mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-15 20:20:22 +00:00
feat:Webhook config per policy (#9483)
* add spec.webhookConfigurations Signed-off-by: ShutingZhao <shuting@nirmata.com> * update crd Signed-off-by: ShutingZhao <shuting@nirmata.com> * configure webhook Signed-off-by: ShutingZhao <shuting@nirmata.com> * register webhook handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * skip storing finegrained policies in cache Signed-off-by: ShutingZhao <shuting@nirmata.com> * update resource validate handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * updates Signed-off-by: ShutingZhao <shuting@nirmata.com> * enable mutate resource handler for fine-grained policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: tests Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
parent
f4aba55e0a
commit
7170cbb0c2
28 changed files with 1371 additions and 126 deletions
|
@ -7,6 +7,7 @@ import (
|
||||||
"github.com/kyverno/kyverno/pkg/engine/variables/regex"
|
"github.com/kyverno/kyverno/pkg/engine/variables/regex"
|
||||||
"github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
|
"github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
|
||||||
admissionv1 "k8s.io/api/admission/v1"
|
admissionv1 "k8s.io/api/admission/v1"
|
||||||
|
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||||
"k8s.io/api/admissionregistration/v1alpha1"
|
"k8s.io/api/admissionregistration/v1alpha1"
|
||||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
||||||
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||||
|
@ -49,6 +50,13 @@ const (
|
||||||
Descending ForeachOrder = "Descending"
|
Descending ForeachOrder = "Descending"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.
|
||||||
|
type WebhookConfiguration struct {
|
||||||
|
// MatchCondition configures admission webhook matchConditions.
|
||||||
|
// +optional
|
||||||
|
MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
// AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
|
// AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
|
||||||
// AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
// AnyConditions get fulfilled when at least one of its sub-conditions passes.
|
||||||
// AllConditions get fulfilled only when all of its sub-conditions pass.
|
// AllConditions get fulfilled only when all of its sub-conditions pass.
|
||||||
|
|
|
@ -5,6 +5,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"github.com/kyverno/kyverno/pkg/toggle"
|
"github.com/kyverno/kyverno/pkg/toggle"
|
||||||
|
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||||
|
@ -121,6 +122,15 @@ type Spec struct {
|
||||||
// Defaults to "false" if not specified.
|
// Defaults to "false" if not specified.
|
||||||
// +optional
|
// +optional
|
||||||
UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
|
UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
|
||||||
|
|
||||||
|
// WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
|
||||||
|
// Requires Kubernetes 1.27 or later.
|
||||||
|
// +optional
|
||||||
|
WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *Spec) CustomWebhookConfiguration() bool {
|
||||||
|
return s.WebhookConfiguration != nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Spec) SetRules(rules []Rule) {
|
func (s *Spec) SetRules(rules []Rule) {
|
||||||
|
@ -257,6 +267,14 @@ func (s *Spec) GetFailurePolicy(ctx context.Context) FailurePolicyType {
|
||||||
return *s.FailurePolicy
|
return *s.FailurePolicy
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetMatchConditions returns matchConditions in webhookConfiguration
|
||||||
|
func (s *Spec) GetMatchConditions() []admissionregistrationv1.MatchCondition {
|
||||||
|
if s.WebhookConfiguration != nil {
|
||||||
|
return s.WebhookConfiguration.MatchConditions
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// GetFailurePolicy returns the failure policy to be applied
|
// GetFailurePolicy returns the failure policy to be applied
|
||||||
func (s *Spec) GetApplyRules() ApplyRulesType {
|
func (s *Spec) GetApplyRules() ApplyRulesType {
|
||||||
if s.ApplyRules == nil {
|
if s.ApplyRules == nil {
|
||||||
|
|
|
@ -23,6 +23,7 @@ package v1
|
||||||
|
|
||||||
import (
|
import (
|
||||||
k8smanifest "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
|
k8smanifest "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
|
||||||
|
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||||
v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||||
rbacv1 "k8s.io/api/rbac/v1"
|
rbacv1 "k8s.io/api/rbac/v1"
|
||||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||||
|
@ -1408,6 +1409,11 @@ func (in *Spec) DeepCopyInto(out *Spec) {
|
||||||
*out = new(bool)
|
*out = new(bool)
|
||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
|
if in.WebhookConfiguration != nil {
|
||||||
|
in, out := &in.WebhookConfiguration, &out.WebhookConfiguration
|
||||||
|
*out = new(WebhookConfiguration)
|
||||||
|
(*in).DeepCopyInto(*out)
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1632,3 +1638,24 @@ func (in *Variable) DeepCopy() *Variable {
|
||||||
in.DeepCopyInto(out)
|
in.DeepCopyInto(out)
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) {
|
||||||
|
*out = *in
|
||||||
|
if in.MatchConditions != nil {
|
||||||
|
in, out := &in.MatchConditions, &out.MatchConditions
|
||||||
|
*out = make([]admissionregistrationv1.MatchCondition, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookConfiguration.
|
||||||
|
func (in *WebhookConfiguration) DeepCopy() *WebhookConfiguration {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(WebhookConfiguration)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
|
@ -2,10 +2,18 @@ package v2beta1
|
||||||
|
|
||||||
import (
|
import (
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
|
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
||||||
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.
|
||||||
|
type WebhookConfiguration struct {
|
||||||
|
// MatchCondition configures admission webhook matchConditions.
|
||||||
|
// +optional
|
||||||
|
MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
// Validation defines checks to be performed on matching resources.
|
// Validation defines checks to be performed on matching resources.
|
||||||
type Validation struct {
|
type Validation struct {
|
||||||
// Message specifies a custom message to be displayed on failure.
|
// Message specifies a custom message to be displayed on failure.
|
||||||
|
|
|
@ -82,6 +82,15 @@ type Spec struct {
|
||||||
// Defaults to "false" if not specified.
|
// Defaults to "false" if not specified.
|
||||||
// +optional
|
// +optional
|
||||||
UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
|
UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
|
||||||
|
|
||||||
|
// WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
|
||||||
|
// Requires Kubernetes 1.27 or later.
|
||||||
|
// +optional
|
||||||
|
WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *Spec) CustomWebhookConfiguration() bool {
|
||||||
|
return s.WebhookConfiguration != nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Spec) SetRules(rules []Rule) {
|
func (s *Spec) SetRules(rules []Rule) {
|
||||||
|
|
|
@ -810,6 +810,11 @@ func (in *Spec) DeepCopyInto(out *Spec) {
|
||||||
*out = new(bool)
|
*out = new(bool)
|
||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
|
if in.WebhookConfiguration != nil {
|
||||||
|
in, out := &in.WebhookConfiguration, &out.WebhookConfiguration
|
||||||
|
*out = new(WebhookConfiguration)
|
||||||
|
(*in).DeepCopyInto(*out)
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -875,3 +880,24 @@ func (in *Validation) DeepCopy() *Validation {
|
||||||
in.DeepCopyInto(out)
|
in.DeepCopyInto(out)
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) {
|
||||||
|
*out = *in
|
||||||
|
if in.MatchConditions != nil {
|
||||||
|
in, out := &in.MatchConditions, &out.MatchConditions
|
||||||
|
*out = make([]admissionregistrationv1.MatchCondition, len(*in))
|
||||||
|
copy(*out, *in)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookConfiguration.
|
||||||
|
func (in *WebhookConfiguration) DeepCopy() *WebhookConfiguration {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(WebhookConfiguration)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
|
@ -14420,6 +14420,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
@ -23196,6 +23242,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
@ -32272,6 +32364,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
@ -41050,6 +41188,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
|
|
@ -4469,6 +4469,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
@ -13245,6 +13291,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
|
|
@ -4470,6 +4470,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
@ -13248,6 +13294,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
|
|
@ -4469,6 +4469,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
@ -13245,6 +13291,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
|
|
@ -4470,6 +4470,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
@ -13248,6 +13294,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
|
|
@ -14639,6 +14639,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
@ -23415,6 +23461,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
@ -32493,6 +32585,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
@ -41271,6 +41409,52 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
webhookConfiguration:
|
||||||
|
description: WebhookConfiguration specifies the custom configuration
|
||||||
|
for Kubernetes admission webhookconfiguration. Requires Kubernetes
|
||||||
|
1.27 or later.
|
||||||
|
properties:
|
||||||
|
matchConditions:
|
||||||
|
description: MatchCondition configures admission webhook matchConditions.
|
||||||
|
items:
|
||||||
|
description: MatchCondition represents a condition which must
|
||||||
|
by fulfilled for a request to be sent to a webhook.
|
||||||
|
properties:
|
||||||
|
expression:
|
||||||
|
description: "Expression represents the expression which
|
||||||
|
will be evaluated by CEL. Must evaluate to bool. CEL expressions
|
||||||
|
have access to the contents of the AdmissionRequest and
|
||||||
|
Authorizer, organized into CEL variables: \n 'object'
|
||||||
|
- The object from the incoming request. The value is null
|
||||||
|
for DELETE requests. 'oldObject' - The existing object.
|
||||||
|
The value is null for CREATE requests. 'request' - Attributes
|
||||||
|
of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
|
||||||
|
'authorizer' - A CEL Authorizer. May be used to perform
|
||||||
|
authorization checks for the principal (user or service
|
||||||
|
account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
|
||||||
|
'authorizer.requestResource' - A CEL ResourceCheck constructed
|
||||||
|
from the 'authorizer' and configured with the request
|
||||||
|
resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
name:
|
||||||
|
description: "Name is an identifier for this match condition,
|
||||||
|
used for strategic merging of MatchConditions, as well
|
||||||
|
as providing an identifier for logging purposes. A good
|
||||||
|
name should be descriptive of the associated expression.
|
||||||
|
Name must be a qualified name consisting of alphanumeric
|
||||||
|
characters, '-', '_' or '.', and must start and end with
|
||||||
|
an alphanumeric character (e.g. 'MyName', or 'my.name',
|
||||||
|
\ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')
|
||||||
|
with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
|
||||||
|
\n Required."
|
||||||
|
type: string
|
||||||
|
required:
|
||||||
|
- expression
|
||||||
|
- name
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
webhookTimeoutSeconds:
|
webhookTimeoutSeconds:
|
||||||
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
description: WebhookTimeoutSeconds specifies the maximum time in seconds
|
||||||
allowed to apply this policy. After the configured time expires,
|
allowed to apply this policy. After the configured time expires,
|
||||||
|
|
|
@ -293,6 +293,21 @@ If is set to “true” create & update for generate rules will use
|
||||||
Defaults to “false” if not specified.</p>
|
Defaults to “false” if not specified.</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<code>webhookConfiguration</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v1.WebhookConfiguration">
|
||||||
|
WebhookConfiguration
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
|
||||||
|
Requires Kubernetes 1.27 or later.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
@ -556,6 +571,21 @@ If is set to “true” create & update for generate rules will use
|
||||||
Defaults to “false” if not specified.</p>
|
Defaults to “false” if not specified.</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<code>webhookConfiguration</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v1.WebhookConfiguration">
|
||||||
|
WebhookConfiguration
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
|
||||||
|
Requires Kubernetes 1.27 or later.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
@ -3910,6 +3940,21 @@ If is set to “true” create & update for generate rules will use
|
||||||
Defaults to “false” if not specified.</p>
|
Defaults to “false” if not specified.</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<code>webhookConfiguration</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v1.WebhookConfiguration">
|
||||||
|
WebhookConfiguration
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
|
||||||
|
Requires Kubernetes 1.27 or later.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<hr />
|
<hr />
|
||||||
|
@ -4441,6 +4486,40 @@ expression evaluates to nil</p>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<hr />
|
<hr />
|
||||||
|
<h3 id="kyverno.io/v1.WebhookConfiguration">WebhookConfiguration
|
||||||
|
</h3>
|
||||||
|
<p>
|
||||||
|
(<em>Appears on:</em>
|
||||||
|
<a href="#kyverno.io/v1.Spec">Spec</a>)
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<p>WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.</p>
|
||||||
|
</p>
|
||||||
|
<table class="table table-striped">
|
||||||
|
<thead class="thead-dark">
|
||||||
|
<tr>
|
||||||
|
<th>Field</th>
|
||||||
|
<th>Description</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<code>matchConditions</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
|
||||||
|
[]Kubernetes admissionregistration/v1.MatchCondition
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>MatchCondition configures admission webhook matchConditions.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<hr />
|
||||||
<h2 id="kyverno.io/v1alpha2">kyverno.io/v1alpha2</h2>
|
<h2 id="kyverno.io/v1alpha2">kyverno.io/v1alpha2</h2>
|
||||||
<p>
|
<p>
|
||||||
<p>Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group</p>
|
<p>Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group</p>
|
||||||
|
@ -8288,6 +8367,21 @@ If is set to “true” create & update for generate rules will use
|
||||||
Defaults to “false” if not specified.</p>
|
Defaults to “false” if not specified.</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<code>webhookConfiguration</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v2beta1.WebhookConfiguration">
|
||||||
|
WebhookConfiguration
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
|
||||||
|
Requires Kubernetes 1.27 or later.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
@ -8550,6 +8644,21 @@ If is set to “true” create & update for generate rules will use
|
||||||
Defaults to “false” if not specified.</p>
|
Defaults to “false” if not specified.</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<code>webhookConfiguration</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v2beta1.WebhookConfiguration">
|
||||||
|
WebhookConfiguration
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
|
||||||
|
Requires Kubernetes 1.27 or later.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
@ -9932,6 +10041,21 @@ If is set to “true” create & update for generate rules will use
|
||||||
Defaults to “false” if not specified.</p>
|
Defaults to “false” if not specified.</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<code>webhookConfiguration</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v2beta1.WebhookConfiguration">
|
||||||
|
WebhookConfiguration
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
|
||||||
|
Requires Kubernetes 1.27 or later.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<hr />
|
<hr />
|
||||||
|
@ -10067,6 +10191,40 @@ CEL
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
<hr />
|
<hr />
|
||||||
|
<h3 id="kyverno.io/v2beta1.WebhookConfiguration">WebhookConfiguration
|
||||||
|
</h3>
|
||||||
|
<p>
|
||||||
|
(<em>Appears on:</em>
|
||||||
|
<a href="#kyverno.io/v2beta1.Spec">Spec</a>)
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<p>WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.</p>
|
||||||
|
</p>
|
||||||
|
<table class="table table-striped">
|
||||||
|
<thead class="thead-dark">
|
||||||
|
<tr>
|
||||||
|
<th>Field</th>
|
||||||
|
<th>Description</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<code>matchConditions</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
|
||||||
|
[]Kubernetes admissionregistration/v1.MatchCondition
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>MatchCondition configures admission webhook matchConditions.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<hr />
|
||||||
<h2 id="reports.kyverno.io/v1">reports.kyverno.io/v1</h2>
|
<h2 id="reports.kyverno.io/v1">reports.kyverno.io/v1</h2>
|
||||||
<p>
|
<p>
|
||||||
</p>
|
</p>
|
||||||
|
|
|
@ -38,6 +38,7 @@ type SpecApplyConfiguration struct {
|
||||||
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty"`
|
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty"`
|
||||||
GenerateExisting *bool `json:"generateExisting,omitempty"`
|
GenerateExisting *bool `json:"generateExisting,omitempty"`
|
||||||
UseServerSideApply *bool `json:"useServerSideApply,omitempty"`
|
UseServerSideApply *bool `json:"useServerSideApply,omitempty"`
|
||||||
|
WebhookConfiguration *WebhookConfigurationApplyConfiguration `json:"webhookConfiguration,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// SpecApplyConfiguration constructs an declarative configuration of the Spec type for use with
|
// SpecApplyConfiguration constructs an declarative configuration of the Spec type for use with
|
||||||
|
@ -159,3 +160,11 @@ func (b *SpecApplyConfiguration) WithUseServerSideApply(value bool) *SpecApplyCo
|
||||||
b.UseServerSideApply = &value
|
b.UseServerSideApply = &value
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// WithWebhookConfiguration sets the WebhookConfiguration field in the declarative configuration to the given value
|
||||||
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
|
// If called multiple times, the WebhookConfiguration field is set to the value of the last call.
|
||||||
|
func (b *SpecApplyConfiguration) WithWebhookConfiguration(value *WebhookConfigurationApplyConfiguration) *SpecApplyConfiguration {
|
||||||
|
b.WebhookConfiguration = value
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
/*
|
||||||
|
Copyright The Kubernetes Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Code generated by applyconfiguration-gen. DO NOT EDIT.
|
||||||
|
|
||||||
|
package v1
|
||||||
|
|
||||||
|
import (
|
||||||
|
v1 "k8s.io/api/admissionregistration/v1"
|
||||||
|
)
|
||||||
|
|
||||||
|
// WebhookConfigurationApplyConfiguration represents an declarative configuration of the WebhookConfiguration type for use
|
||||||
|
// with apply.
|
||||||
|
type WebhookConfigurationApplyConfiguration struct {
|
||||||
|
MatchConditions []v1.MatchCondition `json:"matchConditions,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// WebhookConfigurationApplyConfiguration constructs an declarative configuration of the WebhookConfiguration type for use with
|
||||||
|
// apply.
|
||||||
|
func WebhookConfiguration() *WebhookConfigurationApplyConfiguration {
|
||||||
|
return &WebhookConfigurationApplyConfiguration{}
|
||||||
|
}
|
||||||
|
|
||||||
|
// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
|
||||||
|
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||||
|
// If called multiple times, values provided by each call will be appended to the MatchConditions field.
|
||||||
|
func (b *WebhookConfigurationApplyConfiguration) WithMatchConditions(values ...v1.MatchCondition) *WebhookConfigurationApplyConfiguration {
|
||||||
|
for i := range values {
|
||||||
|
b.MatchConditions = append(b.MatchConditions, values[i])
|
||||||
|
}
|
||||||
|
return b
|
||||||
|
}
|
|
@ -39,6 +39,7 @@ type SpecApplyConfiguration struct {
|
||||||
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty"`
|
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty"`
|
||||||
GenerateExisting *bool `json:"generateExisting,omitempty"`
|
GenerateExisting *bool `json:"generateExisting,omitempty"`
|
||||||
UseServerSideApply *bool `json:"useServerSideApply,omitempty"`
|
UseServerSideApply *bool `json:"useServerSideApply,omitempty"`
|
||||||
|
WebhookConfiguration *WebhookConfigurationApplyConfiguration `json:"webhookConfiguration,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// SpecApplyConfiguration constructs an declarative configuration of the Spec type for use with
|
// SpecApplyConfiguration constructs an declarative configuration of the Spec type for use with
|
||||||
|
@ -160,3 +161,11 @@ func (b *SpecApplyConfiguration) WithUseServerSideApply(value bool) *SpecApplyCo
|
||||||
b.UseServerSideApply = &value
|
b.UseServerSideApply = &value
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// WithWebhookConfiguration sets the WebhookConfiguration field in the declarative configuration to the given value
|
||||||
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
|
// If called multiple times, the WebhookConfiguration field is set to the value of the last call.
|
||||||
|
func (b *SpecApplyConfiguration) WithWebhookConfiguration(value *WebhookConfigurationApplyConfiguration) *SpecApplyConfiguration {
|
||||||
|
b.WebhookConfiguration = value
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
/*
|
||||||
|
Copyright The Kubernetes Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Code generated by applyconfiguration-gen. DO NOT EDIT.
|
||||||
|
|
||||||
|
package v2beta1
|
||||||
|
|
||||||
|
import (
|
||||||
|
v1 "k8s.io/api/admissionregistration/v1"
|
||||||
|
)
|
||||||
|
|
||||||
|
// WebhookConfigurationApplyConfiguration represents an declarative configuration of the WebhookConfiguration type for use
|
||||||
|
// with apply.
|
||||||
|
type WebhookConfigurationApplyConfiguration struct {
|
||||||
|
MatchConditions []v1.MatchCondition `json:"matchConditions,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// WebhookConfigurationApplyConfiguration constructs an declarative configuration of the WebhookConfiguration type for use with
|
||||||
|
// apply.
|
||||||
|
func WebhookConfiguration() *WebhookConfigurationApplyConfiguration {
|
||||||
|
return &WebhookConfigurationApplyConfiguration{}
|
||||||
|
}
|
||||||
|
|
||||||
|
// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
|
||||||
|
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||||
|
// If called multiple times, values provided by each call will be appended to the MatchConditions field.
|
||||||
|
func (b *WebhookConfigurationApplyConfiguration) WithMatchConditions(values ...v1.MatchCondition) *WebhookConfigurationApplyConfiguration {
|
||||||
|
for i := range values {
|
||||||
|
b.MatchConditions = append(b.MatchConditions, values[i])
|
||||||
|
}
|
||||||
|
return b
|
||||||
|
}
|
|
@ -143,6 +143,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
|
||||||
return &kyvernov1.ValidationFailureActionOverrideApplyConfiguration{}
|
return &kyvernov1.ValidationFailureActionOverrideApplyConfiguration{}
|
||||||
case v1.SchemeGroupVersion.WithKind("Variable"):
|
case v1.SchemeGroupVersion.WithKind("Variable"):
|
||||||
return &kyvernov1.VariableApplyConfiguration{}
|
return &kyvernov1.VariableApplyConfiguration{}
|
||||||
|
case v1.SchemeGroupVersion.WithKind("WebhookConfiguration"):
|
||||||
|
return &kyvernov1.WebhookConfigurationApplyConfiguration{}
|
||||||
|
|
||||||
// Group=kyverno.io, Version=v1alpha2
|
// Group=kyverno.io, Version=v1alpha2
|
||||||
case v1alpha2.SchemeGroupVersion.WithKind("AdmissionReport"):
|
case v1alpha2.SchemeGroupVersion.WithKind("AdmissionReport"):
|
||||||
|
@ -257,6 +259,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
|
||||||
return &kyvernov2beta1.SpecApplyConfiguration{}
|
return &kyvernov2beta1.SpecApplyConfiguration{}
|
||||||
case v2beta1.SchemeGroupVersion.WithKind("Validation"):
|
case v2beta1.SchemeGroupVersion.WithKind("Validation"):
|
||||||
return &kyvernov2beta1.ValidationApplyConfiguration{}
|
return &kyvernov2beta1.ValidationApplyConfiguration{}
|
||||||
|
case v2beta1.SchemeGroupVersion.WithKind("WebhookConfiguration"):
|
||||||
|
return &kyvernov2beta1.WebhookConfigurationApplyConfiguration{}
|
||||||
|
|
||||||
// Group=reports.kyverno.io, Version=v1
|
// Group=reports.kyverno.io, Version=v1
|
||||||
case reportsv1.SchemeGroupVersion.WithKind("AdmissionReport"):
|
case reportsv1.SchemeGroupVersion.WithKind("AdmissionReport"):
|
||||||
|
|
|
@ -74,6 +74,8 @@ const (
|
||||||
ReadinessServicePath = "/health/readiness"
|
ReadinessServicePath = "/health/readiness"
|
||||||
// MetricsPath is the path for exposing metrics
|
// MetricsPath is the path for exposing metrics
|
||||||
MetricsPath = "/metrics"
|
MetricsPath = "/metrics"
|
||||||
|
// FineGrainedWebhookPath is the sub-path for fine-grained webhook configurationss
|
||||||
|
FineGrainedWebhookPath = "/finegrained"
|
||||||
)
|
)
|
||||||
|
|
||||||
// keys in config map
|
// keys in config map
|
||||||
|
|
|
@ -103,7 +103,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if policy.AdmissionProcessingEnabled() {
|
if policy.AdmissionProcessingEnabled() && !policy.GetSpec().CustomWebhookConfiguration() {
|
||||||
return c.cache.Set(key, policy, c.client.Discovery())
|
return c.cache.Set(key, policy, c.client.Discovery())
|
||||||
} else {
|
} else {
|
||||||
c.cache.Unset(key)
|
c.cache.Unset(key)
|
||||||
|
|
|
@ -634,74 +634,85 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(ctx context.Conte
|
||||||
Webhooks: []admissionregistrationv1.MutatingWebhook{},
|
Webhooks: []admissionregistrationv1.MutatingWebhook{},
|
||||||
}
|
}
|
||||||
if c.watchdogCheck() {
|
if c.watchdogCheck() {
|
||||||
ignore := newWebhook(c.defaultTimeout, ignore)
|
|
||||||
fail := newWebhook(c.defaultTimeout, fail)
|
|
||||||
policies, err := c.getAllPolicies()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
c.recordPolicyState(config.MutatingWebhookConfigurationName, policies...)
|
|
||||||
for _, p := range policies {
|
|
||||||
if p.AdmissionProcessingEnabled() {
|
|
||||||
spec := p.GetSpec()
|
|
||||||
if spec.HasMutateStandard() || spec.HasVerifyImages() {
|
|
||||||
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
|
|
||||||
c.mergeWebhook(ignore, p, false)
|
|
||||||
} else {
|
|
||||||
c.mergeWebhook(fail, p, false)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
webhookCfg := config.WebhookConfig{}
|
webhookCfg := config.WebhookConfig{}
|
||||||
webhookCfgs := cfg.GetWebhooks()
|
webhookCfgs := cfg.GetWebhooks()
|
||||||
if len(webhookCfgs) > 0 {
|
if len(webhookCfgs) > 0 {
|
||||||
webhookCfg = webhookCfgs[0]
|
webhookCfg = webhookCfgs[0]
|
||||||
}
|
}
|
||||||
if !ignore.isEmpty() {
|
|
||||||
timeout := capTimeout(ignore.maxWebhookTimeout)
|
ignoreWebhook := newWebhook(c.defaultTimeout, ignore, cfg.GetMatchConditions())
|
||||||
result.Webhooks = append(
|
failWebhook := newWebhook(c.defaultTimeout, fail, cfg.GetMatchConditions())
|
||||||
result.Webhooks,
|
policies, err := c.getAllPolicies()
|
||||||
admissionregistrationv1.MutatingWebhook{
|
if err != nil {
|
||||||
Name: config.MutatingWebhookName + "-ignore",
|
return nil, err
|
||||||
ClientConfig: c.clientConfig(caBundle, config.MutatingWebhookServicePath+"/ignore"),
|
|
||||||
Rules: ignore.buildRulesWithOperations(admissionregistrationv1.Create, admissionregistrationv1.Update),
|
|
||||||
FailurePolicy: &ignore.failurePolicy,
|
|
||||||
SideEffects: &noneOnDryRun,
|
|
||||||
AdmissionReviewVersions: []string{"v1"},
|
|
||||||
NamespaceSelector: webhookCfg.NamespaceSelector,
|
|
||||||
ObjectSelector: webhookCfg.ObjectSelector,
|
|
||||||
TimeoutSeconds: &timeout,
|
|
||||||
ReinvocationPolicy: &ifNeeded,
|
|
||||||
MatchConditions: cfg.GetMatchConditions(),
|
|
||||||
},
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
if !fail.isEmpty() {
|
var fineGrainedIgnoreList, fineGrainedFailList []*webhook
|
||||||
timeout := capTimeout(fail.maxWebhookTimeout)
|
c.recordPolicyState(config.MutatingWebhookConfigurationName, policies...)
|
||||||
result.Webhooks = append(
|
for _, p := range policies {
|
||||||
result.Webhooks,
|
if p.AdmissionProcessingEnabled() {
|
||||||
admissionregistrationv1.MutatingWebhook{
|
spec := p.GetSpec()
|
||||||
Name: config.MutatingWebhookName + "-fail",
|
if spec.HasMutateStandard() || spec.HasVerifyImages() {
|
||||||
ClientConfig: c.clientConfig(caBundle, config.MutatingWebhookServicePath+"/fail"),
|
if spec.CustomWebhookConfiguration() {
|
||||||
Rules: fail.buildRulesWithOperations(admissionregistrationv1.Create, admissionregistrationv1.Update),
|
fineGrainedIgnore := newWebhookPerPolicy(c.defaultTimeout, ignore, cfg.GetMatchConditions(), p)
|
||||||
FailurePolicy: &fail.failurePolicy,
|
fineGrainedFail := newWebhookPerPolicy(c.defaultTimeout, fail, cfg.GetMatchConditions(), p)
|
||||||
SideEffects: &noneOnDryRun,
|
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
|
||||||
AdmissionReviewVersions: []string{"v1"},
|
c.mergeWebhook(fineGrainedIgnore, p, false)
|
||||||
NamespaceSelector: webhookCfg.NamespaceSelector,
|
fineGrainedIgnoreList = append(fineGrainedIgnoreList, fineGrainedIgnore)
|
||||||
ObjectSelector: webhookCfg.ObjectSelector,
|
} else {
|
||||||
TimeoutSeconds: &timeout,
|
c.mergeWebhook(fineGrainedFail, p, false)
|
||||||
ReinvocationPolicy: &ifNeeded,
|
fineGrainedFailList = append(fineGrainedFailList, fineGrainedFail)
|
||||||
MatchConditions: cfg.GetMatchConditions(),
|
}
|
||||||
},
|
continue
|
||||||
)
|
}
|
||||||
|
|
||||||
|
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
|
||||||
|
c.mergeWebhook(ignoreWebhook, p, false)
|
||||||
|
} else {
|
||||||
|
c.mergeWebhook(failWebhook, p, false)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
webhooks := []*webhook{ignoreWebhook, failWebhook}
|
||||||
|
webhooks = append(webhooks, fineGrainedIgnoreList...)
|
||||||
|
webhooks = append(webhooks, fineGrainedFailList...)
|
||||||
|
result.Webhooks = c.buildResourceMutatingWebhookRules(caBundle, webhookCfg, &noneOnDryRun, webhooks)
|
||||||
} else {
|
} else {
|
||||||
c.recordPolicyState(config.MutatingWebhookConfigurationName)
|
c.recordPolicyState(config.MutatingWebhookConfigurationName)
|
||||||
}
|
}
|
||||||
return &result, nil
|
return &result, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *controller) buildResourceMutatingWebhookRules(caBundle []byte, webhookCfg config.WebhookConfig, sideEffects *admissionregistrationv1.SideEffectClass, webhooks []*webhook) []admissionregistrationv1.MutatingWebhook {
|
||||||
|
var mutatingWebhooks []admissionregistrationv1.MutatingWebhook
|
||||||
|
for _, webhook := range webhooks {
|
||||||
|
if webhook.isEmpty() {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
failurePolicy := webhook.failurePolicy
|
||||||
|
timeout := capTimeout(webhook.maxWebhookTimeout)
|
||||||
|
name, path := webhookNameAndPath(*webhook, config.MutatingWebhookName, config.MutatingWebhookServicePath)
|
||||||
|
mutatingWebhooks = append(
|
||||||
|
mutatingWebhooks,
|
||||||
|
admissionregistrationv1.MutatingWebhook{
|
||||||
|
Name: name,
|
||||||
|
ClientConfig: c.clientConfig(caBundle, path),
|
||||||
|
Rules: webhook.buildRulesWithOperations(admissionregistrationv1.Create, admissionregistrationv1.Update),
|
||||||
|
FailurePolicy: &failurePolicy,
|
||||||
|
SideEffects: sideEffects,
|
||||||
|
AdmissionReviewVersions: []string{"v1"},
|
||||||
|
NamespaceSelector: webhookCfg.NamespaceSelector,
|
||||||
|
ObjectSelector: webhookCfg.ObjectSelector,
|
||||||
|
TimeoutSeconds: &timeout,
|
||||||
|
ReinvocationPolicy: &ifNeeded,
|
||||||
|
MatchConditions: webhook.matchConditions,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
}
|
||||||
|
return mutatingWebhooks
|
||||||
|
}
|
||||||
|
|
||||||
func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(_ context.Context, cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(_ context.Context, cfg config.Configuration, caBundle []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error) {
|
||||||
sideEffects := &none
|
sideEffects := &none
|
||||||
if c.admissionReports {
|
if c.admissionReports {
|
||||||
|
@ -760,76 +771,90 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(ctx context.Con
|
||||||
Webhooks: []admissionregistrationv1.ValidatingWebhook{},
|
Webhooks: []admissionregistrationv1.ValidatingWebhook{},
|
||||||
}
|
}
|
||||||
if c.watchdogCheck() {
|
if c.watchdogCheck() {
|
||||||
ignore := newWebhook(c.defaultTimeout, ignore)
|
|
||||||
fail := newWebhook(c.defaultTimeout, fail)
|
|
||||||
policies, err := c.getAllPolicies()
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
c.recordPolicyState(config.ValidatingWebhookConfigurationName, policies...)
|
|
||||||
for _, p := range policies {
|
|
||||||
if p.AdmissionProcessingEnabled() {
|
|
||||||
spec := p.GetSpec()
|
|
||||||
if spec.HasValidate() || spec.HasGenerate() || spec.HasMutateExisting() || spec.HasVerifyImageChecks() || spec.HasVerifyManifests() {
|
|
||||||
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
|
|
||||||
c.mergeWebhook(ignore, p, true)
|
|
||||||
} else {
|
|
||||||
c.mergeWebhook(fail, p, true)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
webhookCfg := config.WebhookConfig{}
|
webhookCfg := config.WebhookConfig{}
|
||||||
webhookCfgs := cfg.GetWebhooks()
|
webhookCfgs := cfg.GetWebhooks()
|
||||||
if len(webhookCfgs) > 0 {
|
if len(webhookCfgs) > 0 {
|
||||||
webhookCfg = webhookCfgs[0]
|
webhookCfg = webhookCfgs[0]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ignoreWebhook := newWebhook(c.defaultTimeout, ignore, cfg.GetMatchConditions())
|
||||||
|
failWebhook := newWebhook(c.defaultTimeout, fail, cfg.GetMatchConditions())
|
||||||
|
policies, err := c.getAllPolicies()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
var fineGrainedIgnoreList, fineGrainedFailList []*webhook
|
||||||
|
c.recordPolicyState(config.ValidatingWebhookConfigurationName, policies...)
|
||||||
|
for _, p := range policies {
|
||||||
|
if p.AdmissionProcessingEnabled() {
|
||||||
|
spec := p.GetSpec()
|
||||||
|
if spec.HasValidate() || spec.HasGenerate() || spec.HasMutateExisting() || spec.HasVerifyImageChecks() || spec.HasVerifyManifests() {
|
||||||
|
if spec.CustomWebhookConfiguration() {
|
||||||
|
fineGrainedIgnore := newWebhookPerPolicy(c.defaultTimeout, ignore, cfg.GetMatchConditions(), p)
|
||||||
|
fineGrainedFail := newWebhookPerPolicy(c.defaultTimeout, fail, cfg.GetMatchConditions(), p)
|
||||||
|
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
|
||||||
|
c.mergeWebhook(fineGrainedIgnore, p, true)
|
||||||
|
fineGrainedIgnoreList = append(fineGrainedIgnoreList, fineGrainedIgnore)
|
||||||
|
} else {
|
||||||
|
c.mergeWebhook(fineGrainedFail, p, true)
|
||||||
|
fineGrainedFailList = append(fineGrainedFailList, fineGrainedFail)
|
||||||
|
}
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
|
||||||
|
c.mergeWebhook(ignoreWebhook, p, true)
|
||||||
|
} else {
|
||||||
|
c.mergeWebhook(failWebhook, p, true)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
sideEffects := &none
|
sideEffects := &none
|
||||||
if c.admissionReports {
|
if c.admissionReports {
|
||||||
sideEffects = &noneOnDryRun
|
sideEffects = &noneOnDryRun
|
||||||
}
|
}
|
||||||
if !ignore.isEmpty() {
|
|
||||||
timeout := capTimeout(ignore.maxWebhookTimeout)
|
webhooks := []*webhook{ignoreWebhook, failWebhook}
|
||||||
result.Webhooks = append(
|
webhooks = append(webhooks, fineGrainedIgnoreList...)
|
||||||
result.Webhooks,
|
webhooks = append(webhooks, fineGrainedFailList...)
|
||||||
admissionregistrationv1.ValidatingWebhook{
|
result.Webhooks = c.buildResourceValidatingWebhookRules(caBundle, webhookCfg, sideEffects, webhooks)
|
||||||
Name: config.ValidatingWebhookName + "-ignore",
|
|
||||||
ClientConfig: c.clientConfig(caBundle, config.ValidatingWebhookServicePath+"/ignore"),
|
|
||||||
Rules: ignore.buildRulesWithOperations(admissionregistrationv1.Create, admissionregistrationv1.Update, admissionregistrationv1.Delete, admissionregistrationv1.Connect),
|
|
||||||
FailurePolicy: &ignore.failurePolicy,
|
|
||||||
SideEffects: sideEffects,
|
|
||||||
AdmissionReviewVersions: []string{"v1"},
|
|
||||||
NamespaceSelector: webhookCfg.NamespaceSelector,
|
|
||||||
ObjectSelector: webhookCfg.ObjectSelector,
|
|
||||||
TimeoutSeconds: &timeout,
|
|
||||||
MatchConditions: cfg.GetMatchConditions(),
|
|
||||||
},
|
|
||||||
)
|
|
||||||
}
|
|
||||||
if !fail.isEmpty() {
|
|
||||||
timeout := capTimeout(fail.maxWebhookTimeout)
|
|
||||||
result.Webhooks = append(
|
|
||||||
result.Webhooks,
|
|
||||||
admissionregistrationv1.ValidatingWebhook{
|
|
||||||
Name: config.ValidatingWebhookName + "-fail",
|
|
||||||
ClientConfig: c.clientConfig(caBundle, config.ValidatingWebhookServicePath+"/fail"),
|
|
||||||
Rules: fail.buildRulesWithOperations(admissionregistrationv1.Create, admissionregistrationv1.Update, admissionregistrationv1.Delete, admissionregistrationv1.Connect),
|
|
||||||
FailurePolicy: &fail.failurePolicy,
|
|
||||||
SideEffects: sideEffects,
|
|
||||||
AdmissionReviewVersions: []string{"v1"},
|
|
||||||
NamespaceSelector: webhookCfg.NamespaceSelector,
|
|
||||||
ObjectSelector: webhookCfg.ObjectSelector,
|
|
||||||
TimeoutSeconds: &timeout,
|
|
||||||
MatchConditions: cfg.GetMatchConditions(),
|
|
||||||
},
|
|
||||||
)
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
c.recordPolicyState(config.MutatingWebhookConfigurationName)
|
c.recordPolicyState(config.MutatingWebhookConfigurationName)
|
||||||
}
|
}
|
||||||
return &result, nil
|
return &result, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *controller) buildResourceValidatingWebhookRules(caBundle []byte, webhookCfg config.WebhookConfig, sideEffects *admissionregistrationv1.SideEffectClass, webhooks []*webhook) []admissionregistrationv1.ValidatingWebhook {
|
||||||
|
var validatingWebhooks []admissionregistrationv1.ValidatingWebhook
|
||||||
|
for _, webhook := range webhooks {
|
||||||
|
if webhook.isEmpty() {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
timeout := capTimeout(webhook.maxWebhookTimeout)
|
||||||
|
name, path := webhookNameAndPath(*webhook, config.ValidatingWebhookName, config.ValidatingWebhookServicePath)
|
||||||
|
failurePolicy := webhook.failurePolicy
|
||||||
|
validatingWebhooks = append(
|
||||||
|
validatingWebhooks,
|
||||||
|
admissionregistrationv1.ValidatingWebhook{
|
||||||
|
Name: name,
|
||||||
|
ClientConfig: c.clientConfig(caBundle, path),
|
||||||
|
Rules: webhook.buildRulesWithOperations(admissionregistrationv1.Create, admissionregistrationv1.Update, admissionregistrationv1.Delete, admissionregistrationv1.Connect),
|
||||||
|
FailurePolicy: &failurePolicy,
|
||||||
|
SideEffects: sideEffects,
|
||||||
|
AdmissionReviewVersions: []string{"v1"},
|
||||||
|
NamespaceSelector: webhookCfg.NamespaceSelector,
|
||||||
|
ObjectSelector: webhookCfg.ObjectSelector,
|
||||||
|
TimeoutSeconds: &timeout,
|
||||||
|
MatchConditions: webhook.matchConditions,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
}
|
||||||
|
return validatingWebhooks
|
||||||
|
}
|
||||||
|
|
||||||
func (c *controller) getAllPolicies() ([]kyvernov1.PolicyInterface, error) {
|
func (c *controller) getAllPolicies() ([]kyvernov1.PolicyInterface, error) {
|
||||||
var policies []kyvernov1.PolicyInterface
|
var policies []kyvernov1.PolicyInterface
|
||||||
if cpols, err := c.cpolLister.List(labels.Everything()); err != nil {
|
if cpols, err := c.cpolLister.List(labels.Everything()); err != nil {
|
||||||
|
|
|
@ -7,20 +7,27 @@ import (
|
||||||
|
|
||||||
"github.com/kyverno/kyverno/api/kyverno"
|
"github.com/kyverno/kyverno/api/kyverno"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
|
"github.com/kyverno/kyverno/pkg/config"
|
||||||
"golang.org/x/exp/maps"
|
"golang.org/x/exp/maps"
|
||||||
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
|
objectmeta "k8s.io/client-go/tools/cache"
|
||||||
"k8s.io/utils/ptr"
|
"k8s.io/utils/ptr"
|
||||||
)
|
)
|
||||||
|
|
||||||
// webhook is the instance that aggregates the GVK of existing policies
|
// webhook is the instance that aggregates the GVK of existing policies
|
||||||
// based on group, kind, scopeType, failurePolicy and webhookTimeout
|
// based on group, kind, scopeType, failurePolicy and webhookTimeout
|
||||||
|
// a fine-grained webhook is created per policy with a unique path
|
||||||
type webhook struct {
|
type webhook struct {
|
||||||
|
// policyMeta is set for fine-grained webhooks
|
||||||
|
policyMeta objectmeta.ObjectName
|
||||||
|
|
||||||
maxWebhookTimeout int32
|
maxWebhookTimeout int32
|
||||||
failurePolicy admissionregistrationv1.FailurePolicyType
|
failurePolicy admissionregistrationv1.FailurePolicyType
|
||||||
rules map[groupVersionScope]sets.Set[string]
|
rules map[groupVersionScope]sets.Set[string]
|
||||||
|
matchConditions []admissionregistrationv1.MatchCondition
|
||||||
}
|
}
|
||||||
|
|
||||||
// groupVersionScope contains the GV and scopeType of a resource
|
// groupVersionScope contains the GV and scopeType of a resource
|
||||||
|
@ -34,14 +41,27 @@ func (gvs groupVersionScope) String() string {
|
||||||
return gvs.GroupVersion.String() + "/" + string(gvs.scopeType)
|
return gvs.GroupVersion.String() + "/" + string(gvs.scopeType)
|
||||||
}
|
}
|
||||||
|
|
||||||
func newWebhook(timeout int32, failurePolicy admissionregistrationv1.FailurePolicyType) *webhook {
|
func newWebhook(timeout int32, failurePolicy admissionregistrationv1.FailurePolicyType, matchConditions []admissionregistrationv1.MatchCondition) *webhook {
|
||||||
return &webhook{
|
return &webhook{
|
||||||
maxWebhookTimeout: timeout,
|
maxWebhookTimeout: timeout,
|
||||||
failurePolicy: failurePolicy,
|
failurePolicy: failurePolicy,
|
||||||
rules: map[groupVersionScope]sets.Set[string]{},
|
rules: map[groupVersionScope]sets.Set[string]{},
|
||||||
|
matchConditions: matchConditions,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func newWebhookPerPolicy(timeout int32, failurePolicy admissionregistrationv1.FailurePolicyType, matchConditions []admissionregistrationv1.MatchCondition, policy kyvernov1.PolicyInterface) *webhook {
|
||||||
|
webhook := newWebhook(timeout, failurePolicy, matchConditions)
|
||||||
|
webhook.policyMeta = objectmeta.ObjectName{
|
||||||
|
Namespace: policy.GetNamespace(),
|
||||||
|
Name: policy.GetName(),
|
||||||
|
}
|
||||||
|
if policy.GetSpec().CustomWebhookConfiguration() {
|
||||||
|
webhook.matchConditions = policy.GetSpec().GetMatchConditions()
|
||||||
|
}
|
||||||
|
return webhook
|
||||||
|
}
|
||||||
|
|
||||||
func (wh *webhook) buildRulesWithOperations(ops ...admissionregistrationv1.OperationType) []admissionregistrationv1.RuleWithOperations {
|
func (wh *webhook) buildRulesWithOperations(ops ...admissionregistrationv1.OperationType) []admissionregistrationv1.RuleWithOperations {
|
||||||
var rules []admissionregistrationv1.RuleWithOperations
|
var rules []admissionregistrationv1.RuleWithOperations
|
||||||
|
|
||||||
|
@ -122,6 +142,14 @@ func (wh *webhook) isEmpty() bool {
|
||||||
return len(wh.rules) == 0
|
return len(wh.rules) == 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (wh *webhook) key(separator string) string {
|
||||||
|
p := wh.policyMeta
|
||||||
|
if p.Namespace != "" {
|
||||||
|
return p.Namespace + separator + p.Name
|
||||||
|
}
|
||||||
|
return p.Name
|
||||||
|
}
|
||||||
|
|
||||||
func objectMeta(name string, annotations map[string]string, labels map[string]string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
|
func objectMeta(name string, annotations map[string]string, labels map[string]string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
|
||||||
desiredLabels := make(map[string]string)
|
desiredLabels := make(map[string]string)
|
||||||
defaultLabels := map[string]string{
|
defaultLabels := map[string]string{
|
||||||
|
@ -167,3 +195,18 @@ func capTimeout(maxWebhookTimeout int32) int32 {
|
||||||
}
|
}
|
||||||
return maxWebhookTimeout
|
return maxWebhookTimeout
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func webhookNameAndPath(wh webhook, baseName, basePath string) (name string, path string) {
|
||||||
|
if wh.failurePolicy == ignore {
|
||||||
|
name = baseName + "-ignore"
|
||||||
|
path = basePath + "/ignore"
|
||||||
|
} else {
|
||||||
|
name = baseName + "-fail"
|
||||||
|
path = basePath + "/fail"
|
||||||
|
}
|
||||||
|
if wh.policyMeta.Name != "" {
|
||||||
|
name = name + "-finegrained-" + wh.key("-")
|
||||||
|
path = path + config.FineGrainedWebhookPath + "/" + wh.key("/")
|
||||||
|
}
|
||||||
|
return name, path
|
||||||
|
}
|
||||||
|
|
|
@ -12,9 +12,9 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func Test_webhook_isEmpty(t *testing.T) {
|
func Test_webhook_isEmpty(t *testing.T) {
|
||||||
empty := newWebhook(DefaultWebhookTimeout, admissionregistrationv1.Ignore)
|
empty := newWebhook(DefaultWebhookTimeout, admissionregistrationv1.Ignore, []admissionregistrationv1.MatchCondition{})
|
||||||
assert.Equal(t, empty.isEmpty(), true)
|
assert.Equal(t, empty.isEmpty(), true)
|
||||||
notEmpty := newWebhook(DefaultWebhookTimeout, admissionregistrationv1.Ignore)
|
notEmpty := newWebhook(DefaultWebhookTimeout, admissionregistrationv1.Ignore, []admissionregistrationv1.MatchCondition{})
|
||||||
notEmpty.set(GroupVersionResourceScope{
|
notEmpty.set(GroupVersionResourceScope{
|
||||||
GroupVersionResource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
GroupVersionResource: schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||||
Scope: admissionregistrationv1.NamespacedScope,
|
Scope: admissionregistrationv1.NamespacedScope,
|
||||||
|
|
|
@ -123,6 +123,10 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
|
||||||
spec := policy.GetSpec()
|
spec := policy.GetSpec()
|
||||||
background := spec.BackgroundProcessingEnabled()
|
background := spec.BackgroundProcessingEnabled()
|
||||||
mutateExistingOnPolicyUpdate := spec.GetMutateExistingOnPolicyUpdate()
|
mutateExistingOnPolicyUpdate := spec.GetMutateExistingOnPolicyUpdate()
|
||||||
|
if policy.GetSpec().CustomWebhookConfiguration() &&
|
||||||
|
!kubeutils.HigherThanKubernetesVersion(client.GetKubeClient().Discovery(), logging.GlobalLogger(), 1, 27, 0) {
|
||||||
|
return warnings, fmt.Errorf("custom webhook configurations are only supported in kubernetes version 1.27.0 and above")
|
||||||
|
}
|
||||||
|
|
||||||
warnings = append(warnings, checkValidationFailureAction(spec)...)
|
warnings = append(warnings, checkValidationFailureAction(spec)...)
|
||||||
var errs field.ErrorList
|
var errs field.ErrorList
|
||||||
|
|
|
@ -8,6 +8,7 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
|
"github.com/julienschmidt/httprouter"
|
||||||
admissionv1 "k8s.io/api/admission/v1"
|
admissionv1 "k8s.io/api/admission/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -47,8 +48,11 @@ func (inner AdmissionHandler) withAdmission(logger logr.Logger) HttpHandler {
|
||||||
"uid", admissionReview.Request.UID,
|
"uid", admissionReview.Request.UID,
|
||||||
"user", admissionReview.Request.UserInfo,
|
"user", admissionReview.Request.UserInfo,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
params := httprouter.ParamsFromContext(request.Context())
|
||||||
admissionRequest := AdmissionRequest{
|
admissionRequest := AdmissionRequest{
|
||||||
AdmissionRequest: *admissionReview.Request,
|
AdmissionRequest: *admissionReview.Request,
|
||||||
|
URLParams: params.ByName("policy"),
|
||||||
}
|
}
|
||||||
admissionResponse := inner(request.Context(), logger, admissionRequest, startTime)
|
admissionResponse := inner(request.Context(), logger, admissionRequest, startTime)
|
||||||
admissionReview.Response = &admissionResponse
|
admissionReview.Response = &admissionResponse
|
||||||
|
|
|
@ -23,6 +23,8 @@ type AdmissionRequest struct {
|
||||||
|
|
||||||
// GroupVersionKind is the top level GVK.
|
// GroupVersionKind is the top level GVK.
|
||||||
GroupVersionKind schema.GroupVersionKind
|
GroupVersionKind schema.GroupVersionKind
|
||||||
|
|
||||||
|
URLParams string
|
||||||
}
|
}
|
||||||
|
|
||||||
type AdmissionResponse = admissionv1.AdmissionResponse
|
type AdmissionResponse = admissionv1.AdmissionResponse
|
||||||
|
|
|
@ -3,6 +3,8 @@ package resource
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"errors"
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
|
@ -101,16 +103,13 @@ func NewHandlers(
|
||||||
|
|
||||||
func (h *resourceHandlers) Validate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, startTime time.Time) handlers.AdmissionResponse {
|
func (h *resourceHandlers) Validate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, startTime time.Time) handlers.AdmissionResponse {
|
||||||
kind := request.Kind.Kind
|
kind := request.Kind.Kind
|
||||||
logger = logger.WithValues("kind", kind)
|
logger = logger.WithValues("kind", kind).WithValues("URLParams", request.URLParams)
|
||||||
logger.V(4).Info("received an admission request in validating webhook")
|
logger.V(4).Info("received an admission request in validating webhook")
|
||||||
|
|
||||||
// timestamp at which this admission request got triggered
|
policies, mutatePolicies, generatePolicies, _, err := h.retrieveAndCategorizePolicies(ctx, logger, request, failurePolicy, false)
|
||||||
gvr := schema.GroupVersionResource(request.Resource)
|
if err != nil {
|
||||||
policies := filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.ValidateEnforce, gvr, request.SubResource, request.Namespace)...)
|
return errorResponse(logger, request.UID, err, "failed to fetch policy with key")
|
||||||
mutatePolicies := filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.Mutate, gvr, request.SubResource, request.Namespace)...)
|
}
|
||||||
generatePolicies := filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.Generate, gvr, request.SubResource, request.Namespace)...)
|
|
||||||
imageVerifyValidatePolicies := filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.VerifyImagesValidate, gvr, request.SubResource, request.Namespace)...)
|
|
||||||
policies = append(policies, imageVerifyValidatePolicies...)
|
|
||||||
|
|
||||||
if len(policies) == 0 && len(mutatePolicies) == 0 && len(generatePolicies) == 0 {
|
if len(policies) == 0 && len(mutatePolicies) == 0 && len(generatePolicies) == 0 {
|
||||||
logger.V(4).Info("no policies matched admission request")
|
logger.V(4).Info("no policies matched admission request")
|
||||||
|
@ -143,11 +142,13 @@ func (h *resourceHandlers) Validate(ctx context.Context, logger logr.Logger, req
|
||||||
|
|
||||||
func (h *resourceHandlers) Mutate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, startTime time.Time) handlers.AdmissionResponse {
|
func (h *resourceHandlers) Mutate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, startTime time.Time) handlers.AdmissionResponse {
|
||||||
kind := request.Kind.Kind
|
kind := request.Kind.Kind
|
||||||
logger = logger.WithValues("kind", kind)
|
logger = logger.WithValues("kind", kind).WithValues("URLParams", request.URLParams)
|
||||||
logger.V(4).Info("received an admission request in mutating webhook")
|
logger.V(4).Info("received an admission request in mutating webhook")
|
||||||
gvr := schema.GroupVersionResource(request.Resource)
|
|
||||||
mutatePolicies := filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.Mutate, gvr, request.SubResource, request.Namespace)...)
|
_, mutatePolicies, _, verifyImagesPolicies, err := h.retrieveAndCategorizePolicies(ctx, logger, request, failurePolicy, true)
|
||||||
verifyImagesPolicies := filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.VerifyImagesMutate, gvr, request.SubResource, request.Namespace)...)
|
if err != nil {
|
||||||
|
return errorResponse(logger, request.UID, err, "failed to fetch policy with key")
|
||||||
|
}
|
||||||
if len(mutatePolicies) == 0 && len(verifyImagesPolicies) == 0 {
|
if len(mutatePolicies) == 0 && len(verifyImagesPolicies) == 0 {
|
||||||
logger.V(4).Info("no policies matched mutate admission request")
|
logger.V(4).Info("no policies matched mutate admission request")
|
||||||
return admissionutils.ResponseSuccess(request.UID)
|
return admissionutils.ResponseSuccess(request.UID)
|
||||||
|
@ -184,6 +185,66 @@ func (h *resourceHandlers) Mutate(ctx context.Context, logger logr.Logger, reque
|
||||||
return admissionutils.MutationResponse(request.UID, patch, warnings...)
|
return admissionutils.MutationResponse(request.UID, patch, warnings...)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (h *resourceHandlers) retrieveAndCategorizePolicies(
|
||||||
|
ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, mutation bool) (
|
||||||
|
[]kyvernov1.PolicyInterface, []kyvernov1.PolicyInterface, []kyvernov1.PolicyInterface, []kyvernov1.PolicyInterface, error,
|
||||||
|
) {
|
||||||
|
var policies, mutatePolicies, generatePolicies, imageVerifyValidatePolicies []kyvernov1.PolicyInterface
|
||||||
|
if request.URLParams == "" {
|
||||||
|
gvr := schema.GroupVersionResource(request.Resource)
|
||||||
|
policies = filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.ValidateEnforce, gvr, request.SubResource, request.Namespace)...)
|
||||||
|
mutatePolicies = filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.Mutate, gvr, request.SubResource, request.Namespace)...)
|
||||||
|
generatePolicies = filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.Generate, gvr, request.SubResource, request.Namespace)...)
|
||||||
|
if mutation {
|
||||||
|
imageVerifyValidatePolicies = filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.VerifyImagesMutate, gvr, request.SubResource, request.Namespace)...)
|
||||||
|
} else {
|
||||||
|
imageVerifyValidatePolicies = filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.VerifyImagesValidate, gvr, request.SubResource, request.Namespace)...)
|
||||||
|
policies = append(policies, imageVerifyValidatePolicies...)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
meta := strings.Split(request.URLParams, "/")
|
||||||
|
polName := meta[1]
|
||||||
|
polNamespace := ""
|
||||||
|
|
||||||
|
if len(meta) >= 3 {
|
||||||
|
polNamespace = meta[1]
|
||||||
|
polName = meta[2]
|
||||||
|
}
|
||||||
|
|
||||||
|
var policy kyvernov1.PolicyInterface
|
||||||
|
var err error
|
||||||
|
if polNamespace == "" {
|
||||||
|
policy, err = h.cpolLister.Get(polName)
|
||||||
|
} else {
|
||||||
|
policy, err = h.polLister.Policies(polNamespace).Get(polName)
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, nil, nil, fmt.Errorf("key %s/%s: %v", polNamespace, polName, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
filteredPolicies := filterPolicies(ctx, failurePolicy, policy)
|
||||||
|
if len(filteredPolicies) == 0 {
|
||||||
|
logger.V(4).Info("no policy found with key", "namespace", polNamespace, "name", polName)
|
||||||
|
return nil, nil, nil, nil, nil
|
||||||
|
}
|
||||||
|
policy = filteredPolicies[0]
|
||||||
|
spec := policy.GetSpec()
|
||||||
|
if spec.HasValidate() {
|
||||||
|
policies = append(policies, policy)
|
||||||
|
}
|
||||||
|
if spec.HasGenerate() {
|
||||||
|
generatePolicies = append(generatePolicies, policy)
|
||||||
|
}
|
||||||
|
if spec.HasMutate() {
|
||||||
|
mutatePolicies = append(mutatePolicies, policy)
|
||||||
|
}
|
||||||
|
if spec.HasVerifyImages() {
|
||||||
|
policies = append(policies, policy)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return policies, mutatePolicies, generatePolicies, imageVerifyValidatePolicies, nil
|
||||||
|
}
|
||||||
|
|
||||||
func filterPolicies(ctx context.Context, failurePolicy string, policies ...kyvernov1.PolicyInterface) []kyvernov1.PolicyInterface {
|
func filterPolicies(ctx context.Context, failurePolicy string, policies ...kyvernov1.PolicyInterface) []kyvernov1.PolicyInterface {
|
||||||
var results []kyvernov1.PolicyInterface
|
var results []kyvernov1.PolicyInterface
|
||||||
for _, policy := range policies {
|
for _, policy := range policies {
|
||||||
|
|
|
@ -285,4 +285,6 @@ func registerWebhookHandlers(
|
||||||
mux.HandlerFunc("POST", basePath, builder(all).ToHandlerFunc(name))
|
mux.HandlerFunc("POST", basePath, builder(all).ToHandlerFunc(name))
|
||||||
mux.HandlerFunc("POST", basePath+"/ignore", builder(ignore).ToHandlerFunc(name))
|
mux.HandlerFunc("POST", basePath+"/ignore", builder(ignore).ToHandlerFunc(name))
|
||||||
mux.HandlerFunc("POST", basePath+"/fail", builder(fail).ToHandlerFunc(name))
|
mux.HandlerFunc("POST", basePath+"/fail", builder(fail).ToHandlerFunc(name))
|
||||||
|
mux.HandlerFunc("POST", basePath+"/ignore"+config.FineGrainedWebhookPath+"/*policy", builder(ignore).ToHandlerFunc(name))
|
||||||
|
mux.HandlerFunc("POST", basePath+"/fail"+config.FineGrainedWebhookPath+"/*policy", builder(fail).ToHandlerFunc(name))
|
||||||
}
|
}
|
||||||
|
|
Loading…
Add table
Reference in a new issue