diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go
index 9f8c0ea60c..c5a69d12d1 100644
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@@ -592,6 +592,12 @@ func (pss *PodSecurityStandard) Validate(path *field.Path) (errs field.ErrorList
 // CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
 type CEL struct {
+ // Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule.
+ // Optional. Defaults to "false" if not specified.
+ // +optional
+ // +kubebuilder:default=false
+ Generate *bool `json:"generate,omitempty"`
+
 // Expressions is a list of CELExpression types.
 Expressions []admissionregistrationv1.Validation `json:"expressions,omitempty"`
@@ -614,6 +620,10 @@ type CEL struct {
 Variables []admissionregistrationv1.Variable `json:"variables,omitempty"`
 }
+func (c *CEL) GenerateVAP() bool {
+ return c.Generate != nil && *c.Generate
+}
+
 func (c *CEL) HasParam() bool {
 return c.ParamKind != nil && c.ParamRef != nil
 }
diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go
index 7530bd5ec4..4be20706a7 100755
--- a/api/kyverno/v1/zz_generated.deepcopy.go
+++ b/api/kyverno/v1/zz_generated.deepcopy.go
@@ -215,6 +215,11 @@ func (in *AutogenStatus) DeepCopy() *AutogenStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CEL) DeepCopyInto(out *CEL) {
 *out = *in
+ if in.Generate != nil {
+ in, out := &in.Generate, &out.Generate
+ *out = new(bool)
+ **out = **in
+ }
 if in.Expressions != nil {
 in, out := &in.Expressions, &out.Expressions
 *out = make([]admissionregistrationv1.Validation, len(*in))
diff --git a/api/policies.kyverno.io/v1alpha1/validating_spec_types.go b/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
index d59eb082ac..5d0e30612c 100644
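Review bot: `GenerateVAP` is an exported method with no doc comment, and it dereferences the receiver unconditionally, so calling it on a nil `*CEL` panics. The only caller in this diff, `checkRuleType`, reaches it after `rule.HasValidateCEL()`, which presumably rules out a nil `Validation.CEL`, so this is a robustness point rather than a live defect; a nil-safe form is `return c != nil && c.Generate != nil && *c.Generate`. Add `// GenerateVAP reports whether validate.cel.generate is explicitly set to true; an unset field counts as false.` above the method so the tri-state pointer semantics are documented where they are decided.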
--- a/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
+++ b/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
@@ -80,6 +80,12 @@ type ValidatingPolicySpec struct {
 // +optional
 Variables []admissionregistrationv1.Variable `json:"variables,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
+ // Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.
+ // Optional. Defaults to "false" if not specified.
+ // +optional
+ // +kubebuilder:default=false
+ Generate *bool `json:"generate,omitempty"`
+
 // ValidationAction specifies the action to be taken when the matched resource violates the policy.
 // Required.
 // +listType=set
diff --git a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
index 33a5ddf930..4a03e90891 100644
--- a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
+++ b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
@@ -989,6 +989,11 @@ func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) {
 *out = make([]v1.Variable, len(*in))
 copy(*out, *in)
 }
+ if in.Generate != nil {
+ in, out := &in.Generate, &out.Generate
+ *out = new(bool)
+ **out = **in
+ }
 if in.ValidationAction != nil {
 in, out := &in.ValidationAction, &out.ValidationAction
 *out = make([]v1.ValidationAction, len(*in))
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
index b3f3851451..07573a9f2a 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
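Review bot: `ValidatingPolicySpec.Generate` is introduced here but, unlike `CEL.Generate`, nothing in this change reads it: there is no accessor mirroring `CEL.GenerateVAP()` and no call site passes it into `CanGenerateVAP`. If the v1alpha1 policy is meant to honor the flag, adding `func (s *ValidatingPolicySpec) GenerateVAP() bool { return s != nil && s.Generate != nil && *s.Generate }` keeps the two gates consistent; if it is reserved for follow-up work, say so in the field comment so the CRD description does not promise behaviour that is not wired yet. The enclosing struct starts and ends outside the hunk.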
@@ -3183,6 +3183,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -8299,6 +8305,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -13119,6 +13131,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -18293,6 +18311,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 7aee6c48b3..503be3299e 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 
@@ -3184,6 +3184,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -8301,6 +8307,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -13122,6 +13134,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -18296,6 +18314,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. diff --git a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index c09be166b8..1003bf4784 100644 --- a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml 
@@ -157,6 +157,12 @@ spec: Allowed values are Ignore or Fail. Defaults to Fail. type: string + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. + Optional. Defaults to "false" if not specified. + type: boolean matchConditions: description: |- MatchConditions is a list of conditions that must be met for a request to be validated. diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 23919965c5..495bb32712 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -3177,6 +3177,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -8293,6 +8299,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -13113,6 +13125,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. 
@@ -18287,6 +18305,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 6dfd7f9bc7..ee1076124e 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -3178,6 +3178,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -8295,6 +8301,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -13116,6 +13128,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. 
@@ -18290,6 +18308,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. diff --git a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml index 2a796e0c3a..b6c8b198cc 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml @@ -151,6 +151,12 @@ spec: Allowed values are Ignore or Fail. Defaults to Fail. type: string + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. + Optional. Defaults to "false" if not specified. + type: boolean matchConditions: description: |- MatchConditions is a list of conditions that must be met for a request to be validated. diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index 23919965c5..495bb32712 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml @@ -3177,6 +3177,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. 
@@ -8293,6 +8299,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -13113,6 +13125,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -18287,6 +18305,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 6dfd7f9bc7..ee1076124e 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml @@ -3178,6 +3178,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -8295,6 +8301,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. 
@@ -13116,6 +13128,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -18290,6 +18308,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. diff --git a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index 2a796e0c3a..b6c8b198cc 100644 --- a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml +++ b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml @@ -151,6 +151,12 @@ spec: Allowed values are Ignore or Fail. Defaults to Fail. type: string + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. + Optional. Defaults to "false" if not specified. + type: boolean matchConditions: description: |- MatchConditions is a list of conditions that must be met for a request to be validated. diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index e3244c6700..fcc37caf5f 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -8602,6 +8602,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -13718,6 +13724,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -18538,6 +18550,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -23712,6 +23730,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -29176,6 +29200,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. 
@@ -34293,6 +34323,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -39114,6 +39150,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -44288,6 +44330,12 @@ spec: - expression type: object type: array + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. + Optional. Defaults to "false" if not specified. + type: boolean paramKind: description: ParamKind is a tuple of Group Kind and Version. @@ -48699,6 +48747,12 @@ spec: Allowed values are Ignore or Fail. Defaults to Fail. type: string + generate: + default: false + description: |- + Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. + Optional. Defaults to "false" if not specified. + type: boolean matchConditions: description: |- MatchConditions is a list of conditions that must be met for a request to be validated. diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 5218ac53e8..d29c2ef61e 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -1050,6 +1050,19 @@ attributes for keyless verification, or a nested attestor declaration.

+generate
+ +bool + + + +(Optional) +

Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. +Optional. Defaults to “false” if not specified.

+ + + + expressions
@@ -10813,6 +10826,19 @@ Thus, Variables must be sorted by the order of first appearance and acyclic.

+generate
+ +bool + + + +(Optional) +

Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. +Optional. Defaults to “false” if not specified.

+ + + + validationActions
@@ -12705,6 +12731,19 @@ Thus, Variables must be sorted by the order of first appearance and acyclic.

+generate
+ +bool + + + +(Optional) +

Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. +Optional. Defaults to “false” if not specified.

+ + + + validationActions
diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html index 05196dc9ed..61c91367b7 100644 --- a/docs/user/crd/kyverno.v1.html +++ b/docs/user/crd/kyverno.v1.html @@ -2151,6 +2151,34 @@ attributes for keyless verification, or a nested attestor declaration.

+ + generate + +
+ + + + + bool + + + + + + +

Generate specifies whether to generate a Kubernetes ValidatingAdmissionPolicy from the rule. +Optional. Defaults to "false" if not specified.

+ + + + + + + + + + + expressions
diff --git a/pkg/admissionpolicy/kyvernopolicy_checker.go b/pkg/admissionpolicy/kyvernopolicy_checker.go
index 9f7e42ca6c..b4dfe82001 100644
--- a/pkg/admissionpolicy/kyvernopolicy_checker.go
+++ b/pkg/admissionpolicy/kyvernopolicy_checker.go
@@ -7,9 +7,9 @@ import (
 )
 // CanGenerateVAP check if Kyverno policy and a PolicyException can be translated to a Kubernetes ValidatingAdmissionPolicy
-func CanGenerateVAP(spec *kyvernov1.Spec, exceptions []kyvernov2.PolicyException) (bool, string) {
+func CanGenerateVAP(spec *kyvernov1.Spec, exceptions []kyvernov2.PolicyException, validate bool) (bool, string) {
 var msg string
- if ok, msg := checkPolicy(spec); !ok {
+ if ok, msg := checkPolicy(spec, validate); !ok {
 return false, msg
 }
@@ -52,14 +52,14 @@ func checkExceptions(exceptions []kyvernov2.PolicyException) (bool, string) {
 return true, msg
 }
-func checkPolicy(spec *kyvernov1.Spec) (bool, string) {
+func checkPolicy(spec *kyvernov1.Spec, validate bool) (bool, string) {
 var msg string
 if ok, msg := checkRuleCount(spec); !ok {
 return false, msg
 }
 rule := spec.Rules[0]
- if ok, msg := checkRuleType(rule); !ok {
+ if ok, msg := checkRuleType(rule, validate); !ok {
 return false, msg
 }
@@ -125,11 +125,16 @@ func checkRuleCount(spec *kyvernov1.Spec) (bool, string) {
 return true, msg
 }
-func checkRuleType(rule kyvernov1.Rule) (bool, string) {
+func checkRuleType(rule kyvernov1.Rule, validate bool) (bool, string) {
 var msg string
 if !rule.HasValidateCEL() {
 msg = "skip generating ValidatingAdmissionPolicy for non CEL rules."
 return false, msg
+ } else if !validate {
+ if !rule.Validation.CEL.GenerateVAP() {
+ msg = "skip generating ValidatingAdmissionPolicy: validate.cel.generate is not set to true."
+ return false, msg
+ }
 }
 return true, msg
 }
diff --git a/pkg/admissionpolicy/kyvernopolicy_checker_test.go b/pkg/admissionpolicy/kyvernopolicy_checker_test.go
index 161de8d2f2..f510fca9dd 100644
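Review bot: The new `validate bool` parameter threaded through `CanGenerateVAP`, `checkPolicy` and `checkRuleType` is opaque at the call sites (`CanGenerateVAP(spec, exceptions, false)` in the controller, `CanGenerateVAP(spec, nil, true)` in policy validation): it does not mean "validate", it means "skip the validate.cel.generate gate", and the `CanGenerateVAP` doc comment was not updated to say so. A name such as `skipGenerateCheck`, or `validateOnly` with a sentence added to the comment ("when validateOnly is true the rule's generate flag is ignored so CEL expressions are still checked"), would make both callers read correctly. In `checkRuleType` the `else if` follows a terminating `return`, so the branch flattens to `if !validate && !rule.Validation.CEL.GenerateVAP() {` with the message assignment and `return false, msg` underneath, dropping one level of nesting. `CanGenerateVAP` and `checkPolicy` continue outside their hunks.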
--- a/pkg/admissionpolicy/kyvernopolicy_checker_test.go
+++ b/pkg/admissionpolicy/kyvernopolicy_checker_test.go
@@ -827,6 +827,7 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
 },
 "validate": {
 "cel": {
+ "generate": true,
 "expressions": [
 {
 "expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
@@ -841,6 +842,66 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
 `),
 expected: true,
 },
+ {
+ name: "policy-with-generate-set-to-false",
+ policy: []byte(`
+{
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "disallow-host-path"
+ },
+ "spec": {
+ "validationFailureAction": "Enforce",
+ "rules": [
+ {
+ "name": "host-path",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Deployment"
+ ],
+ "operations": [
+ "CREATE",
+ "UPDATE"
+ ],
+ "selector": {
+ "matchLabels": {
+ "app": "mongodb"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "validate": {
+ "cel": {
+ "generate": false,
+ "expressions": [
+ {
+ "expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+}
+`),
+ expected: false,
+ },
 {
 name: "policy-with-no-rules",
 policy: []byte(`
@@ -863,7 +924,7 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
 policies, _, _, _, err := yamlutils.GetPolicy([]byte(test.policy))
 assert.NilError(t, err)
 assert.Equal(t, 1, len(policies))
- out, _ := CanGenerateVAP(policies[0].GetSpec(), nil)
+ out, _ := CanGenerateVAP(policies[0].GetSpec(), nil, false)
 assert.Equal(t, out, test.expected)
 })
 }
diff --git a/pkg/controllers/validatingadmissionpolicy-generate/controller.go b/pkg/controllers/validatingadmissionpolicy-generate/controller.go
index 49d907f069..50ee1781ac 100644
--- a/pkg/controllers/validatingadmissionpolicy-generate/controller.go
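Review bot: The new table entry covers only `generate: false` with the gate enabled; the two cases that actually define the new contract are untested — a CEL rule with `generate` omitted (the CRD default is false, so `CanGenerateVAP(..., false)` should return false for policies that worked before this change) and the same policy with the third argument `true`, which the policy-validation path relies on to bypass the gate. Since the loop at the bottom hard-codes `CanGenerateVAP(policies[0].GetSpec(), nil, false)`, adding a `validate bool` field to the test table and passing `test.validate` there would let both be expressed without a second test function. The enclosing `Test_Can_Generate_ValidatingAdmissionPolicy` starts and ends outside these hunks.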
+++ b/pkg/controllers/validatingadmissionpolicy-generate/controller.go
@@ -397,7 +397,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 return err
 }
- if ok, msg := admissionpolicy.CanGenerateVAP(spec, exceptions); !ok {
+ if ok, msg := admissionpolicy.CanGenerateVAP(spec, exceptions, false); !ok {
 // delete the ValidatingAdmissionPolicy if exist
 if vapErr == nil {
 err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{})
diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go
index a3a26d6891..b9e3103daa 100644
--- a/pkg/validation/policy/validate.go
+++ b/pkg/validation/policy/validate.go
@@ -454,7 +454,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 }
 // check for CEL expression warnings in case of CEL subrules
- if ok, _ := admissionpolicy.CanGenerateVAP(spec, nil); ok && client != nil {
+ if ok, _ := admissionpolicy.CanGenerateVAP(spec, nil, true); ok && client != nil {
 resolver := &resolver.ClientDiscoveryResolver{
 Discovery: client.GetKubeClient().Discovery(),
 }
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
index a21460ad13..2d2859d66c 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
@@ -17,6 +17,7 @@ spec: validate: failureAction: Enforce cel: + generate: true expressions: - expression: "!has(object.spec.ephemeralContainers)" message: "Ephemeral (debug) containers are not permitted."
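Review bot: With `Generate` defaulting to false, this call now returns not-ok for every existing CEL policy that does not set `validate.cel.generate: true`, and the branch directly below deletes the ValidatingAdmissionPolicy that was previously generated for it, so on the first reconcile after an upgrade every such VAP is removed without any change to the policy object. That is a silent change in which component enforces the rule (the API-server-side VAP disappears and enforcement presumably falls back to Kyverno's own webhook), so it deserves an explicit log line before the `Delete`, e.g. `logger.Info("deleting ValidatingAdmissionPolicy", "name", vapName, "reason", msg)`, plus a release note or a documented migration step telling users to opt existing policies in. Whether `msg` is already logged further down is not visible here; `reconcile` continues outside the hunk.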
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy.yaml index d0360162b3..538fd4a17e 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy.yaml @@ -17,6 +17,7 @@ spec: expression: "request.operation == 'CONNECT'" validate: cel: + generate: true expressions: - expression: "request.namespace != 'pci'" message: Pods in this namespace may not be exec'd into. diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml index 0ddcddd282..12ce37b4fb 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml @@ -21,6 +21,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml index 8cfb945c2f..806bbb4824 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml @@ -26,6 +26,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml index 4ba5265bbf..fa3e166344 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml 
@@ -30,6 +30,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml index e7b7ff0f72..6458cba940 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml @@ -30,6 +30,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml index 220c2e6d6c..eb9fdf7e07 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml 
@@ -30,6 +30,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml index cbd2233c48..37ecd341d6 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml @@ -35,6 +35,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml index f2a69970ce..a249aee0ff 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml 
@@ -26,6 +26,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml index 749abc0b11..86498b5bb9 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml @@ -19,5 +19,6 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml index de25903016..634e7526a2 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml @@ -26,5 +26,6 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "'app' in object.metadata.labels" \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml index 8a44e17e3a..c2e1e1e401 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml @@ -17,5 +17,6 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "'app' in object.metadata.labels" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml index b65e481708..5e7573fb2e 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml @@ -19,6 +19,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/policy.yaml index 4a73b94281..05cbba00c2 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/policy.yaml @@ -17,6 +17,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/policy.yaml index 44bea23ca7..bbc714e2d8 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/policy.yaml @@ -26,6 +26,7 @@ spec: - connector validate: cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/policy.yaml index 44bea23ca7..bbc714e2d8 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/policy.yaml @@ -26,6 +26,7 @@ spec: - connector validate: cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml index 8013cdb108..1f9a6391b8 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml @@ -28,6 +28,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml index 388e493d83..b4f396e316 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml @@ -25,6 +25,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml index d0f50b6dae..0f1436ea4c 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml @@ -16,5 +16,6 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "'app' in object.metadata.labels" 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml index be0c9e652b..cc37ae8668 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml @@ -16,5 +16,6 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml index 83d8c97052..7ccc17433d 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml @@ -34,6 +34,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml index 6e3c916a8c..87481711e9 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml @@ -28,6 +28,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml index d297f8c332..9d958c6ebb 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml 
@@ -28,6 +28,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml index 4f0da2684c..9da15ed95a 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml @@ -31,6 +31,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml index 0c00e80f3a..95ba59bf31 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml 
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml @@ -21,5 +21,6 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml index 42ed1d63b3..d06a7a6266 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml @@ -21,5 +21,6 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml index 7af6214662..5aca1c1980 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml 
@@ -22,6 +22,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml index f623024384..7114efd124 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml @@ -18,6 +18,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml index f265645d4b..2948e55f39 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml 
@@ -27,6 +27,7 @@ spec: validate: failureAction: Audit cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy.yaml index f0bcea5790..9736115780 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy.yaml @@ -12,6 +12,7 @@ spec: - Pod validate: cel: + generate: true expressions: - expression: "object.spec.containers.all(container, !container.image.matches('^[a-zA-Z]+:[0-9]*$'))" message: "An image tag is required." @@ -23,6 +24,7 @@ spec: - Pod validate: cel: + generate: true expressions: - expression: "object.spec.containers.all(container, !container.image.contains('latest'))" message: "Using a mutable image tag e.g. 'latest' is not allowed." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml index 16890da523..a4aef1981a 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml 
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml @@ -20,5 +20,6 @@ spec: namespaces: - test cel: + generate: true expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml index 029c79d15f..7b2c29bf83 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml @@ -16,8 +16,7 @@ spec: - action: Enforce namespaces: - default - message: "The label `app` is required." - pattern: - metadata: - labels: - app: "?*" + cel: + generate: true + expressions: + - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/policy.yaml index 44bea23ca7..bbc714e2d8 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/policy.yaml 
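Review bot: In the cpol-validation-failure-action-overrides-with-namespace hunk the switch from `pattern` to `cel` drops the `message` line that the removed block carried, so the added `- expression: "'app' in object.metadata.labels"` has no user-facing text and, unlike the hostPath fixtures in this commit, reports only the raw expression on failure; restoring the removed message as a `message:` entry beside the expression keeps the original wording. Separately, if I read Kubernetes CEL semantics correctly, `'app' in object.metadata.labels` produces an evaluation error rather than `false` when the object carries no labels map at all, so `has(object.metadata.labels) && 'app' in object.metadata.labels` would be the safer form for a fixture that is meant to exercise the failure-action override rather than an error path. The enclosing rule, including its `validate:` and `validationFailureActionOverrides` header, starts above the hunk.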
@@ -26,6 +26,7 @@ spec: - connector validate: cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/policy.yaml index a8f5aa4bf2..06efb20ea8 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/policy.yaml @@ -17,6 +17,7 @@ spec: - UPDATE validate: cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/policy.yaml index a8f5aa4bf2..06efb20ea8 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/policy.yaml 
@@ -17,6 +17,7 @@ spec: - UPDATE validate: cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/policy.yaml index a8f5aa4bf2..06efb20ea8 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/policy.yaml @@ -17,6 +17,7 @@ spec: - UPDATE validate: cel: + generate: true expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/chainsaw-test.yaml new file mode 100755 index 0000000000..160e116de6 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/chainsaw-test.yaml 
@@ -0,0 +1,26 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disable-generate +spec: + steps: + - name: create policy + use: + template: ../../../../../_step-templates/create-policy.yaml + with: + bindings: + - name: file + value: policy.yaml + - name: wait policy ready + use: + template: ../../../../../_step-templates/cluster-policy-ready.yaml + with: + bindings: + - name: name + value: disable-generate + - name: step-02 + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/policy.yaml new file mode 100644 index 0000000000..682b709356 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/policy.yaml @@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disable-generate +spec: + background: false + rules: + - name: host-path + match: + all: + - resources: + kinds: + - Deployment + - StatefulSet + operations: + - CREATE + - UPDATE + selector: + matchLabels: + app: critical + validate: + failureAction: Audit + cel: + generate: false + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." 
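Review bot: The third step in the new disable-generate/chainsaw-test.yaml is named `step-02` while the two steps before it carry descriptive names (`create policy`, `wait policy ready`); `- name: verify no VAP or binding is generated` would read consistently. The two `error:` checks in that step pass as soon as the ValidatingAdmissionPolicy and its binding are absent, which, if chainsaw's error operation behaves as I recall, also holds when the controller simply has not acted yet, so the test may not distinguish "generation disabled" from "generation not finished"; a short wait before the step, or an assertion on the status the controller records on the ClusterPolicy, would make this negative check stronger. The file is also added with mode `100755`, whereas the sibling policy.yaml and expected-resource fixtures in this change are `100644`; a YAML fixture does not need the executable bit.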
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..39e387b5fa --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: cpol-disable-generate +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..a0d2c74f5f --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/disable-generate/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: cpol-disable-generate-binding +spec: {}