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -13260,87 +13341,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -14013,6 +14013,12 @@ spec: type: array type: object type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string imageReferences: description: |- ImageReferences is a list of matching image reference patterns. At least one pattern in the @@ -14094,12 +14100,6 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -17289,6 +17289,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -18044,87 +18125,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -18827,6 +18827,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -18924,12 +18930,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 680caa298a..a28d26774f 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml 
@@ -3094,6 +3094,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -3837,87 +3918,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4606,6 +4606,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -4702,12 +4708,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -7898,6 +7898,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -8653,87 +8734,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -9436,6 +9436,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -9533,12 +9539,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -12520,6 +12520,87 @@ spec: type: array type: object type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -13263,87 +13344,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -14016,6 +14016,12 @@ spec: type: array type: object type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string imageReferences: description: |- ImageReferences is a list of matching image reference patterns. At least one pattern in the @@ -14097,12 +14103,6 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -17292,6 +17292,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -18047,87 +18128,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -18830,6 +18830,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -18927,12 +18933,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index 5be955d0f3..7bd0e709cb 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml 
@@ -3093,6 +3093,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -3836,87 +3917,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4605,6 +4605,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -4701,12 +4707,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -7896,6 +7896,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -8651,87 +8732,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -9434,6 +9434,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -9531,12 +9537,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -12517,6 +12517,87 @@ spec: type: array type: object type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -13260,87 +13341,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -14013,6 +14013,12 @@ spec: type: array type: object type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string imageReferences: description: |- ImageReferences is a list of matching image reference patterns. At least one pattern in the @@ -14094,12 +14100,6 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -17289,6 +17289,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -18044,87 +18125,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -18827,6 +18827,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -18924,12 +18930,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 680caa298a..a28d26774f 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml 
@@ -3094,6 +3094,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -3837,87 +3918,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4606,6 +4606,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -4702,12 +4708,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -7898,6 +7898,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -8653,87 +8734,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -9436,6 +9436,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -9533,12 +9539,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -12520,6 +12520,87 @@ spec: type: array type: object type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -13263,87 +13344,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -14016,6 +14016,12 @@ spec: type: array type: object type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string imageReferences: description: |- ImageReferences is a list of matching image reference patterns. At least one pattern in the @@ -14097,12 +14103,6 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -17292,6 +17292,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -18047,87 +18128,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -18830,6 +18830,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -18927,12 +18933,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index a9e97ae4ca..ba15733681 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -8291,6 +8291,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -9034,87 +9115,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -9803,6 +9803,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -9899,12 +9905,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -13094,6 +13094,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -13849,87 +13930,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -14632,6 +14632,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -14729,12 +14735,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -17715,6 +17715,87 @@ spec: type: array type: object type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -18458,87 +18539,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -19211,6 +19211,12 @@ spec: type: array type: object type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string imageReferences: description: |- ImageReferences is a list of matching image reference patterns. At least one pattern in the @@ -19292,12 +19298,6 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -22487,6 +22487,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -23242,87 +23323,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -24025,6 +24025,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -24122,12 +24128,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -27623,6 +27623,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -28366,87 +28447,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -29135,6 +29135,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -29231,12 +29237,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -32427,6 +32427,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -33182,87 +33263,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -33965,6 +33965,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -34062,12 +34068,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -37049,6 +37049,87 @@ spec: type: array type: object type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the 
@@ -37792,87 +37873,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy - validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -38545,6 +38545,12 @@ spec: type: array type: object type: array + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string imageReferences: description: |- ImageReferences is a list of matching image reference patterns. At least one pattern in the @@ -38626,12 +38632,6 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -41821,6 +41821,87 @@ spec: See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object + failureAction: + description: |- + FailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + failureActionOverrides: + description: |- + FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction + namespace-wise. It overrides FailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array foreach: description: ForEach applies validate rules to a list of sub-elements by creating a context for each entry 
@@ -42576,87 +42657,6 @@ spec: - latest type: string type: object - validationFailureAction: - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (Enforce), or allow (Audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the - policy validation failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -43359,6 +43359,12 @@ spec: CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. Defaults to false. type: boolean + failureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string image: description: Deprecated. Use ImageReferences instead. type: string @@ -43456,12 +43462,6 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean - validationFailureAction: - description: Allowed values are Audit or Enforce. - enum: - - Audit - - Enforce - type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 553be85855..a1b3947101 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -2509,7 +2509,7 @@ mutated to include the SHA digest retrieved during the registration.
validationFailureAction
failureAction
validationFailureAction
failureAction
ValidationFailureAction defines if a validation policy rule violation should block +
FailureAction defines if a validation policy rule violation should block the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. Allowed values are Audit or Enforce.
@@ -4636,7 +4636,7 @@ Allowed values are Audit or Enforce.validationFailureActionOverrides
failureActionOverrides
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction +namespace-wise. It overrides FailureAction for the specified namespaces.
validationFailureAction
failureAction
validationFailureAction
failureAction
ValidationFailureAction defines if a validation policy rule violation should block +
FailureAction defines if a validation policy rule violation should block the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. Allowed values are Audit or Enforce.
@@ -9540,7 +9540,7 @@ Allowed values are Audit or Enforce.validationFailureActionOverrides
failureActionOverrides
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction +namespace-wise. It overrides FailureAction for the specified namespaces.
validationFailureAction
+ failureAction
@@ -9285,7 +9285,7 @@ It is an empty string when validating admission policy is successfully generated
validationFailureAction
+ failureAction
@@ -9301,7 +9301,7 @@ It is an empty string when validating admission policy is successfully generated
ValidationFailureAction defines if a validation policy rule violation should block +
FailureAction defines if a validation policy rule violation should block the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. Allowed values are Audit or Enforce.
@@ -9317,7 +9317,7 @@ Allowed values are Audit or Enforce.validationFailureActionOverrides
+ failureActionOverrides
@@ -9333,8 +9333,8 @@ Allowed values are Audit or Enforce.
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction +namespace-wise. It overrides FailureAction for the specified namespaces.
diff --git a/docs/user/crd/kyverno.v2beta1.html b/docs/user/crd/kyverno.v2beta1.html index 4724cb3297..92fb73e606 100644 --- a/docs/user/crd/kyverno.v2beta1.html +++ b/docs/user/crd/kyverno.v2beta1.html @@ -2774,7 +2774,7 @@ mutated to include the SHA digest retrieved during the registration.validationFailureAction
+ failureAction
@@ -4550,7 +4550,7 @@ Defaults to "false" if not specified.
validationFailureAction
+ failureAction
@@ -4566,7 +4566,7 @@ Defaults to "false" if not specified.
ValidationFailureAction defines if a validation policy rule violation should block +
FailureAction defines if a validation policy rule violation should block the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. Allowed values are Audit or Enforce.
@@ -4582,7 +4582,7 @@ Allowed values are Audit or Enforce.validationFailureActionOverrides
+ failureActionOverrides
@@ -4598,8 +4598,8 @@ Allowed values are Audit or Enforce.
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction +namespace-wise. It overrides FailureAction for the specified namespaces.
diff --git a/pkg/autogen/autogen_test.go b/pkg/autogen/autogen_test.go index 1ce2b90f9f..4174f1561a 100644 --- a/pkg/autogen/autogen_test.go +++ b/pkg/autogen/autogen_test.go @@ -242,7 +242,7 @@ func Test_GetSupportedControllers(t *testing.T) { }, { name: "rule-with-validate-podsecurity", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`), + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"failureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`), expectedControllers: PodControllers, }, } @@ -539,7 +539,7 @@ kA== } func Test_PodSecurityWithNoExceptions(t *testing.T) { - policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`) + policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"failureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`) policies, _, _, err := yamlutils.GetPolicy([]byte(policy)) assert.NilError(t, err) assert.Equal(t, 1, len(policies)) @@ -573,7 +573,7 @@ func Test_ValidateWithCELExpressions(t *testing.T) { ] }, "validate": { - "validationFailureAction": "Enforce", + "failureAction": "Enforce", "cel": { "expressions": [ { 
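Review bot: The fixtures in the first two hunks (Test_GetSupportedControllers and Test_PodSecurityWithNoExceptions) set `"failureAction":"enforce"` in lowercase, but the CRD schema regenerated by this commit lists only `Audit` and `Enforce` for `validate.failureAction`. An API server would reject these policies, so the tests cover an input that cannot be admitted; use `"failureAction":"Enforce"`, as the Test_ValidateWithCELExpressions fixture in the third hunk already does. Because the JSON key itself changes, it would also help to add a case that feeds the old `validationFailureAction` key under `validate` and asserts the outcome, since a parser that ignores unknown keys would presumably yield a nil action and the rule would stop blocking. The test bodies continue outside these hunks, so existing assertions on the parsed action may not be visible here.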
diff --git a/pkg/autogen/rule.go b/pkg/autogen/rule.go index 9cb03dfbba..b52742f851 100644 --- a/pkg/autogen/rule.go +++ b/pkg/autogen/rule.go @@ -129,9 +129,9 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds } if target := rule.Validation.GetPattern(); target != nil { newValidate := kyvernov1.Validation{ - Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"), - ValidationFailureAction: rule.Validation.ValidationFailureAction, - ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides, + Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"), + FailureAction: rule.Validation.FailureAction, + FailureActionOverrides: rule.Validation.FailureActionOverrides, } newValidate.SetPattern( map[string]interface{}{ @@ -145,10 +145,10 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds } if rule.Validation.Deny != nil { deny := kyvernov1.Validation{ - Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"), - Deny: rule.Validation.Deny, - ValidationFailureAction: rule.Validation.ValidationFailureAction, - ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides, + Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"), + Deny: rule.Validation.Deny, + FailureAction: rule.Validation.FailureAction, + FailureActionOverrides: rule.Validation.FailureActionOverrides, } rule.Validation = deny return rule 
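Review bot: Every branch of generateRule touched by this file's hunks rebuilds `kyvernov1.Validation` from a fresh literal and copies `FailureAction` and `FailureActionOverrides` by hand, and nothing documents that as required. This applies to the pattern and deny branches in these two hunks and to the podSecurity, anyPattern and foreach branches in the following ones. A branch that omits either field would give pod controllers an autogenerated rule with no failure action, which presumably weakens an Enforce policy to the default. I would add `// Every rebuilt Validation must carry FailureAction and FailureActionOverrides, otherwise the autogenerated rule loses its enforcement setting.` above the first branch, plus a table test that checks both fields survive each branch. generateRule starts and ends outside these hunks.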
@@ -163,8 +163,8 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds Version: rule.Validation.PodSecurity.Version, Exclude: newExclude, }, - ValidationFailureAction: rule.Validation.ValidationFailureAction, - ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides, + FailureAction: rule.Validation.FailureAction, + FailureActionOverrides: rule.Validation.FailureActionOverrides, } rule.Validation = podSecurity return rule @@ -183,12 +183,12 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds } patterns = append(patterns, newPattern) } - validationFailureAction := rule.Validation.ValidationFailureAction - validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides + failureAction := rule.Validation.FailureAction + failureActionOverrides := rule.Validation.FailureActionOverrides rule.Validation = kyvernov1.Validation{ - Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"), - ValidationFailureAction: validationFailureAction, - ValidationFailureActionOverrides: validationFailureActionOverrides, + Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"), + FailureAction: failureAction, + FailureActionOverrides: failureActionOverrides, } rule.Validation.SetAnyPattern(patterns) return rule 
@@ -196,13 +196,13 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds if len(rule.Validation.ForEachValidation) > 0 && rule.Validation.ForEachValidation != nil { newForeachValidate := make([]kyvernov1.ForEachValidation, len(rule.Validation.ForEachValidation)) copy(newForeachValidate, rule.Validation.ForEachValidation) - validationFailureAction := rule.Validation.ValidationFailureAction - validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides + failureAction := rule.Validation.FailureAction + failureActionOverrides := rule.Validation.FailureActionOverrides rule.Validation = kyvernov1.Validation{ - Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"), - ForEachValidation: newForeachValidate, - ValidationFailureAction: validationFailureAction, - ValidationFailureActionOverrides: validationFailureActionOverrides, + Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"), + ForEachValidation: newForeachValidate, + FailureAction: failureAction, + FailureActionOverrides: failureActionOverrides, } return rule } diff --git a/pkg/client/applyconfigurations/kyverno/v1/imageverification.go b/pkg/client/applyconfigurations/kyverno/v1/imageverification.go index b03d1002dc..c6795df1b6 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/imageverification.go +++ b/pkg/client/applyconfigurations/kyverno/v1/imageverification.go 
@@ -25,7 +25,7 @@ import ( // ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use // with apply. type ImageVerificationApplyConfiguration struct { - ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"` + FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"` Type *v1.ImageVerificationType `json:"type,omitempty"` Image *string `json:"image,omitempty"` ImageReferences []string `json:"imageReferences,omitempty"` @@ -53,11 +53,11 @@ func ImageVerification() *ImageVerificationApplyConfiguration { return &ImageVerificationApplyConfiguration{} } -// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value +// WithFailureAction sets the FailureAction field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the ValidationFailureAction field is set to the value of the last call. -func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration { - b.ValidationFailureAction = &value +// If called multiple times, the FailureAction field is set to the value of the last call. +func (b *ImageVerificationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration { + b.FailureAction = &value return b } diff --git a/pkg/client/applyconfigurations/kyverno/v1/validation.go b/pkg/client/applyconfigurations/kyverno/v1/validation.go index 32785f8fd4..2be4fe82b7 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/validation.go +++ b/pkg/client/applyconfigurations/kyverno/v1/validation.go 
@@ -27,17 +27,17 @@ import ( // ValidationApplyConfiguration represents an declarative configuration of the Validation type for use // with apply. type ValidationApplyConfiguration struct { - ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"` - ValidationFailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"` - Message *string `json:"message,omitempty"` - Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"` - ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"` - RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"` - RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"` - Deny *DenyApplyConfiguration `json:"deny,omitempty"` - PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"` - CEL *CELApplyConfiguration `json:"cel,omitempty"` - Assert *v1alpha1.Any `json:"assert,omitempty"` + FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"` + FailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"failureActionOverrides,omitempty"` + Message *string `json:"message,omitempty"` + Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"` + ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"` + RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"` + RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"` + Deny *DenyApplyConfiguration `json:"deny,omitempty"` + PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"` + CEL *CELApplyConfiguration `json:"cel,omitempty"` + Assert *v1alpha1.Any `json:"assert,omitempty"` } // ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with 
@@ -46,23 +46,23 @@ func Validation() *ValidationApplyConfiguration { return &ValidationApplyConfiguration{} } -// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value +// WithFailureAction sets the FailureAction field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the ValidationFailureAction field is set to the value of the last call. -func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration { - b.ValidationFailureAction = &value +// If called multiple times, the FailureAction field is set to the value of the last call. +func (b *ValidationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration { + b.FailureAction = &value return b } -// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration +// WithFailureActionOverrides adds the given value to the FailureActionOverrides field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field. -func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration { +// If called multiple times, values provided by each call will be appended to the FailureActionOverrides field. 
+func (b *ValidationApplyConfiguration) WithFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration { for i := range values { if values[i] == nil { - panic("nil value passed to WithValidationFailureActionOverrides") + panic("nil value passed to WithFailureActionOverrides") } - b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i]) + b.FailureActionOverrides = append(b.FailureActionOverrides, *values[i]) } return b } diff --git a/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go b/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go index 4a51d6db70..dc2a7e8186 100644 --- a/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go +++ b/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go @@ -26,7 +26,7 @@ import ( // ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use // with apply. type ImageVerificationApplyConfiguration struct { - ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"` + FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"` Type *v1.ImageVerificationType `json:"type,omitempty"` ImageReferences []string `json:"imageReferences,omitempty"` SkipImageReferences []string `json:"skipImageReferences,omitempty"` 
@@ -46,11 +46,11 @@ func ImageVerification() *ImageVerificationApplyConfiguration { return &ImageVerificationApplyConfiguration{} } -// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value +// WithFailureAction sets the FailureAction field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the ValidationFailureAction field is set to the value of the last call. -func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration { - b.ValidationFailureAction = &value +// If called multiple times, the FailureAction field is set to the value of the last call. +func (b *ImageVerificationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration { + b.FailureAction = &value return b } diff --git a/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go b/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go index 24856d8df1..53743d63a3 100644 --- a/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go +++ b/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go 
@@ -28,17 +28,17 @@ import ( // ValidationApplyConfiguration represents an declarative configuration of the Validation type for use // with apply. type ValidationApplyConfiguration struct { - ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"` - ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"` - Message *string `json:"message,omitempty"` - Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"` - ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"` - RawPattern *kyverno.Any `json:"pattern,omitempty"` - RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty"` - Deny *DenyApplyConfiguration `json:"deny,omitempty"` - PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"` - CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"` - Assert *v1alpha1.Any `json:"assert,omitempty"` + FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"` + FailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"failureActionOverrides,omitempty"` + Message *string `json:"message,omitempty"` + Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"` + ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"` + RawPattern *kyverno.Any `json:"pattern,omitempty"` + RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty"` + Deny *DenyApplyConfiguration `json:"deny,omitempty"` + PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"` + CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"` + Assert *v1alpha1.Any `json:"assert,omitempty"` } // ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with 
@@ -47,23 +47,23 @@ func Validation() *ValidationApplyConfiguration { return &ValidationApplyConfiguration{} } -// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value +// WithFailureAction sets the FailureAction field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the ValidationFailureAction field is set to the value of the last call. -func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration { - b.ValidationFailureAction = &value +// If called multiple times, the FailureAction field is set to the value of the last call. +func (b *ValidationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration { + b.FailureAction = &value return b } -// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration +// WithFailureActionOverrides adds the given value to the FailureActionOverrides field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field. -func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration { +// If called multiple times, values provided by each call will be appended to the FailureActionOverrides field. 
+func (b *ValidationApplyConfiguration) WithFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration { for i := range values { if values[i] == nil { - panic("nil value passed to WithValidationFailureActionOverrides") + panic("nil value passed to WithFailureActionOverrides") } - b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i]) + b.FailureActionOverrides = append(b.FailureActionOverrides, *values[i]) } return b } diff --git a/pkg/engine/api/engineresponse.go b/pkg/engine/api/engineresponse.go index 0c903c1aa9..3e04a49e6e 100644 --- a/pkg/engine/api/engineresponse.go +++ b/pkg/engine/api/engineresponse.go @@ -201,7 +201,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur spec := pol.AsKyvernoPolicy().GetSpec() for _, r := range spec.Rules { if r.HasValidate() { - for _, v := range r.Validation.ValidationFailureActionOverrides { + for _, v := range r.Validation.FailureActionOverrides { if !v.Action.IsValid() { continue } @@ -224,12 +224,12 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur } } - if r.Validation.ValidationFailureAction != nil { - return *r.Validation.ValidationFailureAction + if r.Validation.FailureAction != nil { + return *r.Validation.FailureAction } } else if r.HasVerifyImages() { - if r.VerifyImages[0].ValidationFailureAction != nil { - return *r.VerifyImages[0].ValidationFailureAction + if r.VerifyImages[0].FailureAction != nil { + return *r.VerifyImages[0].FailureAction } } } diff --git a/pkg/engine/api/engineresponse_test.go b/pkg/engine/api/engineresponse_test.go index 83da05ef4f..999224892c 100644 --- a/pkg/engine/api/engineresponse_test.go +++ b/pkg/engine/api/engineresponse_test.go 
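Review bot: In the second pkg/engine/api/engineresponse.go hunk, `r.Validation.FailureAction` is nil when the rule never set the field, and would also be nil for a policy that still writes `validationFailureAction` under `validate`, assuming the decoder ignores unknown keys. Either way GetValidationFailureAction falls through to whatever follows the loop, which is outside this hunk; if that fallback is less strict than what the author wrote, an Enforce rule would degrade without any signal. If the old key was ever accepted, I would add a test case to TestEngineResponse_GetValidationFailureAction for a policy carrying it. I would also add a comment above the nil check: `// nil FailureAction: rule-level action not set (or written under the old validationFailureAction key); the fallback below decides the action`. The function starts and ends outside both hunks.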
@@ -717,7 +717,7 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &audit, + FailureAction: &audit, }, }, }, @@ -732,7 +732,7 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, + FailureAction: &enforce, }, }, }, @@ -773,8 +773,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, - ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + FailureAction: &enforce, + FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ Action: kyvernov1.Audit, Namespaces: []string{"*"}, }}, @@ -792,8 +792,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, - ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + FailureAction: &enforce, + FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ Action: "invalid", Namespaces: []string{"*"}, }}, @@ -970,8 +970,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, - ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + FailureAction: &enforce, + FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ Action: kyvernov1.Audit, Namespaces: []string{"foo"}, }}, 
@@ -990,8 +990,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, - ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + FailureAction: &enforce, + FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ Action: kyvernov1.Audit, Namespaces: []string{"bar"}, }}, @@ -1013,8 +1013,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, - ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + FailureAction: &enforce, + FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ Action: kyvernov1.Audit, NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ @@ -1040,8 +1040,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, - ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + FailureAction: &enforce, + FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ Action: kyvernov1.Audit, NamespaceSelector: &metav1.LabelSelector{ MatchLabels: map[string]string{ @@ -1067,8 +1067,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, - ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + FailureAction: &enforce, + FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ Action: kyvernov1.Audit, Namespaces: []string{"foo"}, NamespaceSelector: &metav1.LabelSelector{ 
@@ -1095,8 +1095,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, - ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + FailureAction: &enforce, + FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ Action: kyvernov1.Audit, Namespaces: []string{"bar"}, NamespaceSelector: &metav1.LabelSelector{ @@ -1123,8 +1123,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, - ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + FailureAction: &enforce, + FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ Action: kyvernov1.Audit, Namespaces: []string{"foo"}, NamespaceSelector: &metav1.LabelSelector{ @@ -1151,8 +1151,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { Rules: []kyvernov1.Rule{ { Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, - ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + FailureAction: &enforce, + FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ Action: kyvernov1.Audit, Namespaces: []string{"*"}, NamespaceSelector: &metav1.LabelSelector{ diff --git a/pkg/engine/handlers/validation/validate_resource_test.go b/pkg/engine/handlers/validation/validate_resource_test.go index 8e057816f6..9f93264a0e 100644 --- a/pkg/engine/handlers/validation/validate_resource_test.go +++ b/pkg/engine/handlers/validation/validate_resource_test.go @@ -60,7 +60,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext { ] }, "validate": { - "validationFailureAction": "Enforce", + "failureAction": "Enforce", "message": "The label size is required", "pattern": { "metadata": { 
@@ -88,7 +88,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext { ] }, "validate": { - "validationFailureAction": "Enforce", + "failureAction": "Enforce", "message": "The label size cannot be changed for a namespace", "deny": { "conditions": { diff --git a/pkg/engine/utils/utils_test.go b/pkg/engine/utils/utils_test.go index 98047363d3..cec5c59ddc 100644 --- a/pkg/engine/utils/utils_test.go +++ b/pkg/engine/utils/utils_test.go 
@@ -846,7 +846,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": {"rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": {"rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: false, }, { 
@@ -873,7 +873,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "failureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -882,7 +882,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -1742,7 +1742,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", 
"match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "failureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), areErrorsExpected: false, }, { 
@@ -1751,7 +1751,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: false, }, { 
@@ -1769,7 +1769,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": 
"check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "failureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), areErrorsExpected: true, }, { @@ -1778,7 +1778,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "generateName": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "failureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -1787,7 +1787,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: true, }, { diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index a6bcd7b735..de2ec61c49 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go 
@@ -689,7 +689,7 @@ func TestValidate_foreach_zero_reported_asskip(t *testing.T) { } }, "validate": { - "validationFailureAction": "Enforce", + "failureAction": "Enforce", "foreach": [ { "list": "request.object.spec.volumes[].projected.sources[].serviceAccountToken.expirationSeconds", @@ -1960,7 +1960,7 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing. } }, "validate": { - "validationFailureAction": "enforce", + "failureAction": "enforce", "message": "The animal {{ request.object.metadata.labels.animal }} is not in the allowed list of animals.", "deny": { "conditions": [ @@ -2151,7 +2151,7 @@ func Test_BlockLabelRemove(t *testing.T) { ] }, "validate": { - "validationFailureAction": "enforce", + "failureAction": "enforce", "message": "not allowed", "deny": { "conditions": { @@ -2269,7 +2269,7 @@ func TestValidate_context_variable_substitution_CLI(t *testing.T) { } ], "validate": { - "validationFailureAction": "enforce", + "failureAction": "enforce", "message": "restrict pod counts to be no more than 10 on node minikube", "deny": { "conditions": [ @@ -2372,7 +2372,7 @@ func Test_EmptyStringInDenyCondition(t *testing.T) { } ], "validate": { - "validationFailureAction": "enforce", + "failureAction": "enforce", "deny": { "conditions": [ { @@ -2457,7 +2457,7 @@ func Test_StringInDenyCondition(t *testing.T) { } ], "validate": { - "validationFailureAction": "enforce", + "failureAction": "enforce", "deny": { "conditions": [ { @@ -3006,7 +3006,7 @@ func Test_outof_foreach_element_validation(t *testing.T) { "name": "test", "match": {"resources": { "kinds": [ "Pod" ] } }, "validate": { - "validationFailureAction": "enforce", + "failureAction": "enforce", "message": "Invalid name", "pattern": { "name": "{{ element.name }}" @@ -3045,7 +3045,7 @@ func Test_foreach_skip_initContainer_pass(t *testing.T) { } }, "validate": { - "validationFailureAction": "enforce", + "failureAction": "enforce", "message": "unknown registry", "foreach": [ { 
@@ -3216,7 +3216,7 @@ func Test_delete_ignore_pattern(t *testing.T) { "name": "test", "match": {"resources": { "kinds": [ "Pod" ] } }, "validate": { - "validationFailureAction": "enforce", + "failureAction": "enforce", "message": "Invalid label", "pattern": { "metadata" : { diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go index bbe1e6de13..b9f4508739 100644 --- a/pkg/policycache/cache.go +++ b/pkg/policycache/cache.go @@ -87,12 +87,12 @@ func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyver } // if the field isn't set, use the higher level policy setting - validationFailureAction := rule.Validation.ValidationFailureAction + validationFailureAction := rule.Validation.FailureAction if validationFailureAction == nil { validationFailureAction = &policy.GetSpec().ValidationFailureAction } - validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides + validationFailureActionOverrides := rule.Validation.FailureActionOverrides if len(validationFailureActionOverrides) == 0 { validationFailureActionOverrides = policy.GetSpec().ValidationFailureActionOverrides } diff --git a/pkg/policycache/store.go b/pkg/policycache/store.go index 761857662e..77473b0765 100644 --- a/pkg/policycache/store.go +++ b/pkg/policycache/store.go @@ -109,11 +109,11 @@ func (m *policyMap) set(key string, policy kyvernov1.PolicyInterface, client Res kindStates := map[policyKey]state{} for _, rule := range autogen.ComputeRules(policy, "") { if rule.HasValidate() { - action := rule.Validation.ValidationFailureAction + action := rule.Validation.FailureAction if action != nil && action.Enforce() { enforcePolicy = true } - for _, k := range rule.Validation.ValidationFailureActionOverrides { + for _, k := range rule.Validation.FailureActionOverrides { if k.Action.Enforce() { enforcePolicy = true } diff --git a/pkg/validatingadmissionpolicy/builder.go b/pkg/validatingadmissionpolicy/builder.go index be2e9d79df..63623e2d4a 100644 
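Review bot: In the `pkg/policycache/cache.go` hunk, the fallback `if validationFailureAction == nil { validationFailureAction = &policy.GetSpec().ValidationFailureAction }` becomes the silent path for any policy that still carries the old rule-level key `validationFailureAction`. After the rename that key no longer populates `rule.Validation.FailureAction`, so a rule written as Enforce could be evaluated with the spec-level action instead. Whether the old key ever shipped, and whether unknown keys are rejected or pruned on admission, is not visible here, so this needs confirming before merge. If the old key was accepted in a release, keep it as a deprecated alias or emit a warning from policy validation. At minimum, add a comment above the fallback such as `// a rule still using the pre-rename key decodes with FailureAction == nil and inherits the spec-level action`. The body of `checkValidationFailureActionOverrides` starts and ends outside the hunk.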
--- a/pkg/validatingadmissionpolicy/builder.go +++ b/pkg/validatingadmissionpolicy/builder.go @@ -123,7 +123,7 @@ func BuildValidatingAdmissionPolicyBinding( // set validation action for vap binding var validationActions []admissionregistrationv1alpha1.ValidationAction - validateAction := cpol.GetSpec().Rules[0].Validation.ValidationFailureAction + validateAction := cpol.GetSpec().Rules[0].Validation.FailureAction if validateAction != nil { if validateAction.Enforce() { validationActions = append(validationActions, admissionregistrationv1alpha1.Deny) diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go index 3646cf8895..9e02e77bdc 100644 --- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go +++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go @@ -67,7 +67,7 @@ func checkPolicy(spec *kyvernov1.Spec) (bool, string) { return false, msg } - if ok, msg := checkValidationFailureActionOverrides(rule.Validation.ValidationFailureActionOverrides); !ok { + if ok, msg := checkValidationFailureActionOverrides(rule.Validation.FailureActionOverrides); !ok { return false, msg } diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go index 8a457d0328..07670636b2 100644 --- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go +++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go @@ -649,8 +649,8 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) { ] }, "validate": { - "validationFailureAction": "Enforce", - "validationFailureActionOverrides": [ + "failureAction": "Enforce", + "failureActionOverrides": [ { "action": "Enforce", "namespaces": [ 
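Review bot: In the `builder.go` hunk, `cpol.GetSpec().Rules[0].Validation.FailureAction` reads only the first rule and indexes it with no length check visible, so the binding's `validationActions` depend on a precondition the hunk does not state. If an earlier check guarantees a single validate rule, record that next to the line, e.g. `// precondition: the policy has exactly one rule (verified before the binding is built)`; this should be confirmed against the caller. What the binding gets when `validateAction` is nil is decided outside the hunk. Since this field determines whether the generated binding denies or only audits, that branch is worth re-reading alongside the rename.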
@@ -704,8 +704,8 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) { ] }, "validate": { - "validationFailureAction": "Enforce", - "validationFailureActionOverrides": [ + "failureAction": "Enforce", + "failureActionOverrides": [ { "action": "Enforce", "namespaces": [ diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go index 2a6d977484..2a3f337698 100644 --- a/pkg/validation/policy/validate.go +++ b/pkg/validation/policy/validate.go @@ -140,8 +140,8 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf warnings = append(warnings, checkValidationFailureAction(spec.ValidationFailureAction, spec.ValidationFailureActionOverrides)...) for _, rule := range spec.Rules { if rule.HasValidate() { - if rule.Validation.ValidationFailureAction != nil { - warnings = append(warnings, checkValidationFailureAction(*rule.Validation.ValidationFailureAction, rule.Validation.ValidationFailureActionOverrides)...) + if rule.Validation.FailureAction != nil { + warnings = append(warnings, checkValidationFailureAction(*rule.Validation.FailureAction, rule.Validation.FailureActionOverrides)...) } } } @@ -207,7 +207,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf if !policy.IsNamespaced() { for i, r := range spec.Rules { if r.HasValidate() { - err := validateNamespaces(r.Validation.ValidationFailureActionOverrides, specPath.Child("rules").Index(i).Child("validate").Child("validationFailureActionOverrides")) + err := validateNamespaces(r.Validation.FailureActionOverrides, specPath.Child("rules").Index(i).Child("validate").Child("validationFailureActionOverrides")) if err != nil { return warnings, err } 
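Review bot: In the `@@ -207,7 +207,7 @@` hunk of `pkg/validation/policy/validate.go`, the field path passed to `validateNamespaces` still ends in `.Child("validationFailureActionOverrides")`, although the value now comes from `r.Validation.FailureActionOverrides`. The renamed tests in this commit write that key as `failureActionOverrides` under `validate`, so any error built from the path would point policy authors at a key that no longer exists at rule level. The path should read `specPath.Child("rules").Index(i).Child("validate").Child("failureActionOverrides")`. `Validate` starts and ends outside the hunk.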
@@ -337,7 +337,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf verifyImagePath := rulePath.Child("verifyImages") for index, i := range rule.VerifyImages { - action := i.ValidationFailureAction + action := i.FailureAction if action != nil { if action.Audit() { isAuditFailureAction = true diff --git a/pkg/webhooks/resource/validation_test.go b/pkg/webhooks/resource/validation_test.go index 8752d9e667..f13c84abac 100644 --- a/pkg/webhooks/resource/validation_test.go +++ b/pkg/webhooks/resource/validation_test.go @@ -1071,8 +1071,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "audit", - "validationFailureActionOverrides": + "failureAction": "audit", + "failureActionOverrides": [ { "action": "enforce", @@ -1141,8 +1141,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "audit", - "validationFailureActionOverrides": + "failureAction": "audit", + "failureActionOverrides": [ { "action": "enforce", @@ -1213,8 +1213,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "audit", - "validationFailureActionOverrides": + "failureAction": "audit", + "failureActionOverrides": [ { "action": "enforce", @@ -1283,8 +1283,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "enforce", - "validationFailureActionOverrides": + "failureAction": "enforce", + "failureActionOverrides": [ { "action": "enforce", @@ -1353,8 +1353,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "enforce", - "validationFailureActionOverrides": + "failureAction": "enforce", + "failureActionOverrides": [ { "action": "enforce", 
@@ -1425,8 +1425,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "enforce", - "validationFailureActionOverrides": + "failureAction": "enforce", + "failureActionOverrides": [ { "action": "enforce", @@ -1495,8 +1495,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "enforce", - "validationFailureActionOverrides": + "failureAction": "enforce", + "failureActionOverrides": [ { "action": "enforce", @@ -1568,8 +1568,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "enforce", - "validationFailureActionOverrides": + "failureAction": "enforce", + "failureActionOverrides": [ { "action": "audit", @@ -1644,8 +1644,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "enforce", - "validationFailureActionOverrides": + "failureAction": "enforce", + "failureActionOverrides": [ { "action": "audit", @@ -1717,8 +1717,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "enforce", - "validationFailureActionOverrides": + "failureAction": "enforce", + "failureActionOverrides": [ { "action": "audit", @@ -1790,8 +1790,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "enforce", - "validationFailureActionOverrides": + "failureAction": "enforce", + "failureActionOverrides": [ { "action": "audit", @@ -1866,8 +1866,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "enforce", - "validationFailureActionOverrides": + "failureAction": "enforce", + "failureActionOverrides": [ { "action": "audit", 
@@ -1942,8 +1942,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "audit", - "validationFailureActionOverrides": + "failureAction": "audit", + "failureActionOverrides": [ { "action": "enforce", @@ -2017,8 +2017,8 @@ func TestValidate_failure_action_overrides(t *testing.T) { } }, "validate": { - "validationFailureAction": "audit", - "validationFailureActionOverrides": + "failureAction": "audit", + "failureActionOverrides": [ { "action": "enforce", diff --git a/pkg/webhooks/utils/block_test.go b/pkg/webhooks/utils/block_test.go index 2375344e7d..a39967904a 100644 --- a/pkg/webhooks/utils/block_test.go +++ b/pkg/webhooks/utils/block_test.go @@ -72,7 +72,7 @@ func TestBlockRequest(t *testing.T) { { Name: "rule-audit", Validation: kyvernov1.Validation{ - ValidationFailureAction: &audit, + FailureAction: &audit, }, }, }, @@ -88,7 +88,7 @@ func TestBlockRequest(t *testing.T) { { Name: "rule-enforce", Validation: kyvernov1.Validation{ - ValidationFailureAction: &enforce, + FailureAction: &enforce, }, }, }, diff --git a/test/cli/apply/policies-set/policy.yaml b/test/cli/apply/policies-set/policy.yaml index 540c3ee5b3..499fca3c9c 100644 --- a/test/cli/apply/policies-set/policy.yaml +++ b/test/cli/apply/policies-set/policy.yaml @@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Audit + failureAction: Audit message: "The foo label must be set." pattern: metadata: diff --git a/test/cli/apply/policies/policy.yaml b/test/cli/apply/policies/policy.yaml index b463427a85..93d7d8b206 100644 --- a/test/cli/apply/policies/policy.yaml +++ b/test/cli/apply/policies/policy.yaml @@ -19,7 +19,7 @@ spec: - Pod name: validate-image-tag validate: - validationFailureAction: Audit + failureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: 
@@ -48,7 +48,7 @@ spec: operator: NotEquals value: DELETE validate: - validationFailureAction: Audit + failureAction: Audit foreach: - deny: conditions: diff --git a/test/cli/registry/image-example.yaml b/test/cli/registry/image-example.yaml index f4c0945c10..1cb3a04a5b 100644 --- a/test/cli/registry/image-example.yaml +++ b/test/cli/registry/image-example.yaml @@ -19,7 +19,7 @@ spec: operator: NotEquals value: DELETE validate: - validationFailureAction: Enforce + failureAction: Enforce foreach: - context: - imageRegistry: @@ -57,7 +57,7 @@ spec: operator: NotEquals value: DELETE validate: - validationFailureAction: Enforce + failureAction: Enforce foreach: - context: - imageRegistry: diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml index 3d77f9a5bb..b8aeacca8f 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml @@ -14,7 +14,7 @@ spec: - Pod name: validate-default-proc-mount validate: - validationFailureAction: Audit + failureAction: Audit message: Default proc mount should set to Unmasked pattern: spec: diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml index 485622f617..b68eeebcae 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml @@ -14,7 +14,7 @@ spec: - Pod name: validate-selinux-options validate: - validationFailureAction: Audit + failureAction: Audit message: SELinux level is required pattern: spec: 
diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml index 79f7a08fb0..e6ff60b580 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml @@ -14,7 +14,7 @@ spec: - Pod name: validate-volumes-whitelist validate: - validationFailureAction: Audit + failureAction: Audit anyPattern: - spec: volumes: diff --git a/test/cli/test-exceptions/exceptions-1/policy.yaml b/test/cli/test-exceptions/exceptions-1/policy.yaml index e205e46575..e6df15a887 100644 --- a/test/cli/test-exceptions/exceptions-1/policy.yaml +++ b/test/cli/test-exceptions/exceptions-1/policy.yaml @@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce message: >- Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. diff --git a/test/cli/test-exceptions/exceptions-2/policy.yaml b/test/cli/test-exceptions/exceptions-2/policy.yaml index e80f7806ce..ae74c78d6a 100644 --- a/test/cli/test-exceptions/exceptions-2/policy.yaml +++ b/test/cli/test-exceptions/exceptions-2/policy.yaml @@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce message: "A maximum of 2 containers are allowed inside a Pod." deny: conditions: diff --git a/test/cli/test-exceptions/exceptions-3/policy.yaml b/test/cli/test-exceptions/exceptions-3/policy.yaml index 17ddd65449..cb180288f6 100644 --- a/test/cli/test-exceptions/exceptions-3/policy.yaml +++ b/test/cli/test-exceptions/exceptions-3/policy.yaml @@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest 
diff --git a/test/cli/test-fail/invalid-ns/policy.yaml b/test/cli/test-fail/invalid-ns/policy.yaml index f7c36cc57c..4a936314cb 100644 --- a/test/cli/test-fail/invalid-ns/policy.yaml +++ b/test/cli/test-fail/invalid-ns/policy.yaml @@ -36,4 +36,4 @@ spec: labels: =(schiff.telekom.de/owner): '!schiff' platform.das-schiff.telekom.de/owner: '!das-schiff' - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test-fail/missing-policy/policy.yaml b/test/cli/test-fail/missing-policy/policy.yaml index 1d23fdcbc1..c3ab786280 100644 --- a/test/cli/test-fail/missing-policy/policy.yaml +++ b/test/cli/test-fail/missing-policy/policy.yaml @@ -21,7 +21,7 @@ spec: - test name: require-image-tag validate: - validationFailureAction: Audit + failureAction: Audit message: An image tag is required. pattern: spec: @@ -41,4 +41,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test-fail/missing-resource/policy.yaml b/test/cli/test-fail/missing-resource/policy.yaml index 1d23fdcbc1..c3ab786280 100644 --- a/test/cli/test-fail/missing-resource/policy.yaml +++ b/test/cli/test-fail/missing-resource/policy.yaml @@ -21,7 +21,7 @@ spec: - test name: require-image-tag validate: - validationFailureAction: Audit + failureAction: Audit message: An image tag is required. pattern: spec: @@ -41,4 +41,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test-fail/missing-rule/policy.yaml b/test/cli/test-fail/missing-rule/policy.yaml index 1d23fdcbc1..c3ab786280 100644 --- a/test/cli/test-fail/missing-rule/policy.yaml +++ b/test/cli/test-fail/missing-rule/policy.yaml @@ -21,7 +21,7 @@ spec: - test name: require-image-tag validate: - validationFailureAction: Audit + failureAction: Audit message: An image tag is required. pattern: spec: 
@@ -41,4 +41,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/admission_user_info/disallow_latest_tag.yaml b/test/cli/test/admission_user_info/disallow_latest_tag.yaml index c5e12d0936..69a5506ef1 100644 --- a/test/cli/test/admission_user_info/disallow_latest_tag.yaml +++ b/test/cli/test/admission_user_info/disallow_latest_tag.yaml @@ -21,7 +21,7 @@ spec: - Pod name: require-image-tag validate: - validationFailureAction: Audit + failureAction: Audit message: An image tag is required. pattern: spec: @@ -34,7 +34,7 @@ spec: - Pod name: validate-image-tag validate: - validationFailureAction: Audit + failureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/cli/test/any-all-wildcard/policy.yaml b/test/cli/test/any-all-wildcard/policy.yaml index aa3e6737f2..eee23f2334 100644 --- a/test/cli/test/any-all-wildcard/policy.yaml +++ b/test/cli/test/any-all-wildcard/policy.yaml @@ -17,6 +17,6 @@ spec: - namespace2 name: disallow validate: - validationFailureAction: Enforce + failureAction: Enforce deny: {} message: This resource is protected and changes are not allowed. diff --git a/test/cli/test/any-namespaceSelector/policy.yaml b/test/cli/test/any-namespaceSelector/policy.yaml index e94ac81003..27992e65a1 100644 --- a/test/cli/test/any-namespaceSelector/policy.yaml +++ b/test/cli/test/any-namespaceSelector/policy.yaml @@ -20,7 +20,7 @@ spec: - managed name: validate-name validate: - validationFailureAction: Audit + failureAction: Audit message: The Pod must end with -nginx pattern: metadata: diff --git a/test/cli/test/anypattern_skip_error/policy.yaml b/test/cli/test/anypattern_skip_error/policy.yaml index 429682d339..6318acbeb7 100644 --- a/test/cli/test/anypattern_skip_error/policy.yaml +++ b/test/cli/test/anypattern_skip_error/policy.yaml 
@@ -14,7 +14,7 @@ spec: - Service name: check-loadbalancer-public validate: - validationFailureAction: Enforce + failureAction: Enforce anyPattern: - metadata: annotations: diff --git a/test/cli/test/autogen-values/policy.yaml b/test/cli/test/autogen-values/policy.yaml index a676919ef4..cef6efe347 100644 --- a/test/cli/test/autogen-values/policy.yaml +++ b/test/cli/test/autogen-values/policy.yaml @@ -28,4 +28,4 @@ spec: validate: message: Do nothing! pattern: {} - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/autogen/policy.yaml b/test/cli/test/autogen/policy.yaml index 654bd3a764..c7844e9271 100644 --- a/test/cli/test/autogen/policy.yaml +++ b/test/cli/test/autogen/policy.yaml @@ -14,7 +14,7 @@ spec: - Pod name: check-for-labels validate: - validationFailureAction: Enforce + failureAction: Enforce message: Both `app` and `owner` labels must be set on all workloads pattern: metadata: diff --git a/test/cli/test/cel-preconditions/disallow-host-path.yaml b/test/cli/test/cel-preconditions/disallow-host-path.yaml index 0fd6663ff4..24e2a99d2e 100644 --- a/test/cli/test/cel-preconditions/disallow-host-path.yaml +++ b/test/cli/test/cel-preconditions/disallow-host-path.yaml @@ -15,7 +15,7 @@ spec: - expression: "object.metadata.labels['color'] == 'red'" name: "Label should be red" validate: - validationFailureAction: Audit + failureAction: Audit cel: expressions: - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/cli/test/check-deployment-namespace-cel/policy.yaml b/test/cli/test/check-deployment-namespace-cel/policy.yaml index d54a0fc2e0..d275725785 100644 --- a/test/cli/test/check-deployment-namespace-cel/policy.yaml +++ b/test/cli/test/check-deployment-namespace-cel/policy.yaml @@ -12,7 +12,7 @@ spec: kinds: - Deployment validate: - validationFailureAction: Audit + failureAction: Audit cel: expressions: - expression: "namespaceObject.metadata.name != 'default'" 
diff --git a/test/cli/test/container_reorder/policy.yml b/test/cli/test/container_reorder/policy.yml index 879965e282..599381c385 100644 --- a/test/cli/test/container_reorder/policy.yml +++ b/test/cli/test/container_reorder/policy.yml @@ -32,4 +32,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/context-entries/policies.yaml b/test/cli/test/context-entries/policies.yaml index 7d393b574f..ad6dc4d711 100644 --- a/test/cli/test/context-entries/policies.yaml +++ b/test/cli/test/context-entries/policies.yaml @@ -21,7 +21,7 @@ spec: - Pod name: defined-value validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: - key: '{{ example.test.nested.value }}' @@ -38,7 +38,7 @@ spec: - Pod name: defined-jmespath validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: - key: '{{ objName }}' @@ -56,7 +56,7 @@ spec: - Pod name: defined-jmespath-with-default validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: - key: '{{ objName }}' @@ -74,7 +74,7 @@ spec: - Pod name: defined-value-with-variable validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: - key: '{{ obj.name }}' @@ -92,7 +92,7 @@ spec: - Pod name: defined-jmespath-with-default-variable validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: - key: '{{ objName }}' @@ -111,7 +111,7 @@ spec: - Pod name: defined-value-jmespath validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: - key: '{{ objName }}' @@ -133,7 +133,7 @@ spec: - Pod name: defined-value-jmespath-variable validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: - key: '{{ objName }}' @@ -155,7 +155,7 @@ spec: - Pod name: value-override validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: any: 
@@ -178,7 +178,7 @@ spec: - Pod name: wildcard-match validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: - key: A=* @@ -205,7 +205,7 @@ spec: - Pod name: items validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: - key: '{{ obj }}' @@ -234,7 +234,7 @@ spec: - Pod name: unused-var validate: - validationFailureAction: Audit + failureAction: Audit deny: conditions: - key: '{{ modifiedObj }}' diff --git a/test/cli/test/context-foreach/policy.yaml b/test/cli/test/context-foreach/policy.yaml index c2cf2e89f6..084b6a188c 100644 --- a/test/cli/test/context-foreach/policy.yaml +++ b/test/cli/test/context-foreach/policy.yaml @@ -14,7 +14,7 @@ spec: - Pod name: block-images validate: - validationFailureAction: Audit + failureAction: Audit foreach: - context: - imageRegistry: diff --git a/test/cli/test/custom-functions/policy.yaml b/test/cli/test/custom-functions/policy.yaml index 39daa7f61a..2e52d7833d 100644 --- a/test/cli/test/custom-functions/policy.yaml +++ b/test/cli/test/custom-functions/policy.yaml @@ -19,7 +19,7 @@ spec: - key: '{{base64_decode(request.object.data.value)}}' operator: NotEquals value: '{{request.object.metadata.labels.value}}' - validationFailureAction: Enforce + failureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -42,7 +42,7 @@ spec: - key: '{{pattern_match(''prefix-*'', request.object.metadata.labels.value)}}' operator: Equals value: false - validationFailureAction: Enforce + failureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -78,7 +78,7 @@ spec: - key: '{{ element.hostPath.path }}' operator: NotEquals value: "" - validationFailureAction: Enforce + failureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -101,7 +101,7 @@ spec: operator: NotEquals value: b message: Test JMESPath - validationFailureAction: Enforce + failureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy 
@@ -124,7 +124,7 @@ spec: operator: NotEquals value: a message: Test JMESPath - validationFailureAction: Enforce + failureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -148,7 +148,7 @@ spec: value: '{{request.object.metadata.annotations.test | parse_yaml(@).array }}' message: Test JMESPath - validationFailureAction: Enforce + failureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -175,4 +175,4 @@ spec: message: 'public key modulus mismatch: "{{ x509_decode(''{{request.object.data.cert}}'').PublicKey.N }}" != "{{ x509_decode(''{{base64_decode(''{{request.object.data.certB64}}'')}}'').PublicKey.N }}"' - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/default_value_to_create/check-supplemental-groups.yaml b/test/cli/test/default_value_to_create/check-supplemental-groups.yaml index aa903ce9ab..11d087ab00 100644 --- a/test/cli/test/default_value_to_create/check-supplemental-groups.yaml +++ b/test/cli/test/default_value_to_create/check-supplemental-groups.yaml @@ -39,4 +39,4 @@ spec: spec: =(securityContext): =(supplementalGroups): 100-200 | 500-600 - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml b/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml index d15bf4fceb..4f19e438e0 100644 --- a/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml +++ b/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml @@ -30,4 +30,4 @@ spec: deny: {} message: Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users. - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml b/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml index 3b53ed4c84..9e2021fe28 100644 
--- a/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml +++ b/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml @@ -26,4 +26,4 @@ spec: deny: {} message: Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users. - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml b/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml index 758a42a548..b333b82686 100644 --- a/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml +++ b/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml @@ -35,4 +35,4 @@ spec: deny: {} message: Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users. - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml b/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml index 13b68836e8..79e6af1a23 100644 --- a/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml +++ b/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml @@ -14,7 +14,7 @@ spec: operations: - DELETE validate: - validationFailureAction: Enforce + failureAction: Enforce message: Pod cannot be deleted deny: {} diff --git a/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml b/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml index f0c0f18262..e6a47c5175 100644 --- a/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml +++ b/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml 
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce message: Pod cannot be deleted deny: conditions: diff --git a/test/cli/test/depecated_apis/policy.yaml b/test/cli/test/depecated_apis/policy.yaml index 8a1e153a12..b2a1a45dbd 100644 --- a/test/cli/test/depecated_apis/policy.yaml +++ b/test/cli/test/depecated_apis/policy.yaml @@ -33,4 +33,4 @@ spec: deny: {} message: '{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/disallow-service/policy.yaml b/test/cli/test/disallow-service/policy.yaml index e48411f6ba..6d18694e3d 100644 --- a/test/cli/test/disallow-service/policy.yaml +++ b/test/cli/test/disallow-service/policy.yaml @@ -28,4 +28,4 @@ spec: anyPattern: - kind: '!Service' message: Can't create a service. Sorry... - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/exclude/policy.yaml b/test/cli/test/exclude/policy.yaml index 30a0d704ff..6f970d4e98 100644 --- a/test/cli/test/exclude/policy.yaml +++ b/test/cli/test/exclude/policy.yaml @@ -36,7 +36,7 @@ spec: matchLabels: require-requests-limits.kyverno.io/exclude: "true" validate: - validationFailureAction: Enforce + failureAction: Enforce message: "CPU and memory resource requests and limits are required." pattern: spec: diff --git a/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml b/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml index e8c9c08473..6235949760 100644 --- a/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml +++ b/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml @@ -41,4 +41,4 @@ spec: operator: Equals value: "false" message: Exec'ing into Pods protected with the label `exec=false` is forbidden. - validationFailureAction: Enforce + failureAction: Enforce 
diff --git a/test/cli/test/foreach-preconditions/policies.yaml b/test/cli/test/foreach-preconditions/policies.yaml
index 679f1a0a45..00320671d3 100644
--- a/test/cli/test/foreach-preconditions/policies.yaml
+++ b/test/cli/test/foreach-preconditions/policies.yaml
@@ -32,4 +32,4 @@ spec:
 operator: NotEquals
 value: ""
 message: Limits may not exceed 2.5x the requests.
- validationFailureAction: Enforce
+ failureAction: Enforce
diff --git a/test/cli/test/foreach/policies.yaml b/test/cli/test/foreach/policies.yaml
index 8a985d60f9..e1e6cb035a 100644
--- a/test/cli/test/foreach/policies.yaml
+++ b/test/cli/test/foreach/policies.yaml
@@ -25,7 +25,7 @@ spec:
 - (name): '{{element.name}}'
 mountPath: /tmp/*
 message: emptyDir volumes must be mounted under /tmp
- validationFailureAction: Audit
+ failureAction: Audit
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
@@ -56,7 +56,7 @@ spec:
 volumeMounts:
 - <(name): '{{element.name}}'
 message: ephemeral-storage requests and limits are required for emptyDir volumes
- validationFailureAction: Audit
+ failureAction: Audit
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
@@ -82,7 +82,7 @@ spec:
 value: ghcr.io
 list: request.object.spec.containers[].image
 message: images must begin with ghcr.io
- validationFailureAction: Audit
+ failureAction: Audit
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
@@ -109,4 +109,4 @@ spec:
 elementScope: true
 list: request.object.spec.containers[].image
 message: images must begin with ghcr.io
- validationFailureAction: Audit
+ failureAction: Audit
diff --git a/test/cli/test/globalcontext/policy.yaml b/test/cli/test/globalcontext/policy.yaml
index 5869993205..22b7ef673b 100644
--- a/test/cli/test/globalcontext/policy.yaml
+++ b/test/cli/test/globalcontext/policy.yaml
@@ -24,7 +24,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 any:
diff --git a/test/cli/test/images/digest/policies.yaml b/test/cli/test/images/digest/policies.yaml
index 395942f833..7a50703fee 100644
--- a/test/cli/test/images/digest/policies.yaml
+++ b/test/cli/test/images/digest/policies.yaml
@@ -22,4 +22,4 @@ spec:
 required: false
 useCache: true
 verifyDigest: true
- validationFailureAction: Audit
+ failureAction: Audit
diff --git a/test/cli/test/images/secure-images/policies.yaml b/test/cli/test/images/secure-images/policies.yaml
index 909335ccef..7051459f00 100644
--- a/test/cli/test/images/secure-images/policies.yaml
+++ b/test/cli/test/images/secure-images/policies.yaml
@@ -23,5 +23,5 @@ spec:
 required: true
 useCache: true
 verifyDigest: false
- validationFailureAction: Enforce
+ failureAction: Enforce
 webhookTimeoutSeconds: 30
diff --git a/test/cli/test/images/signatures/policies.yaml b/test/cli/test/images/signatures/policies.yaml
index b2d8e649d6..db9f9fa162 100644
--- a/test/cli/test/images/signatures/policies.yaml
+++ b/test/cli/test/images/signatures/policies.yaml
@@ -36,4 +36,4 @@ spec:
 required: true
 useCache: true
 verifyDigest: true
- validationFailureAction: Enforce
+ failureAction: Enforce
diff --git a/test/cli/test/images/verify-signature/policies.yaml b/test/cli/test/images/verify-signature/policies.yaml
index 23c307aa7a..730a875fd7 100644
--- a/test/cli/test/images/verify-signature/policies.yaml
+++ b/test/cli/test/images/verify-signature/policies.yaml
@@ -37,7 +37,7 @@ spec:
 required: true
 useCache: true
 verifyDigest: true
- validationFailureAction: Enforce
+ failureAction: Enforce
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
@@ -81,4 +81,4 @@ spec:
 required: true
 useCache: true
 verifyDigest: false
- validationFailureAction: Enforce
+ failureAction: Enforce
diff --git a/test/cli/test/jmespath-brackets/policy.yaml b/test/cli/test/jmespath-brackets/policy.yaml
index df68bd08fb..a9a679f058 100644
--- a/test/cli/test/jmespath-brackets/policy.yaml
+++ b/test/cli/test/jmespath-brackets/policy.yaml
@@ -26,7 +26,7 @@ spec: a: "1" test: "" message: All pod labels must match except test - validationFailureAction: Enforce + failureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -51,4 +51,4 @@ spec: value: false message: For creating a namespace you need to set the objectid of the Azure AD Group that needs access to this namespace as the aadobjectid label - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml b/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml index c6bc85b85f..7cf71bc478 100644 --- a/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml +++ b/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml @@ -56,4 +56,4 @@ spec: - CREATE message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource' - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/manifests/verify-signature/policies.yaml b/test/cli/test/manifests/verify-signature/policies.yaml index 24fa3fc4c2..999d8a36b7 100644 --- a/test/cli/test/manifests/verify-signature/policies.yaml +++ b/test/cli/test/manifests/verify-signature/policies.yaml @@ -16,7 +16,7 @@ spec: name: test* name: validate-yaml validate: - validationFailureAction: Enforce + failureAction: Enforce manifests: attestors: - count: 1 @@ -43,7 +43,7 @@ spec: name: test* name: validate-yaml-multi-sig validate: - validationFailureAction: Enforce + failureAction: Enforce manifests: attestors: - entries: diff --git a/test/cli/test/mixed/policy.yaml b/test/cli/test/mixed/policy.yaml index 4acf77bd86..a33b23aac2 100644 --- a/test/cli/test/mixed/policy.yaml +++ b/test/cli/test/mixed/policy.yaml 
@@ -21,7 +21,7 @@ spec:
 - user-?*
 name: ondemand-managed_by
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: '{{ request.object.metadata.namespace }} pods must be managed by open-ondemand'
 pattern:
 metadata:
diff --git a/test/cli/test/multiple-validate-rules/policy.yaml b/test/cli/test/multiple-validate-rules/policy.yaml
index 96c941f6db..39d9b4a4d5 100644
--- a/test/cli/test/multiple-validate-rules/policy.yaml
+++ b/test/cli/test/multiple-validate-rules/policy.yaml
@@ -17,7 +17,7 @@ spec:
 operator: Equals
 value: 'LoadBalancer'
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: >-
 Only approved ports may be used for LoadBalancer services.
 foreach:
@@ -38,7 +38,7 @@ spec:
 kinds:
 - Service
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "NodePort services are not allowed. This is {{ request.object.spec.type }}"
 pattern:
 spec:
diff --git a/test/cli/test/multiple_condition_keys/policy.yaml b/test/cli/test/multiple_condition_keys/policy.yaml
index 170ad7ea3f..e6eb416de7 100644
--- a/test/cli/test/multiple_condition_keys/policy.yaml
+++ b/test/cli/test/multiple_condition_keys/policy.yaml
@@ -23,4 +23,4 @@ spec:
 value:
 - busybox
 - busybox1
- validationFailureAction: Enforce
+ failureAction: Enforce
diff --git a/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml b/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml
index ec962a49bb..a6c0f82950 100644
--- a/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml
+++ b/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml
@@ -44,4 +44,4 @@ spec:
 metadata:
 labels:
 foo: '*'
- validationFailureAction: Audit
+ failureAction: Audit
diff --git a/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml b/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml
index 157e35f404..09bed1f87a 100644
--- a/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml
+++ b/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml
@@ -37,4 +37,4 @@ spec:
 operator: NotEquals
 value: 2400
 message: certificate duration must be < than 2400h (100 days)
- validationFailureAction: Audit
+ failureAction: Audit
diff --git a/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml b/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml
index c1b649e41f..2411991ba9 100644
--- a/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml
+++ b/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml
@@ -32,4 +32,4 @@ spec:
 status:
 nodeInfo:
 kernelVersion: '!5.10.84-1 & !5.15.5-2'
- validationFailureAction: Audit
+ failureAction: Audit
diff --git a/test/cli/test/owner_references/policy.yaml b/test/cli/test/owner_references/policy.yaml
index 2e6e80763a..85c7ace23a 100644
--- a/test/cli/test/owner_references/policy.yaml
+++ b/test/cli/test/owner_references/policy.yaml
@@ -28,4 +28,4 @@ spec:
 periodSeconds: '>0'
 readinessProbe:
 periodSeconds: '>0'
- validationFailureAction: Enforce
+ failureAction: Enforce
diff --git a/test/cli/test/policy-reports-skip-validation/policy.yaml b/test/cli/test/policy-reports-skip-validation/policy.yaml
index 3bdbfcc86f..a9b28c5579 100644
--- a/test/cli/test/policy-reports-skip-validation/policy.yaml
+++ b/test/cli/test/policy-reports-skip-validation/policy.yaml
@@ -33,4 +33,4 @@ spec:
 operator: AnyNotIn
 value: '{{request.object.metadata.keys(@)}}'
 message: naked pods are not allowed
- validationFailureAction: Audit
+ failureAction: Audit
diff --git a/test/cli/test/preconditions/policy.yaml b/test/cli/test/preconditions/policy.yaml
index b2550396ab..38a9dab19e 100644
--- a/test/cli/test/preconditions/policy.yaml
+++ b/test/cli/test/preconditions/policy.yaml
@@ -24,4 +24,4 @@ spec:
 spec:
 containers:
 - name: '*busybox*'
- validationFailureAction: Enforce
+ failureAction: Enforce
diff --git a/test/cli/test/rangeoperators/policy.yaml b/test/cli/test/rangeoperators/policy.yaml
index 45954368e5..c4220a838c 100644
--- a/test/cli/test/rangeoperators/policy.yaml
+++ b/test/cli/test/rangeoperators/policy.yaml
@@ -22,4 +22,4 @@ spec:
 fourth_value: 2.5-3.5
 second_value: -2-5
 third_value: 100Mi!-1024Mi
- validationFailureAction: Enforce
+ failureAction: Enforce
diff --git a/test/cli/test/resource_lists/policy.yaml b/test/cli/test/resource_lists/policy.yaml
index fe3259fc1b..63cc44134c 100644
--- a/test/cli/test/resource_lists/policy.yaml
+++ b/test/cli/test/resource_lists/policy.yaml
@@ -19,7 +19,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -32,7 +32,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/cli/test/restrict-something/policy.yaml b/test/cli/test/restrict-something/policy.yaml
index fe75ee740b..17910b3079 100644
--- a/test/cli/test/restrict-something/policy.yaml
+++ b/test/cli/test/restrict-something/policy.yaml
@@ -16,7 +16,7 @@ spec:
 - foo
 name: validate-some-foo
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny:
 conditions:
 - key: '{{ images.containers.*.registry }}'
@@ -36,7 +36,7 @@ spec:
 - Pod
 name: validate-some-non-foo
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny:
 conditions:
 - key: '{{ images.containers.*.registry }}'
diff --git a/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml b/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml
index 9ca6c6123d..c57ab07b81 100644
--- a/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml
+++ b/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml
@@ -39,7 +39,7 @@ spec:
 operator: AllIn
 value: '{{ hosts }}'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
 message: The Ingress host name must be unique.
 - match:
@@ -57,6 +57,6 @@ spec:
 operator: GreaterThan
 value: 1
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
 message: An Ingress resource may only contain a single host entry.
diff --git a/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml b/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml
index 51a82f64f2..9fa67c1675 100644
--- a/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml
+++ b/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml
@@ -23,4 +23,4 @@ spec:
 pattern:
 spec:
 replicas: 2
- validationFailureAction: Enforce
+ failureAction: Enforce
diff --git a/test/cli/test/simple/policy.yaml b/test/cli/test/simple/policy.yaml
index de1ccf5506..04d2bcac3f 100644
--- a/test/cli/test/simple/policy.yaml
+++ b/test/cli/test/simple/policy.yaml
@@ -19,7 +19,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -34,7 +34,7 @@ spec:
 - test
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
@@ -63,7 +63,7 @@ spec:
 operator: GreaterThan
 value: 8h
 message: Pod lifetime exceeds limit of 8h
- validationFailureAction: Enforce
+ failureAction: Enforce
 - match:
 any:
 - resources:
@@ -78,7 +78,7 @@ spec:
 operator: LessThan
 value: 8h
 message: Pod lifetime under limit of 8h
- validationFailureAction: Enforce
+ failureAction: Enforce
 - match:
 any:
 - resources:
@@ -93,7 +93,7 @@ spec: operator: GreaterThanOrEquals value: 8h message: Pod lifetime exceeds limit of 8h - validationFailureAction: Enforce + failureAction: Enforce - match: any: - resources: @@ -108,7 +108,7 @@ spec: operator: LessThanOrEquals value: 8h message: Pod lifetime under limit of 8h - validationFailureAction: Enforce + failureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -152,4 +152,4 @@ spec: operator: GreaterThan value: 10 message: A maximum of 10 Pods are allowed on the Node `minikube` - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/unordered-context-variables/policy.yaml b/test/cli/test/unordered-context-variables/policy.yaml index 9420798a34..c2e4ee5d68 100644 --- a/test/cli/test/unordered-context-variables/policy.yaml +++ b/test/cli/test/unordered-context-variables/policy.yaml @@ -28,4 +28,4 @@ spec: spec: =(hostIPC): false =(hostPID): false - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/update/policy.yaml b/test/cli/test/update/policy.yaml index a91696297d..15fd17b8cb 100644 --- a/test/cli/test/update/policy.yaml +++ b/test/cli/test/update/policy.yaml @@ -17,7 +17,7 @@ spec: operator: Equals value: UPDATE validate: - validationFailureAction: Audit + failureAction: Audit message: Pass only if labels are different deny: conditions: diff --git a/test/cli/test/variables-deprecated/cm-array-example.yaml b/test/cli/test/variables-deprecated/cm-array-example.yaml index b724cec277..eeefcbef41 100644 --- a/test/cli/test/variables-deprecated/cm-array-example.yaml +++ b/test/cli/test/variables-deprecated/cm-array-example.yaml @@ -26,4 +26,4 @@ spec: value: '{{ "roles-dictionary".data."allowed-roles" }}' message: 'The role {{ request.object.metadata.annotations.role }} is not in the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' - validationFailureAction: Enforce + failureAction: Enforce 
diff --git a/test/cli/test/variables-deprecated/cm-blk-scalar-example.yaml b/test/cli/test/variables-deprecated/cm-blk-scalar-example.yaml index ea727b52c1..d1ba312a3d 100644 --- a/test/cli/test/variables-deprecated/cm-blk-scalar-example.yaml +++ b/test/cli/test/variables-deprecated/cm-blk-scalar-example.yaml @@ -26,4 +26,4 @@ spec: value: '{{ "roles-dictionary".data."allowed-roles" }}' message: 'The role {{ request.object.metadata.annotations.role }} is not in the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/variables-deprecated/cm-globalval-example.yaml b/test/cli/test/variables-deprecated/cm-globalval-example.yaml index 0b36123763..33af9892d8 100644 --- a/test/cli/test/variables-deprecated/cm-globalval-example.yaml +++ b/test/cli/test/variables-deprecated/cm-globalval-example.yaml @@ -20,4 +20,4 @@ spec: operator: NotEquals value: dev message: The value {{ request.mode }} for val1 is not equal to 'dev'. - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/variables-deprecated/cm-multiple-example.yaml b/test/cli/test/variables-deprecated/cm-multiple-example.yaml index 6f6bca9537..108d09f3f0 100644 --- a/test/cli/test/variables-deprecated/cm-multiple-example.yaml +++ b/test/cli/test/variables-deprecated/cm-multiple-example.yaml @@ -28,4 +28,4 @@ spec: labels: my-environment-name: '{{dictionary.data.env || anotherdictionary.data.env }}' - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/variables-deprecated/cm-variable-example.yaml b/test/cli/test/variables-deprecated/cm-variable-example.yaml index e25c2c7014..be85ab8258 100644 --- a/test/cli/test/variables-deprecated/cm-variable-example.yaml +++ b/test/cli/test/variables-deprecated/cm-variable-example.yaml 
@@ -23,4 +23,4 @@ spec: metadata: labels: my-environment-name: '{{dictionary.data.env}}' - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/variables/cm-array-example.yaml b/test/cli/test/variables/cm-array-example.yaml index b724cec277..eeefcbef41 100644 --- a/test/cli/test/variables/cm-array-example.yaml +++ b/test/cli/test/variables/cm-array-example.yaml @@ -26,4 +26,4 @@ spec: value: '{{ "roles-dictionary".data."allowed-roles" }}' message: 'The role {{ request.object.metadata.annotations.role }} is not in the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/variables/cm-blk-scalar-example.yaml b/test/cli/test/variables/cm-blk-scalar-example.yaml index ea727b52c1..d1ba312a3d 100644 --- a/test/cli/test/variables/cm-blk-scalar-example.yaml +++ b/test/cli/test/variables/cm-blk-scalar-example.yaml @@ -26,4 +26,4 @@ spec: value: '{{ "roles-dictionary".data."allowed-roles" }}' message: 'The role {{ request.object.metadata.annotations.role }} is not in the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/variables/cm-globalval-example.yaml b/test/cli/test/variables/cm-globalval-example.yaml index 0b36123763..33af9892d8 100644 --- a/test/cli/test/variables/cm-globalval-example.yaml +++ b/test/cli/test/variables/cm-globalval-example.yaml @@ -20,4 +20,4 @@ spec: operator: NotEquals value: dev message: The value {{ request.mode }} for val1 is not equal to 'dev'. - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/variables/cm-multiple-example.yaml b/test/cli/test/variables/cm-multiple-example.yaml index 6f6bca9537..108d09f3f0 100644 --- a/test/cli/test/variables/cm-multiple-example.yaml +++ b/test/cli/test/variables/cm-multiple-example.yaml 
@@ -28,4 +28,4 @@ spec: labels: my-environment-name: '{{dictionary.data.env || anotherdictionary.data.env }}' - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/variables/cm-variable-example.yaml b/test/cli/test/variables/cm-variable-example.yaml index e25c2c7014..be85ab8258 100644 --- a/test/cli/test/variables/cm-variable-example.yaml +++ b/test/cli/test/variables/cm-variable-example.yaml @@ -23,4 +23,4 @@ spec: metadata: labels: my-environment-name: '{{dictionary.data.env}}' - validationFailureAction: Audit + failureAction: Audit diff --git a/test/cli/test/variables/image-example.yaml b/test/cli/test/variables/image-example.yaml index 7ce05f3201..0dd322eace 100644 --- a/test/cli/test/variables/image-example.yaml +++ b/test/cli/test/variables/image-example.yaml @@ -35,4 +35,4 @@ spec: value: ghcr.io list: request.object.spec.containers message: images with root user are not allowed - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/cli/test/wildcard_match_label_selector/policy.yaml b/test/cli/test/wildcard_match_label_selector/policy.yaml index 6cb200033a..e303737111 100644 --- a/test/cli/test/wildcard_match_label_selector/policy.yaml +++ b/test/cli/test/wildcard_match_label_selector/policy.yaml @@ -17,7 +17,7 @@ spec: protected: '*' name: wildcard-label validate: - validationFailureAction: Enforce + failureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -33,7 +33,7 @@ spec: protected: '*-test' name: label-end-with-test validate: - validationFailureAction: Enforce + failureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -54,4 +54,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce + failureAction: Enforce 
diff --git a/test/conformance/chainsaw/assert/old-object-exists/policy.yaml b/test/conformance/chainsaw/assert/old-object-exists/policy.yaml
index 096364a550..0b6081cc05 100644
--- a/test/conformance/chainsaw/assert/old-object-exists/policy.yaml
+++ b/test/conformance/chainsaw/assert/old-object-exists/policy.yaml
@@ -25,7 +25,7 @@ spec:
 variable:
 value: large
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "The label `size` is required"
 assert:
 object:
@@ -42,7 +42,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "request.oldObject cannot be null for update requests"
 assert:
 oldObject: {}
diff --git a/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml b/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml
index 1a19e25a56..cba1dfd366 100644
--- a/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml
+++ b/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml
@@ -27,7 +27,7 @@ status:
 - fluxcd.io/cow
 - fluxcd.io/dog
 message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
- validationFailureAction: Enforce
+ failureAction: Enforce
 - match:
 any:
 - resources:
@@ -44,7 +44,7 @@ status:
 - fluxcd.io/cow
 - fluxcd.io/dog
 message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
- validationFailureAction: Enforce
+ failureAction: Enforce
 conditions:
 - reason: Succeeded
 status: "True"
diff --git a/test/conformance/chainsaw/autogen/conditions/policy.yaml b/test/conformance/chainsaw/autogen/conditions/policy.yaml
index 580fc91ca7..6e08ffae4f 100644
--- a/test/conformance/chainsaw/autogen/conditions/policy.yaml
+++ b/test/conformance/chainsaw/autogen/conditions/policy.yaml
@@ -12,7 +12,7 @@ spec:
 - Pod
 name: allowed-fluxcd-annotations
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 all:
diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml
index 1b67b0ff8a..52d5d5ec7e 100644
--- a/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml
+++ b/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml
@@ -11,7 +11,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -24,7 +24,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
@@ -44,7 +44,7 @@ status:
 - Deployment
 name: autogen-require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -59,7 +59,7 @@ status:
 - CronJob
 name: autogen-cronjob-require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -76,7 +76,7 @@ status:
 - Deployment
 name: autogen-validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
@@ -91,7 +91,7 @@ status:
 - CronJob
 name: autogen-cronjob-validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml
index 90a9cf0664..442a13b889 100644
--- a/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml
+++ b/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml
@@ -13,7 +13,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -26,7 +26,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml
index 3a94b5bf78..6ff36aac83 100644
--- a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml
+++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml
@@ -11,7 +11,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -24,7 +24,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
@@ -46,7 +46,7 @@ status:
 - StatefulSet
 name: autogen-require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -63,7 +63,7 @@ status:
 - StatefulSet
 name: autogen-validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml
index ffa40232a3..714669dace 100644
--- a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml
+++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml
@@ -13,7 +13,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -26,7 +26,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/none/policy-assert.yaml b/test/conformance/chainsaw/autogen/none/policy-assert.yaml
index e0fe17bbb4..d74e1c535b 100644
--- a/test/conformance/chainsaw/autogen/none/policy-assert.yaml
+++ b/test/conformance/chainsaw/autogen/none/policy-assert.yaml
@@ -11,7 +11,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -24,7 +24,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/none/policy.yaml b/test/conformance/chainsaw/autogen/none/policy.yaml
index 3c26e24d3e..a1faf921d2 100644
--- a/test/conformance/chainsaw/autogen/none/policy.yaml
+++ b/test/conformance/chainsaw/autogen/none/policy.yaml
@@ -13,7 +13,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -26,7 +26,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml b/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml
index e599ce36c9..c153a3a36e 100644
--- a/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml
+++ b/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml
@@ -11,7 +11,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -24,7 +24,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
@@ -44,7 +44,7 @@ status:
 - CronJob
 name: autogen-cronjob-require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -61,7 +61,7 @@ status:
 - CronJob
 name: autogen-cronjob-validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml b/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml
index 41767bd475..5079c9c7df 100644
--- a/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml
+++ b/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml
@@ -13,7 +13,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -26,7 +26,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml b/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml
index 351fa60188..9d0bd9e014 100644
--- a/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml
+++ b/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml
@@ -11,7 +11,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -24,7 +24,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
@@ -44,7 +44,7 @@ status:
 - Deployment
 name: autogen-require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -59,7 +59,7 @@ status:
 - Deployment
 name: autogen-validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/only-deployment/policy.yaml b/test/conformance/chainsaw/autogen/only-deployment/policy.yaml
index 54c416fbf9..1398d2745c 100644
--- a/test/conformance/chainsaw/autogen/only-deployment/policy.yaml
+++ b/test/conformance/chainsaw/autogen/only-deployment/policy.yaml
@@ -13,7 +13,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -26,7 +26,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/restrict-image-registries/policy-assert.yaml b/test/conformance/chainsaw/autogen/restrict-image-registries/policy-assert.yaml
index 63fafdfe8f..26b2fdc9c1 100644
--- a/test/conformance/chainsaw/autogen/restrict-image-registries/policy-assert.yaml
+++ b/test/conformance/chainsaw/autogen/restrict-image-registries/policy-assert.yaml
@@ -19,7 +19,7 @@ spec:
 spec:
 containers:
 - image: registry.domain.com/*
- validationFailureAction: Enforce
+ failureAction: Enforce
 status:
 autogen:
 rules:
@@ -43,7 +43,7 @@ status:
 spec:
 containers:
 - image: registry.domain.com/*
- validationFailureAction: Enforce
+ failureAction: Enforce
 - match:
 any:
 - resources:
@@ -61,7 +61,7 @@ status:
 spec:
 containers:
 - image: registry.domain.com/*
- validationFailureAction: Enforce
+ failureAction: Enforce
 conditions:
 - message: Ready
 reason: Succeeded
diff --git a/test/conformance/chainsaw/autogen/restrict-image-registries/policy.yaml b/test/conformance/chainsaw/autogen/restrict-image-registries/policy.yaml
index 5ee3ad7cf6..3b41d18221 100644
--- a/test/conformance/chainsaw/autogen/restrict-image-registries/policy.yaml
+++ b/test/conformance/chainsaw/autogen/restrict-image-registries/policy.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "Images may only come from our internal enterprise registry."
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml
index 952e639d43..8a62e64ab0 100644
--- a/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml
+++ b/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml
@@ -11,7 +11,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -24,7 +24,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
@@ -49,7 +49,7 @@ status:
 - StatefulSet
 name: autogen-require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -64,7 +64,7 @@ status:
 - CronJob
 name: autogen-cronjob-require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -86,7 +86,7 @@ status:
 - StatefulSet
 name: autogen-validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
@@ -101,7 +101,7 @@ status:
 - CronJob
 name: autogen-cronjob-validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/should-autogen/policy.yaml b/test/conformance/chainsaw/autogen/should-autogen/policy.yaml
index 3fbaa4c1d2..f9fcf5425a 100644
--- a/test/conformance/chainsaw/autogen/should-autogen/policy.yaml
+++ b/test/conformance/chainsaw/autogen/should-autogen/policy.yaml
@@ -11,7 +11,7 @@ spec:
 - Pod
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -24,7 +24,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml
index b93773c82d..dfde4f431f 100644
--- a/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml
+++ b/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml
@@ -12,7 +12,7 @@ spec:
 - Deployment
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -25,7 +25,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml b/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml
index f1a824139f..44f40571dd 100644
--- a/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml
+++ b/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml
@@ -12,7 +12,7 @@ spec:
 - Deployment
 name: require-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: An image tag is required.
 pattern:
 spec:
@@ -25,7 +25,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: Using a mutable image tag e.g. 'latest' is not allowed.
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml
index 6431b95be2..289bd1c324 100644
--- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml
@@ -13,5 +13,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
index 6431b95be2..289bd1c324 100644
--- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
@@ -13,5 +13,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml
index 6431b95be2..289bd1c324 100644
--- a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml
@@ -13,5 +13,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml
index 91a845df05..1c5e0fb508 100644
--- a/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml
@@ -13,5 +13,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml
index 91a845df05..1c5e0fb508 100644
--- a/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml
@@ -13,5 +13,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml
index 91a845df05..1c5e0fb508 100644
--- a/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml
@@ -13,5 +13,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml b/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml
index e2c116d3dd..801ba5db14 100644
--- a/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml
+++ b/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: >-
 Running the container as root user is not allowed.
 pattern:
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
index 08ad133aab..29771e659a 100644
--- a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml
@@ -31,4 +31,4 @@ spec:
 rekor:
 url: "{{ tufvalues.data.REKOR_URL }}"
 required: true
- validationFailureAction: Enforce
+ failureAction: Enforce
diff --git a/test/conformance/chainsaw/deferred/dependencies/manifests.yaml b/test/conformance/chainsaw/deferred/dependencies/manifests.yaml
index 88fdb61da5..cda1903206 100644
--- a/test/conformance/chainsaw/deferred/dependencies/manifests.yaml
+++ b/test/conformance/chainsaw/deferred/dependencies/manifests.yaml
@@ -62,7 +62,7 @@ spec:
 variable:
 jmesPath: subtract(`{{budget.spendLimit}}`,`{{budget.currentSpend}}`)
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 # Need to improve this by rounding.
 message: "This Deployment, which costs ${{ predictedcost }} to run for a month, will overrun the remaining budget of ${{ remainingbudget }}. Please seek approval."
 deny:
diff --git a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml
index f1fb10a77a..5ccbc36be7 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml b/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml
index ecc56be5c5..572439a8a5 100644
--- a/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml
+++ b/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - ConfigMap
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml b/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml
index ecc56be5c5..572439a8a5 100644
--- a/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml
+++ b/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - ConfigMap
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml
index fbd58e6205..83bdacc215 100644
--- a/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - ConfigMap
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml
index f11840f37b..b7e0d2bdb6 100644
--- a/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: v1.25
diff --git a/test/conformance/chainsaw/exceptions/conditions/policy.yaml b/test/conformance/chainsaw/exceptions/conditions/policy.yaml
index e80f7806ce..ae74c78d6a 100644
--- a/test/conformance/chainsaw/exceptions/conditions/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/conditions/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "A maximum of 2 containers are allowed inside a Pod."
 deny:
 conditions:
diff --git a/test/conformance/chainsaw/exceptions/events-creation/policy.yaml b/test/conformance/chainsaw/exceptions/events-creation/policy.yaml
index ffc0f0b639..0fb44ed3be 100644
--- a/test/conformance/chainsaw/exceptions/events-creation/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/events-creation/policy.yaml
@@ -23,7 +23,7 @@ spec:
 - Pod
 name: validate-image-tag
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: An image tag is required (:latest is not allowed)
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml
index 3e53fb4a66..aaa6d79568 100644
--- a/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml
index d30e5216d5..6893e66610 100644
--- a/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: baseline
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml
index 8480491699..941d00a1a3 100644
--- a/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: baseline
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml
index 17ddd65449..cb180288f6 100644
--- a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: baseline
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml
index d7381d289a..e9c399d831 100644
--- a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml
index 17ddd65449..cb180288f6 100644
--- a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: baseline
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml
index d7381d289a..e9c399d831 100644
--- a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml
index d7381d289a..e9c399d831 100644
--- a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml
index d7381d289a..e9c399d831 100644
--- a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml
index d7381d289a..e9c399d831 100644
--- a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml
index 17ddd65449..cb180288f6 100644
--- a/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: baseline
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml
index 17ddd65449..cb180288f6 100644
--- a/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: baseline
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml
index 17ddd65449..cb180288f6 100644
--- a/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: baseline
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml
index d7381d289a..e9c399d831 100644
--- a/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml b/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml
index e80f7806ce..ae74c78d6a 100644
--- a/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "A maximum of 2 containers are allowed inside a Pod."
 deny:
 conditions:
diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml
index fbd58e6205..83bdacc215 100644
--- a/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - ConfigMap
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml
index 7fb8105163..69171ef43e 100644
--- a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml
@@ -16,7 +16,7 @@ spec:
 namespaces:
 - default
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: v1.29
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml
index fbd58e6205..83bdacc215 100644
--- a/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - ConfigMap
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml
index 23661cb3a5..f293aa071b 100644
--- a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml
+++ b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml
@@ -18,5 +18,5 @@ spec:
 name: kyverno
 namespace: kyverno
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml b/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml
index 70c4330bcd..8831cf83dc 100644
--- a/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml
+++ b/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml
@@ -18,5 +18,5 @@ spec:
 name: '?*'
 namespace: '?*'
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml
index 6086efceb8..f1f370e645 100644
--- a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml
@@ -17,5 +17,5 @@ spec:
 - kind: User
 name: not-kubernetes-admin
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml
index 050284adcc..4468b4e5ff 100644
--- a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml
+++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml
@@ -17,5 +17,5 @@ spec:
 - kind: User
 name: kubernetes-admin
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml
index a4aec00711..0940dbca77 100644
--- a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml
@@ -17,5 +17,5 @@ spec:
 - kind: User
 name: not-?*
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml
index 940a88e7a5..5cd8bb61c3 100644
--- a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml
+++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml
@@ -17,5 +17,5 @@ spec:
 - kind: User
 name: '?*'
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml b/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml
index 77f4c46db1..ab5551cc0b 100644
--- a/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml
+++ b/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml
@@ -16,5 +16,5 @@ spec:
 name: kyverno
 namespace: kyverno
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml b/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml
index aacfdfcc62..b5ea75961d 100644
--- a/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml
+++ b/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml
@@ -16,5 +16,5 @@ spec:
 name: '?*'
 namespace: '?*'
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml
index 7f8fa49c81..da33d61b1f 100644
--- a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml
@@ -15,5 +15,5 @@ spec:
 - kind: User
 name: kubernetes-admin
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml
index 58e85612a9..11a994510d 100644
--- a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml
+++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml
@@ -15,5 +15,5 @@ spec:
 - kind: User
 name: not-kubernetes-admin
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml
index 8cf931a8f8..e88fc6ca71 100644
--- a/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml
@@ -15,5 +15,5 @@ spec:
 - kind: User
 name: '?*'
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml
index 55652de5aa..59e5abdfcb 100644
--- a/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml
+++ b/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml
@@ -15,5 +15,5 @@ spec:
 - kind: User
 name: not-?*
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml b/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml
index ecc56be5c5..572439a8a5 100644
--- a/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml
+++ b/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - ConfigMap
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml
index 1f71eb0fb5..615a44db76 100644
--- a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml
+++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml
@@ -15,7 +15,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml
index 5406032e7d..90e63c5d84 100644
--- a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml
+++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
index 34e2259a6f..a21460ad13 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 expressions:
 - expression: "!has(object.spec.ephemeralContainers)"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml
index 4f22c42d51..0ddcddd282 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml
@@ -19,7 +19,7 @@ spec:
 matchLabels:
 app: critical
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml
index 8de553d9dc..8cfb945c2f 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml
@@ -24,7 +24,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml
index a356e7fcaa..4ba5265bbf 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml
@@ -28,7 +28,7 @@ spec:
 names:
 - "testing"
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml
index 7e2a13086b..e7b7ff0f72 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml
@@ -28,7 +28,7 @@ spec:
 names:
 - "testing"
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml
index c5bddb037d..220c2e6d6c 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml
@@ -28,7 +28,7 @@ spec:
 names:
 - "testing"
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml
index 739e55ca82..cbd2233c48 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml
@@ -33,7 +33,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml
index 46ba297cbd..f2a69970ce 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml
@@ -24,7 +24,7 @@ spec:
 values:
 - connector
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml
index 6045d43043..749abc0b11 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml
@@ -17,7 +17,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "'app' in object.metadata.labels"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml
index 77febe5d78..de25903016 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml
@@ -24,7 +24,7 @@ spec:
 operations:
 - CREATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "'app' in object.metadata.labels"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml
index cc4e8b5474..8a44e17e3a 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - production
 - staging
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "'app' in object.metadata.labels"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml
index 193c0e113c..b65e481708 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml
@@ -17,7 +17,7 @@ spec:
 - production
 - staging
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/policy.yaml
index 83f9851f87..4a73b94281 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml
index 8ff720b0cc..8013cdb108 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml
@@ -26,7 +26,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml
index 74287f4cf4..388e493d83 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml
@@ -23,7 +23,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml
index f0f505019e..d0f50b6dae 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml
@@ -14,7 +14,7 @@ spec:
 - "prod-*"
 - "staging"
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "'app' in object.metadata.labels"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml
index fc6629d9d2..be0c9e652b 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml
@@ -14,7 +14,7 @@ spec:
 - "prod-*"
 - "staging"
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "'app' in object.metadata.labels"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml
index 217bacbf46..83d8c97052 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml
@@ -32,7 +32,7 @@ spec:
 values:
 - compute
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml
index 918c37a204..6e3c916a8c 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml
@@ -26,7 +26,7 @@ spec:
 matchLabels:
 app: normal
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml
index aa18a92659..d297f8c332 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml
@@ -26,7 +26,7 @@ spec:
 - testing-ns
 - staging-ns
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml
index c4e00860cd..4f0da2684c 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml
@@ -29,7 +29,7 @@ spec:
 values:
 - connector
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml
index 3f08041457..0c00e80f3a 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml
@@ -19,7 +19,7 @@ spec:
 matchLabels:
 app: critical
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "'app' in object.metadata.labels"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml
index 990d96339b..42ed1d63b3 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml
@@ -19,7 +19,7 @@ spec:
 - kind: User
 name: John
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "'app' in object.metadata.labels"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml
index 98b387d8aa..7af6214662 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml
@@ -20,7 +20,7 @@ spec:
 clusterRoles:
 - cluster-admin
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml
index 9c6f3fe791..f623024384 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml
@@ -16,7 +16,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml
index d27c9ee0ed..f265645d4b 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml
@@ -25,7 +25,7 @@ spec:
 names:
 - app
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 cel:
 expressions:
 - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml
index f567d67347..16890da523 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml
@@ -11,8 +11,8 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
- validationFailureActionOverrides:
+ failureAction: Audit
+ failureActionOverrides:
 - action: Enforce
 namespaces:
 - default
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml
index 727e20dc17..3b86686f2e 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "You must have label `purpose` with value `production` set on all new namespaces."
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml
index 28b993b06d..029c79d15f 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml
@@ -11,8 +11,8 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
- validationFailureActionOverrides:
+ failureAction: Audit
+ failureActionOverrides:
 - action: Enforce
 namespaces:
 - default
diff --git a/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml
index 4b9f45cdeb..e6421026d9 100755
--- a/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml
@@ -24,7 +24,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 any:
diff --git a/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml
index 8d892bda14..1041fa2169 100755
--- a/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml
@@ -24,7 +24,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 any:
diff --git a/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml
index 68354b6357..80599605f9 100755
--- a/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml
@@ -24,7 +24,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 any:
diff --git a/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml
index bc0011f2c0..a9ed4528c6 100755
--- a/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml
@@ -24,7 +24,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 any:
diff --git a/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml
index 09d25573ee..e3ed7708f4 100755
--- a/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml
@@ -23,7 +23,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 any:
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml
index 5a5b1b122b..5d70eb8d69 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml
@@ -13,5 +13,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml
index d797d5bc11..3f239102a7 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml
@@ -13,7 +13,7 @@ spec:
 kinds:
 - Pod
 verifyImages:
- - validationFailureAction: Audit
+ - failureAction: Audit
 imageReferences:
 - "ghcr.io/kyverno/test-verify-image:*"
 attestors:
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml
index 26703a717f..1643ef9981 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml
@@ -13,5 +13,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/assert/bad-context-name.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/assert/bad-context-name.yaml
index f97e31bae5..6c47e8e867 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/assert/bad-context-name.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/assert/bad-context-name.yaml
@@ -15,7 +15,7 @@ spec:
 variable:
 value: dummy
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "namespace must have an env label"
 assert:
 object:
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/assert/no-foreach.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/assert/no-foreach.yaml
index ab6df0c808..33c4358a87 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/assert/no-foreach.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/assert/no-foreach.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "namespace must have an env label"
 foreach:
 - list: "['dummy']"
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/assert/ok.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/assert/ok.yaml
index d335d7ebbd..6288463041 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/assert/ok.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/assert/ok.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "namespace must have an env label"
 assert:
 object:
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml
index a06e1790a9..4393851e46 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - Scale
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml
index 45434a4b2d..2720a1f585 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - Pod/scale
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml
index 8ecde3c0e2..0424b540a5 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - Pod/*
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml
index dda595fcb0..74b16e7cb7 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - '*/*'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml
index 832a0f11a3..4e2c68f5a7 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - '*/status'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml
index 8ab96974fc..59f7d16ced 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: The `owner` label is required for all Namespaces.
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml
index 995abd40eb..89c987c9cd 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: The `owner` label is required for all Namespaces.
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml
index e11c052e64..552ada6063 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Secret
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 expressions:
 - message: "long lived API tokens are not allowed"
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml
index 92fd8bd417..c2b965a6f2 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Deployment
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 expressions:
 - expression: "object.replicas > 1" # should be "object.spec.replicas > 1"
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml
index 2c0a59573f..38020fb104 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml
@@ -14,7 +14,7 @@ spec:
 - Pod
 name: test-not-in
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 any:
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml
index 2ab30eaee7..05878cd7c1 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml
@@ -14,7 +14,7 @@ spec:
 - Pod
 name: test-invalid
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 any:
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml
index 8648e1c0e0..b7519a0341 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: baseline
 version: latest
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml
index 0976458856..79428246fb 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: baseline
 version: latest
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml
index 0235e29ebe..da65c2a93b 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml
index 69eba343d7..9f6025db98 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml
index 7061887c51..c5fc426d15 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
 webhookConfiguration:
 timeoutSeconds: -1
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml
index d320e00d98..e9ef39c3c1 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
 webhookConfiguration:
 timeoutSeconds: 31
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml
index b14f32e885..33d8428897 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml
@@ -13,7 +13,7 @@ spec:
 - Pod
 - Deployment
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: Pod must include the 'app=my-app' label
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml
index b8a4fc6c5f..1b872e8bb9 100644
--- a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml
@@ -13,5 +13,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml
index 532c65b17e..efa58ddce4 100644
--- a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml
@@ -13,7 +13,7 @@ spec:
 kinds:
 - Pod
 verifyImages:
- - validationFailureAction: Audit
+ - failureAction: Audit
 imageReferences:
 - "ghcr.io/kyverno/test-verify-image:*"
 attestors:
diff --git a/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml
index 5d975e9e32..99728bc4d1 100644
--- a/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml
@@ -13,5 +13,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/assert/bad-context-name.yaml b/test/conformance/chainsaw/policy-validation/policy/assert/bad-context-name.yaml
index f1dea96e89..a02fc8cad2 100644
--- a/test/conformance/chainsaw/policy-validation/policy/assert/bad-context-name.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/assert/bad-context-name.yaml
@@ -15,7 +15,7 @@ spec:
 variable:
 value: dummy
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "pod must have an env label"
 assert:
 object:
diff --git a/test/conformance/chainsaw/policy-validation/policy/assert/no-foreach.yaml b/test/conformance/chainsaw/policy-validation/policy/assert/no-foreach.yaml
index 627c337951..09bf639c94 100644
--- a/test/conformance/chainsaw/policy-validation/policy/assert/no-foreach.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/assert/no-foreach.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "pod must have an env label"
 foreach:
 - list: "['dummy']"
diff --git a/test/conformance/chainsaw/policy-validation/policy/assert/ok.yaml b/test/conformance/chainsaw/policy-validation/policy/assert/ok.yaml
index eb1232f4be..44e4a9aa9c 100644
--- a/test/conformance/chainsaw/policy-validation/policy/assert/ok.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/assert/ok.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "pod must have an env label"
 assert:
 object:
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml
index 4691296bf6..34a1e2d14c 100644
--- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - Scale
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml
index 541eb45edf..348b6e7aa3 100644
--- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - Pod/scale
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml
index 9d027cbc45..e16fc9f267 100644
--- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - Pod/*
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml
index e311f15fb8..168ec0007e 100644
--- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - '*/*'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml
index 333c711ffa..c880a2d2e4 100644
--- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - '*/status'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml
index bddc817a9d..c73fb44965 100644
--- a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml
index ddd8d604c8..8c278075a5 100644
--- a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml
+++ b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml
@@ -12,5 +12,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 deny: {}
diff --git a/test/conformance/chainsaw/rangeoperators/standard/policy.yaml b/test/conformance/chainsaw/rangeoperators/standard/policy.yaml
index c7d0abd79d..25f9ed27ec 100644
--- a/test/conformance/chainsaw/rangeoperators/standard/policy.yaml
+++ b/test/conformance/chainsaw/rangeoperators/standard/policy.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - ConfigMap
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "All data values must be in the specified range."
 pattern:
 data:
diff --git a/test/conformance/chainsaw/reports/admission/exception/policy.yaml b/test/conformance/chainsaw/reports/admission/exception/policy.yaml
index fb7a312720..c7797d077f 100644
--- a/test/conformance/chainsaw/reports/admission/exception/policy.yaml
+++ b/test/conformance/chainsaw/reports/admission/exception/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - ConfigMap
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml
index e842dd0fb7..c1eb9f171b 100644
--- a/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml
+++ b/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml
@@ -19,7 +19,7 @@ spec:
 - key: org
 operator: Exists
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 pattern:
 metadata:
 annotations:
diff --git a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml
index f31c092067..34e916620f 100755
--- a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml
@@ -12,7 +12,7 @@ spec:
 - Namespace
 name: check-owner
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: The `owner` label is required for all Namespaces.
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy.yaml
index 0706a5b3dd..8ff3c2ea99 100644
--- a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy.yaml
+++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "You must have label `purpose` with value `production` set on all new namespaces."
 pattern:
 metadata:
@@ -24,7 +24,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: "You must have label `environment` with value `production` set on all new namespaces."
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/reports/admission/update/policy.yaml b/test/conformance/chainsaw/reports/admission/update/policy.yaml
index 7045fdb916..4047a9daea 100644
--- a/test/conformance/chainsaw/reports/admission/update/policy.yaml
+++ b/test/conformance/chainsaw/reports/admission/update/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: "Using a mutable image tag e.g. 'latest' is not allowed."
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml
index cf0ea015f0..cf21e633f3 100644
--- a/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml
+++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Deployment
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "Deployment should have at most 1 replica"
 deny:
 conditions:
diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml
index 9042705636..a72c10f809 100644
--- a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml
+++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/reports/background/exception/policy.yaml b/test/conformance/chainsaw/reports/background/exception/policy.yaml
index f7602782bb..d300d2f51f 100644
--- a/test/conformance/chainsaw/reports/background/exception/policy.yaml
+++ b/test/conformance/chainsaw/reports/background/exception/policy.yaml
@@ -13,7 +13,7 @@ spec:
 kinds:
 - ConfigMap
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml b/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml
index 4cede2a123..1a63f801a4 100644
--- a/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml
+++ b/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml
@@ -13,7 +13,7 @@ spec:
 - Pod
 name: restricted
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml
index 58d9e83ff0..22ee875dec 100644
--- a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml
@@ -12,7 +12,7 @@ spec:
 - Pod
 name: restricted
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 podSecurity:
 level: restricted
 version: latest
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml
index 67776cbd45..2861f4854d 100644
--- a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml
@@ -26,7 +26,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 podSecurity:
 level: restricted
 version: latest
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy.yaml
index 0706a5b3dd..8ff3c2ea99 100644
--- a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy.yaml
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "You must have label `purpose` with value `production` set on all new namespaces."
 pattern:
 metadata:
@@ -24,7 +24,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: "You must have label `environment` with value `production` set on all new namespaces."
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml
index ba04cc6f5c..763ec7451a 100644
--- a/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml
+++ b/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml
@@ -13,7 +13,7 @@ spec:
 kinds:
 - Pod
 verifyImages:
- - validationFailureAction: Audit
+ - failureAction: Audit
 imageReferences:
 - ghcr.io/kyverno/test-verify-image:*
 verifyDigest: false
diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml
index 0c15e58bde..f2d47410bb 100644
--- a/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml
+++ b/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml
@@ -13,7 +13,7 @@ spec:
 kinds:
 - Pod
 verifyImages:
- - validationFailureAction: Audit
+ - failureAction: Audit
 imageReferences:
 - ghcr.io/kyverno/test-verify-image:*
 verifyDigest: false
diff --git a/test/conformance/chainsaw/validate/anchors/conditional/policy.yaml b/test/conformance/chainsaw/validate/anchors/conditional/policy.yaml
index 27d50937e6..e5b24b3023 100644
--- a/test/conformance/chainsaw/validate/anchors/conditional/policy.yaml
+++ b/test/conformance/chainsaw/validate/anchors/conditional/policy.yaml
@@ -29,7 +29,7 @@ spec:
 kinds:
 - Deployment/scale
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: The replica count for this Deployment may not exceed 8.
 pattern:
 (status):
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml
index ca8d190fe5..8be13d0f37 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Service
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "Services of type NodePort are not allowed."
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml
index 8c71277459..a78a83ff44 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml
@@ -17,7 +17,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "hostPort must either be unset or set to 0"
 cel:
 expressions:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-1.yaml
index ac198d4243..e38fbc309c 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-1.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-1.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: >-
 The label `uw.systems/owner` is required. Check policy at https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-2.yaml
index 0caea63b93..1ea6f2b184 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-2.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/policy-2.yaml
@@ -17,7 +17,7 @@ spec:
 operator: Equals
 value: foo
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: >-
 The label `uw.systems/owner` is required. Check policy at https://github.com/utilitywarehouse/system-manifests/tree/master/kyverno/policies/namespaces/require-ns-owner-label.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy.yaml
index bebcb945a3..460bc296b8 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "You must have label `purpose` with value `production` set on all new namespaces."
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml
index 2f2baff0e2..015d02ee84 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "Unknown image registry."
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml
index f795b627c9..962fd74f73 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - Secret
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
 deny:
 conditions:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml
index e90823cda2..5b54ad615e 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml
@@ -15,7 +15,7 @@ spec:
 kinds:
 - Secret
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
 deny:
 conditions:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/policy.yaml
index 65ebbdf52e..e3b84fa9ef 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/policy.yaml
@@ -16,7 +16,7 @@ spec:
 variable:
 jmesPath: '{{ request.object.spec.[containers,initContainers, ephemeralContainers][].image[] }}'
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 all:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml
index 7fb8105163..69171ef43e 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml
@@ -16,7 +16,7 @@ spec:
 namespaces:
 - default
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 podSecurity:
 level: restricted
 version: v1.29
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy.yaml
index 0706a5b3dd..8ff3c2ea99 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy.yaml
@@ -11,7 +11,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: "You must have label `purpose` with value `production` set on all new namespaces."
 pattern:
 metadata:
@@ -24,7 +24,7 @@ spec:
 kinds:
 - Namespace
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: "You must have label `environment` with value `production` set on all new namespaces."
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail/policy.yaml
index 8e251e8b1e..b135b60936 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: >-
 Lorem ipse
 pattern:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass/policy.yaml
index 8e251e8b1e..b135b60936 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: >-
 Lorem ipse
 pattern:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip/policy.yaml
index a6fbacb925..cb4dc37b6d 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: >-
 Lorem ipse
 pattern:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy.yaml
index 2bc8060f91..ddbdbe4a7b 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy.yaml
@@ -16,7 +16,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: >-
 Running with specific user IDs {{ allowedUIDs }}. The fields spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/chainsaw-step-01-apply-1-1.yaml
index dbc3cf10f5..956fe6bcf9 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/chainsaw-step-01-apply-1-1.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/chainsaw-step-01-apply-1-1.yaml
@@ -26,7 +26,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 any:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml
index 941d71f8cd..cac7dff917 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml
@@ -30,7 +30,7 @@ spec:
 - ConfigMap
 name: check-sar
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 any:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml
index 48c47b75a2..46aece8bd0 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml
@@ -14,7 +14,7 @@ spec:
 - Pod
 name: ns-clusterroles
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: The `owner` label is required for all Namespaces.
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/chainsaw-step-02-error-1-1.yaml
index f1bb53d50e..157d6ad2fc 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/chainsaw-step-02-error-1-1.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/chainsaw-step-02-error-1-1.yaml
@@ -14,7 +14,7 @@ spec:
 - foo-role
 name: ns-roles
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: The `owner` label is required for all Namespaces.
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/chainsaw-step-02-error-1-1.yaml
index 8b9208df53..a5e13c556c 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/chainsaw-step-02-error-1-1.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/chainsaw-step-02-error-1-1.yaml
@@ -12,7 +12,7 @@ spec:
 - Pod
 name: ns-vars-roles
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: The `owner` label is required for all Namespaces.
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml
index b68a6e09e9..b2195bed8e 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml
@@ -12,7 +12,7 @@ spec:
 - Pod
 name: ns-vars-serviceaccountname
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: The `owner` label is required for all Namespaces.
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml
index 4c2c35272f..59a014f424 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml
@@ -12,7 +12,7 @@ spec:
 - Pod
 name: ns-vars-userinfo
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: The `owner` label is required for all Namespaces.
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml
index 5c03d581ec..e27c401a91 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml
@@ -17,7 +17,7 @@ spec:
 - Pod
 name: validate-labels
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 pattern:
 metadata:
 labels:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml
index 63d5eaee6a..8af17f3ec0 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 expressions:
 - expression: "authorizer.serviceAccount('default', 'test-account').group('').resource('pods').namespace('default').check('delete').allowed()"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml
index 63bd49605d..cb278250f9 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 expressions:
 - expression: "authorizer.serviceAccount('default', 'test-account-1').group('apps').resource('deployments').namespace('default').check('delete').allowed()"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml
index 988e9ff54c..006f20da0d 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml
@@ -18,7 +18,7 @@ spec:
 - name: "first match condition in CEL"
 expression: "object.metadata.name.matches('nginx-pod')"
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 expressions:
 - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml
index 3948acf86c..a13973c25b 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 variables:
 - name: environment
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml
index 953ace56a6..9ccf6951e7 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 expressions:
 - expression: "namespaceObject.metadata.name == 'production'"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml
index 027cd88fd7..f49b471855 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 expressions:
 - expression: "false"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml
index 3478a63887..ba3e94350f 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml
@@ -17,7 +17,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 expressions:
 - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml
index 9e0cf79fde..107cde875d 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 paramKind:
 apiVersion: rules.example.com/v1
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
index f75bde91a3..84e2afb5ae 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 paramKind:
 apiVersion: rules.example.com/v1
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
index 995e40fcc9..d830c35163 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 paramKind:
 apiVersion: rules.example.com/v1
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
index 471044a1ae..2cb324ed9a 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
@@ -15,7 +15,7 @@ spec:
 - CREATE
 - UPDATE
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 cel:
 paramKind:
 apiVersion: rules.example.com/v1
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml
index b4fef7946e..c3cdc6f9dd 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml
@@ -14,5 +14,5 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml
index a713028658..22c854449e 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml
@@ -14,5 +14,5 @@ spec:
 kinds:
 - Pod/ephemeralcontainers
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml
index bc486918ad..61173ff15f 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml
@@ -14,5 +14,5 @@ spec:
 kinds:
 - '*/ephemeralcontainers'
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml
index 1e92b6ebd3..bcbe64db9e 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml
@@ -16,7 +16,7 @@ spec:
 - Pod/eviction
 name: deny-evict-by-label
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 all:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml
index 6f56d15d0e..b2e014459d 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml
@@ -30,7 +30,7 @@ spec:
 operator: Equals
 value: CONNECT
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 deny:
 conditions:
 all:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml
index a958381812..0d5fdf3ef7 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml
@@ -15,7 +15,7 @@ spec:
 - test-validate
 name: validate-nginx-test
 validate:
- validationFailureAction: Enforce
+ failureAction: Enforce
 message: nginx-test needs to have 2 replicas
 pattern:
 spec:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml
index fd57acd08c..0006193306 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - CertificateSigningRequest validate: - validationFailureAction: Enforce + failureAction: Enforce message: >- CSR created by {{ request.userInfo | to_string(@) }} with ClusterRoles {{ request.clusterRoles | to_string(@) }}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing/policy.yaml
index ba10af7439..0f95300c01 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce pattern: metadata: labels:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml
index 0c796b6511..d25a1529fc 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml
@@ -12,7 +12,7 @@ spec: - Pod name: disallow-annotations validate: - validationFailureAction: Enforce + failureAction: Enforce message: One or more annotations is not allowed per the policies disallowed values list. pattern:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml
index 0741de543c..5d544b187b 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml
@@ -18,6 +18,6 @@ spec: values: - "true" validate: - validationFailureAction: Enforce + failureAction: Enforce message: "Namespace is frozen." deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml
index 76bf9e39b7..dc4df342c3 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml
@@ -19,7 +19,7 @@ spec: - kyverno - def* validate: - validationFailureAction: Enforce + failureAction: Enforce message: label 'app.kubernetes.io/name' is required pattern: metadata:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml
index a4ce233ddd..d32bc245ea 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml
@@ -21,7 +21,7 @@ spec: operator: NotEquals value: DELETE validate: - validationFailureAction: Enforce + failureAction: Enforce deny: conditions: any:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/chainsaw-step-01-apply-1-1.yaml
index 584c269dcc..68bea1a75d 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/chainsaw-step-01-apply-1-1.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/chainsaw-step-01-apply-1-1.yaml
@@ -12,7 +12,7 @@ spec: - Namespace name: check-owner validate: - validationFailureAction: Enforce + failureAction: Enforce message: The `owner` label is required for all Namespaces. pattern: metadata:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml
index a958381812..0d5fdf3ef7 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml
@@ -15,7 +15,7 @@ spec: - test-validate name: validate-nginx-test validate: - validationFailureAction: Enforce + failureAction: Enforce message: nginx-test needs to have 2 replicas pattern: spec:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml
index 13d24ec21b..947cb4a5d6 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml
@@ -22,7 +22,7 @@ spec: operator: NotEquals value: DELETE validate: - validationFailureAction: Enforce + failureAction: Enforce message: 'Test' pattern: metadata:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml
index 1e00345fbc..e752a133fc 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml
@@ -11,7 +11,7 @@ spec: kinds: - rds.aws.crossplane.io/v1alpha1/DBCluster validate: - validationFailureAction: Enforce + failureAction: Enforce message: "Final snapshot must not be skipped" pattern: spec:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml
index e9f365b4eb..a8be9c1464 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml
@@ -14,5 +14,5 @@ spec: operations: - UPDATE validate: - validationFailureAction: Enforce + failureAction: Enforce deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml
index ade62b7cc1..4c5126b0e7 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest \ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/policy.yaml
index 2243afbf4a..87813cc3ea 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy.yaml
index 58b503f29f..fa02318406 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-capabilities/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy.yaml
index d62e1d169b..332b6aa2e8 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-namespaces/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy.yaml
index a1c34996f3..6e53797fae 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-host-ports/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy.yaml
index 8d2fea91b7..de7f9567e9 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostpath-volume/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy.yaml
index a8996c6152..1ae476d0c6 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-hostprocesses/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy.yaml
index f041e3720d..b86a8e1768 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privilege-escalation/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: restricted version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy.yaml
index c7f41bd47c..fa5770de92 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-privileged-containers/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml
index db63852721..ec8425cf3f 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: restricted version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml
index b67fbe2d5f..1e9338f310 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: restricted version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml
index dc49315c5d..52dd126bac 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: restricted version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml
index de03074476..aa12e7570b 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: restricted version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml
index adb0bc488b..1536e08112 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-seccomp/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy.yaml
index d37dd88b68..5d43e6584c 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-selinux/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy.yaml
index c7736e9f9e..9ca738c0a8 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-sysctls/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: baseline version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy.yaml
index a39422d4af..769327d2b8 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-exclusion-volume-types/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce podSecurity: level: restricted version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml
index 66b778304e..bc8ba37024 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml
@@ -14,7 +14,7 @@ spec: kinds: - Deployment/scale validate: - validationFailureAction: Audit + failureAction: Audit deny: {} --- apiVersion: kyverno.io/v1
@@ -33,5 +33,5 @@ spec: kinds: - StatefulSet/scale validate: - validationFailureAction: Enforce + failureAction: Enforce deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/policy.yaml
index 3c71b12ddc..2bc1a6652c 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/policy.yaml
@@ -28,7 +28,7 @@ spec: operator: Equals value: hello validate: - validationFailureAction: Enforce + failureAction: Enforce pattern: metadata: name: '*'
diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/chainsaw-step-01-apply-1-2.yaml
index cba9280e02..a3f1601301 100755
--- a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/chainsaw-step-01-apply-1-2.yaml
+++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/chainsaw-step-01-apply-1-2.yaml
@@ -18,7 +18,7 @@ spec: operator: Equals value: '{{ request.object.data.lock || '''' }}' validate: - validationFailureAction: Enforce + failureAction: Enforce anyPattern: - data: key: abc
diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml
index fc228e7f02..d47de9c6fd 100644
--- a/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml
+++ b/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml
@@ -11,7 +11,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Enforce + failureAction: Enforce pattern: spec: containers:
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/chainsaw-step-01-apply-1-2.yaml
index 4d2560164e..1b4aa9f24d 100755
--- a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/chainsaw-step-01-apply-1-2.yaml
+++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/chainsaw-step-01-apply-1-2.yaml
@@ -11,7 +11,7 @@ spec: - acid.zalan.do/v1/postgresql name: test-rule validate: - validationFailureAction: Enforce + failureAction: Enforce message: The label app=foo is required pattern: metadata:
diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists/policy.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists/policy.yaml
index e4681293c5..638cd7695f 100644
--- a/test/conformance/chainsaw/validate/e2e/old-object-exists/policy.yaml
+++ b/test/conformance/chainsaw/validate/e2e/old-object-exists/policy.yaml
@@ -15,7 +15,7 @@ spec: kinds: - Namespace validate: - validationFailureAction: Enforce + failureAction: Enforce message: "The label `size` is required" pattern: metadata:
@@ -30,7 +30,7 @@ spec: kinds: - Namespace validate: - validationFailureAction: Enforce + failureAction: Enforce message: "request.oldObject cannot be null for update requests" deny: conditions:
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml
index c5c18f265c..1154a83228 100644
--- a/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml
+++ b/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml
@@ -19,7 +19,7 @@ spec: operator: NotEquals value: DELETE validate: - validationFailureAction: Enforce + failureAction: Enforce foreach: - context: - imageRegistry:
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml
index edd6cd828b..90c84b2984 100644
--- a/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml
+++ b/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml
@@ -13,7 +13,7 @@ spec: names: - test-* validate: - validationFailureAction: Enforce + failureAction: Enforce message: "public key modulus mismatch: \"{{ x509_decode('{{request.object.data.cert}}').PublicKey.N }}\" != \"{{ x509_decode('{{base64_decode('{{request.object.data.certB64}}')}}').PublicKey.N }}\"" deny: conditions:
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml
index 05347b3d26..173ee3715f 100644
--- a/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml
+++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml
@@ -30,7 +30,7 @@ spec: namespace: kube-system name: deployment-controller validate: - validationFailureAction: Enforce + failureAction: Enforce manifests: attestors: - entries:
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml
index 1123785487..ef1e211492 100644
--- a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Service validate: - validationFailureAction: Enforce + failureAction: Enforce manifests: attestors: - entries:
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml
index f670b248ee..c50bc76fa5 100644
--- a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml
+++ b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml
@@ -12,7 +12,7 @@ spec: kinds: - Service validate: - validationFailureAction: Enforce + failureAction: Enforce manifests: attestors: - count: 1
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml
index f710f0d678..ef1068b9d4 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml
@@ -33,7 +33,7 @@ spec: mutateDigest: true required: true verifyDigest: true - validationFailureAction: Enforce + failureAction: Enforce - match: any: - resources:
@@ -60,5 +60,5 @@ spec: mutateDigest: false required: true verifyDigest: false - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml index d25a23bafb..f09c80ae20 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml @@ -32,4 +32,4 @@ spec: verifyImages: - image: '*' key: '{{ keys.data.org }}' - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml index 290d302bf0..cb050cba98 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml @@ -35,5 +35,5 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml index 09c10a0cf0..9d2fb860c3 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml @@ -33,5 +33,5 @@ spec: ignoreTlog: true ctlog: ignoreSCT: true - validationFailureAction: Audit + failureAction: Audit webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml index 1fd9619da0..111c4acd28 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml @@ -32,7 +32,7 @@ spec: ignoreTlog: true ctlog: ignoreSCT: true - validationFailureAction: Audit + failureAction: Audit webhookConfiguration: timeoutSeconds: 30 failurePolicy: Ignore diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml index 297f6abd04..de624cc546 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml @@ -38,5 +38,5 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml index 32e4143504..0555497273 100644 
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml @@ -32,4 +32,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml index ade1c0c0fa..db61d60d4d 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml @@ -29,4 +29,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml index a8d05d48cc..19d62cd691 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml @@ -29,4 +29,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + failureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml index c6c8040c5a..a68b4d8c9a 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml @@ -32,5 +32,5 @@ spec: url: https://rekor.sigstore.dev imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml index a4fefc67bd..025f5e42c6 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml @@ -26,5 +26,5 @@ spec: url: https://rekor.sigstore.dev imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml index 5f39ff9cc5..24b10a3e5c 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml @@ -27,5 +27,5 @@ spec: imageReferences: - ghcr.io/kyverno/test-verify-image:* cosignOCI11: true - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml index 093e05501e..8333954640 100755 
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml @@ -24,5 +24,5 @@ spec: namespace: test-verify-images imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml index 7e6de3d289..878848d800 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml @@ -70,5 +70,5 @@ spec: -----END CERTIFICATE----- imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml index 5f1a1f046c..910c6af38f 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml @@ -16,7 +16,7 @@ spec: kinds: - Pod verifyImages: - - validationFailureAction: Enforce + - failureAction: Enforce imageReferences: - "ghcr.io/chipzoller/zulu*" attestations: 
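Review bot: No visible fixture still applies a policy with the old key, because the `verifyImages` entry here now reads `- failureAction: Enforce` and every other `validate` and `verifyImages` fixture in this part of the change is swapped the same way. This key selects between Enforce and Audit, so the handling of a manifest that still carries `validationFailureAction: Enforce` at this level matters. If that key were pruned or ignored instead of rejected, the rule would run with the default action, which these hunks do not show. I would keep one conformance case that applies the old spelling and asserts the intended outcome, either rejection at admission or the documented fallback. Such a case may already exist outside the visible hunks.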
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml index 93e3c7b912..9bf1070886 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-regexp/policy.yaml @@ -16,7 +16,7 @@ spec: kinds: - Pod verifyImages: - - validationFailureAction: Enforce + - failureAction: Enforce imageReferences: - "ghcr.io/chipzoller/zulu*" attestations: diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml index 556dd79837..8be01b40eb 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml @@ -33,5 +33,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml index 84fbaaa191..abe8eaa712 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml @@ -33,5 +33,5 @@ spec: predicateType: cosign.sigstore.dev/attestation/vuln/v1 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml index 24507344a3..441b74c0b0 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml @@ -33,5 +33,5 @@ spec: predicateType: cosign.sigstore.dev/attestation/vuln/v1 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml index 4b3ebbe47b..cac0a0b313 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml @@ -24,4 +24,4 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + failureAction: Enforce 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml index a938c04972..7e31accf99 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml @@ -41,5 +41,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml index e74fc35f06..7d220c8316 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml @@ -41,5 +41,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml index e8e6896d04..afcf814d34 100755 
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml @@ -40,5 +40,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml index 87ea8d8d6a..9c0b4cbdd9 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml @@ -16,7 +16,7 @@ spec: kinds: - Pod verifyImages: - - validationFailureAction: Enforce + - failureAction: Enforce imageReferences: - "ghcr.io/chipzoller/zulu:*" attestors: diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml index 2e8ecfa4f0..946b2d591e 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml @@ -25,5 +25,5 @@ spec: mutateDigest: true required: true verifyDigest: true - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml index 11666a4f0b..256dadedb9 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml @@ -25,5 +25,5 @@ spec: mutateDigest: false required: false verifyDigest: false - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml index ceae286036..3fa0cf3fe3 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml @@ -25,5 +25,5 @@ spec: mutateDigest: false required: true verifyDigest: false - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml index 70e90579c7..a8dd96a811 100755 
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml @@ -16,5 +16,5 @@ spec: mutateDigest: true required: false verifyDigest: false - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml index 07c493fee3..2264560338 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml @@ -28,5 +28,5 @@ spec: - entries: - keys: publicKeys: '{{myconfigmap.data.configmapkey}}' - validationFailureAction: Audit + failureAction: Audit webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml index 20e86fc643..bbc49104af 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml @@ -28,5 +28,5 @@ spec: - entries: - keys: publicKeys: '{{myconfigmap1.data.configmapkey}}' - validationFailureAction: Audit + failureAction: Audit webhookTimeoutSeconds: 30 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml index fefc197b9c..e24d1bc389 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml @@ -16,5 +16,5 @@ spec: mutateDigest: false required: false verifyDigest: true - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml index a704bde92c..7223d20c2e 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml @@ -51,7 +51,7 @@ spec: name: keys namespace: notary-verify-attestation verifyImages: - - validationFailureAction: Enforce + - failureAction: Enforce type: Notary imageReferences: - "ghcr.io/kyverno/test-verify-image*" diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml index 0fd56037c6..c74e726750 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml @@ -28,5 +28,5 @@ spec: secrets: - regcred type: Notary - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml index 2bd389216e..02197822c7 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml @@ -54,7 +54,7 @@ spec: - type: Notary imageReferences: - "ghcr.io/kyverno/test-verify-image*" - validationFailureAction: Enforce + failureAction: Enforce attestors: - count: 1 entries: diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml index 9de539b70f..e3838be429 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml @@ -21,7 +21,7 @@ spec: verifyImages: - imageReferences: - "ghcr.io/kyverno*" - validationFailureAction: Enforce + failureAction: Enforce attestors: - count: 1 entries: diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml index cf20a2047d..b5a32564cd 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml @@ -56,7 +56,7 @@ spec: - "ghcr.io/*" skipImageReferences: - "ghcr.io/chipzoller*" - validationFailureAction: Enforce + failureAction: Enforce attestors: - count: 1 entries: diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml index e86b47e359..33607b2ba7 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml @@ -27,5 +27,5 @@ spec: mutateDigest: false required: true verifyDigest: false - validationFailureAction: Enforce + failureAction: Enforce webhookTimeoutSeconds: 30 \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml index 7bb7cd78d3..36cec944aa 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml @@ -29,7 +29,7 @@ spec: - ghcr.io/kyverno/test-verify-image:* mutateDigest: false verifyDigest: false - validationFailureAction: Audit + failureAction: Audit - name: require-ns-purpose-label match: any: @@ -37,7 +37,7 @@ spec: kinds: - Pod validate: - validationFailureAction: Audit + failureAction: Audit message: "You must have label `purpose` with value `production` set on all new namespaces." pattern: metadata: 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml index e4b58c1710..8b7f5833bf 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml @@ -29,5 +29,5 @@ spec: - ghcr.io/kyverno/test-verify-image:* mutateDigest: false verifyDigest: false - validationFailureAction: Audit + failureAction: Audit diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml index e4b58c1710..8b7f5833bf 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml @@ -29,5 +29,5 @@ spec: - ghcr.io/kyverno/test-verify-image:* mutateDigest: false verifyDigest: false - validationFailureAction: Audit + failureAction: Audit diff --git a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml index a839c04935..2575ab10d8 100644 --- a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml +++ b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml 
@@ -22,7 +22,7 @@ spec: - Pod name: require-image-tag validate: - validationFailureAction: Enforce + failureAction: Enforce message: An image tag is required pattern: spec: @@ -35,7 +35,7 @@ spec: - Pod name: validate-image-tag validate: - validationFailureAction: Enforce + failureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: diff --git a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml index 77ae41595e..31fa9793a8 100644 --- a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml +++ b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml @@ -22,7 +22,7 @@ spec: - Pod name: require-image-tag validate: - validationFailureAction: Enforce + failureAction: Enforce message: An image tag is required pattern: spec: @@ -35,7 +35,7 @@ spec: - Pod name: validate-image-tag validate: - validationFailureAction: Enforce + failureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: diff --git a/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml b/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml index ddf7ecebcd..ae877d1430 100644 --- a/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml +++ b/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml @@ -19,7 +19,7 @@ spec: - Pod name: require-image-tag validate: - validationFailureAction: Enforce + failureAction: Enforce message: An image tag is required pattern: spec: @@ -32,7 +32,7 @@ spec: - Pod name: validate-image-tag validate: - validationFailureAction: Enforce + failureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: 
diff --git a/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml b/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml index 6fd58805c9..ba6674178b 100644 --- a/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml +++ b/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml @@ -21,7 +21,7 @@ spec: - Pod name: require-image-tag validate: - validationFailureAction: Enforce + failureAction: Enforce message: An image tag is required pattern: spec: @@ -34,7 +34,7 @@ spec: - Pod name: validate-image-tag validate: - validationFailureAction: Enforce + failureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: diff --git a/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml b/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml index aa3fa09772..39fabb4765 100644 --- a/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml +++ b/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml @@ -20,7 +20,7 @@ spec: - Pod name: require-image-tag validate: - validationFailureAction: Enforce + failureAction: Enforce message: An image tag is required pattern: spec: @@ -33,7 +33,7 @@ spec: - Pod name: validate-image-tag validate: - validationFailureAction: Enforce + failureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: diff --git a/test/conformance/chainsaw/webhooks/all-scale/policy.yaml b/test/conformance/chainsaw/webhooks/all-scale/policy.yaml index a749f0c98b..5a0d3a7bfa 100644 --- a/test/conformance/chainsaw/webhooks/all-scale/policy.yaml +++ b/test/conformance/chainsaw/webhooks/all-scale/policy.yaml 
@@ -14,7 +14,7 @@ spec:
 kinds:
 - '*/scale'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml b/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml
index 7c61ceb47e..8f97fc1ba2 100644
--- a/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - '*'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml b/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml
index 9519318229..bbd1c64812 100644
--- a/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - '*/*'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml
index 7f5f8b8fc8..9d911cd4e6 100644
--- a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml
+++ b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml
@@ -16,7 +16,7 @@ spec:
 operations:
 - CREATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml
index 7f5f8b8fc8..9d911cd4e6 100644
--- a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml
@@ -16,7 +16,7 @@ spec:
 operations:
 - CREATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml
index c442cf70c3..00da47731b 100644
--- a/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml
@@ -19,7 +19,7 @@ spec:
 operations:
 - DELETE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
@@ -44,7 +44,7 @@ spec:
 operations:
 - CREATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `match` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml
index 7f5f8b8fc8..9d911cd4e6 100644
--- a/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml
@@ -16,7 +16,7 @@ spec:
 operations:
 - CREATE
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/only-pod/policy.yaml b/test/conformance/chainsaw/webhooks/only-pod/policy.yaml
index 6ff29ed068..ab06266dc7 100644
--- a/test/conformance/chainsaw/webhooks/only-pod/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/only-pod/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml
index 5fc38af611..0c6435ca4c 100644
--- a/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - Pod/*
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml
index 635d737a10..437b85f889 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - 'CustomResourceDefinition'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml
index 1100d8fc21..c2450df56a 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - 'ConfigMap'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml
index 42efff1770..7a05a7fae0 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml
@@ -15,7 +15,7 @@ spec:
 - 'ConfigMap'
 - 'CustomResourceDefinition'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml
index 6cb24c7968..6692140693 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - 'ConfigMap'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml
index 9fcbad1a0d..c690299f98 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - 'Secret'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml
index 6cb24c7968..6692140693 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - 'ConfigMap'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml
index 3a8073437f..ae0020aad5 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - 'ConfigMap'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml
index 7c61ceb47e..8f97fc1ba2 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - '*'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml
index 2d58a03902..9c51e01f64 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - '*'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml
index 150b643e56..6121a7094e 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - 'CustomResourceDefinition'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml
index d4cd9e81b1..3345cc4636 100644
--- a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - 'Deployment'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml
index 1100d8fc21..c2450df56a 100644
--- a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - 'ConfigMap'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml
index 7c61ceb47e..8f97fc1ba2 100644
--- a/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - '*'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy/policy.yaml b/test/conformance/chainsaw/webhooks/policy/policy.yaml
index 2d58a03902..9c51e01f64 100644
--- a/test/conformance/chainsaw/webhooks/policy/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - '*'
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/scale/policy.yaml b/test/conformance/chainsaw/webhooks/scale/policy.yaml
index 8ea3b6dd9a..ffda5f4274 100644
--- a/test/conformance/chainsaw/webhooks/scale/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/scale/policy.yaml
@@ -14,7 +14,7 @@ spec:
 kinds:
 - Scale
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml
index 05f5aecfa4..4a95000660 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Foo
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml
index e658e6658a..33bdef562e 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Foo/*
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml
index f3fa8dde6e..35c8939426 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - v2/Pod
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata:
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml
index 28d8aa6dc2..cd82fe9af8 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml
@@ -12,7 +12,7 @@ spec:
 kinds:
 - Pod/foo
 validate:
- validationFailureAction: Audit
+ failureAction: Audit
 message: 'The label `team` is required.'
 pattern:
 metadata: