mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-15 12:17:56 +00:00
Code Activity

chore: rename validationFailureAction to failureAction under the rule (#10893)

Browse source 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-08-27 23:07:57 +03:00 committed by GitHub
parent ee5fdcad47
commit 2140a0239b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
427 changed files with 3478 additions and 3478 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
api/kyverno/v1/common_types.go
View file

@ -451,18 +451,18 @@ func (m *ForEachMutation) SetPatchStrategicMerge(in any) {
// Validation defines checks to be performed on matching resources. // Validation defines checks to be performed on matching resources.
type Validation struct { type Validation struct {
// ValidationFailureAction defines if a validation policy rule violation should block // FailureAction defines if a validation policy rule violation should block
// the admission review request (Enforce), or allow (Audit) the admission review request // the admission review request (Enforce), or allow (Audit) the admission review request
// and report an error in a policy report. Optional. // and report an error in a policy report. Optional.
// Allowed values are Audit or Enforce. // Allowed values are Audit or Enforce.
// +optional // +optional
// +kubebuilder:validation:Enum=Audit;Enforce // +kubebuilder:validation:Enum=Audit;Enforce
ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` FailureAction *ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction // FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces. // namespace-wise. It overrides FailureAction for the specified namespaces.
// +optional // +optional
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` FailureActionOverrides []ValidationFailureActionOverride `json:"failureActionOverrides,omitempty" yaml:"failureActionOverrides,omitempty"`
// Message specifies a custom message to be displayed on failure. // Message specifies a custom message to be displayed on failure.
// +optional // +optional

2
api/kyverno/v1/image_verification_types.go
View file

@ -44,7 +44,7 @@ type ImageVerification struct {
// Allowed values are Audit or Enforce. // Allowed values are Audit or Enforce.
// +optional // +optional
// +kubebuilder:validation:Enum=Audit;Enforce // +kubebuilder:validation:Enum=Audit;Enforce
ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` FailureAction *ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
// Type specifies the method of signature validation. The allowed options // Type specifies the method of signature validation. The allowed options
// are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified. // are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.

2
api/kyverno/v1/spec_types.go
View file

@ -175,7 +175,7 @@ func (s *Spec) HasValidate() bool {
func (s *Spec) HasValidateEnforce() bool { func (s *Spec) HasValidateEnforce() bool {
for _, rule := range s.Rules { for _, rule := range s.Rules {
if rule.HasValidate() { if rule.HasValidate() {
action := rule.Validation.ValidationFailureAction action := rule.Validation.FailureAction
if action != nil && action.Enforce() { if action != nil && action.Enforce() {
return true return true
} }

12
api/kyverno/v1/zz_generated.deepcopy.go
View file

@ -846,8 +846,8 @@ func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
*out = *in *out = *in
if in.ValidationFailureAction != nil { if in.FailureAction != nil {
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction in, out := &in.FailureAction, &out.FailureAction
*out = new(ValidationFailureAction) *out = new(ValidationFailureAction)
**out = **in **out = **in
} }
@ -1637,13 +1637,13 @@ func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicy
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Validation) DeepCopyInto(out *Validation) { func (in *Validation) DeepCopyInto(out *Validation) {
*out = *in *out = *in
if in.ValidationFailureAction != nil { if in.FailureAction != nil {
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction in, out := &in.FailureAction, &out.FailureAction
*out = new(ValidationFailureAction) *out = new(ValidationFailureAction)
**out = **in **out = **in
} }
if in.ValidationFailureActionOverrides != nil { if in.FailureActionOverrides != nil {
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides in, out := &in.FailureActionOverrides, &out.FailureActionOverrides
*out = make([]ValidationFailureActionOverride, len(*in)) *out = make([]ValidationFailureActionOverride, len(*in))
for i := range *in { for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i]) (*in)[i].DeepCopyInto(&(*out)[i])

10
api/kyverno/v2beta1/common_types.go
View file

@ -11,18 +11,18 @@ type AssertionTree = kjson.Any
// Validation defines checks to be performed on matching resources. // Validation defines checks to be performed on matching resources.
type Validation struct { type Validation struct {
// ValidationFailureAction defines if a validation policy rule violation should block // FailureAction defines if a validation policy rule violation should block
// the admission review request (Enforce), or allow (Audit) the admission review request // the admission review request (Enforce), or allow (Audit) the admission review request
// and report an error in a policy report. Optional. // and report an error in a policy report. Optional.
// Allowed values are Audit or Enforce. // Allowed values are Audit or Enforce.
// +optional // +optional
// +kubebuilder:validation:Enum=Audit;Enforce // +kubebuilder:validation:Enum=Audit;Enforce
ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction // FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces. // namespace-wise. It overrides FailureAction for the specified namespaces.
// +optional // +optional
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` FailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"failureActionOverrides,omitempty" yaml:"failureActionOverrides,omitempty"`
// Message specifies a custom message to be displayed on failure. // Message specifies a custom message to be displayed on failure.
// +optional // +optional

2
api/kyverno/v2beta1/image_verification_types.go
View file

@ -12,7 +12,7 @@ type ImageVerification struct {
// Allowed values are Audit or Enforce. // Allowed values are Audit or Enforce.
// +optional // +optional
// +kubebuilder:validation:Enum=Audit;Enforce // +kubebuilder:validation:Enum=Audit;Enforce
ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
// Type specifies the method of signature validation. The allowed options // Type specifies the method of signature validation. The allowed options
// are Cosign and Notary. By default Cosign is used if a type is not specified. // are Cosign and Notary. By default Cosign is used if a type is not specified.

2
api/kyverno/v2beta1/spec_types.go
View file

@ -139,7 +139,7 @@ func (s *Spec) HasValidate() bool {
func (s *Spec) HasValidateEnforce() bool { func (s *Spec) HasValidateEnforce() bool {
for _, rule := range s.Rules { for _, rule := range s.Rules {
if rule.HasValidate() { if rule.HasValidate() {
action := rule.Validation.ValidationFailureAction action := rule.Validation.FailureAction
if action != nil && action.Enforce() { if action != nil && action.Enforce() {
return true return true
} }

12
api/kyverno/v2beta1/zz_generated.deepcopy.go
View file

@ -368,8 +368,8 @@ func (in *Exception) DeepCopy() *Exception {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
*out = *in *out = *in
if in.ValidationFailureAction != nil { if in.FailureAction != nil {
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction in, out := &in.FailureAction, &out.FailureAction
*out = new(v1.ValidationFailureAction) *out = new(v1.ValidationFailureAction)
**out = **in **out = **in
} }
@ -833,13 +833,13 @@ func (in *Spec) DeepCopy() *Spec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Validation) DeepCopyInto(out *Validation) { func (in *Validation) DeepCopyInto(out *Validation) {
*out = *in *out = *in
if in.ValidationFailureAction != nil { if in.FailureAction != nil {
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction in, out := &in.FailureAction, &out.FailureAction
*out = new(v1.ValidationFailureAction) *out = new(v1.ValidationFailureAction)
**out = **in **out = **in
} }
if in.ValidationFailureActionOverrides != nil { if in.FailureActionOverrides != nil {
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides in, out := &in.FailureActionOverrides, &out.FailureActionOverrides
*out = make([]v1.ValidationFailureActionOverride, len(*in)) *out = make([]v1.ValidationFailureActionOverride, len(*in))
for i := range *in { for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i]) (*in)[i].DeepCopyInto(&(*out)[i])

696
charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
View file

@ -3099,6 +3099,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -3842,87 +3923,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4611,6 +4611,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -4707,12 +4713,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -7902,6 +7902,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -8657,87 +8738,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -9440,6 +9440,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -9537,12 +9543,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have
@ -12523,6 +12523,87 @@ spec:
type: array type: array
type: object type: object
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -13266,87 +13347,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -14019,6 +14019,12 @@ spec:
type: array type: array
type: object type: object
type: array type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences: imageReferences:
description: |- description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14100,12 +14106,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule responses for this rule
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -17295,6 +17295,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -18050,87 +18131,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -18833,6 +18833,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -18930,12 +18936,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have

696
charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml
View file

@ -3100,6 +3100,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -3843,87 +3924,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4612,6 +4612,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -4708,12 +4714,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -7904,6 +7904,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -8659,87 +8740,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -9442,6 +9442,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -9539,12 +9545,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have
@ -12526,6 +12526,87 @@ spec:
type: array type: array
type: object type: object
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -13269,87 +13350,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -14022,6 +14022,12 @@ spec:
type: array type: array
type: object type: object
type: array type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences: imageReferences:
description: |- description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14103,12 +14109,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule responses for this rule
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -17298,6 +17298,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -18053,87 +18134,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -18836,6 +18836,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -18933,12 +18939,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have

2
cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml
View file

@ -34,7 +34,7 @@ spec:
kinds: kinds:
- Namespace - Namespace
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
message: "You must have label 'purpose' with value 'production' set on all new namespaces." message: "You must have label 'purpose' with value 'production' set on all new namespaces."
pattern: pattern:
metadata: metadata:

4
cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml
View file

@ -18,7 +18,7 @@ spec:
- Pod - Pod
name: pods-require-account name: pods-require-account
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: User pods must include an account for charging message: User pods must include an account for charging
pattern: pattern:
metadata: metadata:
@ -31,7 +31,7 @@ spec:
- Pod - Pod
name: pods-require-limits name: pods-require-limits
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: CPU and memory resource requests and limits are required for user pods message: CPU and memory resource requests and limits are required for user pods
pattern: pattern:
spec: spec:

4
cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml
View file

@ -18,7 +18,7 @@ spec:
- Pod - Pod
name: pods-require-account name: pods-require-account
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: User pods must include an account for charging message: User pods must include an account for charging
pattern: pattern:
metadata: metadata:
@ -31,7 +31,7 @@ spec:
- Pod - Pod
name: pods-require-limits name: pods-require-limits
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: CPU and memory resource requests and limits are required for user pods message: CPU and memory resource requests and limits are required for user pods
pattern: pattern:
spec: spec:

2
cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml
View file

@ -32,4 +32,4 @@ spec:
required: true required: true
useCache: true useCache: true
verifyDigest: true verifyDigest: true
validationFailureAction: Audit failureAction: Audit

2
cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml
View file

@ -56,4 +56,4 @@ spec:
- CREATE - CREATE
message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}}
resource is protected. Admin or allowed users can change the resource' resource is protected. Admin or allowed users can change the resource'
validationFailureAction: Audit failureAction: Audit

4
cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml
View file

@ -18,7 +18,7 @@ spec:
- Pod - Pod
name: pods-require-account name: pods-require-account
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: User pods must include an account for charging message: User pods must include an account for charging
pattern: pattern:
metadata: metadata:
@ -42,4 +42,4 @@ spec:
requests: requests:
cpu: ?* cpu: ?*
memory: ?* memory: ?*
validationFailureAction: Audit failureAction: Audit

2
cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml
View file

@ -30,7 +30,7 @@ spec:
kinds: kinds:
- Pod - Pod
validate: validate:
validationFailureAction: audit failureAction: audit
message: CPU and memory resource requests and limits are required for user pods message: CPU and memory resource requests and limits are required for user pods
pattern: pattern:
spec: spec:

4
cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml
View file

@ -19,7 +19,7 @@ spec:
- Pod - Pod
name: pods-require-account name: pods-require-account
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: User pods must include an account for charging message: User pods must include an account for charging
pattern: pattern:
metadata: metadata:
@ -32,7 +32,7 @@ spec:
- Pod - Pod
name: pods-require-limits name: pods-require-limits
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: CPU and memory resource requests and limits are required for user pods message: CPU and memory resource requests and limits are required for user pods
pattern: pattern:
spec: spec:

2
cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml
View file

@ -20,4 +20,4 @@ spec:
podSecurity: podSecurity:
level: restricted level: restricted
version: latest version: latest
validationFailureAction: Audit failureAction: Audit

696
cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
View file

@ -3093,6 +3093,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -3836,87 +3917,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4605,6 +4605,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -4701,12 +4707,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -7896,6 +7896,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -8651,87 +8732,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -9434,6 +9434,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -9531,12 +9537,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have
@ -12517,6 +12517,87 @@ spec:
type: array type: array
type: object type: object
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -13260,87 +13341,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -14013,6 +14013,12 @@ spec:
type: array type: array
type: object type: object
type: array type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences: imageReferences:
description: |- description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14094,12 +14100,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule responses for this rule
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -17289,6 +17289,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -18044,87 +18125,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -18827,6 +18827,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -18924,12 +18930,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have

696
cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
View file

@ -3094,6 +3094,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -3837,87 +3918,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4606,6 +4606,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -4702,12 +4708,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -7898,6 +7898,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -8653,87 +8734,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -9436,6 +9436,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -9533,12 +9539,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have
@ -12520,6 +12520,87 @@ spec:
type: array type: array
type: object type: object
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -13263,87 +13344,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -14016,6 +14016,12 @@ spec:
type: array type: array
type: object type: object
type: array type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences: imageReferences:
description: |- description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14097,12 +14103,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule responses for this rule
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -17292,6 +17292,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -18047,87 +18128,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -18830,6 +18830,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -18927,12 +18933,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have

696
config/crds/kyverno/kyverno.io_clusterpolicies.yaml
View file

@ -3093,6 +3093,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -3836,87 +3917,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4605,6 +4605,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -4701,12 +4707,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -7896,6 +7896,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -8651,87 +8732,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -9434,6 +9434,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -9531,12 +9537,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have
@ -12517,6 +12517,87 @@ spec:
type: array type: array
type: object type: object
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -13260,87 +13341,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -14013,6 +14013,12 @@ spec:
type: array type: array
type: object type: object
type: array type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences: imageReferences:
description: |- description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14094,12 +14100,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule responses for this rule
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -17289,6 +17289,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -18044,87 +18125,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -18827,6 +18827,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -18924,12 +18930,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have

696
config/crds/kyverno/kyverno.io_policies.yaml
View file

@ -3094,6 +3094,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -3837,87 +3918,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4606,6 +4606,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -4702,12 +4708,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -7898,6 +7898,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -8653,87 +8734,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -9436,6 +9436,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -9533,12 +9539,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have
@ -12520,6 +12520,87 @@ spec:
type: array type: array
type: object type: object
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list of description: ForEach applies validate rules to a list of
sub-elements by creating a context for each entry in the sub-elements by creating a context for each entry in the
@ -13263,87 +13344,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -14016,6 +14016,12 @@ spec:
type: array type: array
type: object type: object
type: array type: array
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
imageReferences: imageReferences:
description: |- description: |-
ImageReferences is a list of matching image reference patterns. At least one pattern in the ImageReferences is a list of matching image reference patterns. At least one pattern in the
@ -14097,12 +14103,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule responses for this rule
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have a description: VerifyDigest validates that images have a
@ -17292,6 +17292,87 @@ spec:
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
x-kubernetes-preserve-unknown-fields: true x-kubernetes-preserve-unknown-fields: true
type: object type: object
failureAction:
description: |-
FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
description: |-
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides FailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach: foreach:
description: ForEach applies validate rules to a list description: ForEach applies validate rules to a list
of sub-elements by creating a context for each entry of sub-elements by creating a context for each entry
@ -18047,87 +18128,6 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -18830,6 +18830,12 @@ spec:
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
Defaults to false. Defaults to false.
type: boolean type: boolean
failureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
image: image:
description: Deprecated. Use ImageReferences instead. description: Deprecated. Use ImageReferences instead.
type: string type: string
@ -18927,12 +18933,6 @@ spec:
description: UseCache enables caching of image verify description: UseCache enables caching of image verify
responses for this rule. responses for this rule.
type: boolean type: boolean
validationFailureAction:
description: Allowed values are Audit or Enforce.
enum:
- Audit
- Enforce
type: string
verifyDigest: verifyDigest:
default: true default: true
description: VerifyDigest validates that images have description: VerifyDigest validates that images have

1392
config/install-latest-testing.yaml
View file

File diff suppressed because it is too large Load diff

24
docs/user/crd/index.html
View file

@ -2509,7 +2509,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
<tbody> <tbody>
<tr> <tr>
<td> <td>
<code>validationFailureAction</code><br/> <code>failureAction</code><br/>
<em> <em>
<a href="#kyverno.io/v1.ValidationFailureAction"> <a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction ValidationFailureAction
@ -4619,7 +4619,7 @@ It is an empty string when validating admission policy is successfully generated
<tbody> <tbody>
<tr> <tr>
<td> <td>
<code>validationFailureAction</code><br/> <code>failureAction</code><br/>
<em> <em>
<a href="#kyverno.io/v1.ValidationFailureAction"> <a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction ValidationFailureAction
@ -4628,7 +4628,7 @@ ValidationFailureAction
</td> </td>
<td> <td>
<em>(Optional)</em> <em>(Optional)</em>
<p>ValidationFailureAction defines if a validation policy rule violation should block <p>FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional. and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.</p> Allowed values are Audit or Enforce.</p>
@ -4636,7 +4636,7 @@ Allowed values are Audit or Enforce.</p>
</tr> </tr>
<tr> <tr>
<td> <td>
<code>validationFailureActionOverrides</code><br/> <code>failureActionOverrides</code><br/>
<em> <em>
<a href="#kyverno.io/v1.ValidationFailureActionOverride"> <a href="#kyverno.io/v1.ValidationFailureActionOverride">
[]ValidationFailureActionOverride []ValidationFailureActionOverride
@ -4645,8 +4645,8 @@ Allowed values are Audit or Enforce.</p>
</td> </td>
<td> <td>
<em>(Optional)</em> <em>(Optional)</em>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction <p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p> namespace-wise. It overrides FailureAction for the specified namespaces.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -8640,7 +8640,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
<tbody> <tbody>
<tr> <tr>
<td> <td>
<code>validationFailureAction</code><br/> <code>failureAction</code><br/>
<em> <em>
<a href="#kyverno.io/v1.ValidationFailureAction"> <a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction ValidationFailureAction
@ -9523,7 +9523,7 @@ WebhookConfiguration
<tbody> <tbody>
<tr> <tr>
<td> <td>
<code>validationFailureAction</code><br/> <code>failureAction</code><br/>
<em> <em>
<a href="#kyverno.io/v1.ValidationFailureAction"> <a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction ValidationFailureAction
@ -9532,7 +9532,7 @@ ValidationFailureAction
</td> </td>
<td> <td>
<em>(Optional)</em> <em>(Optional)</em>
<p>ValidationFailureAction defines if a validation policy rule violation should block <p>FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional. and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.</p> Allowed values are Audit or Enforce.</p>
@ -9540,7 +9540,7 @@ Allowed values are Audit or Enforce.</p>
</tr> </tr>
<tr> <tr>
<td> <td>
<code>validationFailureActionOverrides</code><br/> <code>failureActionOverrides</code><br/>
<em> <em>
<a href="#kyverno.io/v1.ValidationFailureActionOverride"> <a href="#kyverno.io/v1.ValidationFailureActionOverride">
[]ValidationFailureActionOverride []ValidationFailureActionOverride
@ -9549,8 +9549,8 @@ Allowed values are Audit or Enforce.</p>
</td> </td>
<td> <td>
<em>(Optional)</em> <em>(Optional)</em>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction <p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p> namespace-wise. It overrides FailureAction for the specified namespaces.</p>
</td> </td>
</tr> </tr>
<tr> <tr>

12
docs/user/crd/kyverno.v1.html
View file

@ -4945,7 +4945,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
<tr> <tr>
<td><code>validationFailureAction</code> <td><code>failureAction</code>
</br> </br>
@ -9285,7 +9285,7 @@ It is an empty string when validating admission policy is successfully generated
<tr> <tr>
<td><code>validationFailureAction</code> <td><code>failureAction</code>
</br> </br>
@ -9301,7 +9301,7 @@ It is an empty string when validating admission policy is successfully generated
<td> <td>
<p>ValidationFailureAction defines if a validation policy rule violation should block <p>FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional. and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.</p> Allowed values are Audit or Enforce.</p>
@ -9317,7 +9317,7 @@ Allowed values are Audit or Enforce.</p>
<tr> <tr>
<td><code>validationFailureActionOverrides</code> <td><code>failureActionOverrides</code>
</br> </br>
@ -9333,8 +9333,8 @@ Allowed values are Audit or Enforce.</p>
<td> <td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction <p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p> namespace-wise. It overrides FailureAction for the specified namespaces.</p>

12
docs/user/crd/kyverno.v2beta1.html
View file

@ -2774,7 +2774,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
<tr> <tr>
<td><code>validationFailureAction</code> <td><code>failureAction</code>
</br> </br>
@ -4550,7 +4550,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<tr> <tr>
<td><code>validationFailureAction</code> <td><code>failureAction</code>
</br> </br>
@ -4566,7 +4566,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<td> <td>
<p>ValidationFailureAction defines if a validation policy rule violation should block <p>FailureAction defines if a validation policy rule violation should block
the admission review request (Enforce), or allow (Audit) the admission review request the admission review request (Enforce), or allow (Audit) the admission review request
and report an error in a policy report. Optional. and report an error in a policy report. Optional.
Allowed values are Audit or Enforce.</p> Allowed values are Audit or Enforce.</p>
@ -4582,7 +4582,7 @@ Allowed values are Audit or Enforce.</p>
<tr> <tr>
<td><code>validationFailureActionOverrides</code> <td><code>failureActionOverrides</code>
</br> </br>
@ -4598,8 +4598,8 @@ Allowed values are Audit or Enforce.</p>
<td> <td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction <p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p> namespace-wise. It overrides FailureAction for the specified namespaces.</p>

6
pkg/autogen/autogen_test.go
View file

@ -242,7 +242,7 @@ func Test_GetSupportedControllers(t *testing.T) {
}, },
{ {
name: "rule-with-validate-podsecurity", name: "rule-with-validate-podsecurity",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`), policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"failureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`),
expectedControllers: PodControllers, expectedControllers: PodControllers,
}, },
} }
@ -539,7 +539,7 @@ kA==
} }
func Test_PodSecurityWithNoExceptions(t *testing.T) { func Test_PodSecurityWithNoExceptions(t *testing.T) {
policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`) policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"failureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`)
policies, _, _, err := yamlutils.GetPolicy([]byte(policy)) policies, _, _, err := yamlutils.GetPolicy([]byte(policy))
assert.NilError(t, err) assert.NilError(t, err)
assert.Equal(t, 1, len(policies)) assert.Equal(t, 1, len(policies))
@ -573,7 +573,7 @@ func Test_ValidateWithCELExpressions(t *testing.T) {
] ]
}, },
"validate": { "validate": {
"validationFailureAction": "Enforce", "failureAction": "Enforce",
"cel": { "cel": {
"expressions": [ "expressions": [
{ {

40
pkg/autogen/rule.go
View file

@ -129,9 +129,9 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
} }
if target := rule.Validation.GetPattern(); target != nil { if target := rule.Validation.GetPattern(); target != nil {
newValidate := kyvernov1.Validation{ newValidate := kyvernov1.Validation{
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"), Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
ValidationFailureAction: rule.Validation.ValidationFailureAction, FailureAction: rule.Validation.FailureAction,
ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides, FailureActionOverrides: rule.Validation.FailureActionOverrides,
} }
newValidate.SetPattern( newValidate.SetPattern(
map[string]interface{}{ map[string]interface{}{
@ -145,10 +145,10 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
} }
if rule.Validation.Deny != nil { if rule.Validation.Deny != nil {
deny := kyvernov1.Validation{ deny := kyvernov1.Validation{
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"), Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"),
Deny: rule.Validation.Deny, Deny: rule.Validation.Deny,
ValidationFailureAction: rule.Validation.ValidationFailureAction, FailureAction: rule.Validation.FailureAction,
ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides, FailureActionOverrides: rule.Validation.FailureActionOverrides,
} }
rule.Validation = deny rule.Validation = deny
return rule return rule
@ -163,8 +163,8 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
Version: rule.Validation.PodSecurity.Version, Version: rule.Validation.PodSecurity.Version,
Exclude: newExclude, Exclude: newExclude,
}, },
ValidationFailureAction: rule.Validation.ValidationFailureAction, FailureAction: rule.Validation.FailureAction,
ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides, FailureActionOverrides: rule.Validation.FailureActionOverrides,
} }
rule.Validation = podSecurity rule.Validation = podSecurity
return rule return rule
@ -183,12 +183,12 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
} }
patterns = append(patterns, newPattern) patterns = append(patterns, newPattern)
} }
validationFailureAction := rule.Validation.ValidationFailureAction failureAction := rule.Validation.FailureAction
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides failureActionOverrides := rule.Validation.FailureActionOverrides
rule.Validation = kyvernov1.Validation{ rule.Validation = kyvernov1.Validation{
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"), Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"),
ValidationFailureAction: validationFailureAction, FailureAction: failureAction,
ValidationFailureActionOverrides: validationFailureActionOverrides, FailureActionOverrides: failureActionOverrides,
} }
rule.Validation.SetAnyPattern(patterns) rule.Validation.SetAnyPattern(patterns)
return rule return rule
@ -196,13 +196,13 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
if len(rule.Validation.ForEachValidation) > 0 && rule.Validation.ForEachValidation != nil { if len(rule.Validation.ForEachValidation) > 0 && rule.Validation.ForEachValidation != nil {
newForeachValidate := make([]kyvernov1.ForEachValidation, len(rule.Validation.ForEachValidation)) newForeachValidate := make([]kyvernov1.ForEachValidation, len(rule.Validation.ForEachValidation))
copy(newForeachValidate, rule.Validation.ForEachValidation) copy(newForeachValidate, rule.Validation.ForEachValidation)
validationFailureAction := rule.Validation.ValidationFailureAction failureAction := rule.Validation.FailureAction
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides failureActionOverrides := rule.Validation.FailureActionOverrides
rule.Validation = kyvernov1.Validation{ rule.Validation = kyvernov1.Validation{
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"), Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
ForEachValidation: newForeachValidate, ForEachValidation: newForeachValidate,
ValidationFailureAction: validationFailureAction, FailureAction: failureAction,
ValidationFailureActionOverrides: validationFailureActionOverrides, FailureActionOverrides: failureActionOverrides,
} }
return rule return rule
} }

10
pkg/client/applyconfigurations/kyverno/v1/imageverification.go
View file

@ -25,7 +25,7 @@ import (
// ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use // ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use
// with apply. // with apply.
type ImageVerificationApplyConfiguration struct { type ImageVerificationApplyConfiguration struct {
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"` FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
Type *v1.ImageVerificationType `json:"type,omitempty"` Type *v1.ImageVerificationType `json:"type,omitempty"`
Image *string `json:"image,omitempty"` Image *string `json:"image,omitempty"`
ImageReferences []string `json:"imageReferences,omitempty"` ImageReferences []string `json:"imageReferences,omitempty"`
@ -53,11 +53,11 @@ func ImageVerification() *ImageVerificationApplyConfiguration {
return &ImageVerificationApplyConfiguration{} return &ImageVerificationApplyConfiguration{}
} }
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value // WithFailureAction sets the FailureAction field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations. // and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ValidationFailureAction field is set to the value of the last call. // If called multiple times, the FailureAction field is set to the value of the last call.
func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration { func (b *ImageVerificationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
b.ValidationFailureAction = &value b.FailureAction = &value
return b return b
} }

40
pkg/client/applyconfigurations/kyverno/v1/validation.go
View file

@ -27,17 +27,17 @@ import (
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use // ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
// with apply. // with apply.
type ValidationApplyConfiguration struct { type ValidationApplyConfiguration struct {
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"` FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
ValidationFailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"` FailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"failureActionOverrides,omitempty"`
Message *string `json:"message,omitempty"` Message *string `json:"message,omitempty"`
Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"` Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"` ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"` RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"` RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
Deny *DenyApplyConfiguration `json:"deny,omitempty"` Deny *DenyApplyConfiguration `json:"deny,omitempty"`
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"` PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
CEL *CELApplyConfiguration `json:"cel,omitempty"` CEL *CELApplyConfiguration `json:"cel,omitempty"`
Assert *v1alpha1.Any `json:"assert,omitempty"` Assert *v1alpha1.Any `json:"assert,omitempty"`
} }
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with // ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@ -46,23 +46,23 @@ func Validation() *ValidationApplyConfiguration {
return &ValidationApplyConfiguration{} return &ValidationApplyConfiguration{}
} }
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value // WithFailureAction sets the FailureAction field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations. // and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ValidationFailureAction field is set to the value of the last call. // If called multiple times, the FailureAction field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration { func (b *ValidationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
b.ValidationFailureAction = &value b.FailureAction = &value
return b return b
} }
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration // WithFailureActionOverrides adds the given value to the FailureActionOverrides field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations. // and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field. // If called multiple times, values provided by each call will be appended to the FailureActionOverrides field.
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration { func (b *ValidationApplyConfiguration) WithFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
for i := range values { for i := range values {
if values[i] == nil { if values[i] == nil {
panic("nil value passed to WithValidationFailureActionOverrides") panic("nil value passed to WithFailureActionOverrides")
} }
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i]) b.FailureActionOverrides = append(b.FailureActionOverrides, *values[i])
} }
return b return b
} }

10
pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go
View file

@ -26,7 +26,7 @@ import (
// ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use // ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use
// with apply. // with apply.
type ImageVerificationApplyConfiguration struct { type ImageVerificationApplyConfiguration struct {
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"` FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
Type *v1.ImageVerificationType `json:"type,omitempty"` Type *v1.ImageVerificationType `json:"type,omitempty"`
ImageReferences []string `json:"imageReferences,omitempty"` ImageReferences []string `json:"imageReferences,omitempty"`
SkipImageReferences []string `json:"skipImageReferences,omitempty"` SkipImageReferences []string `json:"skipImageReferences,omitempty"`
@ -46,11 +46,11 @@ func ImageVerification() *ImageVerificationApplyConfiguration {
return &ImageVerificationApplyConfiguration{} return &ImageVerificationApplyConfiguration{}
} }
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value // WithFailureAction sets the FailureAction field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations. // and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ValidationFailureAction field is set to the value of the last call. // If called multiple times, the FailureAction field is set to the value of the last call.
func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration { func (b *ImageVerificationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
b.ValidationFailureAction = &value b.FailureAction = &value
return b return b
} }

40
pkg/client/applyconfigurations/kyverno/v2beta1/validation.go
View file

@ -28,17 +28,17 @@ import (
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use // ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
// with apply. // with apply.
type ValidationApplyConfiguration struct { type ValidationApplyConfiguration struct {
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"` FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"` FailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"failureActionOverrides,omitempty"`
Message *string `json:"message,omitempty"` Message *string `json:"message,omitempty"`
Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"` Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"` ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
RawPattern *kyverno.Any `json:"pattern,omitempty"` RawPattern *kyverno.Any `json:"pattern,omitempty"`
RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty"` RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty"`
Deny *DenyApplyConfiguration `json:"deny,omitempty"` Deny *DenyApplyConfiguration `json:"deny,omitempty"`
PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"` PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"` CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"`
Assert *v1alpha1.Any `json:"assert,omitempty"` Assert *v1alpha1.Any `json:"assert,omitempty"`
} }
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with // ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@ -47,23 +47,23 @@ func Validation() *ValidationApplyConfiguration {
return &ValidationApplyConfiguration{} return &ValidationApplyConfiguration{}
} }
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value // WithFailureAction sets the FailureAction field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations. // and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ValidationFailureAction field is set to the value of the last call. // If called multiple times, the FailureAction field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration { func (b *ValidationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
b.ValidationFailureAction = &value b.FailureAction = &value
return b return b
} }
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration // WithFailureActionOverrides adds the given value to the FailureActionOverrides field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations. // and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field. // If called multiple times, values provided by each call will be appended to the FailureActionOverrides field.
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration { func (b *ValidationApplyConfiguration) WithFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
for i := range values { for i := range values {
if values[i] == nil { if values[i] == nil {
panic("nil value passed to WithValidationFailureActionOverrides") panic("nil value passed to WithFailureActionOverrides")
} }
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i]) b.FailureActionOverrides = append(b.FailureActionOverrides, *values[i])
} }
return b return b
} }

10
pkg/engine/api/engineresponse.go
View file

@ -201,7 +201,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
spec := pol.AsKyvernoPolicy().GetSpec() spec := pol.AsKyvernoPolicy().GetSpec()
for _, r := range spec.Rules { for _, r := range spec.Rules {
if r.HasValidate() { if r.HasValidate() {
for _, v := range r.Validation.ValidationFailureActionOverrides { for _, v := range r.Validation.FailureActionOverrides {
if !v.Action.IsValid() { if !v.Action.IsValid() {
continue continue
} }
@ -224,12 +224,12 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
} }
} }
if r.Validation.ValidationFailureAction != nil { if r.Validation.FailureAction != nil {
return *r.Validation.ValidationFailureAction return *r.Validation.FailureAction
} }
} else if r.HasVerifyImages() { } else if r.HasVerifyImages() {
if r.VerifyImages[0].ValidationFailureAction != nil { if r.VerifyImages[0].FailureAction != nil {
return *r.VerifyImages[0].ValidationFailureAction return *r.VerifyImages[0].FailureAction
} }
} }
} }

44
pkg/engine/api/engineresponse_test.go
View file

@ -717,7 +717,7 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &audit, FailureAction: &audit,
}, },
}, },
}, },
@ -732,7 +732,7 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
}, },
}, },
}, },
@ -773,8 +773,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit, Action: kyvernov1.Audit,
Namespaces: []string{"*"}, Namespaces: []string{"*"},
}}, }},
@ -792,8 +792,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: "invalid", Action: "invalid",
Namespaces: []string{"*"}, Namespaces: []string{"*"},
}}, }},
@ -970,8 +970,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit, Action: kyvernov1.Audit,
Namespaces: []string{"foo"}, Namespaces: []string{"foo"},
}}, }},
@ -990,8 +990,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit, Action: kyvernov1.Audit,
Namespaces: []string{"bar"}, Namespaces: []string{"bar"},
}}, }},
@ -1013,8 +1013,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit, Action: kyvernov1.Audit,
NamespaceSelector: &metav1.LabelSelector{ NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{ MatchLabels: map[string]string{
@ -1040,8 +1040,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit, Action: kyvernov1.Audit,
NamespaceSelector: &metav1.LabelSelector{ NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{ MatchLabels: map[string]string{
@ -1067,8 +1067,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit, Action: kyvernov1.Audit,
Namespaces: []string{"foo"}, Namespaces: []string{"foo"},
NamespaceSelector: &metav1.LabelSelector{ NamespaceSelector: &metav1.LabelSelector{
@ -1095,8 +1095,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit, Action: kyvernov1.Audit,
Namespaces: []string{"bar"}, Namespaces: []string{"bar"},
NamespaceSelector: &metav1.LabelSelector{ NamespaceSelector: &metav1.LabelSelector{
@ -1123,8 +1123,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit, Action: kyvernov1.Audit,
Namespaces: []string{"foo"}, Namespaces: []string{"foo"},
NamespaceSelector: &metav1.LabelSelector{ NamespaceSelector: &metav1.LabelSelector{
@ -1151,8 +1151,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
Rules: []kyvernov1.Rule{ Rules: []kyvernov1.Rule{
{ {
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit, Action: kyvernov1.Audit,
Namespaces: []string{"*"}, Namespaces: []string{"*"},
NamespaceSelector: &metav1.LabelSelector{ NamespaceSelector: &metav1.LabelSelector{

4
pkg/engine/handlers/validation/validate_resource_test.go
View file

@ -60,7 +60,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext {
] ]
}, },
"validate": { "validate": {
"validationFailureAction": "Enforce", "failureAction": "Enforce",
"message": "The label size is required", "message": "The label size is required",
"pattern": { "pattern": {
"metadata": { "metadata": {
@ -88,7 +88,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext {
] ]
}, },
"validate": { "validate": {
"validationFailureAction": "Enforce", "failureAction": "Enforce",
"message": "The label size cannot be changed for a namespace", "message": "The label size cannot be changed for a namespace",
"deny": { "deny": {
"conditions": { "conditions": {

16
pkg/engine/utils/utils_test.go
View file

@ -846,7 +846,7 @@ func TestMatchesResourceDescription(t *testing.T) {
ClusterRoles: []string{"admin"}, ClusterRoles: []string{"admin"},
}, },
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": {"rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": {"rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
areErrorsExpected: false, areErrorsExpected: false,
}, },
{ {
@ -873,7 +873,7 @@ func TestMatchesResourceDescription(t *testing.T) {
ClusterRoles: []string{"admin"}, ClusterRoles: []string{"admin"},
}, },
Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`), Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "failureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
areErrorsExpected: true, areErrorsExpected: true,
}, },
{ {
@ -882,7 +882,7 @@ func TestMatchesResourceDescription(t *testing.T) {
ClusterRoles: []string{"admin"}, ClusterRoles: []string{"admin"},
}, },
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
areErrorsExpected: true, areErrorsExpected: true,
}, },
{ {
@ -1742,7 +1742,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
ClusterRoles: []string{"admin"}, ClusterRoles: []string{"admin"},
}, },
Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "failureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
areErrorsExpected: false, areErrorsExpected: false,
}, },
{ {
@ -1751,7 +1751,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
ClusterRoles: []string{"admin"}, ClusterRoles: []string{"admin"},
}, },
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
areErrorsExpected: false, areErrorsExpected: false,
}, },
{ {
@ -1769,7 +1769,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
ClusterRoles: []string{"admin"}, ClusterRoles: []string{"admin"},
}, },
Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "failureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
areErrorsExpected: true, areErrorsExpected: true,
}, },
{ {
@ -1778,7 +1778,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
ClusterRoles: []string{"admin"}, ClusterRoles: []string{"admin"},
}, },
Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "generateName": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`), Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "generateName": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "failureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
areErrorsExpected: true, areErrorsExpected: true,
}, },
{ {
@ -1787,7 +1787,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
ClusterRoles: []string{"admin"}, ClusterRoles: []string{"admin"},
}, },
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
areErrorsExpected: true, areErrorsExpected: true,
}, },
{ {

18
pkg/engine/validation_test.go
View file

@ -689,7 +689,7 @@ func TestValidate_foreach_zero_reported_asskip(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "Enforce", "failureAction": "Enforce",
"foreach": [ "foreach": [
{ {
"list": "request.object.spec.volumes[].projected.sources[].serviceAccountToken.expirationSeconds", "list": "request.object.spec.volumes[].projected.sources[].serviceAccountToken.expirationSeconds",
@ -1960,7 +1960,7 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing.
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"message": "The animal {{ request.object.metadata.labels.animal }} is not in the allowed list of animals.", "message": "The animal {{ request.object.metadata.labels.animal }} is not in the allowed list of animals.",
"deny": { "deny": {
"conditions": [ "conditions": [
@ -2151,7 +2151,7 @@ func Test_BlockLabelRemove(t *testing.T) {
] ]
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"message": "not allowed", "message": "not allowed",
"deny": { "deny": {
"conditions": { "conditions": {
@ -2269,7 +2269,7 @@ func TestValidate_context_variable_substitution_CLI(t *testing.T) {
} }
], ],
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"message": "restrict pod counts to be no more than 10 on node minikube", "message": "restrict pod counts to be no more than 10 on node minikube",
"deny": { "deny": {
"conditions": [ "conditions": [
@ -2372,7 +2372,7 @@ func Test_EmptyStringInDenyCondition(t *testing.T) {
} }
], ],
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"deny": { "deny": {
"conditions": [ "conditions": [
{ {
@ -2457,7 +2457,7 @@ func Test_StringInDenyCondition(t *testing.T) {
} }
], ],
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"deny": { "deny": {
"conditions": [ "conditions": [
{ {
@ -3006,7 +3006,7 @@ func Test_outof_foreach_element_validation(t *testing.T) {
"name": "test", "name": "test",
"match": {"resources": { "kinds": [ "Pod" ] } }, "match": {"resources": { "kinds": [ "Pod" ] } },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"message": "Invalid name", "message": "Invalid name",
"pattern": { "pattern": {
"name": "{{ element.name }}" "name": "{{ element.name }}"
@ -3045,7 +3045,7 @@ func Test_foreach_skip_initContainer_pass(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"message": "unknown registry", "message": "unknown registry",
"foreach": [ "foreach": [
{ {
@ -3216,7 +3216,7 @@ func Test_delete_ignore_pattern(t *testing.T) {
"name": "test", "name": "test",
"match": {"resources": { "kinds": [ "Pod" ] } }, "match": {"resources": { "kinds": [ "Pod" ] } },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"message": "Invalid label", "message": "Invalid label",
"pattern": { "pattern": {
"metadata" : { "metadata" : {

4
pkg/policycache/cache.go
View file

@ -87,12 +87,12 @@ func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyver
} }
// if the field isn't set, use the higher level policy setting // if the field isn't set, use the higher level policy setting
validationFailureAction := rule.Validation.ValidationFailureAction validationFailureAction := rule.Validation.FailureAction
if validationFailureAction == nil { if validationFailureAction == nil {
validationFailureAction = &policy.GetSpec().ValidationFailureAction validationFailureAction = &policy.GetSpec().ValidationFailureAction
} }
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides validationFailureActionOverrides := rule.Validation.FailureActionOverrides
if len(validationFailureActionOverrides) == 0 { if len(validationFailureActionOverrides) == 0 {
validationFailureActionOverrides = policy.GetSpec().ValidationFailureActionOverrides validationFailureActionOverrides = policy.GetSpec().ValidationFailureActionOverrides
} }

4
pkg/policycache/store.go
View file

@ -109,11 +109,11 @@ func (m *policyMap) set(key string, policy kyvernov1.PolicyInterface, client Res
kindStates := map[policyKey]state{} kindStates := map[policyKey]state{}
for _, rule := range autogen.ComputeRules(policy, "") { for _, rule := range autogen.ComputeRules(policy, "") {
if rule.HasValidate() { if rule.HasValidate() {
action := rule.Validation.ValidationFailureAction action := rule.Validation.FailureAction
if action != nil && action.Enforce() { if action != nil && action.Enforce() {
enforcePolicy = true enforcePolicy = true
} }
for _, k := range rule.Validation.ValidationFailureActionOverrides { for _, k := range rule.Validation.FailureActionOverrides {
if k.Action.Enforce() { if k.Action.Enforce() {
enforcePolicy = true enforcePolicy = true
} }

2
pkg/validatingadmissionpolicy/builder.go
View file

@ -123,7 +123,7 @@ func BuildValidatingAdmissionPolicyBinding(
// set validation action for vap binding // set validation action for vap binding
var validationActions []admissionregistrationv1alpha1.ValidationAction var validationActions []admissionregistrationv1alpha1.ValidationAction
validateAction := cpol.GetSpec().Rules[0].Validation.ValidationFailureAction validateAction := cpol.GetSpec().Rules[0].Validation.FailureAction
if validateAction != nil { if validateAction != nil {
if validateAction.Enforce() { if validateAction.Enforce() {
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny) validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)

2
pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
View file

@ -67,7 +67,7 @@ func checkPolicy(spec *kyvernov1.Spec) (bool, string) {
return false, msg return false, msg
} }
if ok, msg := checkValidationFailureActionOverrides(rule.Validation.ValidationFailureActionOverrides); !ok { if ok, msg := checkValidationFailureActionOverrides(rule.Validation.FailureActionOverrides); !ok {
return false, msg return false, msg
} }

8
pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
View file

@ -649,8 +649,8 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
] ]
}, },
"validate": { "validate": {
"validationFailureAction": "Enforce", "failureAction": "Enforce",
"validationFailureActionOverrides": [ "failureActionOverrides": [
{ {
"action": "Enforce", "action": "Enforce",
"namespaces": [ "namespaces": [
@ -704,8 +704,8 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
] ]
}, },
"validate": { "validate": {
"validationFailureAction": "Enforce", "failureAction": "Enforce",
"validationFailureActionOverrides": [ "failureActionOverrides": [
{ {
"action": "Enforce", "action": "Enforce",
"namespaces": [ "namespaces": [

8
pkg/validation/policy/validate.go
View file

@ -140,8 +140,8 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
warnings = append(warnings, checkValidationFailureAction(spec.ValidationFailureAction, spec.ValidationFailureActionOverrides)...) warnings = append(warnings, checkValidationFailureAction(spec.ValidationFailureAction, spec.ValidationFailureActionOverrides)...)
for _, rule := range spec.Rules { for _, rule := range spec.Rules {
if rule.HasValidate() { if rule.HasValidate() {
if rule.Validation.ValidationFailureAction != nil { if rule.Validation.FailureAction != nil {
warnings = append(warnings, checkValidationFailureAction(*rule.Validation.ValidationFailureAction, rule.Validation.ValidationFailureActionOverrides)...) warnings = append(warnings, checkValidationFailureAction(*rule.Validation.FailureAction, rule.Validation.FailureActionOverrides)...)
} }
} }
} }
@ -207,7 +207,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
if !policy.IsNamespaced() { if !policy.IsNamespaced() {
for i, r := range spec.Rules { for i, r := range spec.Rules {
if r.HasValidate() { if r.HasValidate() {
err := validateNamespaces(r.Validation.ValidationFailureActionOverrides, specPath.Child("rules").Index(i).Child("validate").Child("validationFailureActionOverrides")) err := validateNamespaces(r.Validation.FailureActionOverrides, specPath.Child("rules").Index(i).Child("validate").Child("validationFailureActionOverrides"))
if err != nil { if err != nil {
return warnings, err return warnings, err
} }
@ -337,7 +337,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
verifyImagePath := rulePath.Child("verifyImages") verifyImagePath := rulePath.Child("verifyImages")
for index, i := range rule.VerifyImages { for index, i := range rule.VerifyImages {
action := i.ValidationFailureAction action := i.FailureAction
if action != nil { if action != nil {
if action.Audit() { if action.Audit() {
isAuditFailureAction = true isAuditFailureAction = true

56
pkg/webhooks/resource/validation_test.go
View file

@ -1071,8 +1071,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "audit", "failureAction": "audit",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "enforce", "action": "enforce",
@ -1141,8 +1141,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "audit", "failureAction": "audit",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "enforce", "action": "enforce",
@ -1213,8 +1213,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "audit", "failureAction": "audit",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "enforce", "action": "enforce",
@ -1283,8 +1283,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "enforce", "action": "enforce",
@ -1353,8 +1353,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "enforce", "action": "enforce",
@ -1425,8 +1425,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "enforce", "action": "enforce",
@ -1495,8 +1495,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "enforce", "action": "enforce",
@ -1568,8 +1568,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "audit", "action": "audit",
@ -1644,8 +1644,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "audit", "action": "audit",
@ -1717,8 +1717,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "audit", "action": "audit",
@ -1790,8 +1790,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "audit", "action": "audit",
@ -1866,8 +1866,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "enforce", "failureAction": "enforce",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "audit", "action": "audit",
@ -1942,8 +1942,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "audit", "failureAction": "audit",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "enforce", "action": "enforce",
@ -2017,8 +2017,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
} }
}, },
"validate": { "validate": {
"validationFailureAction": "audit", "failureAction": "audit",
"validationFailureActionOverrides": "failureActionOverrides":
[ [
{ {
"action": "enforce", "action": "enforce",

4
pkg/webhooks/utils/block_test.go
View file

@ -72,7 +72,7 @@ func TestBlockRequest(t *testing.T) {
{ {
Name: "rule-audit", Name: "rule-audit",
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &audit, FailureAction: &audit,
}, },
}, },
}, },
@ -88,7 +88,7 @@ func TestBlockRequest(t *testing.T) {
{ {
Name: "rule-enforce", Name: "rule-enforce",
Validation: kyvernov1.Validation{ Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce, FailureAction: &enforce,
}, },
}, },
}, },

2
test/cli/apply/policies-set/policy.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds: kinds:
- Pod - Pod
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: "The foo label must be set." message: "The foo label must be set."
pattern: pattern:
metadata: metadata:

4
test/cli/apply/policies/policy.yaml
View file

@ -19,7 +19,7 @@ spec:
- Pod - Pod
name: validate-image-tag name: validate-image-tag
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: Using a mutable image tag e.g. 'latest' is not allowed. message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern: pattern:
spec: spec:
@ -48,7 +48,7 @@ spec:
operator: NotEquals operator: NotEquals
value: DELETE value: DELETE
validate: validate:
validationFailureAction: Audit failureAction: Audit
foreach: foreach:
- deny: - deny:
conditions: conditions:

4
test/cli/registry/image-example.yaml
View file

@ -19,7 +19,7 @@ spec:
operator: NotEquals operator: NotEquals
value: DELETE value: DELETE
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
foreach: foreach:
- context: - context:
- imageRegistry: - imageRegistry:
@ -57,7 +57,7 @@ spec:
operator: NotEquals operator: NotEquals
value: DELETE value: DELETE
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
foreach: foreach:
- context: - context:
- imageRegistry: - imageRegistry:

2
test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Pod - Pod
name: validate-default-proc-mount name: validate-default-proc-mount
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: Default proc mount should set to Unmasked message: Default proc mount should set to Unmasked
pattern: pattern:
spec: spec:

2
test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Pod - Pod
name: validate-selinux-options name: validate-selinux-options
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: SELinux level is required message: SELinux level is required
pattern: pattern:
spec: spec:

2
test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Pod - Pod
name: validate-volumes-whitelist name: validate-volumes-whitelist
validate: validate:
validationFailureAction: Audit failureAction: Audit
anyPattern: anyPattern:
- spec: - spec:
volumes: volumes:

2
test/cli/test-exceptions/exceptions-1/policy.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds: kinds:
- Pod - Pod
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
message: >- message: >-
Sharing the host namespaces is disallowed. The fields spec.hostNetwork, Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must be unset or set to `false`. spec.hostIPC, and spec.hostPID must be unset or set to `false`.

2
test/cli/test-exceptions/exceptions-2/policy.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds: kinds:
- Pod - Pod
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
message: "A maximum of 2 containers are allowed inside a Pod." message: "A maximum of 2 containers are allowed inside a Pod."
deny: deny:
conditions: conditions:

2
test/cli/test-exceptions/exceptions-3/policy.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds: kinds:
- Pod - Pod
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
podSecurity: podSecurity:
level: baseline level: baseline
version: latest version: latest

2
test/cli/test-fail/invalid-ns/policy.yaml
View file

@ -36,4 +36,4 @@ spec:
labels: labels:
=(schiff.telekom.de/owner): '!schiff' =(schiff.telekom.de/owner): '!schiff'
platform.das-schiff.telekom.de/owner: '!das-schiff' platform.das-schiff.telekom.de/owner: '!das-schiff'
validationFailureAction: Enforce failureAction: Enforce

4
test/cli/test-fail/missing-policy/policy.yaml
View file

@ -21,7 +21,7 @@ spec:
- test - test
name: require-image-tag name: require-image-tag
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: An image tag is required. message: An image tag is required.
pattern: pattern:
spec: spec:
@ -41,4 +41,4 @@ spec:
spec: spec:
containers: containers:
- image: '!*:latest' - image: '!*:latest'
validationFailureAction: Audit failureAction: Audit

4
test/cli/test-fail/missing-resource/policy.yaml
View file

@ -21,7 +21,7 @@ spec:
- test - test
name: require-image-tag name: require-image-tag
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: An image tag is required. message: An image tag is required.
pattern: pattern:
spec: spec:
@ -41,4 +41,4 @@ spec:
spec: spec:
containers: containers:
- image: '!*:latest' - image: '!*:latest'
validationFailureAction: Audit failureAction: Audit

4
test/cli/test-fail/missing-rule/policy.yaml
View file

@ -21,7 +21,7 @@ spec:
- test - test
name: require-image-tag name: require-image-tag
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: An image tag is required. message: An image tag is required.
pattern: pattern:
spec: spec:
@ -41,4 +41,4 @@ spec:
spec: spec:
containers: containers:
- image: '!*:latest' - image: '!*:latest'
validationFailureAction: Audit failureAction: Audit

4
test/cli/test/admission_user_info/disallow_latest_tag.yaml
View file

@ -21,7 +21,7 @@ spec:
- Pod - Pod
name: require-image-tag name: require-image-tag
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: An image tag is required. message: An image tag is required.
pattern: pattern:
spec: spec:
@ -34,7 +34,7 @@ spec:
- Pod - Pod
name: validate-image-tag name: validate-image-tag
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: Using a mutable image tag e.g. 'latest' is not allowed. message: Using a mutable image tag e.g. 'latest' is not allowed.
pattern: pattern:
spec: spec:

2
test/cli/test/any-all-wildcard/policy.yaml
View file

@ -17,6 +17,6 @@ spec:
- namespace2 - namespace2
name: disallow name: disallow
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
deny: {} deny: {}
message: This resource is protected and changes are not allowed. message: This resource is protected and changes are not allowed.

2
test/cli/test/any-namespaceSelector/policy.yaml
View file

@ -20,7 +20,7 @@ spec:
- managed - managed
name: validate-name name: validate-name
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: The Pod must end with -nginx message: The Pod must end with -nginx
pattern: pattern:
metadata: metadata:

2
test/cli/test/anypattern_skip_error/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Service - Service
name: check-loadbalancer-public name: check-loadbalancer-public
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
anyPattern: anyPattern:
- metadata: - metadata:
annotations: annotations:

2
test/cli/test/autogen-values/policy.yaml
View file

@ -28,4 +28,4 @@ spec:
validate: validate:
message: Do nothing! message: Do nothing!
pattern: {} pattern: {}
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/autogen/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Pod - Pod
name: check-for-labels name: check-for-labels
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
message: Both `app` and `owner` labels must be set on all workloads message: Both `app` and `owner` labels must be set on all workloads
pattern: pattern:
metadata: metadata:

2
test/cli/test/cel-preconditions/disallow-host-path.yaml
View file

@ -15,7 +15,7 @@ spec:
- expression: "object.metadata.labels['color'] == 'red'" - expression: "object.metadata.labels['color'] == 'red'"
name: "Label should be red" name: "Label should be red"
validate: validate:
validationFailureAction: Audit failureAction: Audit
cel: cel:
expressions: expressions:
- expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))" - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"

2
test/cli/test/check-deployment-namespace-cel/policy.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds: kinds:
- Deployment - Deployment
validate: validate:
validationFailureAction: Audit failureAction: Audit
cel: cel:
expressions: expressions:
- expression: "namespaceObject.metadata.name != 'default'" - expression: "namespaceObject.metadata.name != 'default'"

2
test/cli/test/container_reorder/policy.yml
View file

@ -32,4 +32,4 @@ spec:
required: true required: true
useCache: true useCache: true
verifyDigest: true verifyDigest: true
validationFailureAction: Enforce failureAction: Enforce

22
test/cli/test/context-entries/policies.yaml
View file

@ -21,7 +21,7 @@ spec:
- Pod - Pod
name: defined-value name: defined-value
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
- key: '{{ example.test.nested.value }}' - key: '{{ example.test.nested.value }}'
@ -38,7 +38,7 @@ spec:
- Pod - Pod
name: defined-jmespath name: defined-jmespath
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
- key: '{{ objName }}' - key: '{{ objName }}'
@ -56,7 +56,7 @@ spec:
- Pod - Pod
name: defined-jmespath-with-default name: defined-jmespath-with-default
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
- key: '{{ objName }}' - key: '{{ objName }}'
@ -74,7 +74,7 @@ spec:
- Pod - Pod
name: defined-value-with-variable name: defined-value-with-variable
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
- key: '{{ obj.name }}' - key: '{{ obj.name }}'
@ -92,7 +92,7 @@ spec:
- Pod - Pod
name: defined-jmespath-with-default-variable name: defined-jmespath-with-default-variable
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
- key: '{{ objName }}' - key: '{{ objName }}'
@ -111,7 +111,7 @@ spec:
- Pod - Pod
name: defined-value-jmespath name: defined-value-jmespath
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
- key: '{{ objName }}' - key: '{{ objName }}'
@ -133,7 +133,7 @@ spec:
- Pod - Pod
name: defined-value-jmespath-variable name: defined-value-jmespath-variable
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
- key: '{{ objName }}' - key: '{{ objName }}'
@ -155,7 +155,7 @@ spec:
- Pod - Pod
name: value-override name: value-override
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
any: any:
@ -178,7 +178,7 @@ spec:
- Pod - Pod
name: wildcard-match name: wildcard-match
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
- key: A=* - key: A=*
@ -205,7 +205,7 @@ spec:
- Pod - Pod
name: items name: items
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
- key: '{{ obj }}' - key: '{{ obj }}'
@ -234,7 +234,7 @@ spec:
- Pod - Pod
name: unused-var name: unused-var
validate: validate:
validationFailureAction: Audit failureAction: Audit
deny: deny:
conditions: conditions:
- key: '{{ modifiedObj }}' - key: '{{ modifiedObj }}'

2
test/cli/test/context-foreach/policy.yaml
View file

@ -14,7 +14,7 @@ spec:
- Pod - Pod
name: block-images name: block-images
validate: validate:
validationFailureAction: Audit failureAction: Audit
foreach: foreach:
- context: - context:
- imageRegistry: - imageRegistry:

14
test/cli/test/custom-functions/policy.yaml
View file

@ -19,7 +19,7 @@ spec:
- key: '{{base64_decode(request.object.data.value)}}' - key: '{{base64_decode(request.object.data.value)}}'
operator: NotEquals operator: NotEquals
value: '{{request.object.metadata.labels.value}}' value: '{{request.object.metadata.labels.value}}'
validationFailureAction: Enforce failureAction: Enforce
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -42,7 +42,7 @@ spec:
- key: '{{pattern_match(''prefix-*'', request.object.metadata.labels.value)}}' - key: '{{pattern_match(''prefix-*'', request.object.metadata.labels.value)}}'
operator: Equals operator: Equals
value: false value: false
validationFailureAction: Enforce failureAction: Enforce
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -78,7 +78,7 @@ spec:
- key: '{{ element.hostPath.path }}' - key: '{{ element.hostPath.path }}'
operator: NotEquals operator: NotEquals
value: "" value: ""
validationFailureAction: Enforce failureAction: Enforce
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -101,7 +101,7 @@ spec:
operator: NotEquals operator: NotEquals
value: b value: b
message: Test JMESPath message: Test JMESPath
validationFailureAction: Enforce failureAction: Enforce
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -124,7 +124,7 @@ spec:
operator: NotEquals operator: NotEquals
value: a value: a
message: Test JMESPath message: Test JMESPath
validationFailureAction: Enforce failureAction: Enforce
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -148,7 +148,7 @@ spec:
value: '{{request.object.metadata.annotations.test | parse_yaml(@).array value: '{{request.object.metadata.annotations.test | parse_yaml(@).array
}}' }}'
message: Test JMESPath message: Test JMESPath
validationFailureAction: Enforce failureAction: Enforce
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -175,4 +175,4 @@ spec:
message: 'public key modulus mismatch: "{{ x509_decode(''{{request.object.data.cert}}'').PublicKey.N message: 'public key modulus mismatch: "{{ x509_decode(''{{request.object.data.cert}}'').PublicKey.N
}}" != "{{ x509_decode(''{{base64_decode(''{{request.object.data.certB64}}'')}}'').PublicKey.N }}" != "{{ x509_decode(''{{base64_decode(''{{request.object.data.certB64}}'')}}'').PublicKey.N
}}"' }}"'
validationFailureAction: Enforce failureAction: Enforce

2
test/cli/test/default_value_to_create/check-supplemental-groups.yaml
View file

@ -39,4 +39,4 @@ spec:
spec: spec:
=(securityContext): =(securityContext):
=(supplementalGroups): 100-200 | 500-600 =(supplementalGroups): 100-200 | 500-600
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml
View file

@ -30,4 +30,4 @@ spec:
deny: {} deny: {}
message: Roles owned by platform team (ones with label hpedevops.net/platform=true) message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
should not be modified by non-admin users. should not be modified by non-admin users.
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml
View file

@ -26,4 +26,4 @@ spec:
deny: {} deny: {}
message: Roles owned by platform team (ones with label hpedevops.net/platform=true) message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
should not be modified by non-admin users. should not be modified by non-admin users.
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml
View file

@ -35,4 +35,4 @@ spec:
deny: {} deny: {}
message: Roles owned by platform team (ones with label hpedevops.net/platform=true) message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
should not be modified by non-admin users. should not be modified by non-admin users.
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml
View file

@ -14,7 +14,7 @@ spec:
operations: operations:
- DELETE - DELETE
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
message: Pod cannot be deleted message: Pod cannot be deleted
deny: {} deny: {}

2
test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml
View file

@ -12,7 +12,7 @@ spec:
kinds: kinds:
- Pod - Pod
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
message: Pod cannot be deleted message: Pod cannot be deleted
deny: deny:
conditions: conditions:

2
test/cli/test/depecated_apis/policy.yaml
View file

@ -33,4 +33,4 @@ spec:
deny: {} deny: {}
message: '{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated message: '{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated
and will be removed in v1.25. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' and will be removed in v1.25. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
validationFailureAction: Enforce failureAction: Enforce

2
test/cli/test/disallow-service/policy.yaml
View file

@ -28,4 +28,4 @@ spec:
anyPattern: anyPattern:
- kind: '!Service' - kind: '!Service'
message: Can't create a service. Sorry... message: Can't create a service. Sorry...
validationFailureAction: Enforce failureAction: Enforce

2
test/cli/test/exclude/policy.yaml
View file

@ -36,7 +36,7 @@ spec:
matchLabels: matchLabels:
require-requests-limits.kyverno.io/exclude: "true" require-requests-limits.kyverno.io/exclude: "true"
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
message: "CPU and memory resource requests and limits are required." message: "CPU and memory resource requests and limits are required."
pattern: pattern:
spec: spec:

2
test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml
View file

@ -41,4 +41,4 @@ spec:
operator: Equals operator: Equals
value: "false" value: "false"
message: Exec'ing into Pods protected with the label `exec=false` is forbidden. message: Exec'ing into Pods protected with the label `exec=false` is forbidden.
validationFailureAction: Enforce failureAction: Enforce

2
test/cli/test/foreach-preconditions/policies.yaml
View file

@ -32,4 +32,4 @@ spec:
operator: NotEquals operator: NotEquals
value: "" value: ""
message: Limits may not exceed 2.5x the requests. message: Limits may not exceed 2.5x the requests.
validationFailureAction: Enforce failureAction: Enforce

8
test/cli/test/foreach/policies.yaml
View file

@ -25,7 +25,7 @@ spec:
- (name): '{{element.name}}' - (name): '{{element.name}}'
mountPath: /tmp/* mountPath: /tmp/*
message: emptyDir volumes must be mounted under /tmp message: emptyDir volumes must be mounted under /tmp
validationFailureAction: Audit failureAction: Audit
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -56,7 +56,7 @@ spec:
volumeMounts: volumeMounts:
- <(name): '{{element.name}}' - <(name): '{{element.name}}'
message: ephemeral-storage requests and limits are required for emptyDir volumes message: ephemeral-storage requests and limits are required for emptyDir volumes
validationFailureAction: Audit failureAction: Audit
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -82,7 +82,7 @@ spec:
value: ghcr.io value: ghcr.io
list: request.object.spec.containers[].image list: request.object.spec.containers[].image
message: images must begin with ghcr.io message: images must begin with ghcr.io
validationFailureAction: Audit failureAction: Audit
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -109,4 +109,4 @@ spec:
elementScope: true elementScope: true
list: request.object.spec.containers[].image list: request.object.spec.containers[].image
message: images must begin with ghcr.io message: images must begin with ghcr.io
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/globalcontext/policy.yaml
View file

@ -24,7 +24,7 @@ spec:
- CREATE - CREATE
- UPDATE - UPDATE
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
deny: deny:
conditions: conditions:
any: any:

2
test/cli/test/images/digest/policies.yaml
View file

@ -22,4 +22,4 @@ spec:
required: false required: false
useCache: true useCache: true
verifyDigest: true verifyDigest: true
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/images/secure-images/policies.yaml
View file

@ -23,5 +23,5 @@ spec:
required: true required: true
useCache: true useCache: true
verifyDigest: false verifyDigest: false
validationFailureAction: Enforce failureAction: Enforce
webhookTimeoutSeconds: 30 webhookTimeoutSeconds: 30

2
test/cli/test/images/signatures/policies.yaml
View file

@ -36,4 +36,4 @@ spec:
required: true required: true
useCache: true useCache: true
verifyDigest: true verifyDigest: true
validationFailureAction: Enforce failureAction: Enforce

4
test/cli/test/images/verify-signature/policies.yaml
View file

@ -37,7 +37,7 @@ spec:
required: true required: true
useCache: true useCache: true
verifyDigest: true verifyDigest: true
validationFailureAction: Enforce failureAction: Enforce
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -81,4 +81,4 @@ spec:
required: true required: true
useCache: true useCache: true
verifyDigest: false verifyDigest: false
validationFailureAction: Enforce failureAction: Enforce

4
test/cli/test/jmespath-brackets/policy.yaml
View file

@ -26,7 +26,7 @@ spec:
a: "1" a: "1"
test: "" test: ""
message: All pod labels must match except test message: All pod labels must match except test
validationFailureAction: Enforce failureAction: Enforce
--- ---
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -51,4 +51,4 @@ spec:
value: false value: false
message: For creating a namespace you need to set the objectid of the Azure message: For creating a namespace you need to set the objectid of the Azure
AD Group that needs access to this namespace as the aadobjectid label AD Group that needs access to this namespace as the aadobjectid label
validationFailureAction: Enforce failureAction: Enforce

2
test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml
View file

@ -56,4 +56,4 @@ spec:
- CREATE - CREATE
message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}}
resource is protected. Admin or allowed users can change the resource' resource is protected. Admin or allowed users can change the resource'
validationFailureAction: Audit failureAction: Audit

4
test/cli/test/manifests/verify-signature/policies.yaml
View file

@ -16,7 +16,7 @@ spec:
name: test* name: test*
name: validate-yaml name: validate-yaml
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
manifests: manifests:
attestors: attestors:
- count: 1 - count: 1
@ -43,7 +43,7 @@ spec:
name: test* name: test*
name: validate-yaml-multi-sig name: validate-yaml-multi-sig
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
manifests: manifests:
attestors: attestors:
- entries: - entries:

2
test/cli/test/mixed/policy.yaml
View file

@ -21,7 +21,7 @@ spec:
- user-?* - user-?*
name: ondemand-managed_by name: ondemand-managed_by
validate: validate:
validationFailureAction: Audit failureAction: Audit
message: '{{ request.object.metadata.namespace }} pods must be managed by open-ondemand' message: '{{ request.object.metadata.namespace }} pods must be managed by open-ondemand'
pattern: pattern:
metadata: metadata:

4
test/cli/test/multiple-validate-rules/policy.yaml
View file

@ -17,7 +17,7 @@ spec:
operator: Equals operator: Equals
value: 'LoadBalancer' value: 'LoadBalancer'
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
message: >- message: >-
Only approved ports may be used for LoadBalancer services. Only approved ports may be used for LoadBalancer services.
foreach: foreach:
@ -38,7 +38,7 @@ spec:
kinds: kinds:
- Service - Service
validate: validate:
validationFailureAction: Enforce failureAction: Enforce
message: "NodePort services are not allowed. This is {{ request.object.spec.type }}" message: "NodePort services are not allowed. This is {{ request.object.spec.type }}"
pattern: pattern:
spec: spec:

2
test/cli/test/multiple_condition_keys/policy.yaml
View file

@ -23,4 +23,4 @@ spec:
value: value:
- busybox - busybox
- busybox1 - busybox1
validationFailureAction: Enforce failureAction: Enforce

2
test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml
View file

@ -44,4 +44,4 @@ spec:
metadata: metadata:
labels: labels:
foo: '*' foo: '*'
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml
View file

@ -37,4 +37,4 @@ spec:
operator: NotEquals operator: NotEquals
value: 2400 value: 2400
message: certificate duration must be < than 2400h (100 days) message: certificate duration must be < than 2400h (100 days)
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/node-status/check_node_for_cve_2022_0185.yaml
View file

@ -32,4 +32,4 @@ spec:
status: status:
nodeInfo: nodeInfo:
kernelVersion: '!5.10.84-1 & !5.15.5-2' kernelVersion: '!5.10.84-1 & !5.15.5-2'
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/owner_references/policy.yaml
View file

@ -28,4 +28,4 @@ spec:
periodSeconds: '>0' periodSeconds: '>0'
readinessProbe: readinessProbe:
periodSeconds: '>0' periodSeconds: '>0'
validationFailureAction: Enforce failureAction: Enforce

2
test/cli/test/policy-reports-skip-validation/policy.yaml
View file

@ -33,4 +33,4 @@ spec:
operator: AnyNotIn operator: AnyNotIn
value: '{{request.object.metadata.keys(@)}}' value: '{{request.object.metadata.keys(@)}}'
message: naked pods are not allowed message: naked pods are not allowed
validationFailureAction: Audit failureAction: Audit

2
test/cli/test/preconditions/policy.yaml
View file

@ -24,4 +24,4 @@ spec:
spec: spec:
containers: containers:
- name: '*busybox*' - name: '*busybox*'
validationFailureAction: Enforce failureAction: Enforce

Some files were not shown because too many files have changed in this diff Show more