diff --git a/api/policies.kyverno.io/v1alpha1/policy_status.go b/api/policies.kyverno.io/v1alpha1/policy_status.go index 0a6e253f40..2487d4f47f 100644 --- a/api/policies.kyverno.io/v1alpha1/policy_status.go +++ b/api/policies.kyverno.io/v1alpha1/policy_status.go @@ -25,6 +25,14 @@ type PolicyStatus struct { // +optional Autogen AutogenStatus `json:"autogen"` + + // Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not + // +optional + Generated bool `json:"generated"` + + // Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + // It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + Message string `json:"message"` } // AutogenStatus contains autogen status information. diff --git a/api/policies.kyverno.io/v1alpha1/validating_policy.go b/api/policies.kyverno.io/v1alpha1/validating_policy.go index 1a12d28542..149725caef 100644 --- a/api/policies.kyverno.io/v1alpha1/validating_policy.go +++ b/api/policies.kyverno.io/v1alpha1/validating_policy.go @@ -54,6 +54,10 @@ func (s *ValidatingPolicy) GetStatus() *PolicyStatus { return &s.Status } +func (s *ValidatingPolicy) GetKind() string { + return s.Kind +} + // +kubebuilder:object:root=true // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index 8d50959501..4050260e70 100644 --- a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml 
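Review bot: The added `Message` field in PolicyStatus has no `// +optional` marker and no `omitempty`, and the regenerated CRD schemas later in this diff consequently list `message` under the status `required:` key. A status written without that field (for example by a client that only sets `ready` or conditions) would presumably be rejected by schema validation, which can hide the real state of a policy. Mark it optional like `Generated`, i.e. add `// +optional` above the field and use the tag `json:"message,omitempty"`. The opening of the struct is outside the hunk.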
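Review bot: `GetKind` returns `s.Kind`, which is read from the embedded TypeMeta and is frequently empty on objects obtained through typed listers and informers. Elsewhere in this diff `policy.GetKind()` is written into the owner reference of the generated ValidatingAdmissionPolicy and the controller matches on `OwnerReferences[0].Kind == "ValidatingPolicy"`; whether GenericPolicy delegates to this method is not visible here, but if it does, an empty kind would break both the owner reference and the drift re-enqueue. Returning the constant removes that dependency: `return "ValidatingPolicy"`. The method also lacks a doc comment, e.g. `// GetKind returns the resource kind of the policy.`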
@@ -1314,11 +1314,22 @@ spec: - type type: object type: array + generated: + description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy + is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string ready: description: |- The ready of a policy is a high-level summary of where the policy is in its lifecycle. The conditions array, the reason and message fields contain more detail about the policy's status. type: boolean + required: + - message type: object required: - spec diff --git a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml index 921d656c0c..dccdce2b07 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml @@ -1308,11 +1308,22 @@ spec: - type type: object type: array + generated: + description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy + is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string ready: description: |- The ready of a policy is a high-level summary of where the policy is in its lifecycle. The conditions array, the reason and message fields contain more detail about the policy's status. type: boolean + required: + - message type: object required: - spec 
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 092c37d0fa..a0bf9a0eb0 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -289,6 +289,7 @@ func createrLeaderControllers( kyvernoClient, dynamicClient.Discovery(), kyvernoInformer.Kyverno().V1().ClusterPolicies(), + kyvernoInformer.Policies().V1alpha1().ValidatingPolicies(), kyvernoInformer.Kyverno().V2().PolicyExceptions(), kubeInformer.Admissionregistration().V1().ValidatingAdmissionPolicies(), kubeInformer.Admissionregistration().V1().ValidatingAdmissionPolicyBindings(), diff --git a/config/crds/policies.kyverno.io/policies.kyverno.io_mutatingpolicies.yaml b/config/crds/policies.kyverno.io/policies.kyverno.io_mutatingpolicies.yaml index 937347b30d..9290f09da0 100644 --- a/config/crds/policies.kyverno.io/policies.kyverno.io_mutatingpolicies.yaml +++ b/config/crds/policies.kyverno.io/policies.kyverno.io_mutatingpolicies.yaml @@ -1290,11 +1290,22 @@ spec: - type type: object type: array + generated: + description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy + is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string ready: description: |- The ready of a policy is a high-level summary of where the policy is in its lifecycle. The conditions array, the reason and message fields contain more detail about the policy's status. type: boolean + required: + - message type: object required: - spec diff --git a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index 921d656c0c..dccdce2b07 100644 --- a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml 
+++ b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml @@ -1308,11 +1308,22 @@ spec: - type type: object type: array + generated: + description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy + is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string ready: description: |- The ready of a policy is a high-level summary of where the policy is in its lifecycle. The conditions array, the reason and message fields contain more detail about the policy's status. type: boolean + required: + - message type: object required: - spec diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 2f19f7fe28..2bced0afe7 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -49856,11 +49856,22 @@ spec: - type type: object type: array + generated: + description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy + is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string ready: description: |- The ready of a policy is a high-level summary of where the policy is in its lifecycle. The conditions array, the reason and message fields contain more detail about the policy's status. type: boolean + required: + - message type: object required: - spec diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index cb1fe89b68..c0c86e4f89 100644 --- a/docs/user/crd/index.html 
+++ b/docs/user/crd/index.html @@ -12134,6 +12134,30 @@ AutogenStatus (Optional) + + +generated
+ +bool + + + +(Optional) +

Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not

+ + + + +message
+ +string + + + +

Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy +It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.

+ +
diff --git a/pkg/admissionpolicy/builder.go b/pkg/admissionpolicy/builder.go index 472f8c400d..3ad6222192 100644 --- a/pkg/admissionpolicy/builder.go +++ b/pkg/admissionpolicy/builder.go @@ -7,6 +7,7 @@ import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" "github.com/kyverno/kyverno/pkg/clients/dclient" + engineapi "github.com/kyverno/kyverno/pkg/engine/api" controllerutils "github.com/kyverno/kyverno/pkg/utils/controller" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" 
@@ -17,90 +18,109 @@ import ( func BuildValidatingAdmissionPolicy( discoveryClient dclient.IDiscovery, vap *admissionregistrationv1.ValidatingAdmissionPolicy, - cpol kyvernov1.PolicyInterface, + policy engineapi.GenericPolicy, exceptions []kyvernov2.PolicyException, ) error { + var matchResources admissionregistrationv1.MatchResources + var matchConditions []admissionregistrationv1.MatchCondition + var paramKind *admissionregistrationv1.ParamKind + var validations []admissionregistrationv1.Validation + var auditAnnotations []admissionregistrationv1.AuditAnnotation + var variables []admissionregistrationv1.Variable + + if cpol := policy.AsKyvernoPolicy(); cpol != nil { + // construct the rules + var matchRules, excludeRules []admissionregistrationv1.NamedRuleWithOperations + + rule := cpol.GetSpec().Rules[0] + + // convert the match block + match := rule.MatchResources + if !match.ResourceDescription.IsEmpty() { + if err := translateResource(discoveryClient, &matchResources, &matchRules, match.ResourceDescription, true); err != nil { + return err + } + } + + if match.Any != nil { + if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.Any, true); err != nil { + return err + } + } + if match.All != nil { + if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.All, true); err != nil { + return err + } + } + + // convert the exclude block + if exclude := rule.ExcludeResources; exclude != nil { + if !exclude.ResourceDescription.IsEmpty() { + if err := translateResource(discoveryClient, &matchResources, &excludeRules, exclude.ResourceDescription, false); err != nil { + return err + } + } + + if exclude.Any != nil { + if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, exclude.Any, false); err != nil { + return err + } + } + if exclude.All != nil { + if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, exclude.All, false); err != nil { + 
return err + } + } + } + + // convert the exceptions if exist + for _, exception := range exceptions { + match := exception.Spec.Match + if match.Any != nil { + if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, match.Any, false); err != nil { + return err + } + } + + if match.All != nil { + if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, match.All, false); err != nil { + return err + } + } + } + + matchConditions = rule.CELPreconditions + paramKind = rule.Validation.CEL.ParamKind + validations = rule.Validation.CEL.Expressions + auditAnnotations = rule.Validation.CEL.AuditAnnotations + variables = rule.Validation.CEL.Variables + } else if vpol := policy.AsValidatingPolicy(); vpol != nil { + matchResources = *vpol.Spec.MatchConstraints + matchConditions = vpol.Spec.MatchConditions + paramKind = vpol.Spec.ParamKind + validations = vpol.Spec.Validations + auditAnnotations = vpol.Spec.AuditAnnotations + variables = vpol.Spec.Variables + } + // set owner reference vap.OwnerReferences = []metav1.OwnerReference{ { - APIVersion: "kyverno.io/v1", - Kind: cpol.GetKind(), - Name: cpol.GetName(), - UID: cpol.GetUID(), + APIVersion: policy.GetAPIVersion(), + Kind: policy.GetKind(), + Name: policy.GetName(), + UID: policy.GetUID(), }, } - - // construct the rules - var matchResources admissionregistrationv1.MatchResources - var matchRules, excludeRules []admissionregistrationv1.NamedRuleWithOperations - - rule := cpol.GetSpec().Rules[0] - - // convert the match block - match := rule.MatchResources - if !match.ResourceDescription.IsEmpty() { - if err := translateResource(discoveryClient, &matchResources, &matchRules, match.ResourceDescription, true); err != nil { - return err - } - } - - if match.Any != nil { - if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.Any, true); err != nil { - return err - } - } - if match.All != nil { - if err := 
translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.All, true); err != nil { - return err - } - } - - // convert the exclude block - if exclude := rule.ExcludeResources; exclude != nil { - if !exclude.ResourceDescription.IsEmpty() { - if err := translateResource(discoveryClient, &matchResources, &excludeRules, exclude.ResourceDescription, false); err != nil { - return err - } - } - - if exclude.Any != nil { - if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, exclude.Any, false); err != nil { - return err - } - } - if exclude.All != nil { - if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, exclude.All, false); err != nil { - return err - } - } - } - - // convert the exceptions if exist - for _, exception := range exceptions { - match := exception.Spec.Match - if match.Any != nil { - if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, match.Any, false); err != nil { - return err - } - } - - if match.All != nil { - if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, match.All, false); err != nil { - return err - } - } - } - // set policy spec vap.Spec = admissionregistrationv1.ValidatingAdmissionPolicySpec{ MatchConstraints: &matchResources, - ParamKind: rule.Validation.CEL.ParamKind, - Variables: rule.Validation.CEL.Variables, - Validations: rule.Validation.CEL.Expressions, - AuditAnnotations: rule.Validation.CEL.AuditAnnotations, - MatchConditions: rule.CELPreconditions, + ParamKind: paramKind, + Variables: variables, + Validations: validations, + AuditAnnotations: auditAnnotations, + MatchConditions: matchConditions, } - // set labels controllerutils.SetManagedByKyvernoLabel(vap) return nil 
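Review bot: In the ValidatingPolicy branch, `matchResources = *vpol.Spec.MatchConstraints` dereferences a pointer without a nil check, so a policy stored without match constraints would panic the worker instead of producing a status message. If neither `AsKyvernoPolicy()` nor `AsValidatingPolicy()` returns a value, the function also falls through and builds a ValidatingAdmissionPolicy with empty match constraints and no validations, returning nil. Both cases should return an error so the caller records it through its status update; the fence assumes `errors` is imported in this file. The function's closing brace is outside the hunk.

```go
	// … unchanged: ClusterPolicy branch …
	} else if vpol := policy.AsValidatingPolicy(); vpol != nil {
		if vpol.Spec.MatchConstraints == nil {
			return errors.New("validating policy has no matchConstraints")
		}
		matchResources = *vpol.Spec.MatchConstraints
		// … unchanged: remaining field assignments …
	} else {
		return errors.New("unsupported policy type")
	}
	// … unchanged: owner reference, spec and labels …
```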
@@ -109,46 +129,53 @@ func BuildValidatingAdmissionPolicy( // BuildValidatingAdmissionPolicyBinding is used to build a Kubernetes ValidatingAdmissionPolicyBinding from a Kyverno policy func BuildValidatingAdmissionPolicyBinding( vapbinding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, - cpol kyvernov1.PolicyInterface, + policy engineapi.GenericPolicy, ) error { + var validationActions []admissionregistrationv1.ValidationAction + var paramRef *admissionregistrationv1.ParamRef + var policyName string + + if cpol := policy.AsKyvernoPolicy(); cpol != nil { + rule := cpol.GetSpec().Rules[0] + validateAction := rule.Validation.FailureAction + if validateAction != nil { + if validateAction.Enforce() { + validationActions = append(validationActions, admissionregistrationv1.Deny) + } else if validateAction.Audit() { + validationActions = append(validationActions, admissionregistrationv1.Audit) + validationActions = append(validationActions, admissionregistrationv1.Warn) + } + } else { + validateAction := cpol.GetSpec().ValidationFailureAction + if validateAction.Enforce() { + validationActions = append(validationActions, admissionregistrationv1.Deny) + } else if validateAction.Audit() { + validationActions = append(validationActions, admissionregistrationv1.Audit) + validationActions = append(validationActions, admissionregistrationv1.Warn) + } + } + paramRef = rule.Validation.CEL.ParamRef + policyName = "cpol-" + cpol.GetName() + } else if vpol := policy.AsValidatingPolicy(); vpol != nil { + validationActions = vpol.Spec.ValidationAction + policyName = "vpol-" + vpol.GetName() + } + // set owner reference vapbinding.OwnerReferences = []metav1.OwnerReference{ { - APIVersion: "kyverno.io/v1", - Kind: cpol.GetKind(), - Name: cpol.GetName(), - UID: cpol.GetUID(), + APIVersion: policy.GetAPIVersion(), + Kind: policy.GetKind(), + Name: policy.GetName(), + UID: policy.GetUID(), }, } - - // set validation action for vap binding - var validationActions 
[]admissionregistrationv1.ValidationAction - validateAction := cpol.GetSpec().Rules[0].Validation.FailureAction - if validateAction != nil { - if validateAction.Enforce() { - validationActions = append(validationActions, admissionregistrationv1.Deny) - } else if validateAction.Audit() { - validationActions = append(validationActions, admissionregistrationv1.Audit) - validationActions = append(validationActions, admissionregistrationv1.Warn) - } - } else { - validateAction := cpol.GetSpec().ValidationFailureAction - if validateAction.Enforce() { - validationActions = append(validationActions, admissionregistrationv1.Deny) - } else if validateAction.Audit() { - validationActions = append(validationActions, admissionregistrationv1.Audit) - validationActions = append(validationActions, admissionregistrationv1.Warn) - } - } - - // set validating admission policy binding spec - rule := cpol.GetSpec().Rules[0] + // set binding spec vapbinding.Spec = admissionregistrationv1.ValidatingAdmissionPolicyBindingSpec{ - PolicyName: cpol.GetName(), - ParamRef: rule.Validation.CEL.ParamRef, + PolicyName: policyName, + ParamRef: paramRef, ValidationActions: validationActions, } - // set labels controllerutils.SetManagedByKyvernoLabel(vapbinding) return nil diff --git a/pkg/controllers/validatingadmissionpolicy-generate/controller.go b/pkg/controllers/validatingadmissionpolicy-generate/controller.go index b98e330d84..1f08613e44 100644 --- a/pkg/controllers/validatingadmissionpolicy-generate/controller.go +++ b/pkg/controllers/validatingadmissionpolicy-generate/controller.go 
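Review bot: The ValidatingPolicy branch never sets `paramRef`, while the policy builder in the previous hunk copies `vpol.Spec.ParamKind` into the generated ValidatingAdmissionPolicy. A policy that declares a param kind would therefore get a binding without a parameter reference, which the API server is likely to treat as misconfigured, so the generated admission policy may not enforce as its author expects. Until the binding can carry a reference, reject that combination explicitly, e.g. `if vpol.Spec.ParamKind != nil { return errors.New("paramKind is not supported for generated bindings") }`. The same branch structure also lets an unrecognised policy type produce a binding with an empty `PolicyName`; a final `else` returning an error would close that gap.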
@@ -8,15 +8,19 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1" "github.com/kyverno/kyverno/pkg/admissionpolicy" "github.com/kyverno/kyverno/pkg/auth/checker" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1" kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2" + policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1" kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2" + policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1" "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/controllers" + engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/logging" controllerutils "github.com/kyverno/kyverno/pkg/utils/controller" @@ -25,7 +29,6 @@ import ( admissionregistrationv1 "k8s.io/api/admissionregistration/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/labels" admissionregistrationv1informers "k8s.io/client-go/informers/admissionregistration/v1" "k8s.io/client-go/kubernetes" admissionregistrationv1listers "k8s.io/client-go/listers/admissionregistration/v1" 
@@ -48,6 +51,7 @@ type controller struct { // listers cpolLister kyvernov1listers.ClusterPolicyLister + vpolLister policiesv1alpha1listers.ValidatingPolicyLister polexLister kyvernov2listers.PolicyExceptionLister vapLister admissionregistrationv1listers.ValidatingAdmissionPolicyLister vapbindingLister admissionregistrationv1listers.ValidatingAdmissionPolicyBindingLister @@ -64,6 +68,7 @@ func NewController( kyvernoClient versioned.Interface, discoveryClient dclient.IDiscovery, cpolInformer kyvernov1informers.ClusterPolicyInformer, + vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer, polexInformer kyvernov2informers.PolicyExceptionInformer, vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer, vapbindingInformer admissionregistrationv1informers.ValidatingAdmissionPolicyBindingInformer, @@ -79,6 +84,7 @@ func NewController( kyvernoClient: kyvernoClient, discoveryClient: discoveryClient, cpolLister: cpolInformer.Lister(), + vpolLister: vpolInformer.Lister(), polexLister: polexInformer.Lister(), vapLister: vapInformer.Lister(), vapbindingLister: vapbindingInformer.Lister(), 
@@ -92,17 +98,22 @@ func NewController( logger.Error(err, "failed to register event handlers") } + // Set up an event handler for when validating policies change + if _, err := controllerutils.AddEventHandlersT(vpolInformer.Informer(), c.addVP, c.updateVP, c.deleteVP); err != nil { + logger.Error(err, "failed to register event handlers") + } + // Set up an event handler for when policy exceptions change if _, err := controllerutils.AddEventHandlersT(polexInformer.Informer(), c.addException, c.updateException, c.deleteException); err != nil { logger.Error(err, "failed to register event handlers") } - // Set up an event handler for when validating admission policies change + // Set up an event handler for when ValidatingAdmissionPolicies change if _, err := controllerutils.AddEventHandlersT(vapInformer.Informer(), c.addVAP, c.updateVAP, c.deleteVAP); err != nil { logger.Error(err, "failed to register event handlers") } - // Set up an event handler for when validating admission policy bindings change + // Set up an event handler for when ValidatingAdmissionPolicyBindings change if _, err := controllerutils.AddEventHandlersT(vapbindingInformer.Informer(), c.addVAPbinding, c.updateVAPbinding, c.deleteVAPbinding); err != nil { logger.Error(err, "failed to register event handlers") } 
@@ -114,6 +125,35 @@ func (c *controller) Run(ctx context.Context, workers int) { controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile) } +func (c *controller) addVP(obj *policiesv1alpha1.ValidatingPolicy) { + logger.V(2).Info("validating policy created", "uid", obj.GetUID(), "kind", obj.GetKind(), "name", obj.GetName()) + c.enqueueVP(obj) +} + +func (c *controller) updateVP(old, obj *policiesv1alpha1.ValidatingPolicy) { + if datautils.DeepEqual(old.GetSpec(), obj.GetSpec()) { + return + } + logger.V(2).Info("validating policy updated", "uid", obj.GetUID(), "kind", obj.GetKind(), "name", obj.GetName()) + c.enqueueVP(obj) +} + +func (c *controller) deleteVP(obj *policiesv1alpha1.ValidatingPolicy) { + vpol := kubeutils.GetObjectWithTombstone(obj).(*policiesv1alpha1.ValidatingPolicy) + + logger.V(2).Info("validating policy deleted", "uid", vpol.GetUID(), "kind", vpol.GetKind(), "name", vpol.GetName()) + c.enqueueVP(obj) +} + +func (c *controller) enqueueVP(obj *policiesv1alpha1.ValidatingPolicy) { + key, err := cache.MetaNamespaceKeyFunc(obj) + if err != nil { + logger.Error(err, "failed to extract policy name") + return + } + c.queue.Add("ValidatingPolicy/" + key) +} + func (c *controller) addPolicy(obj kyvernov1.PolicyInterface) { logger.V(2).Info("policy created", "uid", obj.GetUID(), "kind", obj.GetKind(), "name", obj.GetName()) c.enqueuePolicy(obj) @@ -148,7 +188,7 @@ func (c *controller) enqueuePolicy(obj kyvernov1.PolicyInterface) { logger.Error(err, "failed to extract policy name") return } - c.queue.Add(key) + c.queue.Add("ClusterPolicy/" + key) } func (c *controller) addException(obj *kyvernov2.PolicyException) { 
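Review bot: `deleteVP` uses an unchecked type assertion on the tombstone result and then enqueues `obj` rather than the unwrapped `vpol`, so the unwrapping has no effect on what is queued and a non-matching value would panic the handler. Use the comma-ok form and enqueue the unwrapped object: `vpol, ok := kubeutils.GetObjectWithTombstone(obj).(*policiesv1alpha1.ValidatingPolicy)`, `if !ok { return }`, `c.enqueueVP(vpol)`. The four new handlers also have no doc comments; a one-line comment on `enqueueVP` stating that keys are queued as `ValidatingPolicy/<name>` would help the reader of `reconcile`.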
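Review bot: The queue key in `enqueuePolicy` now carries the policy type as a bare string prefix (`"ClusterPolicy/" + key`), and the same literals are repeated in `enqueueVP` and compared again in `reconcile`. Since `reconcile` receives `key, namespace, name`, the prefix presumably ends up in the namespace slot when the key is split, which only works while both policy kinds are cluster-scoped. Define the prefixes once, e.g. `const clusterPolicyKeyPrefix = "ClusterPolicy/"`, and add a comment such as `// keys are "<Kind>/<name>"; the kind occupies the namespace position of the key`. The body of `enqueuePolicy` begins outside the hunk.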
@@ -214,6 +254,12 @@ func (c *controller) enqueueVAP(v *admissionregistrationv1.ValidatingAdmissionPo return } c.enqueuePolicy(cpol) + } else if v.OwnerReferences[0].Kind == "ValidatingPolicy" { + vpol, err := c.vpolLister.Get(v.OwnerReferences[0].Name) + if err != nil { + return + } + c.enqueueVP(vpol) } } } 
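Review bot: The new `ValidatingPolicy` branch in `enqueueVAP` returns silently when `c.vpolLister.Get` fails, so a generated ValidatingAdmissionPolicy that was edited or deleted out of band is not reverted and nothing is logged to explain why. Because this path is what restores a tampered admission policy, the failure should at least be visible: `logger.V(2).Info("owner ValidatingPolicy not found", "name", v.OwnerReferences[0].Name)` before the `return`. The branch also matches on `Kind` alone; comparing `APIVersion` as well would avoid reacting to a same-named kind from another API group. The identical branch added to `enqueueVAPbinding` in the next hunk has the same two issues, and both enclosing functions start outside their hunks.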
@@ -241,119 +287,104 @@ func (c *controller) enqueueVAPbinding(vb *admissionregistrationv1.ValidatingAdm return } c.enqueuePolicy(cpol) + } else if vb.OwnerReferences[0].Kind == "ValidatingPolicy" { + vpol, err := c.vpolLister.Get(vb.OwnerReferences[0].Name) + if err != nil { + return + } + c.enqueueVP(vpol) } } } -func (c *controller) getClusterPolicy(name string) (*kyvernov1.ClusterPolicy, error) { - cpolicy, err := c.cpolLister.Get(name) - if err != nil { - return nil, err - } - return cpolicy, nil -} - -func (c *controller) getValidatingAdmissionPolicy(name string) (*admissionregistrationv1.ValidatingAdmissionPolicy, error) { - vap, err := c.vapLister.Get(name) - if err != nil { - return nil, err - } - return vap, nil -} - -func (c *controller) getValidatingAdmissionPolicyBinding(name string) (*admissionregistrationv1.ValidatingAdmissionPolicyBinding, error) { - vapbinding, err := c.vapbindingLister.Get(name) - if err != nil { - return nil, err - } - return vapbinding, nil -} - -// getExceptions get exceptions that match both the policy and the rule if exists. 
-func (c *controller) getExceptions(policyName, rule string) ([]kyvernov2.PolicyException, error) { - var exceptions []kyvernov2.PolicyException - polexs, err := c.polexLister.List(labels.Everything()) - if err != nil { - return nil, err - } - for _, polex := range polexs { - if polex.Contains(policyName, rule) { - exceptions = append(exceptions, *polex) - } - } - return exceptions, nil -} - -func constructVapBindingName(vapName string) string { - return vapName + "-binding" -} - func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error { - policy, err := c.getClusterPolicy(name) - if err != nil { - if apierrors.IsNotFound(err) { + var policy engineapi.GenericPolicy + var exceptions []kyvernov2.PolicyException + var err error + var vapName string + + polType := strings.Split(key, "/")[0] + if polType == "ClusterPolicy" { + cpol, err := c.getClusterPolicy(name) + if err != nil { + if apierrors.IsNotFound(err) { + return nil + } + logger.Error(err, "unable to get the policy from policy informer") + return err + } + spec := cpol.GetSpec() + if !spec.HasValidate() { return nil } - logger.Error(err, "unable to get the policy from policy informer") - return err + policy = engineapi.NewKyvernoPolicy(cpol) + vapName = "cpol-" + policy.GetName() + } else { + vpol, err := c.getValidatingPolicy(name) + if err != nil { + if apierrors.IsNotFound(err) { + return nil + } + logger.Error(err, "unable to get the policy from policy informer") + return err + } + policy = engineapi.NewValidatingPolicy(vpol) + vapName = "vpol-" + policy.GetName() } - spec := policy.GetSpec() - if !spec.HasValidate() { - return nil - } - - // check if the controller has the required permissions to generate validating admission policies. + // check if the controller has the required permissions to generate ValidatingAdmissionPolicies. 
if !admissionpolicy.HasValidatingAdmissionPolicyPermission(c.checker) { logger.V(2).Info("insufficient permissions to generate ValidatingAdmissionPolicies") - c.updateClusterPolicyStatus(ctx, *policy, false, "insufficient permissions to generate ValidatingAdmissionPolicies") + c.updatePolicyStatus(ctx, policy, false, "insufficient permissions to generate ValidatingAdmissionPolicies") return nil } - - // check if the controller has the required permissions to generate validating admission policy bindings. + // check if the controller has the required permissions to generate ValidatingAdmissionPolicyBindings. if !admissionpolicy.HasValidatingAdmissionPolicyBindingPermission(c.checker) { logger.V(2).Info("insufficient permissions to generate ValidatingAdmissionPolicyBindings") - c.updateClusterPolicyStatus(ctx, *policy, false, "insufficient permissions to generate ValidatingAdmissionPolicyBindings") + c.updatePolicyStatus(ctx, policy, false, "insufficient permissions to generate ValidatingAdmissionPolicyBindings") return nil } - vapName := policy.GetName() vapBindingName := constructVapBindingName(vapName) - + // get the ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding if exists. 
observedVAP, vapErr := c.getValidatingAdmissionPolicy(vapName) observedVAPbinding, vapBindingErr := c.getValidatingAdmissionPolicyBinding(vapBindingName) - exceptions, err := c.getExceptions(name, spec.Rules[0].Name) - if err != nil { - return err - } - - if ok, msg := admissionpolicy.CanGenerateVAP(spec, exceptions); !ok { - // delete the ValidatingAdmissionPolicy if exist - if vapErr == nil { - err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{}) - if err != nil { - return err - } - } - // delete the ValidatingAdmissionPolicyBinding if exist - if vapBindingErr == nil { - err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{}) - if err != nil { - return err - } + // in case of clusterpolicies, check if we can generate a VAP from it. + if polType == "ClusterPolicy" { + spec := policy.AsKyvernoPolicy().GetSpec() + exceptions, err = c.getExceptions(name, spec.Rules[0].Name) + if err != nil { + return err } - if msg == "" { - msg = "skip generating ValidatingAdmissionPolicy: a policy exception is configured." + if ok, msg := admissionpolicy.CanGenerateVAP(spec, exceptions); !ok { + // delete the ValidatingAdmissionPolicy if exist + if vapErr == nil { + err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{}) + if err != nil { + return err + } + } + // delete the ValidatingAdmissionPolicyBinding if exist + if vapBindingErr == nil { + err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{}) + if err != nil { + return err + } + } + + if msg == "" { + msg = "skip generating ValidatingAdmissionPolicy: a policy exception is configured." 
+ } + c.updatePolicyStatus(ctx, policy, false, msg) + return nil } - c.updateClusterPolicyStatus(ctx, *policy, false, msg) - return nil } if vapErr != nil { if !apierrors.IsNotFound(vapErr) { - c.updateClusterPolicyStatus(ctx, *policy, false, vapErr.Error()) + c.updatePolicyStatus(ctx, policy, false, vapErr.Error()) return vapErr } observedVAP = &admissionregistrationv1.ValidatingAdmissionPolicy{ @@ -362,10 +393,9 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam }, } } - if vapBindingErr != nil { if !apierrors.IsNotFound(vapBindingErr) { - c.updateClusterPolicyStatus(ctx, *policy, false, vapBindingErr.Error()) + c.updatePolicyStatus(ctx, policy, false, vapBindingErr.Error()) return vapBindingErr } observedVAPbinding = &admissionregistrationv1.ValidatingAdmissionPolicyBinding{ @@ -378,16 +408,16 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam if observedVAP.ResourceVersion == "" { err := admissionpolicy.BuildValidatingAdmissionPolicy(c.discoveryClient, observedVAP, policy, exceptions) if err != nil { - c.updateClusterPolicyStatus(ctx, *policy, false, err.Error()) + c.updatePolicyStatus(ctx, policy, false, err.Error()) return err } _, err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicies().Create(ctx, observedVAP, metav1.CreateOptions{}) if err != nil { - c.updateClusterPolicyStatus(ctx, *policy, false, err.Error()) + c.updatePolicyStatus(ctx, policy, false, err.Error()) return err } } else { - _, err = controllerutils.Update( + _, err := controllerutils.Update( ctx, observedVAP, c.client.AdmissionregistrationV1().ValidatingAdmissionPolicies(), 
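Review bot: `reconcile` now looks up and creates the generated objects under `"cpol-" + name`, but nothing in this hunk removes a ValidatingAdmissionPolicy and binding that an earlier version created under the unprefixed policy name. Unless a migration exists outside this diff, those objects stay in the cluster and keep enforcing whatever rules they held at upgrade time, even after the ClusterPolicy is changed. A cleanup step is needed, guarded by the owner reference so that an unrelated admission policy of the same name is never touched; at minimum record it with `// TODO: delete the VAP/binding generated under the legacy unprefixed name (verify owner reference first)`. Separately, the `else` branch treats every key whose prefix is not `"ClusterPolicy"` as a ValidatingPolicy; an explicit `polType == "ValidatingPolicy"` check with a logged error for anything else would make a malformed key visible instead of turning it into a lister lookup.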
@@ -395,7 +425,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam return admissionpolicy.BuildValidatingAdmissionPolicy(c.discoveryClient, observed, policy, exceptions) }) if err != nil { - c.updateClusterPolicyStatus(ctx, *policy, false, err.Error()) + c.updatePolicyStatus(ctx, policy, false, err.Error()) return err } } @@ -403,16 +433,16 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam if observedVAPbinding.ResourceVersion == "" { err := admissionpolicy.BuildValidatingAdmissionPolicyBinding(observedVAPbinding, policy) if err != nil { - c.updateClusterPolicyStatus(ctx, *policy, false, err.Error()) + c.updatePolicyStatus(ctx, policy, false, err.Error()) return err } _, err = c.client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings().Create(ctx, observedVAPbinding, metav1.CreateOptions{}) if err != nil { - c.updateClusterPolicyStatus(ctx, *policy, false, err.Error()) + c.updatePolicyStatus(ctx, policy, false, err.Error()) return err } } else { - _, err = controllerutils.Update( + _, err := controllerutils.Update( ctx, observedVAPbinding, c.client.AdmissionregistrationV1().ValidatingAdmissionPolicyBindings(), 
@@ -420,23 +450,33 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam return admissionpolicy.BuildValidatingAdmissionPolicyBinding(observed, policy) }) if err != nil { - c.updateClusterPolicyStatus(ctx, *policy, false, err.Error()) + c.updatePolicyStatus(ctx, policy, false, err.Error()) return err } } - c.updateClusterPolicyStatus(ctx, *policy, true, "") + c.updatePolicyStatus(ctx, policy, true, "") // generate events e := event.NewValidatingAdmissionPolicyEvent(policy, observedVAP.Name, observedVAPbinding.Name) c.eventGen.Add(e...) return nil } -func (c *controller) updateClusterPolicyStatus(ctx context.Context, cpol kyvernov1.ClusterPolicy, generated bool, msg string) { - latest := cpol.DeepCopy() - latest.Status.ValidatingAdmissionPolicy.Generated = generated - latest.Status.ValidatingAdmissionPolicy.Message = msg +func (c *controller) updatePolicyStatus(ctx context.Context, policy engineapi.GenericPolicy, generated bool, msg string) { + if pol := policy.AsKyvernoPolicy(); pol != nil { + cpol := pol.(*kyvernov1.ClusterPolicy) + latest := cpol.DeepCopy() + latest.Status.ValidatingAdmissionPolicy.Generated = generated + latest.Status.ValidatingAdmissionPolicy.Message = msg - new, _ := c.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{}) - logging.V(3).Info("updated kyverno policy status", "name", cpol.GetName(), "status", new.Status) + new, _ := c.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{}) + logging.V(3).Info("updated cluster policy status", "name", cpol.GetName(), "status", new.Status) + } else if vpol := policy.AsValidatingPolicy(); vpol != nil { + latest := vpol.DeepCopy() + latest.Status.Generated = generated + latest.Status.Message = msg + + new, _ := c.kyvernoClient.PoliciesV1alpha1().ValidatingPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{}) + logging.V(3).Info("updated validating policy status", "name", vpol.GetName(), 
"status", new.Status) + } } diff --git a/pkg/controllers/validatingadmissionpolicy-generate/utils.go b/pkg/controllers/validatingadmissionpolicy-generate/utils.go new file mode 100644 index 0000000000..9678a53425 --- /dev/null +++ b/pkg/controllers/validatingadmissionpolicy-generate/utils.go 
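Review bot: In the new updatePolicyStatus, `cpol := pol.(*kyvernov1.ClusterPolicy)` is an unchecked type assertion, so it panics if AsKyvernoPolicy() returns anything other than a *ClusterPolicy, for example a namespaced Policy; whether reconcile can pass one is not visible here. Both branches also discard the UpdateStatus error with `new, _ :=` and then log "updated ... status" and read `new.Status`, so a failed write (conflict, RBAC denial) is reported as success. The Generated and Message fields can then stay stale, which matters because operators read them to tell whether the admission policy is actually in place. The sketch below uses the comma-ok form, checks the error, and renames `new` so it no longer shadows the builtin; the ValidatingPolicy branch needs the same error check.

```go
func (c *controller) updatePolicyStatus(ctx context.Context, policy engineapi.GenericPolicy, generated bool, msg string) {
	if pol := policy.AsKyvernoPolicy(); pol != nil {
		cpol, ok := pol.(*kyvernov1.ClusterPolicy)
		if !ok {
			// not a ClusterPolicy: nothing to record on this status type
			return
		}
		// … unchanged: DeepCopy and the two status field assignments …
		updated, err := c.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{})
		if err != nil {
			logging.Error(err, "failed to update cluster policy status", "name", cpol.GetName())
			return
		}
		logging.V(3).Info("updated cluster policy status", "name", cpol.GetName(), "status", updated.Status)
	}
	// … unchanged: ValidatingPolicy branch, with the same err check applied …
```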
@@ -0,0 +1,64 @@ +package validatingadmissionpolicygenerate + +import ( + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" + "k8s.io/apimachinery/pkg/labels" +) + +// getClusterPolicy gets the Kyverno ClusterPolicy +func (c *controller) getClusterPolicy(name string) (*kyvernov1.ClusterPolicy, error) { + cpolicy, err := c.cpolLister.Get(name) + if err != nil { + return nil, err + } + return cpolicy, nil +} + +// getClusterPolicy gets the Kyverno ValidatingPolicy +func (c *controller) getValidatingPolicy(name string) (*policiesv1alpha1.ValidatingPolicy, error) { + vpol, err := c.vpolLister.Get(name) + if err != nil { + return nil, err + } + return vpol, nil +} + +// getValidatingAdmissionPolicy gets the Kubernetes ValidatingAdmissionPolicy +func (c *controller) getValidatingAdmissionPolicy(name string) (*admissionregistrationv1.ValidatingAdmissionPolicy, error) { + vap, err := c.vapLister.Get(name) + if err != nil { + return nil, err + } + return vap, nil +} + +// getValidatingAdmissionPolicyBinding gets the Kubernetes ValidatingAdmissionPolicyBinding +func (c *controller) getValidatingAdmissionPolicyBinding(name string) (*admissionregistrationv1.ValidatingAdmissionPolicyBinding, error) { + vapbinding, err := c.vapbindingLister.Get(name) + if err != nil { + return nil, err + } + return vapbinding, nil +} + +// getExceptions get PolicyExceptions that match both the ClusterPolicy and the rule if exists. 
+func (c *controller) getExceptions(policyName, rule string) ([]kyvernov2.PolicyException, error) { + var exceptions []kyvernov2.PolicyException + polexs, err := c.polexLister.List(labels.Everything()) + if err != nil { + return nil, err + } + for _, polex := range polexs { + if polex.Contains(policyName, rule) { + exceptions = append(exceptions, *polex) + } + } + return exceptions, nil +} + +func constructVapBindingName(vapName string) string { + return vapName + "-binding" +} diff --git a/pkg/event/events.go b/pkg/event/events.go index 10fcdd4ee2..3837b39a32 100644 --- a/pkg/event/events.go +++ b/pkg/event/events.go @@ -335,10 +335,10 @@ func NewCleanupPolicyEvent(policy kyvernov2.CleanupPolicyInterface, resource uns } } -func NewValidatingAdmissionPolicyEvent(policy kyvernov1.PolicyInterface, vapName, vapBindingName string) []Info { +func NewValidatingAdmissionPolicyEvent(policy engineapi.GenericPolicy, vapName, vapBindingName string) []Info { regarding := corev1.ObjectReference{ // TODO: iirc it's not safe to assume api version is set - APIVersion: "kyverno.io/v1", + APIVersion: policy.GetAPIVersion(), Kind: policy.GetKind(), Name: policy.GetName(), Namespace: policy.GetNamespace(), diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go index effdb9ef8a..a3a26d6891 100644 --- a/pkg/validation/policy/validate.go +++ b/pkg/validation/policy/validate.go @@ -20,6 +20,7 @@ import ( "github.com/kyverno/kyverno/pkg/admissionpolicy" "github.com/kyverno/kyverno/pkg/autogen" "github.com/kyverno/kyverno/pkg/clients/dclient" + engineapi "github.com/kyverno/kyverno/pkg/engine/api" enginecontext "github.com/kyverno/kyverno/pkg/engine/context" "github.com/kyverno/kyverno/pkg/engine/variables" "github.com/kyverno/kyverno/pkg/engine/variables/operator" 
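Review bot: The doc comment on getValidatingPolicy reads `// getClusterPolicy gets the Kyverno ValidatingPolicy`, copied from the function above; it should be `// getValidatingPolicy gets the Kyverno ValidatingPolicy`. constructVapBindingName has no comment at all, and `// constructVapBindingName returns vapName with the "-binding" suffix` would do. Separately, getExceptions matches on policy name and rule only. Now that this controller handles ValidatingPolicy as well as ClusterPolicy, it is worth confirming at the call site (outside this hunk) that a PolicyException written for a ClusterPolicy cannot relax a ValidatingPolicy that happens to share its name.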
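Review bot: The TODO kept directly above the changed line says it is not safe to assume the API version is set, yet `APIVersion: policy.GetAPIVersion()` now depends on exactly that, where the old code used a constant. The GetKind added for ValidatingPolicy in this commit returns `s.Kind` from the object itself, and objects read through typed listers often carry empty TypeMeta, so the event's `regarding` reference may end up with an empty kind or apiVersion. Whether GenericPolicy fills these in is not visible here. A fallback to the known group-version when the getter returns an empty string, for the Kyverno-policy case `if apiVersion == "" { apiVersion = "kyverno.io/v1" }`, would keep the reference resolvable. NewValidatingAdmissionPolicyEvent continues past the end of the hunk.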
@@ -473,7 +474,8 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf Name: policy.GetName(), }, } - err = admissionpolicy.BuildValidatingAdmissionPolicy(client.Discovery(), vap, policy, nil) + genericPolicy := engineapi.NewKyvernoPolicy(policy) + err = admissionpolicy.BuildValidatingAdmissionPolicy(client.Discovery(), vap, genericPolicy, nil) if err != nil { return nil, err } diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicy.yaml index ce0502fb4e..ed1c746b2b 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicy.yaml @@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: block-ephemeral-containers + name: cpol-block-ephemeral-containers ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicybinding.yaml index 47b0616dc9..78f2d1011d 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicybinding.yaml 
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/validatingadmissionpolicybinding.yaml @@ -3,12 +3,12 @@ kind: ValidatingAdmissionPolicyBinding metadata: labels: app.kubernetes.io/managed-by: kyverno - name: block-ephemeral-containers-binding + name: cpol-block-ephemeral-containers-binding ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy name: block-ephemeral-containers spec: - policyName: block-ephemeral-containers + policyName: cpol-block-ephemeral-containers validationActions: - Deny diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml index 65eacd1fb7..1adeade824 100755 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml @@ -44,4 +44,4 @@ spec: ($error != null): true # This check ensures the contents of stderr are exactly as shown. (trim_space($stderr)): |- - The pods "my-pod" is invalid: : ValidatingAdmissionPolicy 'deny-exec-by-namespace-name' with binding 'deny-exec-by-namespace-name-binding' denied request: Pods in this namespace may not be exec'd into. + The pods "my-pod" is invalid: : ValidatingAdmissionPolicy 'cpol-deny-exec-by-namespace-name' with binding 'cpol-deny-exec-by-namespace-name-binding' denied request: Pods in this namespace may not be exec'd into. 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml index 1ad7760901..9922843881 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml @@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: deny-exec-by-namespace-name + name: cpol-deny-exec-by-namespace-name ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml index 88d0180d6a..3e8309386a 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml @@ -3,12 +3,12 @@ kind: ValidatingAdmissionPolicyBinding metadata: labels: app.kubernetes.io/managed-by: kyverno - name: deny-exec-by-namespace-name-binding + name: cpol-deny-exec-by-namespace-name-binding ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy name: deny-exec-by-namespace-name spec: - policyName: deny-exec-by-namespace-name + policyName: cpol-deny-exec-by-namespace-name validationActions: - Deny 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicy.yaml index 118fe4200e..ba51a9d937 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicy.yaml @@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t9 + name: cpol-disallow-host-path-t9 ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicybinding.yaml index 15ce2bc245..efc5fa9d20 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicybinding.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicybinding.yaml @@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t9-binding + name: cpol-disallow-host-path-t9-binding ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy name: disallow-host-path-t9 spec: - policyName: disallow-host-path-t9 + policyName: cpol-disallow-host-path-t9 validationActions: [Audit, Warn] 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicy.yaml index 8930b164c1..b216becf8f 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicy.yaml @@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t16 + name: cpol-disallow-host-path-t16 ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicybinding.yaml index c9e3dc6866..5e8d40e4ec 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicybinding.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicybinding.yaml 
@@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t16-binding + name: cpol-disallow-host-path-t16-binding ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy name: disallow-host-path-t16 spec: - policyName: disallow-host-path-t16 + policyName: cpol-disallow-host-path-t16 validationActions: - Audit - Warn diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicy.yaml index 28619b9599..b117d9537e 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicy.yaml @@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t14 + name: cpol-disallow-host-path-t14 ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicybinding.yaml index bd73ef2131..812eb1433c 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicybinding.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicybinding.yaml @@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t14-binding + name: cpol-disallow-host-path-t14-binding ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy name: disallow-host-path-t14 spec: - policyName: disallow-host-path-t14 + policyName: cpol-disallow-host-path-t14 validationActions: - Audit - Warn diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicy.yaml index 3fbdc9554e..5476f5a455 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicy.yaml @@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t15 + name: cpol-disallow-host-path-t15 ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicybinding.yaml index a931823634..be3bed2f15 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicybinding.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicybinding.yaml @@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t15-binding + name: cpol-disallow-host-path-t15-binding ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy name: disallow-host-path-t15 spec: - policyName: disallow-host-path-t15 + policyName: cpol-disallow-host-path-t15 validationActions: - Audit - Warn diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicy.yaml index 851bb237d8..4c33c98e94 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicy.yaml 
@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t13 + name: cpol-disallow-host-path-t13 ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicybinding.yaml index c9e81a087d..1f2ef9ba3f 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicybinding.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicybinding.yaml @@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t13-binding + name: cpol-disallow-host-path-t13-binding ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy name: disallow-host-path-t13 spec: - policyName: disallow-host-path-t13 + policyName: cpol-disallow-host-path-t13 validationActions: - Audit - Warn diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicy.yaml index a94d4ad30e..5e562a3bf3 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicy.yaml 
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicy.yaml @@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t8 + name: cpol-disallow-host-path-t8 ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicybinding.yaml index e42d6eced4..297af02135 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicybinding.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicybinding.yaml @@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t8-binding + name: cpol-disallow-host-path-t8-binding ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy name: disallow-host-path-t8 spec: - policyName: disallow-host-path-t8 + policyName: cpol-disallow-host-path-t8 validationActions: [Audit, Warn] diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicy.yaml index f84e70f038..2d44e93f2b 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicy.yaml @@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t7 + name: cpol-disallow-host-path-t7 ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicybinding.yaml index 158f0651d0..717491d35f 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicybinding.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicybinding.yaml @@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding metadata: labels: app.kubernetes.io/managed-by: kyverno - name: disallow-host-path-t7-binding + name: cpol-disallow-host-path-t7-binding ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy name: disallow-host-path-t7 spec: - policyName: disallow-host-path-t7 + policyName: cpol-disallow-host-path-t7 validationActions: [Audit, Warn] 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/validatingadmissionpolicy.yaml index 69c181de0b..0a8b503ff0 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/validatingadmissionpolicy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/validatingadmissionpolicy.yaml @@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: check-label-app-4 + name: cpol-check-label-app-4 ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/validatingadmissionpolicybinding.yaml index dd2e5e45df..b49faacfee 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/validatingadmissionpolicybinding.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/validatingadmissionpolicybinding.yaml 
@@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding metadata: labels: app.kubernetes.io/managed-by: kyverno - name: check-label-app-4-binding + name: cpol-check-label-app-4-binding ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy name: check-label-app-4 spec: - policyName: check-label-app-4 + policyName: cpol-check-label-app-4 validationActions: - Audit - Warn diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicy.yaml index d8507f8f35..1b804f9528 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicy.yaml @@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy metadata: labels: app.kubernetes.io/managed-by: kyverno - name: check-label-app5 + name: cpol-check-label-app5 ownerReferences: - apiVersion: kyverno.io/v1 kind: ClusterPolicy diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicybinding.yaml index 961dc1887e..4f05985329 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicybinding.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicybinding.yaml 
@@ -3,13 +3,13 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app5-binding
+ name: cpol-check-label-app5-binding
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 name: check-label-app5
 spec:
- policyName: check-label-app5
+ policyName: cpol-check-label-app5
 validationActions:
 - Audit
 - Warn
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml
index 3be6bdd52e..60f624dd1b 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml
@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app4
+ name: cpol-check-label-app4
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicybinding.yaml
index ad677ede04..8ec5058d29 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicybinding.yaml
@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app4-binding
+ name: cpol-check-label-app4-binding
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 name: check-label-app4
 spec:
- policyName: check-label-app4
+ policyName: cpol-check-label-app4
 validationActions: [Audit, Warn]
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml
index afd8932e11..182a11f89a 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml
@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t4
+ name: cpol-disallow-host-path-t4
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicybinding.yaml
index 45349d8186..90d2b03d39 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicybinding.yaml
@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t4-binding
+ name: cpol-disallow-host-path-t4-binding
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 name: disallow-host-path-t4
 spec:
- policyName: disallow-host-path-t4
+ policyName: cpol-disallow-host-path-t4
 validationActions: [Audit, Warn]
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/validatingadmissionpolicy.yaml
index be7ddd1178..d03d2ba043 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/validatingadmissionpolicy.yaml
@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path
+ name: cpol-disallow-host-path
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/validatingadmissionpolicybinding.yaml
index fe812a602a..416f5400ca 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception-excluding-namespaces/validatingadmissionpolicybinding.yaml
@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-binding
+ name: cpol-disallow-host-path-binding
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 name: disallow-host-path
 spec:
- policyName: disallow-host-path
+ policyName: cpol-disallow-host-path
 validationActions: [Audit, Warn]
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/validatingadmissionpolicy.yaml
index d0e89bd9f5..90fe0d3c68 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/validatingadmissionpolicy.yaml
@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path
+ name: cpol-disallow-host-path
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/validatingadmissionpolicybinding.yaml
index fe812a602a..416f5400ca 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-an-exception/validatingadmissionpolicybinding.yaml
@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-binding
+ name: cpol-disallow-host-path-binding
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 name: disallow-host-path
 spec:
- policyName: disallow-host-path
+ policyName: cpol-disallow-host-path
 validationActions: [Audit, Warn]
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/validatingadmissionpolicy.yaml
index f9205eb293..c964ccc5b8 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/validatingadmissionpolicy.yaml
@@ -3,7 +3,7 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path
+ name: cpol-disallow-host-path
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/validatingadmissionpolicybinding.yaml
index fe812a602a..416f5400ca 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-with-two-exceptions/validatingadmissionpolicybinding.yaml
@@ -3,11 +3,11 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-binding
+ name: cpol-disallow-host-path-binding
 ownerReferences:
 - apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 name: disallow-host-path
 spec:
- policyName: disallow-host-path
+ policyName: cpol-disallow-host-path
 validationActions: [Audit, Warn]
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicy.yaml
index c23861dbe2..0b0c513d2b 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t12
+ name: cpol-disallow-host-path-t12
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml
index 8ab634230e..947b03cfb1 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t12-binding
+ name: cpol-disallow-host-path-t12-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicy.yaml
index 312d86cc24..3be3ee2906 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t13
+ name: cpol-disallow-host-path-t13
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicybinding.yaml
index eb05f53f37..2f49fe7e33 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t13-binding
+ name: cpol-disallow-host-path-t13-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/validatingadmissionpolicy.yaml
index 9878078d93..f36d25cd1f 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app-3
+ name: cpol-check-label-app-3
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/validatingadmissionpolicybinding.yaml
index cc8f01384e..fa0a8fa908 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app-3-binding
+ name: cpol-check-label-app-3-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicy.yaml
index c1f3615b0e..2e90e0dab6 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app-5
+ name: cpol-check-label-app-5
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicybinding.yaml
index 4189aabacf..35b7be055d 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app-5-binding
+ name: cpol-check-label-app-5-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicy.yaml
index c134a3ba16..be999b8e21 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t1
+ name: cpol-disallow-host-path-t1
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicybinding.yaml
index 538dfd7342..8a0d65aeef 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t1-binding
+ name: cpol-disallow-host-path-t1-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicy.yaml
index 3541666e47..e8ba273614 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t2
+ name: cpol-disallow-host-path-t2
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicybinding.yaml
index 5cc9b33c37..9bf67bc451 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t2-binding
+ name: cpol-disallow-host-path-t2-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicy.yaml
index 82fa2b6923..18f9560a3e 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t17
+ name: cpol-disallow-host-path-t17
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicybinding.yaml
index 0dbcf17e31..82148c4106 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t17-binding
+ name: cpol-disallow-host-path-t17-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicy.yaml
index c040f24b6d..306651ed10 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t10
+ name: cpol-disallow-host-path-t10
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml
index 1bc0f37943..766cc9d18e 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t10-binding
+ name: cpol-disallow-host-path-t10-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicy.yaml
index d5dbc9e6c8..1212a0a187 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app2
+ name: cpol-check-label-app2
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicybinding.yaml
index 0196d2f107..7e922d170f 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app2-binding
+ name: cpol-check-label-app2-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicy.yaml
index c9f32c39bd..58ebd8acf5 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app1
+ name: cpol-check-label-app1
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicybinding.yaml
index 32096ec8f9..6fcf24c28e 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app1-binding
+ name: cpol-check-label-app1-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicy.yaml
index 1a77de113d..d6291528f4 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t3
+ name: cpol-disallow-host-path-t3
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicybinding.yaml
index 0b66481583..f170373acb 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t3-binding
+ name: cpol-disallow-host-path-t3-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicy.yaml
index a8a91e23be..69a130b5b6 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t5
+ name: cpol-disallow-host-path-t5
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicybinding.yaml
index 12bd7b384b..aa044902d0 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t5-binding
+ name: cpol-disallow-host-path-t5-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicy.yaml
index 2dac4cd7ab..9be1bf8d88 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t6
+ name: cpol-disallow-host-path-t6
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicybinding.yaml
index e4b10d8b5d..f30f6a8ad7 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-t6-binding
+ name: cpol-disallow-host-path-t6-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicy.yaml
index 2a182e3e8e..ffa9049a75 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-latest-tag
+ name: cpol-disallow-latest-tag
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicybinding.yaml
index 0b837350e9..7c7c62ccb2 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-latest-tag-binding
+ name: cpol-disallow-latest-tag-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicy.yaml
index d05ab79e61..07cd372d44 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app
+ name: cpol-check-label-app
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicybinding.yaml
index f3d31005ff..6856ad71ba 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app-binding
+ name: cpol-check-label-app-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicy.yaml
index 9ef0eaf44f..09166045d4 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: require-ns-purpose-label
+ name: cpol-require-ns-purpose-label
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicybinding.yaml
index 997d3bfcfe..6454784901 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: require-ns-purpose-label-binding
+ name: cpol-require-ns-purpose-label-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicy.yaml
index c9f32c39bd..58ebd8acf5 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app1
+ name: cpol-check-label-app1
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicybinding.yaml
index 32096ec8f9..6fcf24c28e 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: check-label-app1-binding
+ name: cpol-check-label-app1-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/validatingadmissionpolicy.yaml
index f75956084b..cd7bf95d8b 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path
+ name: cpol-disallow-host-path
 spec: {}
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/validatingadmissionpolicybinding.yaml
index 93be57e732..8a93bb4dab 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-conditions/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-binding
+ name: cpol-disallow-host-path-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/validatingadmissionpolicy.yaml
index f75956084b..cd7bf95d8b 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path
+ name: cpol-disallow-host-path
 spec: {}
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/validatingadmissionpolicybinding.yaml
index 93be57e732..8a93bb4dab 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-namespace-selector/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-binding
+ name: cpol-disallow-host-path-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/validatingadmissionpolicy.yaml
index f75956084b..cd7bf95d8b 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path
+ name: cpol-disallow-host-path
 spec: {}
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/validatingadmissionpolicybinding.yaml
index 93be57e732..8a93bb4dab 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-and-object-selector/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-binding
+ name: cpol-disallow-host-path-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/validatingadmissionpolicy.yaml
index f75956084b..cd7bf95d8b 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/validatingadmissionpolicy.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicy
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path
+ name: cpol-disallow-host-path
 spec: {}
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/validatingadmissionpolicybinding.yaml
index 93be57e732..8a93bb4dab 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exception-in-specific-namespace/validatingadmissionpolicybinding.yaml
@@ -3,5 +3,5 @@ kind: ValidatingAdmissionPolicyBinding
 metadata:
 labels:
 app.kubernetes.io/managed-by: kyverno
- name: disallow-host-path-binding
+ name: cpol-disallow-host-path-binding
 spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/chainsaw-test.yaml
new file mode 100755
index 0000000000..183e3f90aa
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: check-deployment-labels
+spec:
+ steps:
+ - name: create policy
+ try:
+ - create:
+ file: policy.yaml
+ - sleep:
+ duration: 10s
+ - name: check validatingadmissionpolicy
+ try:
+ - assert:
+ file: validatingadmissionpolicy.yaml
+ - name: check validatingadmissionpolicybinding
+ try:
+ - assert:
+ file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/policy.yaml
new file mode 100644
index 0000000000..90be6cb02f
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/policy.yaml
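Review bot: The last step of the new chainsaw-test.yaml, `check validatingadmissionpolicybinding`, asserts `file: validatingadmissionpolicy.yaml`, the same fixture as the step before it, so the `validatingadmissionpolicybinding.yaml` expectation added elsewhere in this commit is never evaluated. The test therefore passes even if no binding is generated, or if one is generated with the wrong `policyName` or `validationActions`; since a ValidatingAdmissionPolicy is not enforced without its binding, that is the assertion that shows the generated policy takes effect. Change the final line to `file: validatingadmissionpolicybinding.yaml`. Separately, the fixed `sleep` with `duration: 10s` looks unnecessary, because chainsaw `assert` operations already retry until their timeout; dropping it would make the test faster and less timing-dependent.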
@@ -0,0 +1,22 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-deployment-labels
+spec:
+ validationActions:
+ - Audit
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [apps]
+ apiVersions: [v1]
+ operations: [CREATE, UPDATE]
+ resources: [deployments]
+ variables:
+ - name: environment
+ expression: >-
+ has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'
+ validations:
+ - expression: >-
+ variables.environment == true
+ message: >-
+ Deployment labels must be env=prod
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/validatingadmissionpolicy.yaml
new file mode 100644
index 0000000000..9f54c03c44
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/validatingadmissionpolicy.yaml
@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: vpol-check-deployment-labels
+ ownerReferences:
+ - apiVersion: policies.kyverno.io/v1alpha1
+ kind: ValidatingPolicy
+ name: check-deployment-labels
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - apps
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - deployments
+ variables:
+ - expression: has(object.metadata.labels) && 'env' in object.metadata.labels &&
+ object.metadata.labels['env'] == 'prod'
+ name: environment
+ validations:
+ - expression: variables.environment == true
+ message: Deployment labels must be env=prod
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/validatingadmissionpolicybinding.yaml
new file mode 100644
index 0000000000..1dc9beb2b2
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/validatingpolicy/check-deployment-labels/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: vpol-check-deployment-labels-binding
+ ownerReferences:
+ - apiVersion: policies.kyverno.io/v1alpha1
+ kind: ValidatingPolicy
+ name: check-deployment-labels
+spec:
+ policyName: vpol-check-deployment-labels
+ validationActions:
+ - Audit