mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

Allow definition of inline variables in context (#3658)

Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
Sambhav Kothari 2022-04-25 12:06:07 +01:00 committed by GitHub
parent c2107a2946
commit 44b5bf0b57
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 1301 additions and 62 deletions


@ -56,6 +56,26 @@ type ContextEntry struct {
// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
// details.
ImageRegistry *ImageRegistry `json:"imageRegistry,omitempty" yaml:"imageRegistry,omitempty"`
// Variable defines an arbitrary JMESPath context variable that can be defined inline.
Variable *Variable `json:"variable,omitempty" yaml:"variable,omitempty"`
}
// Variable defines an arbitrary JMESPath context variable that can be defined inline.
type Variable struct {
// Value is any arbitrary JSON object representable in YAML or JSON form.
// +optional
Value *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"`
// JMESPath is an optional JMESPath Expression that can be used to
// transform the variable.
// +optional
JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
// Default is an optional arbitrary JSON object that the variable may take if the JMESPath
// expression evaluates to nil
// +optional
Default *apiextv1.JSON `json:"default,omitempty" yaml:"default,omitempty"`
}
// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
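Review bot: All three fields of the new `Variable` type are marked `+optional` and nothing in this section constrains how they combine, so an entry such as `variable: {}` or one carrying only `default` is accepted by the schema, and the comments do not say what `JMESPath` is evaluated against when `Value` is absent. I would spell the contract out in the doc comments, for example on `Default`: `// Default is only consulted when JMESPath is set and evaluates to nil.` (to be confirmed against the loader, which is not visible here), and state on `Variable` that at least one of `Value` or `JMESPath` must be set. Because `Value` and `Default` are `*apiextv1.JSON`, the API server cannot check their shape, so policy validation is the only place to reject an empty variable or a `ContextEntry` that sets `Variable` together with `ImageRegistry` or another source; if that check is not added elsewhere in this commit, it should be. `ContextEntry` starts above the hunk, so its other fields are not visible here.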


@ -357,6 +357,11 @@ func (in *ContextEntry) DeepCopyInto(out *ContextEntry) {
*out = new(ImageRegistry)
**out = **in
}
if in.Variable != nil {
in, out := &in.Variable, &out.Variable
*out = new(Variable)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextEntry.
@ -1196,6 +1201,31 @@ func (in *ValidationFailureActionOverride) DeepCopy() *ValidationFailureActionOv
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Variable) DeepCopyInto(out *Variable) {
*out = *in
if in.Value != nil {
in, out := &in.Value, &out.Value
*out = new(apiextensionsv1.JSON)
(*in).DeepCopyInto(*out)
}
if in.Default != nil {
in, out := &in.Default, &out.Default
*out = new(apiextensionsv1.JSON)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Variable.
func (in *Variable) DeepCopy() *Variable {
if in == nil {
return nil
}
out := new(Variable)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ViolatedRule) DeepCopyInto(out *ViolatedRule) {
*out = *in


@ -113,6 +113,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -972,6 +985,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -1135,6 +1161,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -1580,6 +1619,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -2439,6 +2491,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -2602,6 +2667,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -3758,6 +3836,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -4617,6 +4708,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -4780,6 +4884,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -5225,6 +5342,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -6084,6 +6214,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -6247,6 +6390,19 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:


@ -140,6 +140,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -1567,6 +1585,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -1820,6 +1858,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -2520,6 +2578,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -3947,6 +4023,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -4200,6 +4296,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:


@ -141,6 +141,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -1568,6 +1586,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -1821,6 +1859,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -2522,6 +2580,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -3949,6 +4025,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -4202,6 +4298,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:


@ -157,6 +157,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -1584,6 +1602,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -1837,6 +1875,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -2537,6 +2595,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -3964,6 +4040,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -4217,6 +4313,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -5807,6 +5923,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -7234,6 +7368,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -7487,6 +7641,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -8188,6 +8362,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -9615,6 +9807,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -9868,6 +10080,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:


@ -146,6 +146,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -1573,6 +1591,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -1826,6 +1864,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -2526,6 +2584,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -3953,6 +4029,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -4206,6 +4302,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -5772,6 +5888,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -7199,6 +7333,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -7452,6 +7606,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:
@ -8153,6 +8327,24 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary JSON
object that the variable may take if the JMESPath
expression evaluates to nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type: string
value:
description: Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
exclude:
@ -9580,6 +9772,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
list:
@ -9833,6 +10045,26 @@ spec:
name:
description: Name is the variable name.
type: string
variable:
description: Variable defines an arbitrary JMESPath
context variable that can be defined inline.
properties:
default:
description: Default is an optional arbitrary
JSON object that the variable may take
if the JMESPath expression evaluates to
nil
x-kubernetes-preserve-unknown-fields: true
jmesPath:
description: JMESPath is an optional JMESPath
Expression that can be used to transform
the variable.
type: string
value:
description: Value is any arbitrary JSON
object representable in YAML or JSON form.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
deny:


@ -209,8 +209,8 @@ string
<td>
<code>conditions</code></br>
<em>
<a href="#kyverno.io/v1.*github.com/kyverno/kyverno/api/kyverno/v1.AnyAllConditions">
[]*github.com/kyverno/kyverno/api/kyverno/v1.AnyAllConditions
<a href="#kyverno.io/v1.*./api/kyverno/v1.AnyAllConditions">
[]*./api/kyverno/v1.AnyAllConditions
</a>
</em>
</td>
@ -330,8 +330,8 @@ value N, then N must be less than or equal to the size of entries, and at least
<td>
<code>entries</code></br>
<em>
<a href="#kyverno.io/v1.*github.com/kyverno/kyverno/api/kyverno/v1.Attestor">
[]*github.com/kyverno/kyverno/api/kyverno/v1.Attestor
<a href="#kyverno.io/v1.*./api/kyverno/v1.Attestor">
[]*./api/kyverno/v1.Attestor
</a>
</em>
</td>
@ -817,6 +817,19 @@ ImageRegistry
details.</p>
</td>
</tr>
<tr>
<td>
<code>variable</code></br>
<em>
<a href="#kyverno.io/v1.Variable">
Variable
</a>
</em>
</td>
<td>
<p>Variable defines an arbitrary JMESPath context variable that can be defined inline.</p>
</td>
</tr>
</tbody>
</table>
<hr />
@ -1560,8 +1573,8 @@ Deprecated.</p>
<td>
<code>attestors</code></br>
<em>
<a href="#kyverno.io/v1.*github.com/kyverno/kyverno/api/kyverno/v1.AttestorSet">
[]*github.com/kyverno/kyverno/api/kyverno/v1.AttestorSet
<a href="#kyverno.io/v1.*./api/kyverno/v1.AttestorSet">
[]*./api/kyverno/v1.AttestorSet
</a>
</em>
</td>
@ -1573,8 +1586,8 @@ Deprecated.</p>
<td>
<code>attestations</code></br>
<em>
<a href="#kyverno.io/v1.*github.com/kyverno/kyverno/api/kyverno/v1.Attestation">
[]*github.com/kyverno/kyverno/api/kyverno/v1.Attestation
<a href="#kyverno.io/v1.*./api/kyverno/v1.Attestation">
[]*./api/kyverno/v1.Attestation
</a>
</em>
</td>
@ -1848,8 +1861,8 @@ See <a href="https://tools.ietf.org/html/rfc6902">https://tools.ietf.org/html/rf
<td>
<code>foreach</code></br>
<em>
<a href="#kyverno.io/v1.*github.com/kyverno/kyverno/api/kyverno/v1.ForEachMutation">
[]*github.com/kyverno/kyverno/api/kyverno/v1.ForEachMutation
<a href="#kyverno.io/v1.*./api/kyverno/v1.ForEachMutation">
[]*./api/kyverno/v1.ForEachMutation
</a>
</em>
</td>
@ -2331,7 +2344,7 @@ ResourceDescription
</table>
<hr />
<h3 id="kyverno.io/v1.ResourceFilters">ResourceFilters
(<code>[]github.com/kyverno/kyverno/api/kyverno/v1.ResourceFilter</code> alias)</p></h3>
(<code>[]./api/kyverno/v1.ResourceFilter</code> alias)</p></h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.MatchResources">MatchResources</a>)
@ -2559,8 +2572,8 @@ Generation
<td>
<code>verifyImages</code></br>
<em>
<a href="#kyverno.io/v1.*github.com/kyverno/kyverno/api/kyverno/v1.ImageVerification">
[]*github.com/kyverno/kyverno/api/kyverno/v1.ImageVerification
<a href="#kyverno.io/v1.*./api/kyverno/v1.ImageVerification">
[]*./api/kyverno/v1.ImageVerification
</a>
</em>
</td>
@ -2845,8 +2858,8 @@ string
<td>
<code>foreach</code></br>
<em>
<a href="#kyverno.io/v1.*github.com/kyverno/kyverno/api/kyverno/v1.ForEachValidation">
[]*github.com/kyverno/kyverno/api/kyverno/v1.ForEachValidation
<a href="#kyverno.io/v1.*./api/kyverno/v1.ForEachValidation">
[]*./api/kyverno/v1.ForEachValidation
</a>
</em>
</td>
@ -2948,6 +2961,64 @@ ValidationFailureAction
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.Variable">Variable
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.ContextEntry">ContextEntry</a>)
</p>
<p>
<p>Variable defines an arbitrary JMESPath context variable that can be defined inline.</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>value</code></br>
<em>
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON
</em>
</td>
<td>
<em>(Optional)</em>
<p>Value is any arbitrary JSON object representable in YAML or JSON form.</p>
</td>
</tr>
<tr>
<td>
<code>jmesPath</code></br>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>JMESPath is an optional JMESPath Expression that can be used to
transform the variable.</p>
</td>
</tr>
<tr>
<td>
<code>default</code></br>
<em>
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON
</em>
</td>
<td>
<em>(Optional)</em>
<p>Default is an optional arbitrary JSON object that the variable may take if the JMESPath
expression evaluates to nil</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.ViolatedRule">ViolatedRule
</h3>
<p>


@ -40,6 +40,9 @@ type Interface interface {
// AddContextEntry adds a context entry to the context
AddContextEntry(name string, dataRaw []byte) error
// ReplaceContextEntry replaces a context entry to the context
ReplaceContextEntry(name string, dataRaw []byte) error
// AddResource merges resource json under request.object
AddResource(data map[string]interface{}) error
@ -138,6 +141,20 @@ func (ctx *context) AddContextEntry(name string, dataRaw []byte) error {
return addToContext(ctx, data, name)
}
func (ctx *context) ReplaceContextEntry(name string, dataRaw []byte) error {
var data interface{}
if err := json.Unmarshal(dataRaw, &data); err != nil {
logger.Error(err, "failed to unmarshal the resource")
return err
}
// Adding a nil entry to clean out any existing data in the context with the entry name
if err := addToContext(ctx, nil, name); err != nil {
logger.Error(err, "unable to replace context entry", "context entry name", name)
return err
}
return addToContext(ctx, data, name)
}
// AddResource data at path: request.object
func (ctx *context) AddResource(data map[string]interface{}) error {
return addToContext(ctx, data, "request", "object")
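Review bot: ReplaceContextEntry clears the entry with `addToContext(ctx, nil, name)` and then writes the new data in a second `addToContext` call, so if that second call returns an error the entry is left cleared instead of keeping its previous value. Whether both calls run under one lock is not visible here; if addToContext locks per call, a concurrent reader could presumably see the cleared state in between. The method has no doc comment; I would add `// ReplaceContextEntry clears any data stored under name and then stores dataRaw there.` and reword the interface comment to "replaces a context entry in the context". The message `failed to unmarshal the resource` is logged for a context entry, not a resource, and could include the entry name.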


@ -23,12 +23,15 @@ func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, ctx
policyName := ctx.Policy.GetName()
if store.GetMock() {
if store.GetRegistryAccess() {
for _, entry := range contextEntries {
if entry.ImageRegistry != nil {
if err := loadImageData(logger, entry, ctx); err != nil {
return err
}
hasRegistryAccess := store.GetRegistryAccess()
for _, entry := range contextEntries {
if entry.ImageRegistry != nil && hasRegistryAccess {
if err := loadImageData(logger, entry, ctx); err != nil {
return err
}
} else if entry.Variable != nil {
if err := loadVariable(logger, entry, ctx); err != nil {
return err
}
}
}
@ -62,12 +65,68 @@ func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, ctx
if err := loadImageData(logger, entry, ctx); err != nil {
return err
}
} else if entry.Variable != nil {
if err := loadVariable(logger, entry, ctx); err != nil {
return err
}
}
}
}
return nil
}
func loadVariable(logger logr.Logger, entry kyverno.ContextEntry, ctx *PolicyContext) (err error) {
path := ""
if entry.Variable.JMESPath != "" {
jp, err := variables.SubstituteAll(logger, ctx.JSONContext, entry.Variable.JMESPath)
if err != nil {
return fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.Variable.JMESPath, err)
}
path = jp.(string)
}
var defaultValue interface{} = nil
if entry.Variable.Default != nil {
value, err := variables.DocumentToUntyped(entry.Variable.Default)
if err != nil {
return fmt.Errorf("invalid default for variable %s", entry.Name)
}
defaultValue, err = variables.SubstituteAll(logger, ctx.JSONContext, value)
if err != nil {
return fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.Variable.Default, err)
}
}
var output interface{} = defaultValue
if entry.Variable.Value != nil {
value, _ := variables.DocumentToUntyped(entry.Variable.Value)
variable, err := variables.SubstituteAll(logger, ctx.JSONContext, value)
if err != nil {
return fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.Variable.Value, err)
}
if path != "" {
variable, err := applyJMESPath(path, variable)
if err == nil {
output = variable
}
} else {
output = variable
}
} else {
if path != "" {
if variable, err := ctx.JSONContext.Query(path); err == nil {
output = variable
}
}
}
if output == nil {
return fmt.Errorf("unable to add context entry for variable %s since it evaluated to nil", entry.Name)
}
if outputBytes, err := json.Marshal(output); err == nil {
return ctx.JSONContext.ReplaceContextEntry(entry.Name, outputBytes)
} else {
return fmt.Errorf("unable to add context entry for variable %s: %w", entry.Name, err)
}
}
func loadImageData(logger logr.Logger, entry kyverno.ContextEntry, ctx *PolicyContext) error {
if len(registryclient.Secrets) > 0 {
if err := registryclient.UpdateKeychain(); err != nil {
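Review bot: In loadVariable, `path = jp.(string)` is an unchecked type assertion on the result of `variables.SubstituteAll`, so if substitution of a policy-supplied `jmesPath` yields anything other than a string, the call panics during policy evaluation instead of returning an error. Use the two-value form, `p, ok := jp.(string)`, and return `fmt.Errorf("jmesPath of context entry %s must resolve to a string", entry.Name)` when `ok` is false. Further down, `value, _ := variables.DocumentToUntyped(entry.Variable.Value)` discards the error that the `Default` branch checks for the same call; it should be handled the same way. The error from `applyJMESPath` is also dropped, so a malformed expression and a nil result both fall back to the default; if that is intended, a comment on that branch should say so.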


@ -489,7 +489,7 @@ func getAllowedVariables(background bool) *regexp.Regexp {
func addContextVariables(entries []kyverno.ContextEntry, ctx *context.MockContext) {
for _, contextEntry := range entries {
if contextEntry.APICall != nil || contextEntry.ImageRegistry != nil {
if contextEntry.APICall != nil || contextEntry.ImageRegistry != nil || contextEntry.Variable != nil {
ctx.AddVariable(contextEntry.Name + "*")
}
@ -819,17 +819,24 @@ func validateRuleContext(rule kyverno.Rule) error {
if entry.Name == "" {
return fmt.Errorf("a name is required for context entries")
}
for _, v := range []string{"images", "request", "serviceAccountName", "serviceAccountNamespace", "element", "elementIndex"} {
if entry.Name == v || strings.HasPrefix(entry.Name, v+".") {
return fmt.Errorf("entry name %s is invalid as it conflicts with a pre-defined variable %s", entry.Name, v)
}
}
contextNames = append(contextNames, entry.Name)
var err error
if entry.ConfigMap != nil {
if entry.ConfigMap != nil && entry.APICall == nil && entry.ImageRegistry == nil && entry.Variable == nil {
err = validateConfigMap(entry)
} else if entry.APICall != nil {
} else if entry.ConfigMap == nil && entry.APICall != nil && entry.ImageRegistry == nil && entry.Variable == nil {
err = validateAPICall(entry)
} else if entry.ImageRegistry != nil {
} else if entry.ConfigMap == nil && entry.APICall == nil && entry.ImageRegistry != nil && entry.Variable == nil {
err = validateImageRegistry(entry)
} else if entry.ConfigMap == nil && entry.APICall == nil && entry.ImageRegistry == nil && entry.Variable != nil {
err = validateVariable(entry)
} else {
return fmt.Errorf("a configMap or apiCall or imageRegistry is required for context entries")
return fmt.Errorf("exactly one of configMap or apiCall or imageRegistry or variable is required for context entries")
}
if err != nil {
@ -851,19 +858,26 @@ func validateRuleContext(rule kyverno.Rule) error {
return nil
}
func validateVariable(entry kyverno.ContextEntry) error {
// If JMESPath contains variables, the validation will fail because it's not possible to infer which value
// will be inserted by the variable
// Skip validation if a variable is detected
jmesPath := variables.ReplaceAllVars(entry.Variable.JMESPath, func(s string) string { return "kyvernojmespathvariable" })
if !strings.Contains(jmesPath, "kyvernojmespathvariable") && entry.Variable.JMESPath != "" {
if _, err := jmespath.NewParser().Parse(entry.Variable.JMESPath); err != nil {
return fmt.Errorf("failed to parse JMESPath %s: %v", entry.Variable.JMESPath, err)
}
}
if entry.Variable.Value == nil && jmesPath == "" {
return fmt.Errorf("a variable must define a value or a jmesPath expression")
}
if entry.Variable.Default != nil && jmesPath == "" {
return fmt.Errorf("a variable must define a default value only when a jmesPath expression is defined")
}
return nil
}
func validateConfigMap(entry kyverno.ContextEntry) error {
if entry.ConfigMap == nil {
return fmt.Errorf("configMap is empty")
}
if entry.APICall != nil {
return fmt.Errorf("both configMap and apiCall are not allowed in a context entry")
}
if entry.ImageRegistry != nil {
return fmt.Errorf("both imageRegistry and configMap are not allowed in a context entry")
}
if entry.ConfigMap.Name == "" {
return fmt.Errorf("a name is required for configMap context entry")
}
@ -876,18 +890,6 @@ func validateConfigMap(entry kyverno.ContextEntry) error {
}
func validateAPICall(entry kyverno.ContextEntry) error {
if entry.APICall == nil {
return fmt.Errorf("apiCall is empty")
}
if entry.ConfigMap != nil {
return fmt.Errorf("both configMap and apiCall are not allowed in a context entry")
}
if entry.ImageRegistry != nil {
return fmt.Errorf("both imageRegistry and apiCall are not allowed in a context entry")
}
// Replace all variables to prevent validation failing on variable keys.
urlPath := variables.ReplaceAllVars(entry.APICall.URLPath, func(s string) string { return "kyvernoapicallvariable" })
@ -911,18 +913,6 @@ func validateAPICall(entry kyverno.ContextEntry) error {
}
func validateImageRegistry(entry kyverno.ContextEntry) error {
if entry.ImageRegistry == nil {
return fmt.Errorf("imageRegistry is empty")
}
if entry.ConfigMap != nil {
return fmt.Errorf("both configMap and imageRegistry are not allowed in a context entry")
}
if entry.APICall != nil {
return fmt.Errorf("both configMap and apiCall are not allowed in a context entry")
}
if entry.ImageRegistry.Reference == "" {
return fmt.Errorf("a ref is required for imageRegistry context entry")
}
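Review bot: The reserved names in validateRuleContext (`images`, `request`, `serviceAccountName`, `serviceAccountNamespace`, `element`, `elementIndex`) are an inline literal rebuilt for every context entry, and nothing records why these names are blocked. This check is what stops a context entry from taking the name of a built-in variable, so I would hoist the list to a package-level variable with a comment such as `// reservedContextNames are built-in variables that a context entry name must not equal or extend with a dot.`, which gives new built-ins one place to be added. The new validateVariable has no doc comment either; one sentence saying that a variable needs a `value` or a `jmesPath`, and that `default` is accepted only together with `jmesPath`, would match what the function enforces. validateRuleContext starts and ends outside the visible hunks.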


@ -0,0 +1,46 @@
name: test-variables
policies:
- policies.yaml
resources:
- resources.yaml
results:
- policy: example
rule: defined-value
resource: example
kind: Pod
result: pass
- policy: example
rule: defined-jmespath
resource: example
kind: Pod
result: pass
- policy: example
rule: defined-jmespath-with-default
resource: example
kind: Pod
result: pass
- policy: example
rule: defined-value-with-variable
resource: example
kind: Pod
result: pass
- policy: example
rule: defined-jmespath-with-default-variable
resource: example
kind: Pod
result: pass
- policy: example
rule: defined-value-jmespath
resource: example
kind: Pod
result: pass
- policy: example
rule: defined-value-jmespath-variable
resource: example
kind: Pod
result: pass
- policy: example
rule: value-override
resource: example
kind: Pod
result: pass
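Review bot: All eight expected results are `pass` against the resource `example`, so the suite never shows a `deny` condition built on a context variable actually firing. Adding a second resource whose name is not `example`, with `result: fail` for a rule such as `defined-jmespath`, would show that the variable is really compared. Nothing here exercises the error paths either, for instance a variable that evaluates to nil with no default, or a context entry that uses a reserved name.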


@ -0,0 +1,148 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: example
spec:
rules:
- name: defined-value
context:
- name: example
variable:
value:
test:
nested:
value: 1
match:
resources:
kinds:
- Pod
validate:
deny:
conditions:
- key: "{{ example.test.nested.value }}"
operator: NotEquals
value: 1
- name: defined-jmespath
context:
- name: objName
variable:
jmesPath: request.object.metadata.name
match:
resources:
kinds:
- Pod
validate:
deny:
conditions:
- key: "{{ objName }}"
operator: NotEquals
value: "example"
- name: defined-jmespath-with-default
context:
- name: objName
variable:
jmesPath: request.object.metadata.generateName
default: example
match:
resources:
kinds:
- Pod
validate:
deny:
conditions:
- key: "{{ objName }}"
operator: NotEquals
value: "example"
- name: defined-value-with-variable
context:
- name: obj
variable:
value:
name: "{{ request.object.metadata.name }}"
match:
resources:
kinds:
- Pod
validate:
deny:
conditions:
- key: "{{ obj.name }}"
operator: NotEquals
value: "example"
- name: defined-jmespath-with-default-variable
context:
- name: objName
variable:
jmesPath: request.object.metadata.generateName
default: "{{ request.object.metadata.name }}"
match:
resources:
kinds:
- Pod
validate:
deny:
conditions:
- key: "{{ objName }}"
operator: NotEquals
value: "example"
- name: defined-value-jmespath
context:
- name: objName
variable:
value:
name: "{{ request.object.metadata.name }}"
jmesPath: name
match:
resources:
kinds:
- Pod
validate:
deny:
conditions:
- key: "{{ objName }}"
operator: NotEquals
value: "example"
- name: defined-value-jmespath-variable
context:
- name: jpExpression
variable:
value: name
- name: objName
variable:
value:
name: "{{ request.object.metadata.name }}"
jmesPath: "{{ jpExpression }}"
match:
resources:
kinds:
- Pod
validate:
deny:
conditions:
- key: "{{ objName }}"
operator: NotEquals
value: "example"
- name: value-override
context:
- name: obj
variable:
value:
notName: not-example
- name: obj
variable:
value:
name: example
match:
resources:
kinds:
- Pod
validate:
deny:
conditions:
any:
- key: "{{ obj.name }}"
operator: NotEquals
value: "example"
- key: "{{ to_string(obj.notName) }}"
operator: NotEquals
value: 'null'


@ -0,0 +1,6 @@
apiVersion: v1
kind: Pod
metadata:
name: example
spec:
containers: []