mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity

feat: Introduce PolicyException CRD (#5662)

Browse source 
* feat: Introduce PolicyException CRD

Signed-off-by: Eileen Yu <eileenylj@gmail.com>

* Apply suggestions from code review

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Eileen Yu <eileenylj@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Eileen 2022-12-13 14:02:54 -05:00 committed by GitHub
parent 807b16b87c
commit 3eede76fc4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
23 changed files with 3023 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
api/kyverno/v2alpha1/exception_type.go Normal file
View file

@ -0,0 +1,63 @@
/*
Copyright 2022 The Kubernetes authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v2alpha1
import (
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +genclient
// +kubebuilder:object:root=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
// +kubebuilder:storageversion
// +kubebuilder:resource:shortName=polex,categories=kyverno
// PolicyException declares resources to be excluded from specified policies.
type PolicyException struct {
metav1.TypeMeta `json:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec declares policy exception behaviors.
Spec PolicyExceptionSpec `json:"spec"`
}
// PolicyExceptionSpec stores policy exception spec
type PolicyExceptionSpec struct {
Exclude kyvernov2beta1.MatchResources `json:"exclude"`
// Exceptions is a list policy/rules to be excluded
Exceptions []Exception `json:"exceptions"`
}
type Exception struct {
// PolicyName identifies the policy to which the exception is applied.
PolicyName string `json:"policyName"`
// RuleNames identifies the rules to which the exception is applied.
RuleNames []string `json:"ruleNames"`
}
// +kubebuilder:object:root=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PolicyExceptionList is a list of Policy Exceptions
type PolicyExceptionList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []PolicyException `json:"items"`
}

2
api/kyverno/v2alpha1/register.go
View file

@ -53,6 +53,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&CleanupPolicyList{},
&ClusterCleanupPolicy{},
&ClusterCleanupPolicyList{},
&PolicyException{},
&PolicyExceptionList{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

101
api/kyverno/v2alpha1/zz_generated.deepcopy.go
View file

@ -192,3 +192,104 @@ func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object {
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Exception) DeepCopyInto(out *Exception) {
*out = *in
if in.RuleNames != nil {
in, out := &in.RuleNames, &out.RuleNames
*out = make([]string, len(*in))
copy(*out, *in)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Exception.
func (in *Exception) DeepCopy() *Exception {
if in == nil {
return nil
}
out := new(Exception)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyException) DeepCopyInto(out *PolicyException) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyException.
func (in *PolicyException) DeepCopy() *PolicyException {
if in == nil {
return nil
}
out := new(PolicyException)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PolicyException) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyExceptionList) DeepCopyInto(out *PolicyExceptionList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]PolicyException, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionList.
func (in *PolicyExceptionList) DeepCopy() *PolicyExceptionList {
if in == nil {
return nil
}
out := new(PolicyExceptionList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PolicyExceptionList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec) {
*out = *in
in.Exclude.DeepCopyInto(&out.Exclude)
if in.Exceptions != nil {
in, out := &in.Exceptions, &out.Exceptions
*out = make([]Exception, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionSpec.
func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec {
if in == nil {
return nil
}
out := new(PolicyExceptionSpec)
in.DeepCopyInto(out)
return out
}

338
charts/kyverno/templates/crds.yaml
View file

@ -18214,6 +18214,340 @@ metadata:
internal.config.kubernetes.io/index: '11'
{{- with .Values.crds.annotations }}{{ toYaml . | nindent 4 }}{{ end }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: '{{ .Release.Name }}'
app.kubernetes.io/name: '{{ template "kyverno.name" . }}'
app.kubernetes.io/part-of: '{{ template "kyverno.name" . }}'
app.kubernetes.io/version: '{{.Chart.AppVersion}}'
name: policyexceptions.kyverno.io
spec:
group: kyverno.io
names:
categories:
- kyverno
kind: PolicyException
listKind: PolicyExceptionList
plural: policyexceptions
shortNames:
- polex
singular: policyexception
scope: Namespaced
versions:
- name: v2alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified policies.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
exceptions:
description: Exceptions is a list policy/rules to be excluded
items:
properties:
policyName:
description: PolicyName identifies the policy to which the exception is applied.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception is applied.
items:
type: string
type: array
required:
- policyName
- ruleNames
type: object
type: array
exclude:
description: MatchResources is used to specify resource and admission review request data for which a policy rule is applicable.
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like users, user groups, and service accounts.
items:
description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like users, user groups, and service accounts.
items:
description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
required:
- exceptions
- exclude
type: object
required:
- spec
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '12'
internal.config.kubernetes.io/index: '12'
{{- with .Values.crds.annotations }}{{ toYaml . | nindent 4 }}{{ end }}
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: '{{ .Release.Name }}'
@ -18483,8 +18817,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
config.kubernetes.io/index: '12'
internal.config.kubernetes.io/index: '12'
config.kubernetes.io/index: '13'
internal.config.kubernetes.io/index: '13'
{{- with .Values.crds.annotations }}{{ toYaml . | nindent 4 }}{{ end }}
creationTimestamp: null
labels:

3
config/crds/kustomization.yaml
View file

@ -11,6 +11,7 @@ resources:
- ./kyverno.io_clusterpolicies.yaml
- ./kyverno.io_generaterequests.yaml
- ./kyverno.io_policies.yaml
- ./kyverno.io_policyexceptions.yaml
- ./kyverno.io_updaterequests.yaml
- ./wgpolicyk8s.io_clusterpolicyreports.yaml
- ./wgpolicyk8s.io_policyreports.yaml
- ./wgpolicyk8s.io_policyreports.yaml

481
config/crds/kyverno.io_policyexceptions.yaml Normal file
View file

@ -0,0 +1,481 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
name: policyexceptions.kyverno.io
spec:
group: kyverno.io
names:
categories:
- kyverno
kind: PolicyException
listKind: PolicyExceptionList
plural: policyexceptions
shortNames:
- polex
singular: policyexception
scope: Namespaced
versions:
- name: v2alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
exceptions:
description: Exceptions is a list policy/rules to be excluded
items:
properties:
policyName:
description: PolicyName identifies the policy to which the exception
is applied.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
is applied.
items:
type: string
type: array
required:
- policyName
- ruleNames
type: object
type: array
exclude:
description: MatchResources is used to specify resource and admission
review request data for which a policy rule is applicable.
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
required:
- exceptions
- exclude
type: object
required:
- spec
type: object
served: true
storage: true

487
config/install.yaml
View file

@ -28752,6 +28752,493 @@ spec:
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
name: policyexceptions.kyverno.io
spec:
group: kyverno.io
names:
categories:
- kyverno
kind: PolicyException
listKind: PolicyExceptionList
plural: policyexceptions
shortNames:
- polex
singular: policyexception
scope: Namespaced
versions:
- name: v2alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
exceptions:
description: Exceptions is a list policy/rules to be excluded
items:
properties:
policyName:
description: PolicyName identifies the policy to which the exception
is applied.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
is applied.
items:
type: string
type: array
required:
- policyName
- ruleNames
type: object
type: array
exclude:
description: MatchResources is used to specify resource and admission
review request data for which a policy rule is applicable.
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
required:
- exceptions
- exclude
type: object
required:
- spec
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0

486
config/install_debug.yaml
View file

@ -28741,6 +28741,492 @@ spec:
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
name: policyexceptions.kyverno.io
spec:
group: kyverno.io
names:
categories:
- kyverno
kind: PolicyException
listKind: PolicyExceptionList
plural: policyexceptions
shortNames:
- polex
singular: policyexception
scope: Namespaced
versions:
- name: v2alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
exceptions:
description: Exceptions is a list policy/rules to be excluded
items:
properties:
policyName:
description: PolicyName identifies the policy to which the exception
is applied.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
is applied.
items:
type: string
type: array
required:
- policyName
- ruleNames
type: object
type: array
exclude:
description: MatchResources is used to specify resource and admission
review request data for which a policy rule is applicable.
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
required:
- exceptions
- exclude
type: object
required:
- spec
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0

178
docs/user/crd/index.html
View file

@ -4978,6 +4978,8 @@ Resource Types:
<a href="#kyverno.io/v2alpha1.CleanupPolicy">CleanupPolicy</a>
</li><li>
<a href="#kyverno.io/v2alpha1.ClusterCleanupPolicy">ClusterCleanupPolicy</a>
</li><li>
<a href="#kyverno.io/v2alpha1.PolicyException">PolicyException</a>
</li></ul>
<hr />
<h3 id="kyverno.io/v2alpha1.CleanupPolicy">CleanupPolicy
@ -5250,6 +5252,95 @@ CleanupPolicyStatus
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v2alpha1.PolicyException">PolicyException
</h3>
<p>
<p>PolicyException declares resources to be excluded from specified policies.</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>apiVersion</code><br/>
string</td>
<td>
<code>
kyverno.io/v2alpha1
</code>
</td>
</tr>
<tr>
<td>
<code>kind</code><br/>
string
</td>
<td><code>PolicyException</code></td>
</tr>
<tr>
<td>
<code>metadata</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta">
Kubernetes meta/v1.ObjectMeta
</a>
</em>
</td>
<td>
Refer to the Kubernetes API documentation for the fields of the
<code>metadata</code> field.
</td>
</tr>
<tr>
<td>
<code>spec</code><br/>
<em>
<a href="#kyverno.io/v2alpha1.PolicyExceptionSpec">
PolicyExceptionSpec
</a>
</em>
</td>
<td>
<p>Spec declares policy exception behaviors.</p>
<br/>
<br/>
<table class="table table-striped">
<tr>
<td>
<code>exclude</code><br/>
<em>
<a href="#kyverno.io/v2beta1.MatchResources">
MatchResources
</a>
</em>
</td>
<td>
</td>
</tr>
<tr>
<td>
<code>exceptions</code><br/>
<em>
<a href="#kyverno.io/v2alpha1.Exception">
[]Exception
</a>
</em>
</td>
<td>
<p>Exceptions is a list policy/rules to be excluded</p>
</td>
</tr>
</table>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v2alpha1.CleanupPolicyInterface">CleanupPolicyInterface
</h3>
<p>
@ -5367,6 +5458,92 @@ AnyAllConditions
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v2alpha1.Exception">Exception
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2alpha1.PolicyExceptionSpec">PolicyExceptionSpec</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>policyName</code><br/>
<em>
string
</em>
</td>
<td>
<p>PolicyName identifies the policy to which the exception is applied.</p>
</td>
</tr>
<tr>
<td>
<code>ruleNames</code><br/>
<em>
[]string
</em>
</td>
<td>
<p>RuleNames identifies the rules to which the exception is applied.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v2alpha1.PolicyExceptionSpec">PolicyExceptionSpec
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2alpha1.PolicyException">PolicyException</a>)
</p>
<p>
<p>PolicyExceptionSpec stores policy exception spec</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>exclude</code><br/>
<em>
<a href="#kyverno.io/v2beta1.MatchResources">
MatchResources
</a>
</em>
</td>
<td>
</td>
</tr>
<tr>
<td>
<code>exceptions</code><br/>
<em>
<a href="#kyverno.io/v2alpha1.Exception">
[]Exception
</a>
</em>
</td>
<td>
<p>Exceptions is a list policy/rules to be excluded</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h2 id="kyverno.io/v2beta1">kyverno.io/v2beta1</h2>
Resource Types:
<ul><li>
@ -6102,6 +6279,7 @@ bool
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2alpha1.CleanupPolicySpec">CleanupPolicySpec</a>,
<a href="#kyverno.io/v2alpha1.PolicyExceptionSpec">PolicyExceptionSpec</a>,
<a href="#kyverno.io/v2beta1.Rule">Rule</a>)
</p>
<p>

14
pkg/client/clientset/versioned/fake/register.go
View file

@ -45,14 +45,14 @@ var localSchemeBuilder = runtime.SchemeBuilder{
// AddToScheme adds all types of this clientset into the given scheme. This allows composition
// of clientsets, like in:
//
// import (
// "k8s.io/client-go/kubernetes"
// clientsetscheme "k8s.io/client-go/kubernetes/scheme"
// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
// )
// import (
// "k8s.io/client-go/kubernetes"
// clientsetscheme "k8s.io/client-go/kubernetes/scheme"
// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
// )
//
// kclientset, _ := kubernetes.NewForConfig(c)
// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
// kclientset, _ := kubernetes.NewForConfig(c)
// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
//
// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
// correctly.

14
pkg/client/clientset/versioned/scheme/register.go
View file

@ -45,14 +45,14 @@ var localSchemeBuilder = runtime.SchemeBuilder{
// AddToScheme adds all types of this clientset into the given scheme. This allows composition
// of clientsets, like in:
//
// import (
// "k8s.io/client-go/kubernetes"
// clientsetscheme "k8s.io/client-go/kubernetes/scheme"
// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
// )
// import (
// "k8s.io/client-go/kubernetes"
// clientsetscheme "k8s.io/client-go/kubernetes/scheme"
// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
// )
//
// kclientset, _ := kubernetes.NewForConfig(c)
// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
// kclientset, _ := kubernetes.NewForConfig(c)
// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
//
// After this, RawExtensions in Kubernetes types will serialize kube-aggregator types
// correctly.

4
pkg/client/clientset/versioned/typed/kyverno/v2alpha1/fake/fake_kyverno_client.go
View file

@ -36,6 +36,10 @@ func (c *FakeKyvernoV2alpha1) ClusterCleanupPolicies() v2alpha1.ClusterCleanupPo
return &FakeClusterCleanupPolicies{c}
}
func (c *FakeKyvernoV2alpha1) PolicyExceptions(namespace string) v2alpha1.PolicyExceptionInterface {
return &FakePolicyExceptions{c, namespace}
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *FakeKyvernoV2alpha1) RESTClient() rest.Interface {

130
pkg/client/clientset/versioned/typed/kyverno/v2alpha1/fake/fake_policyexception.go Normal file
View file

@ -0,0 +1,130 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
schema "k8s.io/apimachinery/pkg/runtime/schema"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakePolicyExceptions implements PolicyExceptionInterface
type FakePolicyExceptions struct {
Fake *FakeKyvernoV2alpha1
ns string
}
var policyexceptionsResource = schema.GroupVersionResource{Group: "kyverno.io", Version: "v2alpha1", Resource: "policyexceptions"}
var policyexceptionsKind = schema.GroupVersionKind{Group: "kyverno.io", Version: "v2alpha1", Kind: "PolicyException"}
// Get takes name of the policyException, and returns the corresponding policyException object, and an error if there is any.
func (c *FakePolicyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2alpha1.PolicyException, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(policyexceptionsResource, c.ns, name), &v2alpha1.PolicyException{})
if obj == nil {
return nil, err
}
return obj.(*v2alpha1.PolicyException), err
}
// List takes label and field selectors, and returns the list of PolicyExceptions that match those selectors.
func (c *FakePolicyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v2alpha1.PolicyExceptionList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(policyexceptionsResource, policyexceptionsKind, c.ns, opts), &v2alpha1.PolicyExceptionList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v2alpha1.PolicyExceptionList{ListMeta: obj.(*v2alpha1.PolicyExceptionList).ListMeta}
for _, item := range obj.(*v2alpha1.PolicyExceptionList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested policyExceptions.
func (c *FakePolicyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(policyexceptionsResource, c.ns, opts))
}
// Create takes the representation of a policyException and creates it. Returns the server's representation of the policyException, and an error, if there is any.
func (c *FakePolicyExceptions) Create(ctx context.Context, policyException *v2alpha1.PolicyException, opts v1.CreateOptions) (result *v2alpha1.PolicyException, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(policyexceptionsResource, c.ns, policyException), &v2alpha1.PolicyException{})
if obj == nil {
return nil, err
}
return obj.(*v2alpha1.PolicyException), err
}
// Update takes the representation of a policyException and updates it. Returns the server's representation of the policyException, and an error, if there is any.
func (c *FakePolicyExceptions) Update(ctx context.Context, policyException *v2alpha1.PolicyException, opts v1.UpdateOptions) (result *v2alpha1.PolicyException, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(policyexceptionsResource, c.ns, policyException), &v2alpha1.PolicyException{})
if obj == nil {
return nil, err
}
return obj.(*v2alpha1.PolicyException), err
}
// Delete takes name of the policyException and deletes it. Returns an error if one occurs.
func (c *FakePolicyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteActionWithOptions(policyexceptionsResource, c.ns, name, opts), &v2alpha1.PolicyException{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakePolicyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(policyexceptionsResource, c.ns, listOpts)
_, err := c.Fake.Invokes(action, &v2alpha1.PolicyExceptionList{})
return err
}
// Patch applies the patch and returns the patched policyException.
func (c *FakePolicyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2alpha1.PolicyException, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(policyexceptionsResource, c.ns, name, pt, data, subresources...), &v2alpha1.PolicyException{})
if obj == nil {
return nil, err
}
return obj.(*v2alpha1.PolicyException), err
}

2
pkg/client/clientset/versioned/typed/kyverno/v2alpha1/generated_expansion.go
View file

@ -21,3 +21,5 @@ package v2alpha1
type CleanupPolicyExpansion interface{}
type ClusterCleanupPolicyExpansion interface{}
type PolicyExceptionExpansion interface{}

5
pkg/client/clientset/versioned/typed/kyverno/v2alpha1/kyverno_client.go
View file

@ -30,6 +30,7 @@ type KyvernoV2alpha1Interface interface {
RESTClient() rest.Interface
CleanupPoliciesGetter
ClusterCleanupPoliciesGetter
PolicyExceptionsGetter
}
// KyvernoV2alpha1Client is used to interact with features provided by the kyverno.io group.
@ -45,6 +46,10 @@ func (c *KyvernoV2alpha1Client) ClusterCleanupPolicies() ClusterCleanupPolicyInt
return newClusterCleanupPolicies(c)
}
func (c *KyvernoV2alpha1Client) PolicyExceptions(namespace string) PolicyExceptionInterface {
return newPolicyExceptions(c, namespace)
}
// NewForConfig creates a new KyvernoV2alpha1Client for the given config.
// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
// where httpClient was generated with rest.HTTPClientFor(c).

178
pkg/client/clientset/versioned/typed/kyverno/v2alpha1/policyexception.go Normal file
View file

@ -0,0 +1,178 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v2alpha1
import (
"context"
"time"
v2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// PolicyExceptionsGetter has a method to return a PolicyExceptionInterface.
// A group's client should implement this interface.
type PolicyExceptionsGetter interface {
PolicyExceptions(namespace string) PolicyExceptionInterface
}
// PolicyExceptionInterface has methods to work with PolicyException resources.
type PolicyExceptionInterface interface {
Create(ctx context.Context, policyException *v2alpha1.PolicyException, opts v1.CreateOptions) (*v2alpha1.PolicyException, error)
Update(ctx context.Context, policyException *v2alpha1.PolicyException, opts v1.UpdateOptions) (*v2alpha1.PolicyException, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v2alpha1.PolicyException, error)
List(ctx context.Context, opts v1.ListOptions) (*v2alpha1.PolicyExceptionList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2alpha1.PolicyException, err error)
PolicyExceptionExpansion
}
// policyExceptions implements PolicyExceptionInterface
type policyExceptions struct {
client rest.Interface
ns string
}
// newPolicyExceptions returns a PolicyExceptions
func newPolicyExceptions(c *KyvernoV2alpha1Client, namespace string) *policyExceptions {
return &policyExceptions{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the policyException, and returns the corresponding policyException object, and an error if there is any.
func (c *policyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2alpha1.PolicyException, err error) {
result = &v2alpha1.PolicyException{}
err = c.client.Get().
Namespace(c.ns).
Resource("policyexceptions").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of PolicyExceptions that match those selectors.
func (c *policyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v2alpha1.PolicyExceptionList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v2alpha1.PolicyExceptionList{}
err = c.client.Get().
Namespace(c.ns).
Resource("policyexceptions").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested policyExceptions.
func (c *policyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("policyexceptions").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a policyException and creates it. Returns the server's representation of the policyException, and an error, if there is any.
func (c *policyExceptions) Create(ctx context.Context, policyException *v2alpha1.PolicyException, opts v1.CreateOptions) (result *v2alpha1.PolicyException, err error) {
result = &v2alpha1.PolicyException{}
err = c.client.Post().
Namespace(c.ns).
Resource("policyexceptions").
VersionedParams(&opts, scheme.ParameterCodec).
Body(policyException).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a policyException and updates it. Returns the server's representation of the policyException, and an error, if there is any.
func (c *policyExceptions) Update(ctx context.Context, policyException *v2alpha1.PolicyException, opts v1.UpdateOptions) (result *v2alpha1.PolicyException, err error) {
result = &v2alpha1.PolicyException{}
err = c.client.Put().
Namespace(c.ns).
Resource("policyexceptions").
Name(policyException.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(policyException).
Do(ctx).
Into(result)
return
}
// Delete takes name of the policyException and deletes it. Returns an error if one occurs.
func (c *policyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("policyexceptions").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *policyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("policyexceptions").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched policyException.
func (c *policyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2alpha1.PolicyException, err error) {
result = &v2alpha1.PolicyException{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("policyexceptions").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}

2
pkg/client/informers/externalversions/generic.go
View file

@ -83,6 +83,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2alpha1().CleanupPolicies().Informer()}, nil
case v2alpha1.SchemeGroupVersion.WithResource("clustercleanuppolicies"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2alpha1().ClusterCleanupPolicies().Informer()}, nil
case v2alpha1.SchemeGroupVersion.WithResource("policyexceptions"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2alpha1().PolicyExceptions().Informer()}, nil
// Group=wgpolicyk8s.io, Version=v1alpha2
case policyreportv1alpha2.SchemeGroupVersion.WithResource("clusterpolicyreports"):

7
pkg/client/informers/externalversions/kyverno/v2alpha1/interface.go
View file

@ -28,6 +28,8 @@ type Interface interface {
CleanupPolicies() CleanupPolicyInformer
// ClusterCleanupPolicies returns a ClusterCleanupPolicyInformer.
ClusterCleanupPolicies() ClusterCleanupPolicyInformer
// PolicyExceptions returns a PolicyExceptionInformer.
PolicyExceptions() PolicyExceptionInformer
}
type version struct {
@ -50,3 +52,8 @@ func (v *version) CleanupPolicies() CleanupPolicyInformer {
func (v *version) ClusterCleanupPolicies() ClusterCleanupPolicyInformer {
return &clusterCleanupPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
}
// PolicyExceptions returns a PolicyExceptionInformer.
func (v *version) PolicyExceptions() PolicyExceptionInformer {
return &policyExceptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}

90
pkg/client/informers/externalversions/kyverno/v2alpha1/policyexception.go Normal file
View file

@ -0,0 +1,90 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v2alpha1
import (
"context"
time "time"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
v2alpha1 "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// PolicyExceptionInformer provides access to a shared informer and lister for
// PolicyExceptions.
type PolicyExceptionInformer interface {
Informer() cache.SharedIndexInformer
Lister() v2alpha1.PolicyExceptionLister
}
type policyExceptionInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewPolicyExceptionInformer constructs a new informer for PolicyException type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredPolicyExceptionInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredPolicyExceptionInformer constructs a new informer for PolicyException type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.KyvernoV2alpha1().PolicyExceptions(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.KyvernoV2alpha1().PolicyExceptions(namespace).Watch(context.TODO(), options)
},
},
&kyvernov2alpha1.PolicyException{},
resyncPeriod,
indexers,
)
}
func (f *policyExceptionInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredPolicyExceptionInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *policyExceptionInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&kyvernov2alpha1.PolicyException{}, f.defaultInformer)
}
func (f *policyExceptionInformer) Lister() v2alpha1.PolicyExceptionLister {
return v2alpha1.NewPolicyExceptionLister(f.Informer().GetIndexer())
}

8
pkg/client/listers/kyverno/v2alpha1/expansion_generated.go
View file

@ -29,3 +29,11 @@ type CleanupPolicyNamespaceListerExpansion interface{}
// ClusterCleanupPolicyListerExpansion allows custom methods to be added to
// ClusterCleanupPolicyLister.
type ClusterCleanupPolicyListerExpansion interface{}
// PolicyExceptionListerExpansion allows custom methods to be added to
// PolicyExceptionLister.
type PolicyExceptionListerExpansion interface{}
// PolicyExceptionNamespaceListerExpansion allows custom methods to be added to
// PolicyExceptionNamespaceLister.
type PolicyExceptionNamespaceListerExpansion interface{}

99
pkg/client/listers/kyverno/v2alpha1/policyexception.go Normal file
View file

@ -0,0 +1,99 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v2alpha1
import (
v2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// PolicyExceptionLister helps list PolicyExceptions.
// All objects returned here must be treated as read-only.
type PolicyExceptionLister interface {
// List lists all PolicyExceptions in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v2alpha1.PolicyException, err error)
// PolicyExceptions returns an object that can list and get PolicyExceptions.
PolicyExceptions(namespace string) PolicyExceptionNamespaceLister
PolicyExceptionListerExpansion
}
// policyExceptionLister implements the PolicyExceptionLister interface.
type policyExceptionLister struct {
indexer cache.Indexer
}
// NewPolicyExceptionLister returns a new PolicyExceptionLister.
func NewPolicyExceptionLister(indexer cache.Indexer) PolicyExceptionLister {
return &policyExceptionLister{indexer: indexer}
}
// List lists all PolicyExceptions in the indexer.
func (s *policyExceptionLister) List(selector labels.Selector) (ret []*v2alpha1.PolicyException, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v2alpha1.PolicyException))
})
return ret, err
}
// PolicyExceptions returns an object that can list and get PolicyExceptions.
func (s *policyExceptionLister) PolicyExceptions(namespace string) PolicyExceptionNamespaceLister {
return policyExceptionNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// PolicyExceptionNamespaceLister helps list and get PolicyExceptions.
// All objects returned here must be treated as read-only.
type PolicyExceptionNamespaceLister interface {
// List lists all PolicyExceptions in the indexer for a given namespace.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v2alpha1.PolicyException, err error)
// Get retrieves the PolicyException from the indexer for a given namespace and name.
// Objects returned here must be treated as read-only.
Get(name string) (*v2alpha1.PolicyException, error)
PolicyExceptionNamespaceListerExpansion
}
// policyExceptionNamespaceLister implements the PolicyExceptionNamespaceLister
// interface.
type policyExceptionNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all PolicyExceptions in the indexer for a given namespace.
func (s policyExceptionNamespaceLister) List(selector labels.Selector) (ret []*v2alpha1.PolicyException, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v2alpha1.PolicyException))
})
return ret, err
}
// Get retrieves the PolicyException from the indexer for a given namespace and name.
func (s policyExceptionNamespaceLister) Get(name string) (*v2alpha1.PolicyException, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v2alpha1.Resource("policyexception"), name)
}
return obj.(*v2alpha1.PolicyException), nil
}

11
pkg/clients/kyverno/kyvernov2alpha1/client.generated.go
View file

@ -5,6 +5,7 @@ import (
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2alpha1"
cleanuppolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2alpha1/cleanuppolicies"
clustercleanuppolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2alpha1/clustercleanuppolicies"
policyexceptions "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2alpha1/policyexceptions"
"github.com/kyverno/kyverno/pkg/metrics"
"k8s.io/client-go/rest"
)
@ -38,6 +39,10 @@ func (c *withMetrics) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_cl
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ClusterCleanupPolicy", c.clientType)
return clustercleanuppolicies.WithMetrics(c.inner.ClusterCleanupPolicies(), recorder)
}
func (c *withMetrics) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface {
recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "PolicyException", c.clientType)
return policyexceptions.WithMetrics(c.inner.PolicyExceptions(namespace), recorder)
}
type withTracing struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.KyvernoV2alpha1Interface
@ -53,6 +58,9 @@ func (c *withTracing) CleanupPolicies(namespace string) github_com_kyverno_kyver
func (c *withTracing) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.ClusterCleanupPolicyInterface {
return clustercleanuppolicies.WithTracing(c.inner.ClusterCleanupPolicies(), c.client, "ClusterCleanupPolicy")
}
func (c *withTracing) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface {
return policyexceptions.WithTracing(c.inner.PolicyExceptions(namespace), c.client, "PolicyException")
}
type withLogging struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.KyvernoV2alpha1Interface
@ -68,3 +76,6 @@ func (c *withLogging) CleanupPolicies(namespace string) github_com_kyverno_kyver
func (c *withLogging) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.ClusterCleanupPolicyInterface {
return clustercleanuppolicies.WithLogging(c.inner.ClusterCleanupPolicies(), c.logger.WithValues("resource", "ClusterCleanupPolicies"))
}
func (c *withLogging) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface {
return policyexceptions.WithLogging(c.inner.PolicyExceptions(namespace), c.logger.WithValues("resource", "PolicyExceptions").WithValues("namespace", namespace))
}

337
pkg/clients/kyverno/kyvernov2alpha1/policyexceptions/resource.generated.go Normal file
View file

@ -0,0 +1,337 @@
package resource
import (
context "context"
"fmt"
"time"
"github.com/go-logr/logr"
github_com_kyverno_kyverno_api_kyverno_v2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2alpha1"
"github.com/kyverno/kyverno/pkg/metrics"
"github.com/kyverno/kyverno/pkg/tracing"
"go.opentelemetry.io/otel/trace"
"go.uber.org/multierr"
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
)
func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface {
return &withLogging{inner, logger}
}
func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface {
return &withMetrics{inner, recorder}
}
func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface {
return &withTracing{inner, client, kind}
}
type withLogging struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface
logger logr.Logger
}
func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Create")
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Create failed", "duration", time.Since(start))
} else {
logger.Info("Create done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
start := time.Now()
logger := c.logger.WithValues("operation", "Delete")
ret0 := c.inner.Delete(arg0, arg1, arg2)
if err := multierr.Combine(ret0); err != nil {
logger.Error(err, "Delete failed", "duration", time.Since(start))
} else {
logger.Info("Delete done", "duration", time.Since(start))
}
return ret0
}
func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
start := time.Now()
logger := c.logger.WithValues("operation", "DeleteCollection")
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
if err := multierr.Combine(ret0); err != nil {
logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
} else {
logger.Info("DeleteCollection done", "duration", time.Since(start))
}
return ret0
}
func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Get")
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Get failed", "duration", time.Since(start))
} else {
logger.Info("Get done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyExceptionList, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "List")
ret0, ret1 := c.inner.List(arg0, arg1)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "List failed", "duration", time.Since(start))
} else {
logger.Info("List done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Patch")
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Patch failed", "duration", time.Since(start))
} else {
logger.Info("Patch done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Update")
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Update failed", "duration", time.Since(start))
} else {
logger.Info("Update done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Watch")
ret0, ret1 := c.inner.Watch(arg0, arg1)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Watch failed", "duration", time.Since(start))
} else {
logger.Info("Watch done", "duration", time.Since(start))
}
return ret0, ret1
}
type withMetrics struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface
recorder metrics.Recorder
}
func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "create")
return c.inner.Create(arg0, arg1, arg2)
}
func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
defer c.recorder.RecordWithContext(arg0, "delete")
return c.inner.Delete(arg0, arg1, arg2)
}
func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
defer c.recorder.RecordWithContext(arg0, "delete_collection")
return c.inner.DeleteCollection(arg0, arg1, arg2)
}
func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "get")
return c.inner.Get(arg0, arg1, arg2)
}
func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyExceptionList, error) {
defer c.recorder.RecordWithContext(arg0, "list")
return c.inner.List(arg0, arg1)
}
func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "patch")
return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
}
func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "update")
return c.inner.Update(arg0, arg1, arg2)
}
func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
defer c.recorder.RecordWithContext(arg0, "watch")
return c.inner.Watch(arg0, arg1)
}
type withTracing struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.PolicyExceptionInterface
client string
kind string
}
func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Create"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Delete"),
),
)
defer span.End()
}
ret0 := c.inner.Delete(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret0)
}
return ret0
}
func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("DeleteCollection"),
),
)
defer span.End()
}
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret0)
}
return ret0
}
func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Get"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyExceptionList, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("List"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.List(arg0, arg1)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Patch"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2alpha1.PolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Update"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Watch"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Watch(arg0, arg1)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}