mirror of https://github.com/kyverno/kyverno.git synced 2025-04-15 00:36:28 +00:00

feat: add global context entry openapi validation (#10998)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2024-09-04 21:43:12 +02:00 committed by GitHub
parent 8a0795fa8f
commit 31dcff1b1c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 19 additions and 15 deletions


@ -47,23 +47,15 @@ type GlobalContextEntry struct {
Status GlobalContextEntryStatus `json:"status,omitempty"`
}
// GetStatus returns the globalcontextentry status
func (p *GlobalContextEntry) GetStatus() *GlobalContextEntryStatus {
return &p.Status
}
// Validate implements programmatic validation
func (c *GlobalContextEntry) Validate() (errs field.ErrorList) {
errs = append(errs, c.Spec.Validate(field.NewPath("spec"))...)
return errs
}
// IsNamespaced indicates if the policy is namespace scoped
func (c *GlobalContextEntry) IsNamespaced() bool {
return false
}
// GlobalContextEntrySpec stores policy exception spec
// +kubebuilder:oneOf:={required:{kubernetesResource}}
// +kubebuilder:oneOf:={required:{apiCall}}
type GlobalContextEntrySpec struct {
// Stores a list of Kubernetes resources which will be cached.
// Mutually exclusive with APICall.
@ -170,14 +162,11 @@ func (e *ExternalAPICall) Validate(path *field.Path) (errs field.ErrorList) {
if e.RefreshInterval.Duration == 0*time.Second {
errs = append(errs, field.Required(path.Child("refreshIntervalSeconds"), "A Resource entry requires a refresh interval greater than 0 seconds"))
}
if (e.Service == nil && e.URLPath == "") || (e.Service != nil && e.URLPath != "") {
errs = append(errs, field.Forbidden(path.Child("service"), "An External API call should either have Service or URLPath"))
}
if e.Data != nil && e.Method != "POST" {
errs = append(errs, field.Forbidden(path.Child("method"), "An External API call with data should have method as POST"))
}
return errs
}
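Review bot: The `+kubebuilder:oneOf` markers above `GlobalContextEntrySpec` only take effect on clusters whose installed CRD has been regenerated and re-applied, so the exclusivity of `kubernetesResource` and `apiCall` should stay enforced in `GlobalContextEntrySpec.Validate` as well. That method, like the rest of the struct body, is outside the hunks shown here, so it is not visible whether the programmatic check is kept; if it was dropped, a cluster still running the older CRD schema would admit an entry that sets both sources or neither. The markers also assert only that the key is present (`required`), not that its value is well formed, which the `Validate` methods still have to cover. Separately, the type comment still reads "stores policy exception spec"; I would change it to `// GlobalContextEntrySpec stores the global context entry spec`.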


@ -61,6 +61,11 @@ spec:
type: object
spec:
description: Spec declares policy exception behaviors.
oneOf:
- required:
- kubernetesResource
- required:
- apiCall
properties:
apiCall:
description: |-


@ -55,6 +55,11 @@ spec:
type: object
spec:
description: Spec declares policy exception behaviors.
oneOf:
- required:
- kubernetesResource
- required:
- apiCall
properties:
apiCall:
description: |-


@ -24802,6 +24802,11 @@ spec:
type: object
spec:
description: Spec declares policy exception behaviors.
oneOf:
- required:
- kubernetesResource
- required:
- apiCall
properties:
apiCall:
description: |-


@ -19,7 +19,7 @@ spec:
expect:
- check:
($error): |-
admission webhook "kyverno-svc.kyverno.svc" denied the request: spec.kubernetesResource: Forbidden: A global context entry should either have KubernetesResource or APICall
GlobalContextEntry.kyverno.io "ingress-2" is invalid: <nil>: Invalid value: "": "spec" must validate one and only one schema (oneOf). Found 2 valid alternatives
- name: step-03
try:
- apply:
@ -27,4 +27,4 @@ spec:
expect:
- check:
($error): |-
admission webhook "kyverno-svc.kyverno.svc" denied the request: spec.kubernetesResource: Forbidden: A global context entry should either have KubernetesResource or APICall
GlobalContextEntry.kyverno.io "ingress-3" is invalid: [<nil>: Invalid value: "": "spec" must validate one and only one schema (oneOf). Found none valid, spec.kubernetesResource: Required value]
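Review bot: Both `($error)` expectations now pin the full schema-validation message, including the `<nil>: Invalid value: ""` prefix and the "Found 2 valid alternatives" / "Found none valid" wording, which appears to come from the Kubernetes API server rather than from Kyverno and may change between Kubernetes versions. Matching a stable fragment would keep the test meaningful without that coupling, for example `(contains($error, 'must validate one and only one schema (oneOf)')): true`. The new expectations also no longer show that the admission webhook itself rejects such an entry, so a unit test of the programmatic `Validate` path would be worth having if that path is still meant as a second layer.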