feat: use k8s 1.28 libs (#8037)
* feat: use k8s 1.28 libs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix validating admission policies Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix a typo Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
parent
0a56049466
commit
57a0f81040
25 changed files with 3456 additions and 389 deletions
|
@ -231,7 +231,7 @@ func (in *CEL) DeepCopyInto(out *CEL) {
|
|||
if in.ParamRef != nil {
|
||||
in, out := &in.ParamRef, &out.ParamRef
|
||||
*out = new(v1alpha1.ParamRef)
|
||||
**out = **in
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.AuditAnnotations != nil {
|
||||
in, out := &in.AuditAnnotations, &out.AuditAnnotations
|
||||
|
|
|
@ -6301,7 +6301,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -6415,12 +6421,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -10508,10 +10600,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -10630,12 +10729,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -14454,7 +14643,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -14568,12 +14763,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -18715,10 +18996,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -18837,12 +19125,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -23026,7 +23404,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -23140,12 +23524,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -27234,10 +27704,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -27356,12 +27833,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -31181,7 +31748,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -31295,12 +31868,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
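Review bot: `parameterNotFoundAction` is declared as a bare `type: string`, so the allowed values and the `Deny` default exist only in the description text and this schema accepts any string and sets no default. `Allow` turns "no parameters matched" into a successful validation, so whether an omitted or misspelled value fails closed is decided by code outside this hunk. I would constrain the property with `enum: [Allow, Deny]`. If this manifest is generated from the upstream `v1alpha1.ParamRef` type (it reads like generator output, but the page does not say), the same check belongs in policy validation instead. The `name`/`selector` mutual exclusion is likewise stated only in prose, and the other `ParamRef` hunks that follow on this page repeat the same schema.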
|
||||
|
@ -35442,10 +36101,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -35564,12 +36230,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
|
|
@ -2484,7 +2484,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -2598,12 +2604,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -6691,10 +6783,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -6813,12 +6912,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -10637,7 +10826,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -10751,12 +10946,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -14898,10 +15179,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -15020,12 +15308,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
|
|
@ -2485,7 +2485,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -2599,12 +2605,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -6693,10 +6785,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -6815,12 +6914,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -10640,7 +10829,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -10754,12 +10949,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -14901,10 +15182,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -15023,12 +15311,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
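Review bot: `parameterNotFoundAction` is declared as a bare `type: string` in each of the four `paramRef` hunks of this section, and the rule that exactly one of `name` or `selector` is set appears only in the description text. Nothing visible in the schema enforces either, though the rendered page has lost indentation, so a constraint outside the hunks cannot be ruled out. Because `Allow` turns "no parameters matched" into a successful validation, a misspelled or unexpected value should be rejected when the policy is admitted rather than interpreted at evaluation time. This schema looks generated, so the check probably belongs in the source types or in policy validation, ending up as something like `enum: [Allow, Deny]` on the field. The description says the default is `Deny`, but no `default:` is visible either, so it is worth confirming that an unset value really falls under `failurePolicy`.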
|
|
|
@ -6504,7 +6504,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -6618,12 +6624,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -10711,10 +10803,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -10833,12 +10932,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -14657,7 +14846,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -14771,12 +14966,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -18918,10 +19199,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -19040,12 +19328,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -23229,7 +23607,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -23343,12 +23727,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -27437,10 +27907,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -27559,12 +28036,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -31384,7 +31951,13 @@ spec:
|
|||
of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
|
||||
- 'params' - Parameter resource referred to
|
||||
by the policy binding being evaluated. Only
|
||||
populated if the policy has a ParamKind. - 'authorizer'
|
||||
populated if the policy has a ParamKind. - 'namespaceObject'
|
||||
- The namespace object that the incoming object
|
||||
belongs to. The value is null for cluster-scoped
|
||||
resources. - 'variables' - Map of composited
|
||||
variables, from its name to its lazily evaluated
|
||||
value. For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform authorization
|
||||
checks for the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
|
@ -31498,12 +32071,98 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector` are
|
||||
mutually exclusive properties. If one is set,
|
||||
the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of the
|
||||
referenced resource. Allows limiting the search
|
||||
for params to a specific namespace. Applies to
|
||||
both `name` and `selector` fields. \n A per-namespace
|
||||
parameter may be used by specifying a namespace-scoped
|
||||
`paramKind` in the policy and leaving this field
|
||||
empty. \n - If `paramKind` is cluster-scoped,
|
||||
this field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the object
|
||||
being evaluated for admission will be used when
|
||||
this field is left unset. Take care that if this
|
||||
is left empty the binding must not match any cluster-scoped
|
||||
resources, which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but there
|
||||
are no parameters matched by the binding. If the
|
||||
value is set to `Allow`, then no matched parameters
|
||||
will be treated as successful validation by the
|
||||
binding. If set to `Deny`, then no matched parameters
|
||||
will be subject to the `failurePolicy` of the
|
||||
policy. \n Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match multiple
|
||||
param objects based on their labels. Supply selector:
|
||||
{} to match all resources of the ParamKind. \n
|
||||
If multiple params are found, they are all evaluated
|
||||
with the policy expressions and the results are
|
||||
ANDed together. \n One of `name` or `selector`
|
||||
must be set, but `name` and `selector` are mutually
|
||||
exclusive properties. If one is set, the other
|
||||
must be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values, a key,
|
||||
and an operator that relates the key and
|
||||
values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's
|
||||
relationship to a set of values. Valid
|
||||
operators are In, NotIn, Exists and
|
||||
DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty.
|
||||
If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This
|
||||
array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is
|
||||
"In", and the values array contains only "value".
|
||||
The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
@ -35645,10 +36304,17 @@ spec:
|
|||
- 'params' - Parameter resource referred
|
||||
to by the policy binding being evaluated.
|
||||
Only populated if the policy has a ParamKind.
|
||||
- 'authorizer' - A CEL Authorizer. May be
|
||||
used to perform authorization checks for
|
||||
the principal (user or service account)
|
||||
of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'namespaceObject' - The namespace object
|
||||
that the incoming object belongs to. The
|
||||
value is null for cluster-scoped resources.
|
||||
- 'variables' - Map of composited variables,
|
||||
from its name to its lazily evaluated value.
|
||||
For example, a variable named 'foo' can
|
||||
be accessed as 'variables.foo'. - 'authorizer'
|
||||
- A CEL Authorizer. May be used to perform
|
||||
authorization checks for the principal (user
|
||||
or service account) of the request. See
|
||||
https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||
- 'authorizer.requestResource' - A CEL ResourceCheck
|
||||
constructed from the 'authorizer' and configured
|
||||
with the request resource. \n The `apiVersion`,
|
||||
|
@ -35767,12 +36433,102 @@ spec:
|
|||
description: ParamRef references a parameter resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name of the resource being referenced.
|
||||
description: "`name` is the name of the resource
|
||||
being referenced. \n `name` and `selector`
|
||||
are mutually exclusive properties. If one
|
||||
is set, the other must be unset."
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced resource.
|
||||
Should be empty for the cluster-scoped resources
|
||||
description: "namespace is the namespace of
|
||||
the referenced resource. Allows limiting the
|
||||
search for params to a specific namespace.
|
||||
Applies to both `name` and `selector` fields.
|
||||
\n A per-namespace parameter may be used by
|
||||
specifying a namespace-scoped `paramKind`
|
||||
in the policy and leaving this field empty.
|
||||
\n - If `paramKind` is cluster-scoped, this
|
||||
field MUST be unset. Setting this field results
|
||||
in a configuration error. \n - If `paramKind`
|
||||
is namespace-scoped, the namespace of the
|
||||
object being evaluated for admission will
|
||||
be used when this field is left unset. Take
|
||||
care that if this is left empty the binding
|
||||
must not match any cluster-scoped resources,
|
||||
which will result in an error."
|
||||
type: string
|
||||
parameterNotFoundAction:
|
||||
description: "`parameterNotFoundAction` controls
|
||||
the behavior of the binding when the resource
|
||||
exists, and name or selector is valid, but
|
||||
there are no parameters matched by the binding.
|
||||
If the value is set to `Allow`, then no matched
|
||||
parameters will be treated as successful validation
|
||||
by the binding. If set to `Deny`, then no
|
||||
matched parameters will be subject to the
|
||||
`failurePolicy` of the policy. \n Allowed
|
||||
values are `Allow` or `Deny` Default to `Deny`"
|
||||
type: string
|
||||
selector:
|
||||
description: "selector can be used to match
|
||||
multiple param objects based on their labels.
|
||||
Supply selector: {} to match all resources
|
||||
of the ParamKind. \n If multiple params are
|
||||
found, they are all evaluated with the policy
|
||||
expressions and the results are ANDed together.
|
||||
\n One of `name` or `selector` must be set,
|
||||
but `name` and `selector` are mutually exclusive
|
||||
properties. If one is set, the other must
|
||||
be unset."
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list
|
||||
of label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: A label selector requirement
|
||||
is a selector that contains values,
|
||||
a key, and an operator that relates
|
||||
the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key
|
||||
that the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a
|
||||
key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists
|
||||
and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of
|
||||
string values. If the operator is
|
||||
In or NotIn, the values array must
|
||||
be non-empty. If the operator is
|
||||
Exists or DoesNotExist, the values
|
||||
array must be empty. This array
|
||||
is replaced during a strategic merge
|
||||
patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator
|
||||
is "In", and the values array contains
|
||||
only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
|
|
38
go.mod
|
@ -21,7 +21,7 @@ require (
|
|||
github.com/go-git/go-git/v5 v5.8.1
|
||||
github.com/go-logr/logr v1.2.4
|
||||
github.com/go-logr/zapr v1.2.4
|
||||
github.com/google/gnostic v0.6.9
|
||||
github.com/google/gnostic-models v0.6.8
|
||||
github.com/google/go-containerregistry v0.16.1
|
||||
github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20230802205906-a54d64203cff
|
||||
github.com/in-toto/in-toto-golang v0.9.0
|
||||
|
@ -73,20 +73,20 @@ require (
|
|||
gopkg.in/yaml.v2 v2.4.0
|
||||
gopkg.in/yaml.v3 v3.0.1
|
||||
gotest.tools v2.2.0+incompatible
|
||||
k8s.io/api v0.27.4
|
||||
k8s.io/apiextensions-apiserver v0.27.4
|
||||
k8s.io/apimachinery v0.27.4
|
||||
k8s.io/apiserver v0.27.4
|
||||
k8s.io/cli-runtime v0.27.4
|
||||
k8s.io/client-go v0.27.4
|
||||
k8s.io/api v0.28.0
|
||||
k8s.io/apiextensions-apiserver v0.28.0
|
||||
k8s.io/apimachinery v0.28.0
|
||||
k8s.io/apiserver v0.28.0
|
||||
k8s.io/cli-runtime v0.28.0
|
||||
k8s.io/client-go v0.28.0
|
||||
k8s.io/klog/v2 v2.100.1
|
||||
k8s.io/kube-aggregator v0.27.4
|
||||
k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5
|
||||
k8s.io/pod-security-admission v0.27.4
|
||||
k8s.io/utils v0.0.0-20230505201702-9f6742963106
|
||||
k8s.io/kube-aggregator v0.28.0
|
||||
k8s.io/kube-openapi v0.0.0-20230811205723-7ac0aad8c58d
|
||||
k8s.io/pod-security-admission v0.28.0
|
||||
k8s.io/utils v0.0.0-20230726121419-3b25d923346b
|
||||
sigs.k8s.io/controller-runtime v0.15.1
|
||||
sigs.k8s.io/kustomize/api v0.13.4
|
||||
sigs.k8s.io/kustomize/kyaml v0.14.2
|
||||
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3
|
||||
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3
|
||||
sigs.k8s.io/release-utils v0.7.4
|
||||
sigs.k8s.io/structured-merge-diff/v4 v4.3.0
|
||||
sigs.k8s.io/yaml v1.3.0
|
||||
|
@ -94,8 +94,7 @@ require (
|
|||
|
||||
require (
|
||||
cloud.google.com/go/compute v1.20.1 // indirect
|
||||
github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect
|
||||
github.com/google/cel-go v0.12.6 // indirect
|
||||
github.com/google/cel-go v0.16.0 // indirect
|
||||
github.com/stoewer/go-strcase v1.2.0 // indirect
|
||||
)
|
||||
|
||||
|
@ -142,6 +141,7 @@ require (
|
|||
github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
|
||||
github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
|
||||
github.com/aliyun/credentials-go v1.2.7 // indirect
|
||||
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
|
||||
github.com/aws/aws-sdk-go-v2 v1.20.0 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/config v1.18.32 // indirect
|
||||
github.com/aws/aws-sdk-go-v2/credentials v1.13.31 // indirect
|
||||
|
@ -288,7 +288,7 @@ require (
|
|||
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
|
||||
github.com/pmezard/go-difflib v1.0.0 // indirect
|
||||
github.com/prometheus/client_model v0.4.0 // indirect
|
||||
github.com/prometheus/common v0.42.0 // indirect
|
||||
github.com/prometheus/common v0.44.0 // indirect
|
||||
github.com/prometheus/procfs v0.10.1 // indirect
|
||||
github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 // indirect
|
||||
github.com/r3labs/diff v1.1.0 // indirect
|
||||
|
@ -336,7 +336,7 @@ require (
|
|||
go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0 // indirect
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.39.0 // indirect
|
||||
go.opentelemetry.io/proto/otlp v0.19.0 // indirect
|
||||
go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 // indirect
|
||||
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
|
||||
go.step.sm/crypto v0.32.2 // indirect
|
||||
golang.org/x/mod v0.12.0 // indirect
|
||||
golang.org/x/net v0.14.0 // indirect
|
||||
|
@ -357,8 +357,8 @@ require (
|
|||
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
|
||||
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
|
||||
gopkg.in/warnings.v0 v0.1.2 // indirect
|
||||
k8s.io/component-base v0.27.4 // indirect
|
||||
k8s.io/kubectl v0.26.3 // indirect
|
||||
k8s.io/component-base v0.28.0 // indirect
|
||||
k8s.io/kubectl v0.28.0 // indirect
|
||||
oras.land/oras-go/v2 v2.2.1 // indirect
|
||||
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
|
||||
)
|
||||
|
|
84
go.sum
84
go.sum
|
@ -206,8 +206,8 @@ github.com/andybalholm/brotli v1.0.0/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu
|
|||
github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
|
||||
github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
|
||||
github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
|
||||
github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 h1:yL7+Jz0jTC6yykIK/Wh74gnTJnrGr5AyrNMXuA0gves=
|
||||
github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
|
||||
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18=
|
||||
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
|
||||
github.com/aokoli/goutils v1.0.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ=
|
||||
github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
|
||||
github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
|
||||
|
@ -285,7 +285,6 @@ github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnweb
|
|||
github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
|
||||
github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
|
||||
github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc=
|
||||
github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
|
||||
github.com/buildkite/agent/v3 v3.49.0 h1:FSmRQz8YFhaCXg4MfE7JucPcY7mQ/HWM55ir1j3E9qM=
|
||||
github.com/buildkite/agent/v3 v3.49.0/go.mod h1:iasSyh3KPjOPCnyvnZB1trkkX7jrdL8PnLBgjdVJxgU=
|
||||
github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
|
||||
|
@ -440,7 +439,6 @@ github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBD
|
|||
github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
|
||||
github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
|
||||
github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
|
||||
github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0=
|
||||
github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
|
||||
github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
|
||||
github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
|
||||
|
@ -678,15 +676,15 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z
|
|||
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
|
||||
github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
|
||||
github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
|
||||
github.com/google/cel-go v0.12.6 h1:kjeKudqV0OygrAqA9fX6J55S8gj+Jre2tckIm5RoG4M=
|
||||
github.com/google/cel-go v0.12.6/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw=
|
||||
github.com/google/cel-go v0.16.0 h1:DG9YQ8nFCFXAs/FDDwBxmL1tpKNrdlGUM9U3537bX/Y=
|
||||
github.com/google/cel-go v0.16.0/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY=
|
||||
github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
|
||||
github.com/google/certificate-transparency-go v1.1.1/go.mod h1:FDKqPvSXawb2ecErVRrD+nfy23RCzyl7eqVCEmlT1Zs=
|
||||
github.com/google/certificate-transparency-go v1.1.6 h1:SW5K3sr7ptST/pIvNkSVWMiJqemRmkjJPPT0jzXdOOY=
|
||||
github.com/google/certificate-transparency-go v1.1.6/go.mod h1:0OJjOsOk+wj6aYQgP7FU0ioQ0AJUmnWPFMqTjQeazPQ=
|
||||
github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw=
|
||||
github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0=
|
||||
github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E=
|
||||
github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
|
||||
github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
|
||||
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
|
||||
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
|
||||
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
|
||||
|
@ -1216,8 +1214,8 @@ github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16
|
|||
github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
|
||||
github.com/prometheus/common v0.28.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
|
||||
github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
|
||||
github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
|
||||
github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
|
||||
github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
|
||||
github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
|
||||
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
|
||||
github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
|
||||
github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
|
||||
|
@ -1262,7 +1260,7 @@ github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
|
|||
github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||
github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
|
||||
github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
|
||||
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
|
||||
github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
|
||||
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
|
||||
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
|
||||
|
@ -1460,12 +1458,10 @@ github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+
|
|||
github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
|
||||
github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
|
||||
github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8=
|
||||
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
|
||||
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
|
||||
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
|
||||
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
|
||||
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
|
||||
github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
|
||||
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
|
||||
github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
|
||||
github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
|
||||
|
@ -1546,8 +1542,8 @@ go.opentelemetry.io/otel/trace v1.16.0/go.mod h1:Yt9vYq1SdNz3xdjZZK7wcXv1qv2pwLk
|
|||
go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
|
||||
go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw=
|
||||
go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
|
||||
go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 h1:Ss6D3hLXTM0KobyBYEAygXzFfGcjnmfEJOBgSbemCtg=
|
||||
go.starlark.net v0.0.0-20230302034142-4b1e35fe2254/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
|
||||
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY=
|
||||
go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
|
||||
go.step.sm/crypto v0.32.2 h1:EhJpFRNgU3RaNEO3WZ62Kn2gF9NWNglNG4DvSPeuiTs=
|
||||
go.step.sm/crypto v0.32.2/go.mod h1:JwarCq+Sn6N8IbRSKfSJfjUNKfO8c4N1mcNxYXuxXzc=
|
||||
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
|
||||
|
@ -1706,7 +1702,6 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
|
|||
golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM=
|
||||
golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
|
||||
golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||
golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||
golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
|
||||
golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
|
@ -2068,7 +2063,6 @@ google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D
|
|||
google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
|
||||
google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
|
||||
google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
|
||||
google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
|
||||
google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 h1:Au6te5hbKUV8pIYWHqOUZ1pva5qK/rwbIhoXEUB9Lu8=
|
||||
google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 h1:XVeBY8d/FaK4848myy41HBqnDwvxeV3zMZhwN1TvAMU=
|
||||
|
@ -2182,32 +2176,32 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
|
|||
honnef.co/go/tools v0.1.4/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
|
||||
k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
|
||||
k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8=
|
||||
k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs=
|
||||
k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y=
|
||||
k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM=
|
||||
k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY=
|
||||
k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk=
|
||||
k8s.io/apiextensions-apiserver v0.20.2/go.mod h1:F6TXp389Xntt+LUq3vw6HFOLttPa0V8821ogLGwb6Zs=
|
||||
k8s.io/apiextensions-apiserver v0.27.4 h1:ie1yZG4nY/wvFMIR2hXBeSVq+HfNzib60FjnBYtPGSs=
|
||||
k8s.io/apiextensions-apiserver v0.27.4/go.mod h1:KHZaDr5H9IbGEnSskEUp/DsdXe1hMQ7uzpQcYUFt2bM=
|
||||
k8s.io/apiextensions-apiserver v0.28.0 h1:CszgmBL8CizEnj4sj7/PtLGey6Na3YgWyGCPONv7E9E=
|
||||
k8s.io/apiextensions-apiserver v0.28.0/go.mod h1:uRdYiwIuu0SyqJKriKmqEN2jThIJPhVmOWETm8ud1VE=
|
||||
k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
|
||||
k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
|
||||
k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs=
|
||||
k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
|
||||
k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA=
|
||||
k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
|
||||
k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
|
||||
k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA=
|
||||
k8s.io/apiserver v0.27.4 h1:ncZ0MBR9yQ/Gf34rtu1EK+HqT8In1YpfAUINu/Akvho=
|
||||
k8s.io/apiserver v0.27.4/go.mod h1:GDEFRfFZ4/l+pAvwYRnoSfz0K4j3TWiN4WsG2KnRteE=
|
||||
k8s.io/cli-runtime v0.27.4 h1:Zb0eci+58eHZNnoHhjRFc7W88s8dlG12VtIl3Nv2Hto=
|
||||
k8s.io/cli-runtime v0.27.4/go.mod h1:k9Z1xiZq2xNplQmehpDquLgc+rE+pubpO1cK4al4Mlw=
|
||||
k8s.io/apiserver v0.28.0 h1:wVh7bK6Xj7hq+5ntInysTeQRAOqqFoKGUOW2yj8DXrY=
|
||||
k8s.io/apiserver v0.28.0/go.mod h1:MvLmtxhQ0Tb1SZk4hfJBjs8iqr5nhYeaFSaoEcz7Lk4=
|
||||
k8s.io/cli-runtime v0.28.0 h1:Tcz1nnccXZDNIzoH6EwjCs+7ezkUGhorzCweEvlVOFg=
|
||||
k8s.io/cli-runtime v0.28.0/go.mod h1:U+ySmOKBm/JUCmebhmecXeTwNN1RzI7DW4+OM8Oryas=
|
||||
k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
|
||||
k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE=
|
||||
k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk=
|
||||
k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc=
|
||||
k8s.io/client-go v0.28.0 h1:ebcPRDZsCjpj62+cMk1eGNX1QkMdRmQ6lmz5BLoFWeM=
|
||||
k8s.io/client-go v0.28.0/go.mod h1:0Asy9Xt3U98RypWJmU1ZrRAGKhP6NqDPmptlAzK2kMc=
|
||||
k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
|
||||
k8s.io/code-generator v0.20.2/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
|
||||
k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
|
||||
k8s.io/component-base v0.20.2/go.mod h1:pzFtCiwe/ASD0iV7ySMu8SYVJjCapNM9bjvk7ptpKh0=
|
||||
k8s.io/component-base v0.27.4 h1:Wqc0jMKEDGjKXdae8hBXeskRP//vu1m6ypC+gwErj4c=
|
||||
k8s.io/component-base v0.27.4/go.mod h1:hoiEETnLc0ioLv6WPeDt8vD34DDeB35MfQnxCARq3kY=
|
||||
k8s.io/component-base v0.28.0 h1:HQKy1enJrOeJlTlN4a6dU09wtmXaUvThC0irImfqyxI=
|
||||
k8s.io/component-base v0.28.0/go.mod h1:Yyf3+ZypLfMydVzuLBqJ5V7Kx6WwDr/5cN+dFjw1FNk=
|
||||
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||
k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
|
||||
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
|
||||
|
@ -2216,20 +2210,20 @@ k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
|
|||
k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
|
||||
k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
|
||||
k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
|
||||
k8s.io/kube-aggregator v0.27.4 h1:WdK9iiBr32G8bWfpUEFVQl70RZO2dU19ZAktUXL5JFc=
|
||||
k8s.io/kube-aggregator v0.27.4/go.mod h1:+eG83gkAyh0uilQEAOgheeQW4hr+PkyV+5O1nLGsjlM=
|
||||
k8s.io/kube-aggregator v0.28.0 h1:8uH1SoRLlDdhdaW64eAK1BDWUXr2jLtVhiShysTzcok=
|
||||
k8s.io/kube-aggregator v0.28.0/go.mod h1:wD7UarSU4HRyeDUIZLEHpvXNqL613w59yaM7ctjYapA=
|
||||
k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
|
||||
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
|
||||
k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 h1:azYPdzztXxPSa8wb+hksEKayiz0o+PPisO/d+QhWnoo=
|
||||
k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5/go.mod h1:kzo02I3kQ4BTtEfVLaPbjvCkX97YqGve33wzlb3fofQ=
|
||||
k8s.io/kubectl v0.26.3 h1:bZ5SgFyeEXw6XTc1Qji0iNdtqAC76lmeIIQULg2wNXM=
|
||||
k8s.io/kubectl v0.26.3/go.mod h1:02+gv7Qn4dupzN3fi/9OvqqdW+uG/4Zi56vc4Zmsp1g=
|
||||
k8s.io/pod-security-admission v0.27.4 h1:AA32ID+ECNJoUU8yuzLt4WzKPDZg7zMmP2cZ9rVsFyE=
|
||||
k8s.io/pod-security-admission v0.27.4/go.mod h1:GOcnrXk8TT5cPhtCxdlkOAvBnX3QmZiMHqPw9PbZhPs=
|
||||
k8s.io/kube-openapi v0.0.0-20230811205723-7ac0aad8c58d h1:lGN9colvFFZIY0Guxkzdd73CoDXHIbhlQkfi7n/26Ak=
|
||||
k8s.io/kube-openapi v0.0.0-20230811205723-7ac0aad8c58d/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
|
||||
k8s.io/kubectl v0.28.0 h1:qhfju0OaU+JGeBlToPeeIg2UJUWP++QwTkpio6nlPKg=
|
||||
k8s.io/kubectl v0.28.0/go.mod h1:1We+E5nSX3/TVoSQ6y5Bzld5OhTBHZHlKEYl7g/NaTk=
|
||||
k8s.io/pod-security-admission v0.28.0 h1:Vz8XTjMAKHQFZv9Q4GdmO59CUtelkPPDRJTy/WTTc3g=
|
||||
k8s.io/pod-security-admission v0.28.0/go.mod h1:hABVUcP7SRALDvESOK+RYIAWc9uZ5I1eSdcUwsOYTU8=
|
||||
k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
|
||||
k8s.io/utils v0.0.0-20210111153108-fddb29f9d009/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
|
||||
k8s.io/utils v0.0.0-20230505201702-9f6742963106 h1:EObNQ3TW2D+WptiYXlApGNLVy0zm/JIBVY9i+M4wpAU=
|
||||
k8s.io/utils v0.0.0-20230505201702-9f6742963106/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
|
||||
k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
|
||||
k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
|
||||
mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
|
||||
mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
|
||||
mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
|
||||
|
@ -2247,10 +2241,10 @@ sigs.k8s.io/controller-runtime v0.15.1 h1:9UvgKD4ZJGcj24vefUFgZFP3xej/3igL9BsOUT
|
|||
sigs.k8s.io/controller-runtime v0.15.1/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk=
|
||||
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
|
||||
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
|
||||
sigs.k8s.io/kustomize/api v0.13.4 h1:E38Hfx0G9R9v7vRgKshviPotJQETG0S2gD3JdHLCAsI=
|
||||
sigs.k8s.io/kustomize/api v0.13.4/go.mod h1:Bkaavz5RKK6ZzP0zgPrB7QbpbBJKiHuD3BB0KujY7Ls=
|
||||
sigs.k8s.io/kustomize/kyaml v0.14.2 h1:9WSwztbzwGszG1bZTziQUmVMrJccnyrLb5ZMKpJGvXw=
|
||||
sigs.k8s.io/kustomize/kyaml v0.14.2/go.mod h1:AN1/IpawKilWD7V+YvQwRGUvuUOOWpjsHu6uHwonSF4=
|
||||
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0=
|
||||
sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY=
|
||||
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 h1:W6cLQc5pnqM7vh3b7HvGNfXrJ/xL6BDMS0v1V/HHg5U=
|
||||
sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3/go.mod h1:JWP1Fj0VWGHyw3YUPjXSQnRnrwezrZSrApfX5S0nIag=
|
||||
sigs.k8s.io/release-utils v0.7.4 h1:17LmJrydpUloTCtaoWj95uKlcrUp4h2A9Sa+ZL+lV9w=
|
||||
sigs.k8s.io/release-utils v0.7.4/go.mod h1:JEt2QPHItd5Pg2UKLAU8PEaSlF4bUjCZimpxFDgymVU=
|
||||
sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
|
||||
|
|
|
@ -4,7 +4,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
github_com_google_gnostic_openapiv2 "github.com/google/gnostic/openapiv2"
|
||||
github_com_google_gnostic_models_openapiv2 "github.com/google/gnostic-models/openapiv2"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"go.uber.org/multierr"
|
||||
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -31,7 +31,7 @@ type withLogging struct {
|
|||
logger logr.Logger
|
||||
}
|
||||
|
||||
func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "OpenAPISchema")
|
||||
ret0, ret1 := c.inner.OpenAPISchema()
|
||||
|
@ -135,7 +135,7 @@ type withMetrics struct {
|
|||
recorder metrics.Recorder
|
||||
}
|
||||
|
||||
func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
defer c.recorder.Record("open_api_schema")
|
||||
return c.inner.OpenAPISchema()
|
||||
}
|
||||
|
@ -182,7 +182,7 @@ type withTracing struct {
|
|||
kind string
|
||||
}
|
||||
|
||||
func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
return c.inner.OpenAPISchema()
|
||||
}
|
||||
func (c *withTracing) OpenAPIV3() k8s_io_client_go_openapi.Client {
|
||||
|
|
|
@ -4,7 +4,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
github_com_google_gnostic_openapiv2 "github.com/google/gnostic/openapiv2"
|
||||
github_com_google_gnostic_models_openapiv2 "github.com/google/gnostic-models/openapiv2"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"go.uber.org/multierr"
|
||||
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -31,7 +31,7 @@ type withLogging struct {
|
|||
logger logr.Logger
|
||||
}
|
||||
|
||||
func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "OpenAPISchema")
|
||||
ret0, ret1 := c.inner.OpenAPISchema()
|
||||
|
@ -135,7 +135,7 @@ type withMetrics struct {
|
|||
recorder metrics.Recorder
|
||||
}
|
||||
|
||||
func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
defer c.recorder.Record("open_api_schema")
|
||||
return c.inner.OpenAPISchema()
|
||||
}
|
||||
|
@ -182,7 +182,7 @@ type withTracing struct {
|
|||
kind string
|
||||
}
|
||||
|
||||
func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
return c.inner.OpenAPISchema()
|
||||
}
|
||||
func (c *withTracing) OpenAPIV3() k8s_io_client_go_openapi.Client {
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
openapiv2 "github.com/google/gnostic/openapiv2"
|
||||
openapiv2 "github.com/google/gnostic-models/openapiv2"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
"github.com/kyverno/kyverno/pkg/utils/wildcard"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
"fmt"
|
||||
"strings"
|
||||
|
||||
openapiv2 "github.com/google/gnostic/openapiv2"
|
||||
openapiv2 "github.com/google/gnostic-models/openapiv2"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
|
|
|
@ -3,6 +3,8 @@ package client
|
|||
import (
|
||||
"github.com/go-logr/logr"
|
||||
mutatingwebhookconfigurations "github.com/kyverno/kyverno/pkg/clients/kube/admissionregistrationv1beta1/mutatingwebhookconfigurations"
|
||||
validatingadmissionpolicies "github.com/kyverno/kyverno/pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicies"
|
||||
validatingadmissionpolicybindings "github.com/kyverno/kyverno/pkg/clients/kube/admissionregistrationv1beta1/validatingadmissionpolicybindings"
|
||||
validatingwebhookconfigurations "github.com/kyverno/kyverno/pkg/clients/kube/admissionregistrationv1beta1/validatingwebhookconfigurations"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
|
||||
|
@ -34,6 +36,14 @@ func (c *withMetrics) MutatingWebhookConfigurations() k8s_io_client_go_kubernete
|
|||
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "MutatingWebhookConfiguration", c.clientType)
|
||||
return mutatingwebhookconfigurations.WithMetrics(c.inner.MutatingWebhookConfigurations(), recorder)
|
||||
}
|
||||
func (c *withMetrics) ValidatingAdmissionPolicies() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface {
|
||||
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ValidatingAdmissionPolicy", c.clientType)
|
||||
return validatingadmissionpolicies.WithMetrics(c.inner.ValidatingAdmissionPolicies(), recorder)
|
||||
}
|
||||
func (c *withMetrics) ValidatingAdmissionPolicyBindings() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface {
|
||||
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ValidatingAdmissionPolicyBinding", c.clientType)
|
||||
return validatingadmissionpolicybindings.WithMetrics(c.inner.ValidatingAdmissionPolicyBindings(), recorder)
|
||||
}
|
||||
func (c *withMetrics) ValidatingWebhookConfigurations() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingWebhookConfigurationInterface {
|
||||
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ValidatingWebhookConfiguration", c.clientType)
|
||||
return validatingwebhookconfigurations.WithMetrics(c.inner.ValidatingWebhookConfigurations(), recorder)
|
||||
|
@ -50,6 +60,12 @@ func (c *withTracing) RESTClient() rest.Interface {
|
|||
func (c *withTracing) MutatingWebhookConfigurations() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.MutatingWebhookConfigurationInterface {
|
||||
return mutatingwebhookconfigurations.WithTracing(c.inner.MutatingWebhookConfigurations(), c.client, "MutatingWebhookConfiguration")
|
||||
}
|
||||
func (c *withTracing) ValidatingAdmissionPolicies() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface {
|
||||
return validatingadmissionpolicies.WithTracing(c.inner.ValidatingAdmissionPolicies(), c.client, "ValidatingAdmissionPolicy")
|
||||
}
|
||||
func (c *withTracing) ValidatingAdmissionPolicyBindings() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface {
|
||||
return validatingadmissionpolicybindings.WithTracing(c.inner.ValidatingAdmissionPolicyBindings(), c.client, "ValidatingAdmissionPolicyBinding")
|
||||
}
|
||||
func (c *withTracing) ValidatingWebhookConfigurations() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingWebhookConfigurationInterface {
|
||||
return validatingwebhookconfigurations.WithTracing(c.inner.ValidatingWebhookConfigurations(), c.client, "ValidatingWebhookConfiguration")
|
||||
}
|
||||
|
@ -65,6 +81,12 @@ func (c *withLogging) RESTClient() rest.Interface {
|
|||
func (c *withLogging) MutatingWebhookConfigurations() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.MutatingWebhookConfigurationInterface {
|
||||
return mutatingwebhookconfigurations.WithLogging(c.inner.MutatingWebhookConfigurations(), c.logger.WithValues("resource", "MutatingWebhookConfigurations"))
|
||||
}
|
||||
func (c *withLogging) ValidatingAdmissionPolicies() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface {
|
||||
return validatingadmissionpolicies.WithLogging(c.inner.ValidatingAdmissionPolicies(), c.logger.WithValues("resource", "ValidatingAdmissionPolicies"))
|
||||
}
|
||||
func (c *withLogging) ValidatingAdmissionPolicyBindings() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface {
|
||||
return validatingadmissionpolicybindings.WithLogging(c.inner.ValidatingAdmissionPolicyBindings(), c.logger.WithValues("resource", "ValidatingAdmissionPolicyBindings"))
|
||||
}
|
||||
func (c *withLogging) ValidatingWebhookConfigurations() k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingWebhookConfigurationInterface {
|
||||
return validatingwebhookconfigurations.WithLogging(c.inner.ValidatingWebhookConfigurations(), c.logger.WithValues("resource", "ValidatingWebhookConfigurations"))
|
||||
}
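Review bot: The new `ValidatingAdmissionPolicies()` and `ValidatingAdmissionPolicyBindings()` accessors in the `withMetrics`, `withTracing` and `withLogging` hunks have no comment saying when the underlying API is usable. They return `admissionregistration/v1beta1` clients, a beta group version that a cluster does not necessarily serve, so a caller that assumes availability could see every call fail; whether the callers in this commit guard against that is not visible in this section. I would add a one-line comment on each accessor, for example `// ValidatingAdmissionPolicies wraps the v1beta1 client; the cluster may not serve this API, so callers must handle its absence.` If this file is generated, as the underscore-style import aliases suggest, the comment belongs in the generator template rather than here.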
|
||||
|
|
|
@ -0,0 +1,446 @@
|
|||
package resource
|
||||
|
||||
import (
|
||||
context "context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/tracing"
|
||||
"go.opentelemetry.io/otel/trace"
|
||||
"go.uber.org/multierr"
|
||||
k8s_io_api_admissionregistration_v1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
|
||||
k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
|
||||
k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1 "k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1"
|
||||
k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
|
||||
)
|
||||
|
||||
func WithLogging(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface, logger logr.Logger) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface {
|
||||
return &withLogging{inner, logger}
|
||||
}
|
||||
|
||||
func WithMetrics(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface, recorder metrics.Recorder) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface {
|
||||
return &withMetrics{inner, recorder}
|
||||
}
|
||||
|
||||
func WithTracing(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface, client, kind string) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface {
|
||||
return &withTracing{inner, client, kind}
|
||||
}
|
||||
|
||||
type withLogging struct {
|
||||
inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface
|
||||
logger logr.Logger
|
||||
}
|
||||
|
||||
func (c *withLogging) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Apply")
|
||||
ret0, ret1 := c.inner.Apply(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Apply failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Apply done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "ApplyStatus")
|
||||
ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "ApplyStatus failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("ApplyStatus done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Create")
|
||||
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Create failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Create done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Delete")
|
||||
ret0 := c.inner.Delete(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret0); err != nil {
|
||||
logger.Error(err, "Delete failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Delete done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "DeleteCollection")
|
||||
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret0); err != nil {
|
||||
logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("DeleteCollection done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Get")
|
||||
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Get failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Get done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyList, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "List")
|
||||
ret0, ret1 := c.inner.List(arg0, arg1)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "List failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("List done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Patch")
|
||||
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Patch failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Patch done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Update")
|
||||
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Update failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Update done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "UpdateStatus")
|
||||
ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "UpdateStatus failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("UpdateStatus done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Watch")
|
||||
ret0, ret1 := c.inner.Watch(arg0, arg1)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Watch failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Watch done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
type withMetrics struct {
|
||||
inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface
|
||||
recorder metrics.Recorder
|
||||
}
|
||||
|
||||
func (c *withMetrics) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "apply")
|
||||
return c.inner.Apply(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "apply_status")
|
||||
return c.inner.ApplyStatus(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "create")
|
||||
return c.inner.Create(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
|
||||
defer c.recorder.RecordWithContext(arg0, "delete")
|
||||
return c.inner.Delete(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
|
||||
defer c.recorder.RecordWithContext(arg0, "delete_collection")
|
||||
return c.inner.DeleteCollection(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "get")
|
||||
return c.inner.Get(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyList, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "list")
|
||||
return c.inner.List(arg0, arg1)
|
||||
}
|
||||
func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "patch")
|
||||
return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
|
||||
}
|
||||
func (c *withMetrics) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "update")
|
||||
return c.inner.Update(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "update_status")
|
||||
return c.inner.UpdateStatus(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "watch")
|
||||
return c.inner.Watch(arg0, arg1)
|
||||
}
|
||||
|
||||
type withTracing struct {
|
||||
inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyInterface
|
||||
client string
|
||||
kind string
|
||||
}
|
||||
|
||||
func (c *withTracing) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Apply"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Apply"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Apply(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "ApplyStatus"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("ApplyStatus"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Create"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Delete"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0 := c.inner.Delete(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret0)
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("DeleteCollection"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret0)
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Get"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyList, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("List"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.List(arg0, arg1)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Patch"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Update"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("UpdateStatus"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Watch"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Watch(arg0, arg1)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
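Review bot: The `withLogging` wrappers for `Delete`, `Get` and `Patch` log only `operation` and `duration`, so a "Delete done" line does not record which ValidatingAdmissionPolicy was removed, and that is the detail an audit or incident review needs when an admission control disappears. In the client-go interface `arg1` is the object name for these three methods, so it can be attached where the logger is built: `logger := c.logger.WithValues("operation", "Delete", "name", arg1)`. The uniform `argN`/`retN` names and package-path import aliases suggest this file is emitted by a generator. If so, the change belongs in its template and would also cover the ValidatingAdmissionPolicyBinding wrappers in the next file section.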
|
|
@ -0,0 +1,374 @@
|
|||
package resource
|
||||
|
||||
import (
|
||||
context "context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/tracing"
|
||||
"go.opentelemetry.io/otel/trace"
|
||||
"go.uber.org/multierr"
|
||||
k8s_io_api_admissionregistration_v1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
|
||||
k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
|
||||
k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1 "k8s.io/client-go/applyconfigurations/admissionregistration/v1beta1"
|
||||
k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1 "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
|
||||
)
|
||||
|
||||
func WithLogging(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface, logger logr.Logger) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface {
|
||||
return &withLogging{inner, logger}
|
||||
}
|
||||
|
||||
func WithMetrics(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface, recorder metrics.Recorder) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface {
|
||||
return &withMetrics{inner, recorder}
|
||||
}
|
||||
|
||||
func WithTracing(inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface, client, kind string) k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface {
|
||||
return &withTracing{inner, client, kind}
|
||||
}
|
||||
|
||||
type withLogging struct {
|
||||
inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface
|
||||
logger logr.Logger
|
||||
}
|
||||
|
||||
func (c *withLogging) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Apply")
|
||||
ret0, ret1 := c.inner.Apply(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Apply failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Apply done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Create")
|
||||
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Create failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Create done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Delete")
|
||||
ret0 := c.inner.Delete(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret0); err != nil {
|
||||
logger.Error(err, "Delete failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Delete done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "DeleteCollection")
|
||||
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret0); err != nil {
|
||||
logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("DeleteCollection done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Get")
|
||||
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Get failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Get done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingList, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "List")
|
||||
ret0, ret1 := c.inner.List(arg0, arg1)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "List failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("List done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Patch")
|
||||
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Patch failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Patch done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Update")
|
||||
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Update failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Update done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Watch")
|
||||
ret0, ret1 := c.inner.Watch(arg0, arg1)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Watch failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Watch done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
type withMetrics struct {
|
||||
inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface
|
||||
recorder metrics.Recorder
|
||||
}
|
||||
|
||||
func (c *withMetrics) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "apply")
|
||||
return c.inner.Apply(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "create")
|
||||
return c.inner.Create(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
|
||||
defer c.recorder.RecordWithContext(arg0, "delete")
|
||||
return c.inner.Delete(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
|
||||
defer c.recorder.RecordWithContext(arg0, "delete_collection")
|
||||
return c.inner.DeleteCollection(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "get")
|
||||
return c.inner.Get(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingList, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "list")
|
||||
return c.inner.List(arg0, arg1)
|
||||
}
|
||||
func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "patch")
|
||||
return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
|
||||
}
|
||||
func (c *withMetrics) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "update")
|
||||
return c.inner.Update(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "watch")
|
||||
return c.inner.Watch(arg0, arg1)
|
||||
}
|
||||
|
||||
type withTracing struct {
|
||||
inner k8s_io_client_go_kubernetes_typed_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingInterface
|
||||
client string
|
||||
kind string
|
||||
}
|
||||
|
||||
func (c *withTracing) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Apply"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Apply"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Apply(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Create(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Create"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Delete"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0 := c.inner.Delete(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret0)
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("DeleteCollection"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret0)
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Get"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBindingList, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("List"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.List(arg0, arg1)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Patch"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Update(arg0 context.Context, arg1 *k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_admissionregistration_v1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Update"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Watch"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Watch(arg0, arg1)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
|
@ -2,6 +2,7 @@ package client
|
|||
|
||||
import (
|
||||
"github.com/go-logr/logr"
|
||||
selfsubjectreviews "github.com/kyverno/kyverno/pkg/clients/kube/authenticationv1/selfsubjectreviews"
|
||||
tokenreviews "github.com/kyverno/kyverno/pkg/clients/kube/authenticationv1/tokenreviews"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
k8s_io_client_go_kubernetes_typed_authentication_v1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
|
||||
|
@ -29,6 +30,10 @@ type withMetrics struct {
|
|||
func (c *withMetrics) RESTClient() rest.Interface {
|
||||
return c.inner.RESTClient()
|
||||
}
|
||||
func (c *withMetrics) SelfSubjectReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface {
|
||||
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "SelfSubjectReview", c.clientType)
|
||||
return selfsubjectreviews.WithMetrics(c.inner.SelfSubjectReviews(), recorder)
|
||||
}
|
||||
func (c *withMetrics) TokenReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.TokenReviewInterface {
|
||||
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "TokenReview", c.clientType)
|
||||
return tokenreviews.WithMetrics(c.inner.TokenReviews(), recorder)
|
||||
|
@ -42,6 +47,9 @@ type withTracing struct {
|
|||
func (c *withTracing) RESTClient() rest.Interface {
|
||||
return c.inner.RESTClient()
|
||||
}
|
||||
func (c *withTracing) SelfSubjectReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface {
|
||||
return selfsubjectreviews.WithTracing(c.inner.SelfSubjectReviews(), c.client, "SelfSubjectReview")
|
||||
}
|
||||
func (c *withTracing) TokenReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.TokenReviewInterface {
|
||||
return tokenreviews.WithTracing(c.inner.TokenReviews(), c.client, "TokenReview")
|
||||
}
|
||||
|
@ -54,6 +62,9 @@ type withLogging struct {
|
|||
func (c *withLogging) RESTClient() rest.Interface {
|
||||
return c.inner.RESTClient()
|
||||
}
|
||||
func (c *withLogging) SelfSubjectReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface {
|
||||
return selfsubjectreviews.WithLogging(c.inner.SelfSubjectReviews(), c.logger.WithValues("resource", "SelfSubjectReviews"))
|
||||
}
|
||||
func (c *withLogging) TokenReviews() k8s_io_client_go_kubernetes_typed_authentication_v1.TokenReviewInterface {
|
||||
return tokenreviews.WithLogging(c.inner.TokenReviews(), c.logger.WithValues("resource", "TokenReviews"))
|
||||
}
|
||||
|
|
|
@ -0,0 +1,83 @@
|
|||
package resource
|
||||
|
||||
import (
|
||||
context "context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/tracing"
|
||||
"go.opentelemetry.io/otel/trace"
|
||||
"go.uber.org/multierr"
|
||||
k8s_io_api_authentication_v1 "k8s.io/api/authentication/v1"
|
||||
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
k8s_io_client_go_kubernetes_typed_authentication_v1 "k8s.io/client-go/kubernetes/typed/authentication/v1"
|
||||
)
|
||||
|
||||
func WithLogging(inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface, logger logr.Logger) k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface {
|
||||
return &withLogging{inner, logger}
|
||||
}
|
||||
|
||||
func WithMetrics(inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface, recorder metrics.Recorder) k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface {
|
||||
return &withMetrics{inner, recorder}
|
||||
}
|
||||
|
||||
func WithTracing(inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface, client, kind string) k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface {
|
||||
return &withTracing{inner, client, kind}
|
||||
}
|
||||
|
||||
type withLogging struct {
|
||||
inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface
|
||||
logger logr.Logger
|
||||
}
|
||||
|
||||
func (c *withLogging) Create(arg0 context.Context, arg1 *k8s_io_api_authentication_v1.SelfSubjectReview, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_authentication_v1.SelfSubjectReview, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Create")
|
||||
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Create failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Create done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
type withMetrics struct {
|
||||
inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface
|
||||
recorder metrics.Recorder
|
||||
}
|
||||
|
||||
func (c *withMetrics) Create(arg0 context.Context, arg1 *k8s_io_api_authentication_v1.SelfSubjectReview, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_authentication_v1.SelfSubjectReview, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "create")
|
||||
return c.inner.Create(arg0, arg1, arg2)
|
||||
}
|
||||
|
||||
type withTracing struct {
|
||||
inner k8s_io_client_go_kubernetes_typed_authentication_v1.SelfSubjectReviewInterface
|
||||
client string
|
||||
kind string
|
||||
}
|
||||
|
||||
func (c *withTracing) Create(arg0 context.Context, arg1 *k8s_io_api_authentication_v1.SelfSubjectReview, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_authentication_v1.SelfSubjectReview, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Create"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
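Review bot: The exported constructors at the top of this new file (`WithLogging`, `WithMetrics`, `WithTracing`) have no doc comments, and the file opens directly with `package resource` without a generated-code marker, although the `arg0`/`ret0` naming suggests it comes from a generator. If it is generated, a first line such as `// Code generated by <generator name>. DO NOT EDIT.` (placeholder for the real tool name) lets linters and reviewers treat it as such, and any fix belongs in the template. If it is hand-written, add comments such as `// WithLogging returns a SelfSubjectReviewInterface that logs each Create call and its duration.`. A SelfSubjectReview response describes the caller's identity, so that comment should also record that `withLogging.Create` emits only the operation name, the error and the duration, never the request or response object.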
|
|
@ -4,7 +4,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
github_com_google_gnostic_openapiv2 "github.com/google/gnostic/openapiv2"
|
||||
github_com_google_gnostic_models_openapiv2 "github.com/google/gnostic-models/openapiv2"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"go.uber.org/multierr"
|
||||
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -31,7 +31,7 @@ type withLogging struct {
|
|||
logger logr.Logger
|
||||
}
|
||||
|
||||
func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "OpenAPISchema")
|
||||
ret0, ret1 := c.inner.OpenAPISchema()
|
||||
|
@ -135,7 +135,7 @@ type withMetrics struct {
|
|||
recorder metrics.Recorder
|
||||
}
|
||||
|
||||
func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
defer c.recorder.Record("open_api_schema")
|
||||
return c.inner.OpenAPISchema()
|
||||
}
|
||||
|
@ -182,7 +182,7 @@ type withTracing struct {
|
|||
kind string
|
||||
}
|
||||
|
||||
func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
return c.inner.OpenAPISchema()
|
||||
}
|
||||
func (c *withTracing) OpenAPIV3() k8s_io_client_go_openapi.Client {
|
||||
|
|
|
@ -46,17 +46,6 @@ func (c *withLogging) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco
|
|||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_extensions_v1beta1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "ApplyStatus")
|
||||
ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "ApplyStatus failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("ApplyStatus done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Create(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Create")
|
||||
|
@ -134,17 +123,6 @@ func (c *withLogging) Update(arg0 context.Context, arg1 *k8s_io_api_extensions_v
|
|||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "UpdateStatus")
|
||||
ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "UpdateStatus failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("UpdateStatus done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Watch")
|
||||
|
@ -166,10 +144,6 @@ func (c *withMetrics) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco
|
|||
defer c.recorder.RecordWithContext(arg0, "apply")
|
||||
return c.inner.Apply(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_extensions_v1beta1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "apply_status")
|
||||
return c.inner.ApplyStatus(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Create(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "create")
|
||||
return c.inner.Create(arg0, arg1, arg2)
|
||||
|
@ -198,10 +172,6 @@ func (c *withMetrics) Update(arg0 context.Context, arg1 *k8s_io_api_extensions_v
|
|||
defer c.recorder.RecordWithContext(arg0, "update")
|
||||
return c.inner.Update(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "update_status")
|
||||
return c.inner.UpdateStatus(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "watch")
|
||||
return c.inner.Watch(arg0, arg1)
|
||||
|
@ -234,27 +204,6 @@ func (c *withTracing) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco
|
|||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_extensions_v1beta1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "ApplyStatus"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("ApplyStatus"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Create(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
|
@ -402,27 +351,6 @@ func (c *withTracing) Update(arg0 context.Context, arg1 *k8s_io_api_extensions_v
|
|||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_extensions_v1beta1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_extensions_v1beta1.NetworkPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("UpdateStatus"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
|
|
|
@ -46,17 +46,6 @@ func (c *withLogging) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco
|
|||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_networking_v1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "ApplyStatus")
|
||||
ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "ApplyStatus failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("ApplyStatus done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Create(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Create")
|
||||
|
@ -134,17 +123,6 @@ func (c *withLogging) Update(arg0 context.Context, arg1 *k8s_io_api_networking_v
|
|||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "UpdateStatus")
|
||||
ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "UpdateStatus failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("UpdateStatus done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Watch")
|
||||
|
@ -166,10 +144,6 @@ func (c *withMetrics) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco
|
|||
defer c.recorder.RecordWithContext(arg0, "apply")
|
||||
return c.inner.Apply(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_networking_v1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "apply_status")
|
||||
return c.inner.ApplyStatus(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Create(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "create")
|
||||
return c.inner.Create(arg0, arg1, arg2)
|
||||
|
@ -198,10 +172,6 @@ func (c *withMetrics) Update(arg0 context.Context, arg1 *k8s_io_api_networking_v
|
|||
defer c.recorder.RecordWithContext(arg0, "update")
|
||||
return c.inner.Update(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "update_status")
|
||||
return c.inner.UpdateStatus(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "watch")
|
||||
return c.inner.Watch(arg0, arg1)
|
||||
|
@ -234,27 +204,6 @@ func (c *withTracing) Apply(arg0 context.Context, arg1 *k8s_io_client_go_applyco
|
|||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) ApplyStatus(arg0 context.Context, arg1 *k8s_io_client_go_applyconfigurations_networking_v1.NetworkPolicyApplyConfiguration, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ApplyOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "ApplyStatus"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("ApplyStatus"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.ApplyStatus(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Create(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
|
@ -402,27 +351,6 @@ func (c *withTracing) Update(arg0 context.Context, arg1 *k8s_io_api_networking_v
|
|||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *k8s_io_api_networking_v1.NetworkPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*k8s_io_api_networking_v1.NetworkPolicy, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("UpdateStatus"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
|
|
|
@ -4,7 +4,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
github_com_google_gnostic_openapiv2 "github.com/google/gnostic/openapiv2"
|
||||
github_com_google_gnostic_models_openapiv2 "github.com/google/gnostic-models/openapiv2"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"go.uber.org/multierr"
|
||||
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -31,7 +31,7 @@ type withLogging struct {
|
|||
logger logr.Logger
|
||||
}
|
||||
|
||||
func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withLogging) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "OpenAPISchema")
|
||||
ret0, ret1 := c.inner.OpenAPISchema()
|
||||
|
@ -135,7 +135,7 @@ type withMetrics struct {
|
|||
recorder metrics.Recorder
|
||||
}
|
||||
|
||||
func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withMetrics) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
defer c.recorder.Record("open_api_schema")
|
||||
return c.inner.OpenAPISchema()
|
||||
}
|
||||
|
@ -182,7 +182,7 @@ type withTracing struct {
|
|||
kind string
|
||||
}
|
||||
|
||||
func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_openapiv2.Document, error) {
|
||||
func (c *withTracing) OpenAPISchema() (*github_com_google_gnostic_models_openapiv2.Document, error) {
|
||||
return c.inner.OpenAPISchema()
|
||||
}
|
||||
func (c *withTracing) OpenAPIV3() k8s_io_client_go_openapi.Client {
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
package openapi
|
||||
|
||||
import (
|
||||
openapiv2 "github.com/google/gnostic/openapiv2"
|
||||
openapiv2 "github.com/google/gnostic-models/openapiv2"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
|
|
@ -17,6 +17,7 @@ import (
|
|||
"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
|
||||
"k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
|
||||
celconfig "k8s.io/apiserver/pkg/apis/cel"
|
||||
"k8s.io/apiserver/pkg/cel/environment"
|
||||
)
|
||||
|
||||
type validateCELHandler struct {
|
||||
|
@ -43,6 +44,7 @@ func (h validateCELHandler) Process(
|
|||
}
|
||||
|
||||
oldResource := policyContext.OldResource()
|
||||
gvr := schema.GroupVersionResource(policyContext.RequestResource())
|
||||
|
||||
var object, oldObject, versionedParams runtime.Object
|
||||
object = resource.DeepCopyObject()
|
||||
|
@ -114,15 +116,18 @@ func (h validateCELHandler) Process(
|
|||
auditExpressions = append(auditExpressions, auditCondition)
|
||||
}
|
||||
|
||||
filterCompiler := cel.NewFilterCompiler()
|
||||
filter := filterCompiler.Compile(expressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit)
|
||||
messageExpressionfilter := filterCompiler.Compile(messageExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit)
|
||||
auditAnnotationFilter := filterCompiler.Compile(auditExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit)
|
||||
matchConditionFilter := filterCompiler.Compile(matchExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit)
|
||||
compositedCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
|
||||
if err != nil {
|
||||
return resource, handlers.WithError(rule, engineapi.Validation, "Error while creating composited compiler", err)
|
||||
}
|
||||
filter := compositedCompiler.Compile(expressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, environment.StoredExpressions)
|
||||
messageExpressionfilter := compositedCompiler.Compile(messageExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, environment.StoredExpressions)
|
||||
auditAnnotationFilter := compositedCompiler.Compile(auditExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, environment.StoredExpressions)
|
||||
matchConditionFilter := compositedCompiler.Compile(matchExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, environment.StoredExpressions)
|
||||
|
||||
newMatcher := matchconditions.NewMatcher(matchConditionFilter, nil, nil, "", "")
|
||||
newMatcher := matchconditions.NewMatcher(matchConditionFilter, nil, "", "", "")
|
||||
|
||||
validator := validatingadmissionpolicy.NewValidator(filter, newMatcher, auditAnnotationFilter, messageExpressionfilter, nil, nil)
|
||||
validator := validatingadmissionpolicy.NewValidator(filter, newMatcher, auditAnnotationFilter, messageExpressionfilter, nil)
|
||||
|
||||
admissionAttributes := admission.NewAttributesRecord(
|
||||
object,
|
||||
|
@ -130,7 +135,7 @@ func (h validateCELHandler) Process(
|
|||
resource.GroupVersionKind(),
|
||||
resource.GetNamespace(),
|
||||
resource.GetName(),
|
||||
schema.GroupVersionResource{},
|
||||
gvr,
|
||||
"",
|
||||
admission.Operation(policyContext.Operation()),
|
||||
nil,
|
||||
|
@ -138,7 +143,7 @@ func (h validateCELHandler) Process(
|
|||
nil,
|
||||
)
|
||||
versionedAttr, _ := admission.NewVersionedAttributes(admissionAttributes, admissionAttributes.GetKind(), nil)
|
||||
validateResult := validator.Validate(ctx, versionedAttr, versionedParams, celconfig.RuntimeCELCostBudget)
|
||||
validateResult := validator.Validate(ctx, gvr, versionedAttr, versionedParams, nil, celconfig.RuntimeCELCostBudget, nil)
|
||||
|
||||
for _, decision := range validateResult.Decisions {
|
||||
switch decision.Action {
|
||||
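Review bot: The new `validator.Validate(ctx, gvr, versionedAttr, versionedParams, nil, celconfig.RuntimeCELCostBudget, nil)` call in the last hunk passes nil for the namespace argument, so a rule that reads `namespaceObject` would presumably see null even for namespaced resources, a value the CRD description in this commit reserves for cluster-scoped ones. A policy that gates on namespace labels could then error out or take the wrong branch instead of denying. Either resolve the namespace from `resource.GetNamespace()` and pass it, or state the limitation next to the call, for example `// namespaceObject is not populated here; expressions that read it evaluate against null`. The same nil namespace is passed in the standalone `Validate(policy, resource)` helper later in this commit. `Process` starts and ends outside these hunks, so whether a namespace lister is reachable from the handler cannot be seen from here.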
|
|
|
@ -7,8 +7,8 @@ import (
|
|||
"sync"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/google/gnostic/compiler"
|
||||
openapiv2 "github.com/google/gnostic/openapiv2"
|
||||
"github.com/google/gnostic-models/compiler"
|
||||
openapiv2 "github.com/google/gnostic-models/openapiv2"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
openapicontroller "github.com/kyverno/kyverno/pkg/controllers/openapi"
|
||||
|
|
|
@ -7,8 +7,8 @@ import (
|
|||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/google/gnostic/compiler"
|
||||
openapiv2 "github.com/google/gnostic/openapiv2"
|
||||
"github.com/google/gnostic-models/compiler"
|
||||
openapiv2 "github.com/google/gnostic-models/openapiv2"
|
||||
"github.com/kyverno/kyverno/data"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
"golang.org/x/exp/slices"
|
||||
|
|
|
@ -19,6 +19,7 @@ import (
|
|||
"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
|
||||
"k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
|
||||
celconfig "k8s.io/apiserver/pkg/apis/cel"
|
||||
"k8s.io/apiserver/pkg/cel/environment"
|
||||
)
|
||||
|
||||
func GetKinds(policy v1alpha1.ValidatingAdmissionPolicy) []string {
|
||||
|
@ -115,30 +116,41 @@ func Validate(policy v1alpha1.ValidatingAdmissionPolicy, resource unstructured.U
|
|||
auditExpressions = append(auditExpressions, auditCondition)
|
||||
}
|
||||
|
||||
filterCompiler := cel.NewFilterCompiler()
|
||||
filter := filterCompiler.Compile(
|
||||
engineResponse := engineapi.NewEngineResponse(resource, engineapi.NewValidatingAdmissionPolicy(policy), nil)
|
||||
policyResp := engineapi.NewPolicyResponse()
|
||||
var ruleResp *engineapi.RuleResponse
|
||||
|
||||
compositedCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion()))
|
||||
if err != nil {
|
||||
ruleResp = engineapi.RuleError(policy.GetName(), engineapi.Validation, "Error creating composited compiler", err)
|
||||
policyResp.Add(engineapi.NewExecutionStats(startTime, time.Now()), *ruleResp)
|
||||
engineResponse = engineResponse.WithPolicyResponse(policyResp)
|
||||
return engineResponse
|
||||
}
|
||||
|
||||
filter := compositedCompiler.Compile(
|
||||
expressions,
|
||||
cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false},
|
||||
celconfig.PerCallLimit,
|
||||
environment.StoredExpressions,
|
||||
)
|
||||
messageExpressionfilter := filterCompiler.Compile(
|
||||
messageExpressionfilter := compositedCompiler.Compile(
|
||||
messageExpressions,
|
||||
cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false},
|
||||
celconfig.PerCallLimit,
|
||||
environment.StoredExpressions,
|
||||
)
|
||||
auditAnnotationFilter := filterCompiler.Compile(
|
||||
auditAnnotationFilter := compositedCompiler.Compile(
|
||||
auditExpressions,
|
||||
cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false},
|
||||
celconfig.PerCallLimit,
|
||||
environment.StoredExpressions,
|
||||
)
|
||||
matchConditionFilter := filterCompiler.Compile(
|
||||
matchConditionFilter := compositedCompiler.Compile(
|
||||
matchExpressions,
|
||||
cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false},
|
||||
celconfig.PerCallLimit,
|
||||
environment.StoredExpressions,
|
||||
)
|
||||
|
||||
newMatcher := matchconditions.NewMatcher(matchConditionFilter, nil, &failPolicy, string(matchPolicy), "")
|
||||
validator := validatingadmissionpolicy.NewValidator(filter, newMatcher, auditAnnotationFilter, messageExpressionfilter, nil, nil)
|
||||
newMatcher := matchconditions.NewMatcher(matchConditionFilter, &failPolicy, "", string(matchPolicy), "")
|
||||
validator := validatingadmissionpolicy.NewValidator(filter, newMatcher, auditAnnotationFilter, messageExpressionfilter, nil)
|
||||
|
||||
admissionAttributes := admission.NewAttributesRecord(
|
||||
resource.DeepCopyObject(),
|
||||
|
@ -153,13 +165,9 @@ func Validate(policy v1alpha1.ValidatingAdmissionPolicy, resource unstructured.U
|
|||
nil,
|
||||
)
|
||||
versionedAttr, _ := admission.NewVersionedAttributes(admissionAttributes, admissionAttributes.GetKind(), nil)
|
||||
validateResult := validator.Validate(context.TODO(), versionedAttr, nil, celconfig.RuntimeCELCostBudget)
|
||||
validateResult := validator.Validate(context.TODO(), schema.GroupVersionResource{}, versionedAttr, nil, nil, celconfig.RuntimeCELCostBudget, nil)
|
||||
|
||||
engineResponse := engineapi.NewEngineResponse(resource, engineapi.NewValidatingAdmissionPolicy(policy), nil)
|
||||
policyResp := engineapi.NewPolicyResponse()
|
||||
var ruleResp *engineapi.RuleResponse
|
||||
isPass := true
|
||||
|
||||
for _, policyDecision := range validateResult.Decisions {
|
||||
if policyDecision.Evaluation == validatingadmissionpolicy.EvalError {
|
||||
isPass = false
|
||||
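Review bot: In the last hunk, `validator.Validate(context.TODO(), schema.GroupVersionResource{}, versionedAttr, nil, nil, celconfig.RuntimeCELCostBudget, nil)` passes an empty matched resource, whereas the admission handler in this commit passes the real `gvr`. If the library copies that argument into the request's resource field, as its position suggests, expressions that check `request.resource` would evaluate against empty strings on this path and could give a different verdict than the same policy gives at admission time. Consider threading the resource's GroupVersionResource into `Validate`, or at minimum document the gap with `// matched resource is unknown here; request.resource is empty in CEL expressions`. The body of `Validate` continues outside the hunk.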
|
|