mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 18:38:40 +00:00

Service call (#5755)

* fix digest and verify logic

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* allow attestations with no attestors

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* require predicateType

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix typo

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* updates

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make service optional

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make codegen-all

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* linter issues

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* gofmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add api token

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* codegen again!

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix API call

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests and formatting

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* revert changes to clientset & rename requestType

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Jim Bugwadia 2022-12-27 00:36:49 -08:00 committed by GitHub
parent 532fab6ee2
commit 787a1dc40a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 36052 additions and 711 deletions


@ -5,6 +5,7 @@ import (
"github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/pod-security-admission/api"
@ -60,8 +61,8 @@ type ContextEntry struct {
// ConfigMap is the ConfigMap reference.
ConfigMap *ConfigMapReference `json:"configMap,omitempty" yaml:"configMap,omitempty"`
// APICall defines an HTTP request to the Kubernetes API server. The JSON
// data retrieved is stored in the context.
// APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
// The data returned is stored in the context with the name for the context entry.
APICall *APICall `json:"apiCall,omitempty" yaml:"apiCall,omitempty"`
// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
@ -112,25 +113,58 @@ type ConfigMapReference struct {
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
}
// APICall defines an HTTP request to the Kubernetes API server. The JSON
// data retrieved is stored in the context. An APICall contains a URLPath
// used to perform the HTTP GET request and an optional JMESPath used to
// transform the retrieved JSON data.
type APICall struct {
// URLPath is the URL path to be used in the HTTP GET request to the
// Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
// The format required is the same format used by the `kubectl get --raw` command.
// +kubebuilder:validation:Optional
URLPath string `json:"urlPath" yaml:"urlPath"`
// Service is an API call to a JSON web service
// +kubebuilder:validation:Optional
Service *ServiceCall `json:"service,omitempty" yaml:"service,omitempty"`
// JMESPath is an optional JSON Match Expression that can be used to
// transform the JSON response returned from the API server. For example
// transform the JSON response returned from the server. For example
// a JMESPath of "items | length(@)" applied to the API server response
// to the URLPath "/apis/apps/v1/deployments" will return the total count
// for the URLPath "/apis/apps/v1/deployments" will return the total count
// of deployments across all namespaces.
// +optional
// +kubebuilder:validation:Optional
JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
}
type ServiceCall struct {
// URL is the JSON web service URL.
// The typical format is `https://{service}.{namespace}:{port}/{path}`.
URL string `json:"urlPath" yaml:"urlPath"`
// CABundle is a PEM encoded CA bundle which will be used to validate
// the server certificate.
// +kubebuilder:validation:Optional
CABundle string `json:"caBundle" yaml:"caBundle"`
// Method is the HTTP request type (GET or POST).
// +kubebuilder:default=GET
Method Method `json:"requestType" yaml:"requestType"`
// Data specifies the POST data sent to the server.
// +kubebuilder:validation:Optional
Data []RequestData `json:"data" yaml:"data"`
}
// Method is a HTTP request type.
// +kubebuilder:validation:Enum=GET;POST
type Method string
// RequestData contains the HTTP POST data
type RequestData struct {
// Key is a unique identifier for the data value
Key string `json:"key" yaml:"key"`
// Value is the data value
Value *apiextensionsv1.JSON `json:"value" yaml:"value"`
}
// Condition defines variable-based conditional criteria for rule execution.
type Condition struct {
// Key is the context entry (using JMESPath) for conditional rule evaluation.
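Review bot: `ServiceCall.URL` is accepted as a free-form string: its comment gives `https://{service}.{namespace}:{port}/{path}` as the typical format, but no kubebuilder marker in this hunk constrains the scheme, and `CABundle` is optional with no statement of which trust roots apply when it is empty. Because the URL comes from policy content and the request is presumably issued from the Kyverno pod, I would either add a `+kubebuilder:validation:Pattern` marker anchoring the scheme to https (if plain HTTP is not meant to be supported) or document on the field where the scheme and destination are validated. The `CABundle` comment should also say what happens when the field is unset. Separately, `URLPath` and `Service` are now both optional on `APICall` and nothing visible here requires exactly one of them; if that check lives in policy validation elsewhere, a one-line comment on the struct pointing to it would help. The `ServiceCall` type itself has no doc comment, and `Condition` continues outside the hunk.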


@ -32,6 +32,11 @@ import (
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *APICall) DeepCopyInto(out *APICall) {
*out = *in
if in.Service != nil {
in, out := &in.Service, &out.Service
*out = new(ServiceCall)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APICall.
@ -393,7 +398,7 @@ func (in *ContextEntry) DeepCopyInto(out *ContextEntry) {
if in.APICall != nil {
in, out := &in.APICall, &out.APICall
*out = new(APICall)
**out = **in
(*in).DeepCopyInto(*out)
}
if in.ImageRegistry != nil {
in, out := &in.ImageRegistry, &out.ImageRegistry
@ -1075,6 +1080,26 @@ func (in *PolicyStatus) DeepCopy() *PolicyStatus {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RequestData) DeepCopyInto(out *RequestData) {
*out = *in
if in.Value != nil {
in, out := &in.Value, &out.Value
*out = new(apiextensionsv1.JSON)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestData.
func (in *RequestData) DeepCopy() *RequestData {
if in == nil {
return nil
}
out := new(RequestData)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RequestInfo) DeepCopyInto(out *RequestInfo) {
*out = *in
@ -1285,6 +1310,28 @@ func (in *SecretReference) DeepCopy() *SecretReference {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ServiceCall) DeepCopyInto(out *ServiceCall) {
*out = *in
if in.Data != nil {
in, out := &in.Data, &out.Data
*out = make([]RequestData, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceCall.
func (in *ServiceCall) DeepCopy() *ServiceCall {
if in == nil {
return nil
}
out := new(ServiceCall)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Spec) DeepCopyInto(out *Spec) {
*out = *in


@ -168,7 +168,16 @@ spec:
volumeMounts:
- mountPath: {{ .Values.tufRootMountPath }}
name: sigstore
- mountPath: /var/run/secrets/tokens
name: api-token
volumes:
- name: sigstore
emptyDir: {}
- name: api-token
projected:
sources:
- serviceAccountToken:
path: api-token
expirationSeconds: 600
audience: kyverno-extension
{{- end -}}
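Review bot: The `api-token` mount at `/var/run/secrets/tokens` is added without `readOnly: true`, and the projected token's `audience: kyverno-extension` and `expirationSeconds: 600` are hard-coded in the template rather than taken from chart values. I would add `readOnly: true` under the new `mountPath` entry and expose the audience as a value so operators can match it to what their receiving service checks. As far as this hunk shows, the volume is added whether or not any policy uses a service call; gating it behind a value would keep the token out of pods that never need it. A comment above the volume should state that receiving services are expected to verify the token's audience (for example through a TokenReview), since an audience-scoped token only helps if the receiver checks it. The enclosing container and pod spec start outside the hunk.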


@ -129,19 +129,63 @@ spec:
must be provided.
properties:
apiCall:
description: APICall defines an HTTP request to the Kubernetes
API server. The JSON data retrieved is stored in the
context.
description: APICall is an HTTP request to the Kubernetes
API server, or other JSON web service. The data returned
is stored in the context with the name for the context
entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response
returned from the API server. For example a JMESPath
returned from the server. For example a JMESPath
of "items | length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across
all namespaces.
type: string
service:
description: Service is an API call to a JSON web
service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle
which will be used to validate the server certificate.
type: string
data:
description: Data specifies the POST data sent
to the server.
items:
description: RequestData contains the HTTP POST
data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type (GET
or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL.
The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used in
the HTTP GET request to the Kubernetes API server
@ -149,8 +193,6 @@ spec:
The format required is the same format used by the
`kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -1647,20 +1689,66 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON data
retrieved is stored in the context.
description: APICall is an HTTP request to the
Kubernetes API server, or other JSON web service.
The data returned is stored in the context
with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
the JSON response returned from the API
server. For example a JMESPath of "items
| length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
the JSON response returned from the server.
For example a JMESPath of "items | length(@)"
applied to the API server response for
the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call to a
JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to validate
the server certificate.
type: string
data:
description: Data specifies the POST
data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data
value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request
type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service
URL. The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to
be used in the HTTP GET request to the
@ -1669,8 +1757,6 @@ spec:
format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -1942,20 +2028,66 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON data
retrieved is stored in the context.
description: APICall is an HTTP request to the
Kubernetes API server, or other JSON web service.
The data returned is stored in the context
with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
the JSON response returned from the API
server. For example a JMESPath of "items
| length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
the JSON response returned from the server.
For example a JMESPath of "items | length(@)"
applied to the API server response for
the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call to a
JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to validate
the server certificate.
type: string
data:
description: Data specifies the POST
data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data
value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request
type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service
URL. The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to
be used in the HTTP GET request to the
@ -1964,8 +2096,6 @@ spec:
format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -3150,19 +3280,64 @@ spec:
APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request to the
Kubernetes API server. The JSON data retrieved is
stored in the context.
description: APICall is an HTTP request to the Kubernetes
API server, or other JSON web service. The data
returned is stored in the context with the name
for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
JSON response returned from the API server.
For example a JMESPath of "items | length(@)"
applied to the API server response to the URLPath
"/apis/apps/v1/deployments" will return the
total count of deployments across all namespaces.
JSON response returned from the server. For
example a JMESPath of "items | length(@)" applied
to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across
all namespaces.
type: string
service:
description: Service is an API call to a JSON
web service
properties:
caBundle:
description: CABundle is a PEM encoded CA
bundle which will be used to validate the
server certificate.
type: string
data:
description: Data specifies the POST data
sent to the server.
items:
description: RequestData contains the HTTP
POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type
(GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL.
The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used
in the HTTP GET request to the Kubernetes API
@ -3170,8 +3345,6 @@ spec:
The format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -4736,21 +4909,70 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON
data retrieved is stored in the context.
description: APICall is an HTTP request
to the Kubernetes API server, or other
JSON web service. The data returned is
stored in the context with the name for
the context entry.
properties:
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
used to transform the JSON response
returned from the API server. For
example a JMESPath of "items | length(@)"
returned from the server. For example
a JMESPath of "items | length(@)"
applied to the API server response
to the URLPath "/apis/apps/v1/deployments"
for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call
to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to
validate the server certificate.
type: string
data:
description: Data specifies the
POST data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique
identifier for the data
value
type: string
value:
description: Value is the
data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP
request type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web
service URL. The typical format
is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path
to be used in the HTTP GET request
@ -4759,8 +4981,6 @@ spec:
The format required is the same format
used by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap
@ -5044,21 +5264,70 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON
data retrieved is stored in the context.
description: APICall is an HTTP request
to the Kubernetes API server, or other
JSON web service. The data returned is
stored in the context with the name for
the context entry.
properties:
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
used to transform the JSON response
returned from the API server. For
example a JMESPath of "items | length(@)"
returned from the server. For example
a JMESPath of "items | length(@)"
applied to the API server response
to the URLPath "/apis/apps/v1/deployments"
for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call
to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to
validate the server certificate.
type: string
data:
description: Data specifies the
POST data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique
identifier for the data
value
type: string
value:
description: Value is the
data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP
request type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web
service URL. The typical format
is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path
to be used in the HTTP GET request
@ -5067,8 +5336,6 @@ spec:
The format required is the same format
used by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap
@ -6445,19 +6712,63 @@ spec:
must be provided.
properties:
apiCall:
description: APICall defines an HTTP request to the Kubernetes
API server. The JSON data retrieved is stored in the
context.
description: APICall is an HTTP request to the Kubernetes
API server, or other JSON web service. The data returned
is stored in the context with the name for the context
entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response
returned from the API server. For example a JMESPath
returned from the server. For example a JMESPath
of "items | length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across
all namespaces.
type: string
service:
description: Service is an API call to a JSON web
service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle
which will be used to validate the server certificate.
type: string
data:
description: Data specifies the POST data sent
to the server.
items:
description: RequestData contains the HTTP POST
data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type (GET
or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL.
The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used in
the HTTP GET request to the Kubernetes API server
@ -6465,8 +6776,6 @@ spec:
The format required is the same format used by the
`kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -7567,20 +7876,66 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON data
retrieved is stored in the context.
description: APICall is an HTTP request to the
Kubernetes API server, or other JSON web service.
The data returned is stored in the context
with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
the JSON response returned from the API
server. For example a JMESPath of "items
| length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
the JSON response returned from the server.
For example a JMESPath of "items | length(@)"
applied to the API server response for
the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call to a
JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to validate
the server certificate.
type: string
data:
description: Data specifies the POST
data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data
value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request
type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service
URL. The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to
be used in the HTTP GET request to the
@ -7589,8 +7944,6 @@ spec:
format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -8030,20 +8383,66 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON data
retrieved is stored in the context.
description: APICall is an HTTP request to the
Kubernetes API server, or other JSON web service.
The data returned is stored in the context
with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
the JSON response returned from the API
server. For example a JMESPath of "items
| length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
the JSON response returned from the server.
For example a JMESPath of "items | length(@)"
applied to the API server response for
the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call to a
JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to validate
the server certificate.
type: string
data:
description: Data specifies the POST
data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data
value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request
type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service
URL. The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to
be used in the HTTP GET request to the
@ -8052,8 +8451,6 @@ spec:
format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -9198,19 +9595,64 @@ spec:
APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request to the
Kubernetes API server. The JSON data retrieved is
stored in the context.
description: APICall is an HTTP request to the Kubernetes
API server, or other JSON web service. The data
returned is stored in the context with the name
for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
JSON response returned from the API server.
For example a JMESPath of "items | length(@)"
applied to the API server response to the URLPath
"/apis/apps/v1/deployments" will return the
total count of deployments across all namespaces.
JSON response returned from the server. For
example a JMESPath of "items | length(@)" applied
to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across
all namespaces.
type: string
service:
description: Service is an API call to a JSON
web service
properties:
caBundle:
description: CABundle is a PEM encoded CA
bundle which will be used to validate the
server certificate.
type: string
data:
description: Data specifies the POST data
sent to the server.
items:
description: RequestData contains the HTTP
POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type
(GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL.
The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used
in the HTTP GET request to the Kubernetes API
@ -9218,8 +9660,6 @@ spec:
The format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -10784,21 +11224,70 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON
data retrieved is stored in the context.
description: APICall is an HTTP request
to the Kubernetes API server, or other
JSON web service. The data returned is
stored in the context with the name for
the context entry.
properties:
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
used to transform the JSON response
returned from the API server. For
example a JMESPath of "items | length(@)"
returned from the server. For example
a JMESPath of "items | length(@)"
applied to the API server response
to the URLPath "/apis/apps/v1/deployments"
for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call
to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to
validate the server certificate.
type: string
data:
description: Data specifies the
POST data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique
identifier for the data
value
type: string
value:
description: Value is the
data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP
request type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web
service URL. The typical format
is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path
to be used in the HTTP GET request
@ -10807,8 +11296,6 @@ spec:
The format required is the same format
used by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap
@ -11092,21 +11579,70 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON
data retrieved is stored in the context.
description: APICall is an HTTP request
to the Kubernetes API server, or other
JSON web service. The data returned is
stored in the context with the name for
the context entry.
properties:
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
used to transform the JSON response
returned from the API server. For
example a JMESPath of "items | length(@)"
returned from the server. For example
a JMESPath of "items | length(@)"
applied to the API server response
to the URLPath "/apis/apps/v1/deployments"
for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call
to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to
validate the server certificate.
type: string
data:
description: Data specifies the
POST data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique
identifier for the data
value
type: string
value:
description: Value is the
data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP
request type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web
service URL. The typical format
is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path
to be used in the HTTP GET request
@ -11115,8 +11651,6 @@ spec:
The format required is the same format
used by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap


@ -130,19 +130,63 @@ spec:
must be provided.
properties:
apiCall:
description: APICall defines an HTTP request to the Kubernetes
API server. The JSON data retrieved is stored in the
context.
description: APICall is an HTTP request to the Kubernetes
API server, or other JSON web service. The data returned
is stored in the context with the name for the context
entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response
returned from the API server. For example a JMESPath
returned from the server. For example a JMESPath
of "items | length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across
all namespaces.
type: string
service:
description: Service is an API call to a JSON web
service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle
which will be used to validate the server certificate.
type: string
data:
description: Data specifies the POST data sent
to the server.
items:
description: RequestData contains the HTTP POST
data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type (GET
or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL.
The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used in
the HTTP GET request to the Kubernetes API server
@ -150,8 +194,6 @@ spec:
The format required is the same format used by the
`kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -1648,20 +1690,66 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON data
retrieved is stored in the context.
description: APICall is an HTTP request to the
Kubernetes API server, or other JSON web service.
The data returned is stored in the context
with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
the JSON response returned from the API
server. For example a JMESPath of "items
| length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
the JSON response returned from the server.
For example a JMESPath of "items | length(@)"
applied to the API server response for
the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call to a
JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to validate
the server certificate.
type: string
data:
description: Data specifies the POST
data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data
value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request
type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service
URL. The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to
be used in the HTTP GET request to the
@ -1670,8 +1758,6 @@ spec:
format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -1943,20 +2029,66 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON data
retrieved is stored in the context.
description: APICall is an HTTP request to the
Kubernetes API server, or other JSON web service.
The data returned is stored in the context
with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
the JSON response returned from the API
server. For example a JMESPath of "items
| length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
the JSON response returned from the server.
For example a JMESPath of "items | length(@)"
applied to the API server response for
the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call to a
JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to validate
the server certificate.
type: string
data:
description: Data specifies the POST
data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data
value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request
type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service
URL. The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to
be used in the HTTP GET request to the
@ -1965,8 +2097,6 @@ spec:
format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -3152,19 +3282,64 @@ spec:
APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request to the
Kubernetes API server. The JSON data retrieved is
stored in the context.
description: APICall is an HTTP request to the Kubernetes
API server, or other JSON web service. The data
returned is stored in the context with the name
for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
JSON response returned from the API server.
For example a JMESPath of "items | length(@)"
applied to the API server response to the URLPath
"/apis/apps/v1/deployments" will return the
total count of deployments across all namespaces.
JSON response returned from the server. For
example a JMESPath of "items | length(@)" applied
to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across
all namespaces.
type: string
service:
description: Service is an API call to a JSON
web service
properties:
caBundle:
description: CABundle is a PEM encoded CA
bundle which will be used to validate the
server certificate.
type: string
data:
description: Data specifies the POST data
sent to the server.
items:
description: RequestData contains the HTTP
POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type
(GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL.
The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used
in the HTTP GET request to the Kubernetes API
@ -3172,8 +3347,6 @@ spec:
The format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -4738,21 +4911,70 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON
data retrieved is stored in the context.
description: APICall is an HTTP request
to the Kubernetes API server, or other
JSON web service. The data returned is
stored in the context with the name for
the context entry.
properties:
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
used to transform the JSON response
returned from the API server. For
example a JMESPath of "items | length(@)"
returned from the server. For example
a JMESPath of "items | length(@)"
applied to the API server response
to the URLPath "/apis/apps/v1/deployments"
for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call
to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to
validate the server certificate.
type: string
data:
description: Data specifies the
POST data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique
identifier for the data
value
type: string
value:
description: Value is the
data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP
request type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web
service URL. The typical format
is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path
to be used in the HTTP GET request
@ -4761,8 +4983,6 @@ spec:
The format required is the same format
used by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap
@ -5046,21 +5266,70 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON
data retrieved is stored in the context.
description: APICall is an HTTP request
to the Kubernetes API server, or other
JSON web service. The data returned is
stored in the context with the name for
the context entry.
properties:
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
used to transform the JSON response
returned from the API server. For
example a JMESPath of "items | length(@)"
returned from the server. For example
a JMESPath of "items | length(@)"
applied to the API server response
to the URLPath "/apis/apps/v1/deployments"
for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call
to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to
validate the server certificate.
type: string
data:
description: Data specifies the
POST data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique
identifier for the data
value
type: string
value:
description: Value is the
data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP
request type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web
service URL. The typical format
is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path
to be used in the HTTP GET request
@ -5069,8 +5338,6 @@ spec:
The format required is the same format
used by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap
@ -6448,19 +6715,63 @@ spec:
must be provided.
properties:
apiCall:
description: APICall defines an HTTP request to the Kubernetes
API server. The JSON data retrieved is stored in the
context.
description: APICall is an HTTP request to the Kubernetes
API server, or other JSON web service. The data returned
is stored in the context with the name for the context
entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response
returned from the API server. For example a JMESPath
returned from the server. For example a JMESPath
of "items | length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across
all namespaces.
type: string
service:
description: Service is an API call to a JSON web
service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle
which will be used to validate the server certificate.
type: string
data:
description: Data specifies the POST data sent
to the server.
items:
description: RequestData contains the HTTP POST
data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type (GET
or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL.
The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used in
the HTTP GET request to the Kubernetes API server
@ -6468,8 +6779,6 @@ spec:
The format required is the same format used by the
`kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -7570,20 +7879,66 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON data
retrieved is stored in the context.
description: APICall is an HTTP request to the
Kubernetes API server, or other JSON web service.
The data returned is stored in the context
with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
the JSON response returned from the API
server. For example a JMESPath of "items
| length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
the JSON response returned from the server.
For example a JMESPath of "items | length(@)"
applied to the API server response for
the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call to a
JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to validate
the server certificate.
type: string
data:
description: Data specifies the POST
data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data
value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request
type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service
URL. The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to
be used in the HTTP GET request to the
@ -7592,8 +7947,6 @@ spec:
format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -8033,20 +8386,66 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON data
retrieved is stored in the context.
description: APICall is an HTTP request to the
Kubernetes API server, or other JSON web service.
The data returned is stored in the context
with the name for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON
Match Expression that can be used to transform
the JSON response returned from the API
server. For example a JMESPath of "items
| length(@)" applied to the API server
response to the URLPath "/apis/apps/v1/deployments"
the JSON response returned from the server.
For example a JMESPath of "items | length(@)"
applied to the API server response for
the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call to a
JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to validate
the server certificate.
type: string
data:
description: Data specifies the POST
data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data
value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request
type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service
URL. The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to
be used in the HTTP GET request to the
@ -8055,8 +8454,6 @@ spec:
format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -9201,19 +9598,64 @@ spec:
APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request to the
Kubernetes API server. The JSON data retrieved is
stored in the context.
description: APICall is an HTTP request to the Kubernetes
API server, or other JSON web service. The data
returned is stored in the context with the name
for the context entry.
properties:
jmesPath:
description: JMESPath is an optional JSON Match
Expression that can be used to transform the
JSON response returned from the API server.
For example a JMESPath of "items | length(@)"
applied to the API server response to the URLPath
"/apis/apps/v1/deployments" will return the
total count of deployments across all namespaces.
JSON response returned from the server. For
example a JMESPath of "items | length(@)" applied
to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across
all namespaces.
type: string
service:
description: Service is an API call to a JSON
web service
properties:
caBundle:
description: CABundle is a PEM encoded CA
bundle which will be used to validate the
server certificate.
type: string
data:
description: Data specifies the POST data
sent to the server.
items:
description: RequestData contains the HTTP
POST data
properties:
key:
description: Key is a unique identifier
for the data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP request type
(GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web service URL.
The typical format is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path to be used
in the HTTP GET request to the Kubernetes API
@ -9221,8 +9663,6 @@ spec:
The format required is the same format used
by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap reference.
@ -10787,21 +11227,70 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON
data retrieved is stored in the context.
description: APICall is an HTTP request
to the Kubernetes API server, or other
JSON web service. The data returned is
stored in the context with the name for
the context entry.
properties:
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
used to transform the JSON response
returned from the API server. For
example a JMESPath of "items | length(@)"
returned from the server. For example
a JMESPath of "items | length(@)"
applied to the API server response
to the URLPath "/apis/apps/v1/deployments"
for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call
to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to
validate the server certificate.
type: string
data:
description: Data specifies the
POST data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique
identifier for the data
value
type: string
value:
description: Value is the
data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP
request type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web
service URL. The typical format
is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path
to be used in the HTTP GET request
@ -10810,8 +11299,6 @@ spec:
The format required is the same format
used by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap
@ -11095,21 +11582,70 @@ spec:
reference or a APILookup must be provided.
properties:
apiCall:
description: APICall defines an HTTP request
to the Kubernetes API server. The JSON
data retrieved is stored in the context.
description: APICall is an HTTP request
to the Kubernetes API server, or other
JSON web service. The data returned is
stored in the context with the name for
the context entry.
properties:
jmesPath:
description: JMESPath is an optional
JSON Match Expression that can be
used to transform the JSON response
returned from the API server. For
example a JMESPath of "items | length(@)"
returned from the server. For example
a JMESPath of "items | length(@)"
applied to the API server response
to the URLPath "/apis/apps/v1/deployments"
for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments
across all namespaces.
type: string
service:
description: Service is an API call
to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded
CA bundle which will be used to
validate the server certificate.
type: string
data:
description: Data specifies the
POST data sent to the server.
items:
description: RequestData contains
the HTTP POST data
properties:
key:
description: Key is a unique
identifier for the data
value
type: string
value:
description: Value is the
data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
requestType:
default: GET
description: Method is the HTTP
request type (GET or POST).
enum:
- GET
- POST
type: string
urlPath:
description: URL is the JSON web
service URL. The typical format
is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- requestType
- urlPath
type: object
urlPath:
description: URLPath is the URL path
to be used in the HTTP GET request
@ -11118,8 +11654,6 @@ spec:
The format required is the same format
used by the `kubectl get --raw` command.
type: string
required:
- urlPath
type: object
configMap:
description: ConfigMap is the ConfigMap


31559
config/install_debug.yaml Normal file



@ -621,10 +621,6 @@ Deprecated. Policy metrics are available via the metrics endpoint</p>
<a href="#kyverno.io/v1.ContextEntry">ContextEntry</a>)
</p>
<p>
<p>APICall defines an HTTP request to the Kubernetes API server. The JSON
data retrieved is stored in the context. An APICall contains a URLPath
used to perform the HTTP GET request and an optional JMESPath used to
transform the retrieved JSON data.</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
@ -649,17 +645,29 @@ The format required is the same format used by the <code>kubectl get --raw</code
</tr>
<tr>
<td>
<code>service</code><br/>
<em>
<a href="#kyverno.io/v1.ServiceCall">
ServiceCall
</a>
</em>
</td>
<td>
<p>Service is an API call to a JSON web service</p>
</td>
</tr>
<tr>
<td>
<code>jmesPath</code><br/>
<em>
string
</em>
</td>
<td>
<em>(Optional)</em>
<p>JMESPath is an optional JSON Match Expression that can be used to
transform the JSON response returned from the API server. For example
transform the JSON response returned from the server. For example
a JMESPath of &ldquo;items | length(@)&rdquo; applied to the API server response
to the URLPath &ldquo;/apis/apps/v1/deployments&rdquo; will return the total count
for the URLPath &ldquo;/apis/apps/v1/deployments&rdquo; will return the total count
of deployments across all namespaces.</p>
</td>
</tr>
@ -1320,8 +1328,8 @@ APICall
</em>
</td>
<td>
<p>APICall defines an HTTP request to the Kubernetes API server. The JSON
data retrieved is stored in the context.</p>
<p>APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
The data returned is stored in the context with the name for the context entry.</p>
</td>
</tr>
<tr>
@ -2516,6 +2524,15 @@ Please specify under &ldquo;any&rdquo; or &ldquo;all&rdquo; instead.</p>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.Method">Method
(<code>string</code> alias)</p></h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.ServiceCall">ServiceCall</a>)
</p>
<p>
<p>Method is a HTTP request type.</p>
</p>
<h3 id="kyverno.io/v1.Mutation">Mutation
</h3>
<p>
@ -2820,6 +2837,50 @@ RuleCountStatus
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.RequestData">RequestData
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.ServiceCall">ServiceCall</a>)
</p>
<p>
<p>RequestData contains the HTTP POST data</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>key</code><br/>
<em>
string
</em>
</td>
<td>
<p>Key is a unique identifier for the data value</p>
</td>
</tr>
<tr>
<td>
<code>value</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#json-v1-apiextensions">
Kubernetes apiextensions/v1.JSON
</a>
</em>
</td>
<td>
<p>Value is the data value</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.RequestInfo">RequestInfo
</h3>
<p>
@ -3399,6 +3460,75 @@ string
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.ServiceCall">ServiceCall
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.APICall">APICall</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>urlPath</code><br/>
<em>
string
</em>
</td>
<td>
<p>URL is the JSON web service URL.
The typical format is <code>https://{service}.{namespace}:{port}/{path}</code>.</p>
</td>
</tr>
<tr>
<td>
<code>caBundle</code><br/>
<em>
string
</em>
</td>
<td>
<p>CABundle is a PEM encoded CA bundle which will be used to validate
the server certificate.</p>
</td>
</tr>
<tr>
<td>
<code>requestType</code><br/>
<em>
<a href="#kyverno.io/v1.Method">
Method
</a>
</em>
</td>
<td>
<p>Method is the HTTP request type (GET or POST).</p>
</td>
</tr>
<tr>
<td>
<code>data</code><br/>
<em>
<a href="#kyverno.io/v1.RequestData">
[]RequestData
</a>
</em>
</td>
<td>
<p>Data specifies the POST data sent to the server.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.Spec">Spec
</h3>
<p>


@ -0,0 +1,233 @@
package apicall
import (
"bytes"
goctx "context"
"crypto/tls"
"crypto/x509"
"encoding/json"
"fmt"
"io"
"net/http"
"os"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/engine/variables"
"github.com/pkg/errors"
)
type apiCall struct {
log logr.Logger
entry kyvernov1.ContextEntry
ctx goctx.Context
jsonCtx context.Interface
client dclient.Interface
}
func New(ctx goctx.Context, entry kyvernov1.ContextEntry, jsonCtx context.Interface, client dclient.Interface, log logr.Logger) (*apiCall, error) {
if entry.APICall == nil {
return nil, fmt.Errorf("missing APICall in context entry %v", entry)
}
return &apiCall{
ctx: ctx,
entry: entry,
jsonCtx: jsonCtx,
client: client,
log: log,
}, nil
}
func (a *apiCall) Execute() ([]byte, error) {
call, err := variables.SubstituteAllInType(a.log, a.jsonCtx, a.entry.APICall)
if err != nil {
return nil, fmt.Errorf("failed to substitute variables in context entry %s %s: %v", a.entry.Name, a.entry.APICall.URLPath, err)
}
data, err := a.execute(call)
if err != nil {
return nil, err
}
result, err := a.transformAndStore(data)
if err != nil {
return nil, err
}
return result, nil
}
func (a *apiCall) execute(call *kyvernov1.APICall) ([]byte, error) {
if call.URLPath != "" {
return a.executeK8sAPICall(call.URLPath)
}
return a.executeServiceCall(call.Service)
}
func (a *apiCall) executeK8sAPICall(path string) ([]byte, error) {
jsonData, err := a.client.RawAbsPath(a.ctx, path)
if err != nil {
return nil, fmt.Errorf("failed to get resource with raw url\n: %s: %v", path, err)
}
a.log.V(4).Info("executed APICall", "name", a.entry.Name, "len", len(jsonData))
return jsonData, nil
}
func (a *apiCall) executeServiceCall(service *kyvernov1.ServiceCall) ([]byte, error) {
if service == nil {
return nil, fmt.Errorf("missing service for APICall %s", a.entry.Name)
}
client, err := a.buildHTTPClient(service)
if err != nil {
return nil, err
}
req, err := a.buildHTTPRequest(service)
if err != nil {
return nil, errors.Wrapf(err, "failed to build HTTP request for APICall %s", a.entry.Name)
}
resp, err := client.Do(req)
if err != nil {
return nil, errors.Wrapf(err, "failed to execute HTTP request for APICall %s", a.entry.Name)
}
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
return nil, fmt.Errorf("HTTP %d: %s", resp.StatusCode, resp.Status)
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return nil, errors.Wrapf(err, "failed to read data from APICall %s", a.entry.Name)
}
a.log.Info("executed service APICall", "name", a.entry.Name, "len", len(body))
return body, nil
}
func (a *apiCall) buildHTTPRequest(service *kyvernov1.ServiceCall) (req *http.Request, err error) {
token := a.getToken()
defer func() {
if token != "" && req != nil {
req.Header.Add("Authorization", "Bearer "+token)
}
}()
if service.Method == "GET" {
req, err = http.NewRequest("GET", service.URL, nil)
return
}
if service.Method == "POST" {
data, dataErr := a.buildPostData(service.Data)
if dataErr != nil {
return nil, dataErr
}
req, err = http.NewRequest("POST", service.URL, data)
return
}
return nil, fmt.Errorf("invalid request type %s for APICall %s", service.Method, a.entry.Name)
}
func (a *apiCall) getToken() string {
b, err := os.ReadFile("/var/run/secrets/tokens/api-token")
if err != nil {
a.log.Info("failed to read token", "path", "/var/run/secrets/tokens/api-token")
return ""
}
return string(b)
}
func (a *apiCall) buildHTTPClient(service *kyvernov1.ServiceCall) (*http.Client, error) {
if service.CABundle == "" {
return http.DefaultClient, nil
}
caCertPool := x509.NewCertPool()
if ok := caCertPool.AppendCertsFromPEM([]byte(service.CABundle)); !ok {
return nil, fmt.Errorf("failed to parse PEM CA bundle for APICall %s", a.entry.Name)
}
return &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: caCertPool,
MinVersion: tls.VersionTLS12,
},
},
}, nil
}
func (a *apiCall) buildPostData(data []kyvernov1.RequestData) (io.Reader, error) {
dataMap := make(map[string]interface{})
for _, d := range data {
dataMap[d.Key] = d.Value
}
buffer := new(bytes.Buffer)
if err := json.NewEncoder(buffer).Encode(dataMap); err != nil {
return nil, errors.Wrapf(err, "failed to encode HTTP POST data %v for APICall %s", dataMap, a.entry.Name)
}
return buffer, nil
}
func (a *apiCall) transformAndStore(jsonData []byte) ([]byte, error) {
if a.entry.APICall.JMESPath == "" {
err := a.jsonCtx.AddContextEntry(a.entry.Name, jsonData)
if err != nil {
return nil, errors.Wrapf(err, "failed to add resource data to context entry %s", a.entry.Name)
}
return jsonData, nil
}
path, err := variables.SubstituteAll(a.log, a.jsonCtx, a.entry.APICall.JMESPath)
if err != nil {
return nil, errors.Wrapf(err, "failed to substitute variables in context entry %s JMESPath %s", a.entry.Name, a.entry.APICall.JMESPath)
}
results, err := applyJMESPathJSON(path.(string), jsonData)
if err != nil {
return nil, errors.Wrapf(err, "failed to apply JMESPath %s for context entry %s", path, a.entry.Name)
}
contextData, err := json.Marshal(results)
if err != nil {
return nil, errors.Wrapf(err, "failed to marshall APICall data for context entry %s", a.entry.Name)
}
err = a.jsonCtx.AddContextEntry(a.entry.Name, contextData)
if err != nil {
return nil, errors.Wrapf(err, "failed to add APICall results for context entry %s", a.entry.Name)
}
a.log.V(4).Info("added context data", "name", a.entry.Name, "len", len(contextData))
return contextData, nil
}
func applyJMESPathJSON(jmesPath string, jsonData []byte) (interface{}, error) {
var data interface{}
err := json.Unmarshal(jsonData, &data)
if err != nil {
return nil, fmt.Errorf("failed to unmarshal JSON: %s, error: %v", string(jsonData), err)
}
jp, err := jmespath.New(jmesPath)
if err != nil {
return nil, fmt.Errorf("failed to compile JMESPath: %s, error: %v", jmesPath, err)
}
return jp.Search(data)
}


@ -0,0 +1,146 @@
package apicall
import (
"context"
"io"
"net/http"
"net/http/httptest"
"testing"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/logging"
"gotest.tools/assert"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
)
func buildTestServer(responseData []byte) *httptest.Server {
mux := http.NewServeMux()
mux.HandleFunc("/resource", func(w http.ResponseWriter, r *http.Request) {
if r.Method == "GET" {
w.Write(responseData)
return
}
if r.Method == "POST" {
defer r.Body.Close()
body, _ := io.ReadAll(r.Body)
w.Write(body)
}
})
return httptest.NewServer(mux)
}
func Test_serviceGetRequest(t *testing.T) {
serverResponse := []byte(`{ "day": "Sunday" }`)
s := buildTestServer(serverResponse)
defer s.Close()
entry := kyvernov1.ContextEntry{}
ctx := enginecontext.NewContext()
_, err := New(context.TODO(), entry, ctx, nil, logging.GlobalLogger())
assert.ErrorContains(t, err, "missing APICall")
entry.Name = "test"
entry.APICall = &kyvernov1.APICall{
Service: &kyvernov1.ServiceCall{
URL: s.URL,
},
}
call, err := New(context.TODO(), entry, ctx, nil, logging.GlobalLogger())
assert.NilError(t, err)
_, err = call.Execute()
assert.ErrorContains(t, err, "invalid request type")
entry.APICall.Service.Method = "GET"
call, err = New(context.TODO(), entry, ctx, nil, logging.GlobalLogger())
assert.NilError(t, err)
_, err = call.Execute()
assert.ErrorContains(t, err, "HTTP 404")
entry.APICall.Service.URL = s.URL + "/resource"
call, err = New(context.TODO(), entry, ctx, nil, logging.GlobalLogger())
assert.NilError(t, err)
data, err := call.Execute()
assert.NilError(t, err)
assert.Assert(t, data != nil, "nil data")
assert.Equal(t, string(serverResponse), string(data))
}
func Test_servicePostRequest(t *testing.T) {
serverResponse := []byte(`{ "day": "Monday" }`)
s := buildTestServer(serverResponse)
defer s.Close()
entry := kyvernov1.ContextEntry{
Name: "test",
APICall: &kyvernov1.APICall{
Service: &kyvernov1.ServiceCall{
URL: s.URL + "/resource",
Method: "POST",
},
},
}
ctx := enginecontext.NewContext()
call, err := New(context.TODO(), entry, ctx, nil, logging.GlobalLogger())
assert.NilError(t, err)
data, err := call.Execute()
assert.NilError(t, err)
assert.Equal(t, "{}\n", string(data))
imageData := `{
"containers": {
"tomcat": {
"reference": "https://ghcr.io/tomcat/tomcat:9",
"registry": "https://ghcr.io",
"path": "tomcat",
"name": "tomcat",
"tag": "9"
}
},
"initContainers": {
"vault": {
"reference": "https://ghcr.io/vault/vault:v3",
"registry": "https://ghcr.io",
"path": "vault",
"name": "vault",
"tag": "v3"
}
},
"ephemeralContainers": {
"vault": {
"reference": "https://ghcr.io/busybox/busybox:latest",
"registry": "https://ghcr.io",
"path": "busybox",
"name": "busybox",
"tag": "latest"
}
}
}`
err = ctx.AddContextEntry("images", []byte(imageData))
assert.NilError(t, err)
entry.APICall.Service.Data = []kyvernov1.RequestData{
{
Key: "images",
Value: &apiextensionsv1.JSON{
Raw: []byte("\"{{ images.[containers, initContainers, ephemeralContainers][].*.reference[] }}\""),
},
},
}
call, err = New(context.TODO(), entry, ctx, nil, logging.GlobalLogger())
assert.NilError(t, err)
data, err = call.Execute()
assert.NilError(t, err)
expectedResults := `{"images":["https://ghcr.io/tomcat/tomcat:9","https://ghcr.io/vault/vault:v3","https://ghcr.io/busybox/busybox:latest"]}`
assert.Equal(t, string(expectedResults)+"\n", string(data))
}
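Review bot: Neither Test_serviceGetRequest nor Test_servicePostRequest exercises the CABundle branch of buildHTTPClient or the Authorization header that buildHTTPRequest adds, so the two trust-relevant paths of the service call are untested. buildTestServer could gain a TLS variant built with `httptest.NewTLSServer(mux)`, with one case that passes the server certificate as PEM in `Service.CABundle` and expects success, and one that passes an unrelated CA and expects Execute to fail. For the token, the handler could record `r.Header.Get("Authorization")` so a test can assert when the header is and is not sent; as written getToken reads a fixed path, so that would need the path to be injectable. The handler also drops the errors from `io.ReadAll` and `w.Write`, which can hide a broken fixture.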


@ -8,9 +8,11 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store"
"github.com/kyverno/kyverno/pkg/engine/apicall"
jmespath "github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/engine/variables"
"github.com/kyverno/kyverno/pkg/registryclient"
"github.com/pkg/errors"
)
// LoadContext - Fetches and adds external data to the Context.
@ -238,41 +240,15 @@ func fetchImageDataMap(ctx context.Context, rclient registryclient.Client, ref s
}
func loadAPIData(ctx context.Context, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx *PolicyContext) error {
jsonData, err := fetchAPIData(ctx, logger, entry, enginectx)
executor, err := apicall.New(ctx, entry, enginectx.JSONContext(), enginectx.Client(), logger)
if err != nil {
return err
return errors.Wrapf(err, "failed to initialize APICall")
}
if entry.APICall.JMESPath == "" {
err = enginectx.jsonContext.AddContextEntry(entry.Name, jsonData)
if err != nil {
return fmt.Errorf("failed to add resource data to context: contextEntry: %v, error: %v", entry, err)
}
return nil
if _, err := executor.Execute(); err != nil {
return errors.Wrapf(err, "failed to execute APICall")
}
path, err := variables.SubstituteAll(logger, enginectx.jsonContext, entry.APICall.JMESPath)
if err != nil {
return fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.APICall.JMESPath, err)
}
results, err := applyJMESPathJSON(path.(string), jsonData)
if err != nil {
return err
}
contextData, err := json.Marshal(results)
if err != nil {
return fmt.Errorf("failed to marshall data %v for context entry %v: %v", contextData, entry, err)
}
err = enginectx.jsonContext.AddContextEntry(entry.Name, contextData)
if err != nil {
return fmt.Errorf("failed to add JMESPath (%s) results to context, error: %v", entry.APICall.JMESPath, err)
}
logger.V(4).Info("added APICall context entry", "len", len(contextData))
return nil
}
@ -285,39 +261,6 @@ func applyJMESPath(jmesPath string, data interface{}) (interface{}, error) {
return jp.Search(data)
}
func applyJMESPathJSON(jmesPath string, jsonData []byte) (interface{}, error) {
var data interface{}
err := json.Unmarshal(jsonData, &data)
if err != nil {
return nil, fmt.Errorf("failed to unmarshal JSON: %s, error: %v", string(jsonData), err)
}
return applyJMESPath(jmesPath, data)
}
func fetchAPIData(ctx context.Context, log logr.Logger, entry kyvernov1.ContextEntry, enginectx *PolicyContext) ([]byte, error) {
if entry.APICall == nil {
return nil, fmt.Errorf("missing APICall in context entry %s %v", entry.Name, entry.APICall)
}
path, err := variables.SubstituteAll(log, enginectx.jsonContext, entry.APICall.URLPath)
if err != nil {
return nil, fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.APICall.URLPath, err)
}
pathStr := path.(string)
jsonData, err := getResource(ctx, enginectx, pathStr)
if err != nil {
return nil, fmt.Errorf("failed to get resource with raw url\n: %s: %v", pathStr, err)
}
return jsonData, nil
}
func getResource(ctx context.Context, enginectx *PolicyContext, p string) ([]byte, error) {
return enginectx.client.RawAbsPath(ctx, p)
}
func loadConfigMap(ctx context.Context, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx *PolicyContext) error {
data, err := fetchConfigMap(ctx, logger, entry, enginectx)
if err != nil {
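Review bot: loadAPIData has no doc comment, and after this change it is where a policy's context entry can cause an outbound HTTP request, because `apicall.New(...)` followed by `executor.Execute()` reaches executeServiceCall whenever `URLPath` is empty. As shown elsewhere on this page, that path adds `Authorization: Bearer <token>` to the request for `service.URL` whenever the file at `/var/run/secrets/tokens/api-token` is readable, with no check on the URL scheme and with `http.DefaultClient` (no timeout) when no CABundle is set. I would state that at the call site, e.g. `// loadAPIData resolves an APICall entry; for Service entries it sends an HTTP request to the URL given in the policy and may attach the mounted API token.` Separately, both `errors.Wrapf` calls take no format arguments and drop the entry name the old messages carried; `errors.Wrapf(err, "failed to execute APICall %s", entry.Name)` keeps a failed call attributable to its context entry. loadConfigMap at the end of the section is context only and continues outside the hunk.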


@ -126,6 +126,10 @@ func (c *PolicyContext) FindExceptions(rule string) ([]*kyvernov2alpha1.PolicyEx
return result, nil
}
func (c *PolicyContext) Client() dclient.Interface {
return c.client
}
// Mutators
func (c *PolicyContext) WithPolicy(policy kyvernov1.PolicyInterface) *PolicyContext {


@ -84,9 +84,6 @@ func SubstituteAll(log logr.Logger, ctx context.EvalInterface, document interfac
}
func SubstituteAllInPreconditions(log logr.Logger, ctx context.EvalInterface, document interface{}) (interface{}, error) {
// We must convert all incoming conditions to JSON data i.e.
// string, []interface{}, map[string]interface{}
// we cannot use structs otherwise json traverse doesn't work
untypedDoc, err := DocumentToUntyped(document)
if err != nil {
return nil, err
@ -94,21 +91,42 @@ func SubstituteAllInPreconditions(log logr.Logger, ctx context.EvalInterface, do
return substituteAll(log, ctx, untypedDoc, newPreconditionsVariableResolver(log))
}
func SubstituteAllInRule(log logr.Logger, ctx context.EvalInterface, typedRule kyvernov1.Rule) (_ kyvernov1.Rule, err error) {
var rule interface{}
rule, err = DocumentToUntyped(typedRule)
func SubstituteAllInType[T any](log logr.Logger, ctx context.EvalInterface, t *T) (*T, error) {
untyped, err := DocumentToUntyped(t)
if err != nil {
return typedRule, err
return nil, err
}
rule, err = SubstituteAll(log, ctx, rule)
untypedResults, err := SubstituteAll(log, ctx, untyped)
if err != nil {
return typedRule, err
return nil, err
}
return UntypedToRule(rule)
jsonBytes, err := json.Marshal(untypedResults)
if err != nil {
return nil, err
}
var result T
err = json.Unmarshal(jsonBytes, &result)
if err != nil {
return nil, err
}
return &result, nil
}
func SubstituteAllInRule(log logr.Logger, ctx context.EvalInterface, rule kyvernov1.Rule) (_ kyvernov1.Rule, err error) {
result, err := SubstituteAllInType(log, ctx, &rule)
if err != nil {
return kyvernov1.Rule{}, err
}
return *result, nil
}
// DocumentToUntyped converts a typed object to JSON data i.e.
// string, []interface{}, map[string]interface{}
func DocumentToUntyped(doc interface{}) (interface{}, error) {
jsonDoc, err := json.Marshal(doc)
if err != nil {
@ -124,19 +142,19 @@ func DocumentToUntyped(doc interface{}) (interface{}, error) {
return untyped, nil
}
func UntypedToRule(untyped interface{}) (kyvernov1.Rule, error) {
func untypedToTyped[T any](untyped interface{}) (*T, error) {
jsonRule, err := json.Marshal(untyped)
if err != nil {
return kyvernov1.Rule{}, err
return nil, err
}
var rule kyvernov1.Rule
err = json.Unmarshal(jsonRule, &rule)
var t T
err = json.Unmarshal(jsonRule, &t)
if err != nil {
return kyvernov1.Rule{}, err
return nil, err
}
return rule, nil
return &t, nil
}
func SubstituteAllInConditions(log logr.Logger, ctx context.EvalInterface, conditions []kyvernov1.AnyAllConditions) ([]kyvernov1.AnyAllConditions, error) {
@ -211,7 +229,12 @@ func SubstituteAllForceMutate(log logr.Logger, ctx context.Interface, typedRule
}
}
return UntypedToRule(rule)
result, err := untypedToTyped[kyvernov1.Rule](rule)
if err != nil {
return kyvernov1.Rule{}, err
}
return *result, nil
}
func substituteVars(log logr.Logger, ctx context.EvalInterface, rule interface{}, vr VariableResolver) (interface{}, error) {