mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

feat: support disabling schema validation on the patched resource (#5197)

* Support disabling schema validation on the patched resource

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api doc

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
shuting 2022-11-03 16:12:44 +08:00 committed by GitHub
parent 076f2c3c49
commit 3fc157717a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 41 additions and 25 deletions


@ -103,6 +103,10 @@ func (p *ClusterPolicy) IsReady() bool {
return p.Status.IsReady()
}
func (p *ClusterPolicy) ValidateSchema() bool {
return p.Spec.ValidateSchema()
}
// Validate implements programmatic validation
// namespaced means that the policy is bound to a namespace and therefore
// should not filter/generate cluster wide resources.
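Review bot: The new exported method `ValidateSchema` on `ClusterPolicy` has no doc comment, and its name reads like an action although it only returns the flag held in `p.Spec`. The same applies to `Policy.ValidateSchema` and to the method added to `PolicyInterface` in the following sections. I would add `// ValidateSchema reports whether schema validation is enabled for this policy (defaults to true).` above each, so a caller does not mistake it for a call that performs validation.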


@ -19,4 +19,5 @@ type PolicyInterface interface {
GetKind() string
CreateDeepCopy() PolicyInterface
IsReady() bool
ValidateSchema() bool
}


@ -104,6 +104,10 @@ func (p *Policy) IsReady() bool {
return p.Status.IsReady()
}
func (p *Policy) ValidateSchema() bool {
return p.Spec.ValidateSchema()
}
// Validate implements programmatic validation.
// namespaced means that the policy is bound to a namespace and therefore
// should not filter/generate cluster wide resources.


@ -75,7 +75,7 @@ type Spec struct {
// +kubebuilder:default=true
Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
// SchemaValidation skips policy validation checks.
// SchemaValidation skips validation checks for policies as well as patched resources.
// Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
// +optional
SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
@ -224,6 +224,13 @@ func (s *Spec) GetApplyRules() ApplyRulesType {
return *s.ApplyRules
}
func (s *Spec) ValidateSchema() bool {
if s.SchemaValidation != nil {
return *s.SchemaValidation
}
return true
}
// ValidateRuleNames checks if the rule names are unique across a policy
func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList) {
names := sets.NewString()
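Review bot: The updated field comment still says `SchemaValidation skips validation checks ...`, which is the inverse of what `Spec.ValidateSchema` implements: a nil or true value means the checks run, and only an explicit false skips them. Because the flag now also turns off validation of the resource produced by a mutation, the wording matters; I would write `// SchemaValidation controls schema validation of the policy and of resources patched by it.` and keep the existing sentence about the default. `ValidateSchema` also lacks a doc comment, e.g. `// ValidateSchema reports whether schema validation is enabled; an unset SchemaValidation means true.` The same field comment is repeated in the second `Spec` struct section that follows and in the generated CRD and API docs.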


@ -48,7 +48,7 @@ type Spec struct {
// +kubebuilder:default=true
Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
// SchemaValidation skips policy validation checks.
// SchemaValidation skips validation checks for policies as well as patched resources.
// Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
// +optional
SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`


@ -2829,7 +2829,7 @@ spec:
type: object
type: array
schemaValidation:
description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
description: SchemaValidation skips validation checks for policies as well as patched resources. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
type: boolean
validationFailureAction:
default: audit
@ -6351,7 +6351,7 @@ spec:
type: object
type: array
schemaValidation:
description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
description: SchemaValidation skips validation checks for policies as well as patched resources. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
type: boolean
validationFailureAction:
default: audit
@ -10500,7 +10500,7 @@ spec:
type: object
type: array
schemaValidation:
description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
description: SchemaValidation skips validation checks for policies as well as patched resources. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
type: boolean
validationFailureAction:
default: audit
@ -14022,7 +14022,7 @@ spec:
type: object
type: array
schemaValidation:
description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
description: SchemaValidation skips validation checks for policies as well as patched resources. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
type: boolean
validationFailureAction:
default: audit


@ -2878,9 +2878,9 @@ spec:
type: object
type: array
schemaValidation:
description: SchemaValidation skips policy validation checks. Optional.
The default value is set to "true", it must be set to "false" to
disable the validation checks.
description: SchemaValidation skips validation checks for policies
as well as patched resources. Optional. The default value is set
to "true", it must be set to "false" to disable the validation checks.
type: boolean
validationFailureAction:
default: audit
@ -8499,9 +8499,9 @@ spec:
type: object
type: array
schemaValidation:
description: SchemaValidation skips policy validation checks. Optional.
The default value is set to "true", it must be set to "false" to
disable the validation checks.
description: SchemaValidation skips validation checks for policies
as well as patched resources. Optional. The default value is set
to "true", it must be set to "false" to disable the validation checks.
type: boolean
validationFailureAction:
default: audit


@ -2879,9 +2879,9 @@ spec:
type: object
type: array
schemaValidation:
description: SchemaValidation skips policy validation checks. Optional.
The default value is set to "true", it must be set to "false" to
disable the validation checks.
description: SchemaValidation skips validation checks for policies
as well as patched resources. Optional. The default value is set
to "true", it must be set to "false" to disable the validation checks.
type: boolean
validationFailureAction:
default: audit
@ -8502,9 +8502,9 @@ spec:
type: object
type: array
schemaValidation:
description: SchemaValidation skips policy validation checks. Optional.
The default value is set to "true", it must be set to "false" to
disable the validation checks.
description: SchemaValidation skips validation checks for policies
as well as patched resources. Optional. The default value is set
to "true", it must be set to "false" to disable the validation checks.
type: boolean
validationFailureAction:
default: audit


@ -205,7 +205,7 @@ bool
</td>
<td>
<em>(Optional)</em>
<p>SchemaValidation skips policy validation checks.
<p>SchemaValidation skips validation checks for policies as well as patched resources.
Optional. The default value is set to &ldquo;true&rdquo;, it must be set to &ldquo;false&rdquo; to disable the validation checks.</p>
</td>
</tr>
@ -546,7 +546,7 @@ bool
</td>
<td>
<em>(Optional)</em>
<p>SchemaValidation skips policy validation checks.
<p>SchemaValidation skips validation checks for policies as well as patched resources.
Optional. The default value is set to &ldquo;true&rdquo;, it must be set to &ldquo;false&rdquo; to disable the validation checks.</p>
</td>
</tr>
@ -3476,7 +3476,7 @@ bool
</td>
<td>
<em>(Optional)</em>
<p>SchemaValidation skips policy validation checks.
<p>SchemaValidation skips validation checks for policies as well as patched resources.
Optional. The default value is set to &ldquo;true&rdquo;, it must be set to &ldquo;false&rdquo; to disable the validation checks.</p>
</td>
</tr>
@ -5093,7 +5093,7 @@ bool
</td>
<td>
<em>(Optional)</em>
<p>SchemaValidation skips policy validation checks.
<p>SchemaValidation skips validation checks for policies as well as patched resources.
Optional. The default value is set to &ldquo;true&rdquo;, it must be set to &ldquo;false&rdquo; to disable the validation checks.</p>
</td>
</tr>
@ -5318,7 +5318,7 @@ bool
</td>
<td>
<em>(Optional)</em>
<p>SchemaValidation skips policy validation checks.
<p>SchemaValidation skips validation checks for policies as well as patched resources.
Optional. The default value is set to &ldquo;true&rdquo;, it must be set to &ldquo;false&rdquo; to disable the validation checks.</p>
</td>
</tr>
@ -6145,7 +6145,7 @@ bool
</td>
<td>
<em>(Optional)</em>
<p>SchemaValidation skips policy validation checks.
<p>SchemaValidation skips validation checks for policies as well as patched resources.
Optional. The default value is set to &ldquo;true&rdquo;, it must be set to &ldquo;false&rdquo; to disable the validation checks.</p>
</td>
</tr>


@ -156,7 +156,7 @@ func (h *mutationHandler) applyMutation(request *admissionv1.AdmissionRequest, p
return nil, nil, fmt.Errorf("failed to apply policy %s rules %v", policyContext.Policy.GetName(), engineResponse.GetFailedRules())
}
if engineResponse.PatchedResource.GetKind() != "*" {
if policyContext.Policy.ValidateSchema() && engineResponse.PatchedResource.GetKind() != "*" {
err := h.openApiManager.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetAPIVersion(), engineResponse.PatchedResource.GetKind())
if err != nil {
return nil, nil, errors.Wrapf(err, "failed to validate resource mutated by policy %s", policyContext.Policy.GetName())
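Review bot: When `policyContext.Policy.ValidateSchema()` is false, the patched resource skips `h.openApiManager.ValidateResource` entirely, and nothing at this branch records that the check was skipped. A policy author can therefore switch off the validation this handler applies to that policy's own mutation output. A malformed patch would then presumably surface only later, at API-server validation, or not at all for fields the server does not check. I would log the skip with the policy name at the `if`, and add a test that covers `schemaValidation: false` with a mutation that yields an invalid resource. The body of `applyMutation` starts and ends outside the hunk.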