mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00

chore: move celexceptions to the new group (#12143)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Mariam Fahmy 2025-02-11 19:05:22 +02:00 committed by GitHub
parent a660088775
commit 7d5750a717
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
94 changed files with 3742 additions and 316 deletions


@ -517,6 +517,14 @@ codegen-crds-kyverno: $(CONTROLLER_GEN)
@rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno
@GOPATH=$(GOPATH_SHIM) $(CONTROLLER_GEN) paths=./api/kyverno/v1/... paths=./api/kyverno/v1beta1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno
.PHONY: codegen-crds-policies
codegen-crds-policies: ## Generate policies CRDs
codegen-crds-policies: $(PACKAGE_SHIM)
codegen-crds-policies: $(CONTROLLER_GEN)
@echo Generate policies crds... >&2
@rm -rf $(CRDS_PATH)/policies.kyverno.io && mkdir -p $(CRDS_PATH)/policies.kyverno.io
@GOPATH=$(GOPATH_SHIM) $(CONTROLLER_GEN) paths=./api/policies.kyverno.io/v1alpha1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/policies.kyverno.io
.PHONY: codegen-crds-policyreport
codegen-crds-policyreport: ## Generate policy reports CRDs
codegen-crds-policyreport: $(PACKAGE_SHIM)
@ -542,7 +550,7 @@ codegen-crds-cli: $(CONTROLLER_GEN)
@GOPATH=$(GOPATH_SHIM) $(CONTROLLER_GEN) paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
.PHONY: codegen-crds-all
codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-cli-crds ## Generate all CRDs
codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-crds-policies codegen-cli-crds ## Generate all CRDs
.PHONY: codegen-helm-docs
codegen-helm-docs: ## Generate helm docs
@ -586,14 +594,15 @@ codegen-cli-docs: $(CLI_BIN) ## Generate CLI docs
.PHONY: codegen-cli-crds
codegen-cli-crds: ## Copy generated CRDs to embed in the CLI
codegen-cli-crds: codegen-crds-kyverno
codegen-cli-crds: codegen-crds-policies
codegen-cli-crds: codegen-crds-cli
@echo Copy generated CRDs to embed in the CLI... >&2
@rm -rf cmd/cli/kubectl-kyverno/data/crds && mkdir -p cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_clusterpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_policies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_policyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_celpolicyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_validatingpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp cmd/cli/kubectl-kyverno/config/crds/* cmd/cli/kubectl-kyverno/data/crds
.PHONY: codegen-docs-all
@ -631,15 +640,16 @@ codegen-helm-crds: codegen-crds-all ## Generate helm CRDs
@rm -rf ./charts/kyverno/charts/crds/templates/kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/kyverno.io
@rm -rf ./charts/kyverno/charts/crds/templates/reports.kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/reports.kyverno.io
@rm -rf ./charts/kyverno/charts/crds/templates/wgpolicyk8s.io && mkdir -p ./charts/kyverno/charts/crds/templates/wgpolicyk8s.io
@rm -rf ./charts/kyverno/charts/crds/templates/policies.kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/policies.kyverno.io
$(call generate_crd,kyverno.io_cleanuppolicies.yaml,kyverno,kyverno.io,kyverno,cleanuppolicies)
$(call generate_crd,kyverno.io_clustercleanuppolicies.yaml,kyverno,kyverno.io,kyverno,clustercleanuppolicies)
$(call generate_crd,kyverno.io_clusterpolicies.yaml,kyverno,kyverno.io,kyverno,clusterpolicies)
$(call generate_crd,kyverno.io_globalcontextentries.yaml,kyverno,kyverno.io,kyverno,globalcontextentries)
$(call generate_crd,kyverno.io_policies.yaml,kyverno,kyverno.io,kyverno,policies)
$(call generate_crd,kyverno.io_policyexceptions.yaml,kyverno,kyverno.io,kyverno,policyexceptions)
$(call generate_crd,kyverno.io_celpolicyexceptions.yaml,kyverno,kyverno.io,kyverno,celpolicyexceptions)
$(call generate_crd,kyverno.io_updaterequests.yaml,kyverno,kyverno.io,kyverno,updaterequests)
$(call generate_crd,kyverno.io_validatingpolicies.yaml,kyverno,kyverno.io,kyverno,validatingpolicies)
$(call generate_crd,policies.kyverno.io_celpolicyexceptions.yaml,policies.kyverno.io,policies.kyverno.io,policies,celpolicyexceptions)
$(call generate_crd,policies.kyverno.io_validatingpolicies.yaml,policies.kyverno.io,policies.kyverno.io,policies,validatingpolicies)
$(call generate_crd,reports.kyverno.io_clusterephemeralreports.yaml,reports,reports.kyverno.io,reports,clusterephemeralreports)
$(call generate_crd,reports.kyverno.io_ephemeralreports.yaml,reports,reports.kyverno.io,reports,ephemeralreports)
$(call generate_crd,wgpolicyk8s.io_clusterpolicyreports.yaml,policyreport,wgpolicyk8s.io,wgpolicyk8s,clusterpolicyreports)
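Review bot: The two new `cp` lines in `codegen-cli-crds` read from a hard-coded `config/crds/policies.kyverno.io/...`, while the new `codegen-crds-policies` target writes to `$(CRDS_PATH)/policies.kyverno.io`; if `CRDS_PATH` is ever overridden, the CLI would embed stale or missing CRDs. The existing kyverno.io `cp` lines have the same shape, so this is a consistency point rather than a regression. I would write `@cp $(CRDS_PATH)/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds` and likewise for `validatingpolicies`. `CRDS_PATH` is defined outside the visible hunks, so its default is assumed here to be `config/crds`.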


@ -0,0 +1,80 @@
package v1alpha1
import (
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
)
// +genclient
// +kubebuilder:object:root=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PolicyException declares resources to be excluded from specified policies.
type CELPolicyException struct {
metav1.TypeMeta `json:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec declares policy exception behaviors.
Spec CELPolicyExceptionSpec `json:"spec"`
}
func (p *CELPolicyException) GetKind() string {
return "CELPolicyException"
}
// Validate implements programmatic validation
func (p *CELPolicyException) Validate() (errs field.ErrorList) {
errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
return errs
}
// PolicyExceptionSpec stores policy exception spec
type CELPolicyExceptionSpec struct {
// PolicyRefs identifies the policies to which the exception is applied.
PolicyRefs []PolicyRef `json:"policyRefs"`
// MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.
// +optional
MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`
}
// Validate implements programmatic validation
func (p *CELPolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList) {
if len(p.PolicyRefs) == 0 {
errs = append(errs, field.Invalid(path.Child("policyRefs"), p.PolicyRefs, "must specify at least one policy ref"))
} else {
for i, policyRef := range p.PolicyRefs {
errs = append(errs, policyRef.Validate(path.Child("policyRefs").Index(i))...)
}
}
return errs
}
type PolicyRef struct {
// Name is the name of the policy
Name string `json:"name"`
// Kind is the kind of the policy
Kind string `json:"kind"`
}
func (p *PolicyRef) Validate(path *field.Path) (errs field.ErrorList) {
if p.Name == "" {
errs = append(errs, field.Invalid(path.Child("name"), p.Name, "must specify policy name"))
}
if p.Kind == "" {
errs = append(errs, field.Invalid(path.Child("kind"), p.Kind, "must specify policy kind"))
}
return errs
}
// +kubebuilder:object:root=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// CELPolicyExceptionList is a list of Policy Exceptions
type CELPolicyExceptionList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []CELPolicyException `json:"items"`
}
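Review bot: The rules in `CELPolicyExceptionSpec.Validate` and `PolicyRef.Validate` exist only in Go; the fields carry no kubebuilder validation markers, so the generated CRD schema accepts an empty `policyRefs` list and empty `name`/`kind` strings whenever the webhook that calls `Validate()` is not in the request path. For a resource that exempts workloads from policy this is worth enforcing at the API server as well: add `// +kubebuilder:validation:MinItems=1` above `PolicyRefs` and `// +kubebuilder:validation:MinLength=1` above `Name` and `Kind`. Missing values are also reported with `field.Invalid`; `field.Required(path.Child("name"), "must specify policy name")` is the conventional form. The doc comments on `CELPolicyException` and `CELPolicyExceptionSpec` still begin with `PolicyException` and `PolicyExceptionSpec`, and that text is what ends up in the CRD description.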


@ -0,0 +1,18 @@
package v1alpha1
import (
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// +kubebuilder:object:generate=false
type GenericPolicy interface {
metav1.Object
GetMatchConstraints() admissionregistrationv1.MatchResources
GetMatchConditions() []admissionregistrationv1.MatchCondition
GetFailurePolicy() admissionregistrationv1.FailurePolicyType
GetWebhookConfiguration() *WebhookConfiguration
GetVariables() []admissionregistrationv1.Variable
GetSpec() *ValidatingPolicySpec
GetStatus() *PolicyStatus
}
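Review bot: `GenericPolicy` is exported without a doc comment, and `GetSpec()`/`GetStatus()` return pointers; the `ValidatingPolicy` implementation later in this commit returns `&s.Spec` and `&s.Status`, so a caller holding an object from an informer lister could modify the shared cached copy through them. I would document the contract on the interface, e.g. `// GenericPolicy is the read-side view of a policy; pointers returned by GetSpec and GetStatus alias the receiver, so DeepCopy before mutating.` Whether any caller actually mutates through these accessors is not visible on this page.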


@ -1,6 +1,7 @@
package v1alpha1
import (
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/apimachinery/pkg/api/meta"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@ -21,6 +22,23 @@ type PolicyStatus struct {
// +optional
Conditions []metav1.Condition `json:"conditions,omitempty"`
// +optional
Autogen AutogenStatus `json:"autogen"`
}
// AutogenStatus contains autogen status information.
type AutogenStatus struct {
// Rules is a list of Rule instances. It contains auto generated rules added for pod controllers
Rules []AutogenRule `json:"rules,omitempty"`
}
type AutogenRule struct {
MatchConstraints *admissionregistrationv1.MatchResources `json:"matchConstraints,omitempty"`
MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`
Validations []admissionregistrationv1.Validation `json:"validations,omitempty"`
AuditAnnotation []admissionregistrationv1.AuditAnnotation `json:"auditAnnotations,omitempty"`
Variables []admissionregistrationv1.Variable `json:"variables,omitempty"`
}
func (status *PolicyStatus) SetReadyByCondition(c PolicyConditionType, s metav1.ConditionStatus, message string) {
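Review bot: In `AutogenRule` the Go field is named `AuditAnnotation` while its JSON tag is `auditAnnotations` and it holds a slice; naming it `AuditAnnotations` would match the tag and the neighbouring plural fields. `Autogen` in `PolicyStatus` is marked `// +optional` but tagged `json:"autogen"` without `omitempty`, so the marker and the tag disagree; note that for a struct value encoding/json emits the key either way, so a pointer is needed if it must disappear when unset. `AutogenRule` also has no doc comment. `SetReadyByCondition` begins on the last line of the hunk and its body is outside it.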


@ -45,6 +45,10 @@ func (s *ValidatingPolicy) GetVariables() []admissionregistrationv1.Variable {
return s.Spec.Variables
}
func (s *ValidatingPolicy) GetSpec() *ValidatingPolicySpec {
return &s.Spec
}
func (s *ValidatingPolicy) GetStatus() *PolicyStatus {
return &s.Status
}


@ -22,21 +22,190 @@ limitations under the License.
package v1alpha1
import (
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
v1 "k8s.io/api/admissionregistration/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AutogenRule) DeepCopyInto(out *AutogenRule) {
*out = *in
if in.MatchConstraints != nil {
in, out := &in.MatchConstraints, &out.MatchConstraints
*out = new(v1.MatchResources)
(*in).DeepCopyInto(*out)
}
if in.MatchConditions != nil {
in, out := &in.MatchConditions, &out.MatchConditions
*out = make([]v1.MatchCondition, len(*in))
copy(*out, *in)
}
if in.Validations != nil {
in, out := &in.Validations, &out.Validations
*out = make([]v1.Validation, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.AuditAnnotation != nil {
in, out := &in.AuditAnnotation, &out.AuditAnnotation
*out = make([]v1.AuditAnnotation, len(*in))
copy(*out, *in)
}
if in.Variables != nil {
in, out := &in.Variables, &out.Variables
*out = make([]v1.Variable, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenRule.
func (in *AutogenRule) DeepCopy() *AutogenRule {
if in == nil {
return nil
}
out := new(AutogenRule)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AutogenStatus) DeepCopyInto(out *AutogenStatus) {
*out = *in
if in.Rules != nil {
in, out := &in.Rules, &out.Rules
*out = make([]AutogenRule, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenStatus.
func (in *AutogenStatus) DeepCopy() *AutogenStatus {
if in == nil {
return nil
}
out := new(AutogenStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CELPolicyException) DeepCopyInto(out *CELPolicyException) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CELPolicyException.
func (in *CELPolicyException) DeepCopy() *CELPolicyException {
if in == nil {
return nil
}
out := new(CELPolicyException)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *CELPolicyException) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CELPolicyExceptionList) DeepCopyInto(out *CELPolicyExceptionList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]CELPolicyException, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CELPolicyExceptionList.
func (in *CELPolicyExceptionList) DeepCopy() *CELPolicyExceptionList {
if in == nil {
return nil
}
out := new(CELPolicyExceptionList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *CELPolicyExceptionList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CELPolicyExceptionSpec) DeepCopyInto(out *CELPolicyExceptionSpec) {
*out = *in
if in.PolicyRefs != nil {
in, out := &in.PolicyRefs, &out.PolicyRefs
*out = make([]PolicyRef, len(*in))
copy(*out, *in)
}
if in.MatchConditions != nil {
in, out := &in.MatchConditions, &out.MatchConditions
*out = make([]v1.MatchCondition, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CELPolicyExceptionSpec.
func (in *CELPolicyExceptionSpec) DeepCopy() *CELPolicyExceptionSpec {
if in == nil {
return nil
}
out := new(CELPolicyExceptionSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyRef) DeepCopyInto(out *PolicyRef) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRef.
func (in *PolicyRef) DeepCopy() *PolicyRef {
if in == nil {
return nil
}
out := new(PolicyRef)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]v1.Condition, len(*in))
*out = make([]metav1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
in.Autogen.DeepCopyInto(&out.Autogen)
return
}
@ -117,7 +286,7 @@ func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) {
in.ValidatingAdmissionPolicySpec.DeepCopyInto(&out.ValidatingAdmissionPolicySpec)
if in.ValidationAction != nil {
in, out := &in.ValidationAction, &out.ValidationAction
*out = make([]admissionregistrationv1.ValidationAction, len(*in))
*out = make([]v1.ValidationAction, len(*in))
copy(*out, *in)
}
if in.WebhookConfiguration != nil {


@ -58,6 +58,8 @@ func init() {
// Adds the list of known types to Scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&CELPolicyException{},
&CELPolicyExceptionList{},
&ValidatingPolicy{},
&ValidatingPolicyList{},
)


@ -258,6 +258,8 @@ The chart values are organised per component.
|-----|------|---------|-------------|
| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
| crds.groups.kyverno | object | `{"celpolicyexceptions":true,"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | Install CRDs in group `kyverno.io` |
| crds.groups.policies.validatingpolicies | bool | `true` | |
| crds.groups.policies.celpolicyexceptions | bool | `true` | |
| crds.groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | Install CRDs in group `reports.kyverno.io` |
| crds.groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | Install CRDs in group `wgpolicyk8s.io` |
| crds.annotations | object | `{}` | Additional CRDs annotations |


@ -7,6 +7,8 @@
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.policies.validatingpolicies | bool | `true` | |
| groups.policies.celpolicyexceptions | bool | `true` | |
| groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart |


@ -1,4 +1,4 @@
{{- if .Values.groups.kyverno.celpolicyexceptions }}
{{- if .Values.groups.policies.celpolicyexceptions }}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -10,9 +10,9 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.1
name: celpolicyexceptions.kyverno.io
name: celpolicyexceptions.policies.kyverno.io
spec:
group: kyverno.io
group: policies.kyverno.io
names:
kind: CELPolicyException
listKind: CELPolicyExceptionList
@ -20,7 +20,7 @@ spec:
singular: celpolicyexception
scope: Namespaced
versions:
- name: v2alpha1
- name: v1alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified


@ -1,4 +1,4 @@
{{- if .Values.groups.kyverno.validatingpolicies }}
{{- if .Values.groups.policies.validatingpolicies }}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -10,9 +10,9 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.1
name: validatingpolicies.kyverno.io
name: validatingpolicies.policies.kyverno.io
spec:
group: kyverno.io
group: policies.kyverno.io
names:
categories:
- kyverno
@ -28,7 +28,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
name: v2alpha1
name: v1alpha1
schema:
openAPIV3Schema:
properties:


@ -19,6 +19,10 @@ groups:
updaterequests: true
validatingpolicies: true
policies:
validatingpolicies: true
celpolicyexceptions: true
# -- Install CRDs in group `reports.kyverno.io`
# -- This field can be overwritten by setting crds.labels in the parent chart
reports:
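Review bot: The new `policies:` group has no `# --` helm-docs comment, which is why the README rows for `groups.policies.*` in this commit have an empty description; add `# -- Install CRDs in group policies.kyverno.io` above it. `validatingpolicies: true` also remains under the `kyverno` group as a context line, but the CRD templates in this commit now test `.Values.groups.policies.validatingpolicies`, so the old key appears to have no effect any more, and a user who had set it to `false` would get the CRD installed after upgrade. The parent chart's `crds.groups` hunk has the same two issues, with `celpolicyexceptions` left under `kyverno` as well.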


@ -73,6 +73,18 @@ rules:
- globalcontextentries
- globalcontextentries/status
- policyexceptions
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- policies.kyverno.io
resources:
- validatingpolicies
- validatingpolicies/status
- celpolicyexceptions
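Review bot: The `verbs` list of the new `policies.kyverno.io` rule falls outside the hunk; if it mirrors the `kyverno.io` rule above it (create, delete, patch, update, deletecollection and the read verbs), this role gains write access to `celpolicyexceptions`, the resource that exempts matching workloads from policy. A component that only evaluates exceptions needs `get`, `list` and `watch` on them, so I would split `celpolicyexceptions` into its own rule with just those verbs unless this service account is the one that must create them. The next RBAC section in this commit adds the same group for `validatingpolicies` and `validatingpolicies/status`, again with the verbs outside the hunk, and the same question applies there.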


@ -43,6 +43,18 @@ rules:
- policyexceptions
- policies
- clusterpolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- policies.kyverno.io
resources:
- validatingpolicies
- validatingpolicies/status
verbs:


@ -85,6 +85,10 @@ crds:
validatingpolicies: true
celpolicyexceptions: true
policies:
validatingpolicies: true
celpolicyexceptions: true
# -- Install CRDs in group `reports.kyverno.io`
reports:
clusterephemeralreports: true


@ -13,7 +13,7 @@ import (
"github.com/go-git/go-billy/v5/memfs"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/deprecations"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/exception"
@ -314,7 +314,7 @@ func (c *ApplyCommandConfig) applyValidatingAdmissionPolicies(
}
func (c *ApplyCommandConfig) applyValidatingPolicies(
vps []kyvernov2alpha1.ValidatingPolicy,
vps []policiesv1alpha1.ValidatingPolicy,
resources []*unstructured.Unstructured,
namespaceProvider func(string) *corev1.Namespace,
_ *processor.ResultCounts,
@ -464,14 +464,14 @@ func (c *ApplyCommandConfig) loadPolicies() (
[]kyvernov1.PolicyInterface,
[]admissionregistrationv1.ValidatingAdmissionPolicy,
[]admissionregistrationv1.ValidatingAdmissionPolicyBinding,
[]kyvernov2alpha1.ValidatingPolicy,
[]policiesv1alpha1.ValidatingPolicy,
error,
) {
// load policies
var policies []kyvernov1.PolicyInterface
var vaps []admissionregistrationv1.ValidatingAdmissionPolicy
var vapBindings []admissionregistrationv1.ValidatingAdmissionPolicyBinding
var vps []kyvernov2alpha1.ValidatingPolicy
var vps []policiesv1alpha1.ValidatingPolicy
for _, path := range c.PolicyPaths {
isGit := source.IsGit(path)


@ -4,9 +4,9 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: celpolicyexceptions.kyverno.io
name: celpolicyexceptions.policies.kyverno.io
spec:
group: kyverno.io
group: policies.kyverno.io
names:
kind: CELPolicyException
listKind: CELPolicyExceptionList
@ -14,7 +14,7 @@ spec:
singular: celpolicyexception
scope: Namespaced
versions:
- name: v2alpha1
- name: v1alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified


@ -4,9 +4,9 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: validatingpolicies.kyverno.io
name: validatingpolicies.policies.kyverno.io
spec:
group: kyverno.io
group: policies.kyverno.io
names:
categories:
- kyverno
@ -22,7 +22,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
name: v2alpha1
name: v1alpha1
schema:
openAPIV3Schema:
properties:


@ -12,8 +12,8 @@ import (
"github.com/go-git/go-billy/v5"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/data"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/experimental"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/source"
@ -33,7 +33,7 @@ var (
clusterPolicyV2 = kyvernov2beta1.SchemeGroupVersion.WithKind("ClusterPolicy")
vapV1 = admissionregistrationv1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicy")
vapBindingV1 = admissionregistrationv1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicyBinding")
vpV2alpha1 = kyvernov2alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy")
vpV2alpha1 = policiesv1alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy")
LegacyLoader = legacyLoader
KubectlValidateLoader = kubectlValidateLoader
defaultLoader = func(path string, bytes []byte) (*LoaderResults, error) {
@ -54,7 +54,7 @@ type LoaderResults struct {
Policies []kyvernov1.PolicyInterface
VAPs []admissionregistrationv1.ValidatingAdmissionPolicy
VAPBindings []admissionregistrationv1.ValidatingAdmissionPolicyBinding
ValidatingPolicies []kyvernov2alpha1.ValidatingPolicy
ValidatingPolicies []policiesv1alpha1.ValidatingPolicy
NonFatalErrors []LoaderError
}
@ -166,7 +166,7 @@ func kubectlValidateLoader(path string, content []byte) (*LoaderResults, error)
}
results.VAPBindings = append(results.VAPBindings, *typed)
case vpV2alpha1:
typed, err := convert.To[kyvernov2alpha1.ValidatingPolicy](untyped)
typed, err := convert.To[policiesv1alpha1.ValidatingPolicy](untyped)
if err != nil {
return nil, err
}
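Review bot: `vpV2alpha1` now holds `policiesv1alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy")`, so the name states the wrong version both at its definition and in the `case vpV2alpha1:` branch; rename it to `vpV1alpha1`. Separately, manifests still written as `kyverno.io/v2alpha1` will no longer hit this case. How the rest of the switch treats an unmatched kind is outside the hunk, but if such documents are skipped rather than rejected, a CI run of the CLI could pass without evaluating those policies; an explicit error for the old group/version would make that visible.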


@ -10,7 +10,7 @@ import (
"time"
"github.com/go-logr/logr"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/cmd/internal"
"github.com/kyverno/kyverno/pkg/auth/checker"
"github.com/kyverno/kyverno/pkg/breaker"
@ -154,7 +154,7 @@ func createrLeaderControllers(
kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(),
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
kyvernoInformer.Kyverno().V1().Policies(),
kyvernoInformer.Kyverno().V2alpha1().ValidatingPolicies(),
kyvernoInformer.Policies().V1alpha1().ValidatingPolicies(),
deploymentInformer,
caInformer,
kubeKyvernoInformer.Coordination().V1().Leases(),
@ -219,8 +219,8 @@ func createrLeaderControllers(
nil,
[]admissionregistrationv1.RuleWithOperations{{
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"kyverno.io"},
APIVersions: []string{"v2alpha1"},
APIGroups: []string{"policies.kyverno.io"},
APIVersions: []string{"v1alpha1"},
Resources: []string{"celpolicyexceptions"},
},
Operations: []admissionregistrationv1.OperationType{
@ -594,7 +594,7 @@ func main() {
{
// create a controller manager
scheme := kruntime.NewScheme()
if err := kyvernov2alpha1.Install(scheme); err != nil {
if err := policiesv1alpha1.Install(scheme); err != nil {
setup.Logger.Error(err, "failed to initialize scheme")
os.Exit(1)
}
@ -608,7 +608,7 @@ func main() {
// create compiler
compiler := celpolicy.NewCompiler()
// create provider
provider, err := celengine.NewKubeProvider(compiler, mgr, kyvernoInformer.Kyverno().V2alpha1().CELPolicyExceptions().Lister())
provider, err := celengine.NewKubeProvider(compiler, mgr, kyvernoInformer.Policies().V1alpha1().CELPolicyExceptions().Lister())
if err != nil {
setup.Logger.Error(err, "failed to create policy provider")
os.Exit(1)
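Review bot: The webhook rule for `celpolicyexceptions` spells the group and version as string literals (`"policies.kyverno.io"`, `"v1alpha1"`) although `policiesv1alpha1` is already imported; if the literals ever drift from the registered types, the API server would stop sending exception objects to the validation webhook and unvalidated exceptions would be admitted. Use `APIGroups: []string{policiesv1alpha1.SchemeGroupVersion.Group},` and `APIVersions: []string{policiesv1alpha1.SchemeGroupVersion.Version},`. The informers also switch from `Kyverno().V2alpha1()` to `Policies().V1alpha1()` with no migration visible on this page, so objects stored under `kyverno.io/v2alpha1` would presumably stop being watched and enforced after upgrade; that deserves a release note if it is not handled elsewhere. `createrLeaderControllers` and `main` both extend beyond the hunks shown.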


@ -76,13 +76,13 @@ func createReportControllers(
}
kyvernoV1 := kyvernoInformer.Kyverno().V1()
kyvernoV2 := kyvernoInformer.Kyverno().V2()
kyvernoV2alpha1 := kyvernoInformer.Kyverno().V2alpha1()
policiesV1alpha1 := kyvernoInformer.Policies().V1alpha1()
if backgroundScan || admissionReports {
resourceReportController := resourcereportcontroller.NewController(
client,
kyvernoV1.Policies(),
kyvernoV1.ClusterPolicies(),
kyvernoV2alpha1.ValidatingPolicies(),
policiesV1alpha1.ValidatingPolicies(),
vapInformer,
)
warmups = append(warmups, func(ctx context.Context) error {
@ -102,7 +102,7 @@ func createReportControllers(
metadataFactory,
kyvernoV1.Policies(),
kyvernoV1.ClusterPolicies(),
kyvernoV2alpha1.ValidatingPolicies(),
policiesV1alpha1.ValidatingPolicies(),
vapInformer,
),
aggregationWorkers,
@ -116,7 +116,7 @@ func createReportControllers(
metadataFactory,
kyvernoV1.Policies(),
kyvernoV1.ClusterPolicies(),
kyvernoV2alpha1.ValidatingPolicies(),
policiesV1alpha1.ValidatingPolicies(),
kyvernoV2.PolicyExceptions(),
vapInformer,
vapBindingInformer,


@ -0,0 +1,106 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
name: celpolicyexceptions.policies.kyverno.io
spec:
group: policies.kyverno.io
names:
kind: CELPolicyException
listKind: CELPolicyExceptionList
plural: celpolicyexceptions
singular: celpolicyexception
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
matchConditions:
description: MatchConditions is a list of CEL expressions that must
be met for a resource to be excluded.
items:
description: MatchCondition represents a condition which must by
fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
type: string
name:
description: |-
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
as well as providing an identifier for logging purposes. A good name should be descriptive of
the associated expression.
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
Required.
type: string
required:
- expression
- name
type: object
type: array
policyRefs:
description: PolicyRefs identifies the policies to which the exception
is applied.
items:
properties:
kind:
description: Kind is the kind of the policy
type: string
name:
description: Name is the name of the policy
type: string
required:
- kind
- name
type: object
type: array
required:
- policyRefs
type: object
required:
- spec
type: object
served: true
storage: true

File diff suppressed because it is too large Load diff


@ -195,119 +195,6 @@ data:
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app.kubernetes.io/component: crds
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno-crds
app.kubernetes.io/version: v0.0.0
helm.sh/chart: crds-v0.0.0
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: celpolicyexceptions.kyverno.io
spec:
group: kyverno.io
names:
kind: CELPolicyException
listKind: CELPolicyExceptionList
plural: celpolicyexceptions
singular: celpolicyexception
scope: Namespaced
versions:
- name: v2alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
matchConditions:
description: MatchConditions is a list of CEL expressions that must
be met for a resource to be excluded.
items:
description: MatchCondition represents a condition which must by
fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
type: string
name:
description: |-
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
as well as providing an identifier for logging purposes. A good name should be descriptive of
the associated expression.
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
Required.
type: string
required:
- expression
- name
type: object
type: array
policyRefs:
description: PolicyRefs identifies the policies to which the exception
is applied.
items:
properties:
kind:
description: Kind is the kind of the policy
type: string
name:
description: Name is the name of the policy
type: string
required:
- kind
- name
type: object
type: array
required:
- policyRefs
type: object
required:
- spec
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app.kubernetes.io/component: crds
@ -48537,9 +48424,122 @@ metadata:
helm.sh/chart: crds-v0.0.0
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: validatingpolicies.kyverno.io
name: celpolicyexceptions.policies.kyverno.io
spec:
group: kyverno.io
group: policies.kyverno.io
names:
kind: CELPolicyException
listKind: CELPolicyExceptionList
plural: celpolicyexceptions
singular: celpolicyexception
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
matchConditions:
description: MatchConditions is a list of CEL expressions that must
be met for a resource to be excluded.
items:
description: MatchCondition represents a condition which must by
fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
'object' - The object from the incoming request. The value is null for DELETE requests.
'oldObject' - The existing object. The value is null for CREATE requests.
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
request resource.
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
Required.
type: string
name:
description: |-
Name is an identifier for this match condition, used for strategic merging of MatchConditions,
as well as providing an identifier for logging purposes. A good name should be descriptive of
the associated expression.
Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
Required.
type: string
required:
- expression
- name
type: object
type: array
policyRefs:
description: PolicyRefs identifies the policies to which the exception
is applied.
items:
properties:
kind:
description: Kind is the kind of the policy
type: string
name:
description: Name is the name of the policy
type: string
required:
- kind
- name
type: object
type: array
required:
- policyRefs
type: object
required:
- spec
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app.kubernetes.io/component: crds
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno-crds
app.kubernetes.io/version: v0.0.0
helm.sh/chart: crds-v0.0.0
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
name: validatingpolicies.policies.kyverno.io
spec:
group: policies.kyverno.io
names:
categories:
- kyverno
@ -48555,7 +48555,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
name: v2alpha1
name: v1alpha1
schema:
openAPIV3Schema:
properties:
@ -51328,6 +51328,18 @@ rules:
- globalcontextentries
- globalcontextentries/status
- policyexceptions
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- policies.kyverno.io
resources:
- validatingpolicies
- validatingpolicies/status
- celpolicyexceptions
@ -51872,6 +51884,18 @@ rules:
- policyexceptions
- policies
- clusterpolicies
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- policies.kyverno.io
resources:
- validatingpolicies
- validatingpolicies/status
verbs:


@ -10656,9 +10656,102 @@ github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1.Any
</p>
Resource Types:
<ul><li>
<a href="#policies.kyverno.io/v1alpha1.CELPolicyException">CELPolicyException</a>
</li><li>
<a href="#policies.kyverno.io/v1alpha1.ValidatingPolicy">ValidatingPolicy</a>
</li></ul>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.CELPolicyException">CELPolicyException
</h3>
<p>
<p>PolicyException declares resources to be excluded from specified policies.</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>apiVersion</code><br/>
string</td>
<td>
<code>
policies.kyverno.io/v1alpha1
</code>
</td>
</tr>
<tr>
<td>
<code>kind</code><br/>
string
</td>
<td><code>CELPolicyException</code></td>
</tr>
<tr>
<td>
<code>metadata</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta">
Kubernetes meta/v1.ObjectMeta
</a>
</em>
</td>
<td>
Refer to the Kubernetes API documentation for the fields of the
<code>metadata</code> field.
</td>
</tr>
<tr>
<td>
<code>spec</code><br/>
<em>
<a href="#policies.kyverno.io/v1alpha1.CELPolicyExceptionSpec">
CELPolicyExceptionSpec
</a>
</em>
</td>
<td>
<p>Spec declares policy exception behaviors.</p>
<br/>
<br/>
<table class="table table-striped">
<tr>
<td>
<code>policyRefs</code><br/>
<em>
<a href="#policies.kyverno.io/v1alpha1.PolicyRef">
[]PolicyRef
</a>
</em>
</td>
<td>
<p>PolicyRefs identifies the policies to which the exception is applied.</p>
</td>
</tr>
<tr>
<td>
<code>matchConditions</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.MatchCondition
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.</p>
</td>
</tr>
</table>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.ValidatingPolicy">ValidatingPolicy
</h3>
<p>
@ -10778,10 +10871,214 @@ PolicyStatus
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.AutogenRule">AutogenRule
</h3>
<p>
(<em>Appears on:</em>
<a href="#policies.kyverno.io/v1alpha1.AutogenStatus">AutogenStatus</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>matchConstraints</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchresources-v1-admissionregistration">
Kubernetes admissionregistration/v1.MatchResources
</a>
</em>
</td>
<td>
</td>
</tr>
<tr>
<td>
<code>matchConditions</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.MatchCondition
</a>
</em>
</td>
<td>
</td>
</tr>
<tr>
<td>
<code>validations</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validation-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.Validation
</a>
</em>
</td>
<td>
</td>
</tr>
<tr>
<td>
<code>auditAnnotations</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#auditannotation-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.AuditAnnotation
</a>
</em>
</td>
<td>
</td>
</tr>
<tr>
<td>
<code>variables</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.Variable
</a>
</em>
</td>
<td>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.AutogenStatus">AutogenStatus
</h3>
<p>
(<em>Appears on:</em>
<a href="#policies.kyverno.io/v1alpha1.PolicyStatus">PolicyStatus</a>)
</p>
<p>
<p>AutogenStatus contains autogen status information.</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>rules</code><br/>
<em>
<a href="#policies.kyverno.io/v1alpha1.AutogenRule">
[]AutogenRule
</a>
</em>
</td>
<td>
<p>Rules is a list of Rule instances. It contains auto generated rules added for pod controllers</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.CELPolicyExceptionSpec">CELPolicyExceptionSpec
</h3>
<p>
(<em>Appears on:</em>
<a href="#policies.kyverno.io/v1alpha1.CELPolicyException">CELPolicyException</a>)
</p>
<p>
<p>PolicyExceptionSpec stores policy exception spec</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>policyRefs</code><br/>
<em>
<a href="#policies.kyverno.io/v1alpha1.PolicyRef">
[]PolicyRef
</a>
</em>
</td>
<td>
<p>PolicyRefs identifies the policies to which the exception is applied.</p>
</td>
</tr>
<tr>
<td>
<code>matchConditions</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.MatchCondition
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.GenericPolicy">GenericPolicy
</h3>
<p>
</p>
<h3 id="policies.kyverno.io/v1alpha1.PolicyConditionType">PolicyConditionType
(<code>string</code> alias)</p></h3>
<p>
</p>
<h3 id="policies.kyverno.io/v1alpha1.PolicyRef">PolicyRef
</h3>
<p>
(<em>Appears on:</em>
<a href="#policies.kyverno.io/v1alpha1.CELPolicyExceptionSpec">CELPolicyExceptionSpec</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>name</code><br/>
<em>
string
</em>
</td>
<td>
<p>Name is the name of the policy</p>
</td>
</tr>
<tr>
<td>
<code>kind</code><br/>
<em>
string
</em>
</td>
<td>
<p>Kind is the kind of the policy</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.PolicyStatus">PolicyStatus
</h3>
<p>
@ -10824,6 +11121,19 @@ The conditions array, the reason and message fields contain more detail about th
<em>(Optional)</em>
</td>
</tr>
<tr>
<td>
<code>autogen</code><br/>
<em>
<a href="#policies.kyverno.io/v1alpha1.AutogenStatus">
AutogenStatus
</a>
</em>
</td>
<td>
<em>(Optional)</em>
</td>
</tr>
</tbody>
</table>
<hr />


@ -4,7 +4,7 @@ import (
"strings"
"github.com/kyverno/kyverno/api/kyverno"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"k8s.io/apimachinery/pkg/util/sets"
)
@ -17,7 +17,7 @@ var podControllers = sets.New("daemonsets", "deployments", "jobs", "statefulsets
// - Pod is not defined
//
// Otherwise it returns all pod controllers
func canAutoGen(spec *kyvernov2alpha1.ValidatingPolicySpec) (bool, sets.Set[string]) {
func canAutoGen(spec *policiesv1alpha1.ValidatingPolicySpec) (bool, sets.Set[string]) {
match := spec.MatchConstraints
if match.NamespaceSelector != nil {
if len(match.NamespaceSelector.MatchLabels) > 0 || len(match.NamespaceSelector.MatchExpressions) > 0 {
@ -45,8 +45,8 @@ func canAutoGen(spec *kyvernov2alpha1.ValidatingPolicySpec) (bool, sets.Set[stri
return true, podControllers
}
func generateRules(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers string) []kyvernov2alpha1.AutogenRule {
var genRules []kyvernov2alpha1.AutogenRule
func generateRules(spec *policiesv1alpha1.ValidatingPolicySpec, controllers string) []policiesv1alpha1.AutogenRule {
var genRules []policiesv1alpha1.AutogenRule
// strip cronjobs from controllers if exist
isRemoved, controllers := stripCronJob(controllers)
// generate rule for pod controllers
@ -82,10 +82,10 @@ func stripCronJob(controllers string) (bool, string) {
return isRemoved, strings.Join(newControllers, ",")
}
func ComputeRules(policy kyvernov2alpha1.GenericPolicy) []kyvernov2alpha1.AutogenRule {
func ComputeRules(policy policiesv1alpha1.GenericPolicy) []policiesv1alpha1.AutogenRule {
applyAutoGen, desiredControllers := canAutoGen(policy.GetSpec())
if !applyAutoGen {
return []kyvernov2alpha1.AutogenRule{}
return []policiesv1alpha1.AutogenRule{}
}
var actualControllers sets.Set[string]
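Review bot: `canAutoGen` reads `match.NamespaceSelector` immediately after `match := spec.MatchConstraints`, with no nil check in the visible lines; `MatchConstraints` is a pointer in the embedded admissionregistration spec, so a ValidatingPolicy that omits `matchConstraints` would panic the caller of `ComputeRules` unless validation elsewhere rejects it. A guard such as `if match == nil { return false, sets.New[string]() }` at the top would skip autogen instead of panicking. The same unvalidated-shape concern applies to `spec.MatchConstraints.ResourceRules[0].Operations` in `generateCronJobRule` and `generateRuleForControllers` in the rule-generation file further down, which index the first rule without a length check. All three function bodies continue outside their hunks, so a check may already exist there.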


@ -5,7 +5,7 @@ import (
"fmt"
"testing"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"gotest.tools/assert"
"k8s.io/apimachinery/pkg/util/sets"
)
@ -19,7 +19,7 @@ func Test_CanAutoGen(t *testing.T) {
{
name: "policy-with-match-name",
policy: []byte(`{
"apiVersion": "kyverno.io/v2alpha1",
"apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
@ -66,7 +66,7 @@ func Test_CanAutoGen(t *testing.T) {
{
name: "policy-with-match-object-selector",
policy: []byte(`{
"apiVersion": "kyverno.io/v2alpha1",
"apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
@ -115,7 +115,7 @@ func Test_CanAutoGen(t *testing.T) {
{
name: "policy-with-match-namespace-selector",
policy: []byte(`{
"apiVersion": "kyverno.io/v2alpha1",
"apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
@ -164,7 +164,7 @@ func Test_CanAutoGen(t *testing.T) {
{
name: "policy-with-match-mixed-kinds-pod-podcontrollers",
policy: []byte(`{
"apiVersion": "kyverno.io/v2alpha1",
"apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
@ -223,7 +223,7 @@ func Test_CanAutoGen(t *testing.T) {
{
name: "policy-with-match-kinds-pod-only",
policy: []byte(`{
"apiVersion": "kyverno.io/v2alpha1",
"apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
@ -268,7 +268,7 @@ func Test_CanAutoGen(t *testing.T) {
for _, test := range testCases {
t.Run(test.name, func(t *testing.T) {
var policy *kyvernov2alpha1.ValidatingPolicy
var policy *policiesv1alpha1.ValidatingPolicy
err := json.Unmarshal(test.policy, &policy)
assert.NilError(t, err)


@ -6,11 +6,11 @@ import (
"slices"
"strings"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
)
func generateCronJobRule(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers string) (*kyvernov2alpha1.AutogenRule, error) {
func generateCronJobRule(spec *policiesv1alpha1.ValidatingPolicySpec, controllers string) (*policiesv1alpha1.AutogenRule, error) {
operations := spec.MatchConstraints.ResourceRules[0].Operations
// create a resource rule for the cronjob resource
matchConstraints := createMatchConstraints(controllers, operations)
@ -61,7 +61,7 @@ func generateCronJobRule(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers
}
}
return &kyvernov2alpha1.AutogenRule{
return &policiesv1alpha1.AutogenRule{
MatchConstraints: matchConstraints,
MatchConditions: matchConditions,
Validations: validations,
@ -70,7 +70,7 @@ func generateCronJobRule(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers
}, nil
}
func generateRuleForControllers(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers string) (*kyvernov2alpha1.AutogenRule, error) {
func generateRuleForControllers(spec *policiesv1alpha1.ValidatingPolicySpec, controllers string) (*policiesv1alpha1.AutogenRule, error) {
operations := spec.MatchConstraints.ResourceRules[0].Operations
// create a resource rule for pod controllers
matchConstraints := createMatchConstraints(controllers, operations)
@ -119,7 +119,7 @@ func generateRuleForControllers(spec *kyvernov2alpha1.ValidatingPolicySpec, cont
}
}
return &kyvernov2alpha1.AutogenRule{
return &policiesv1alpha1.AutogenRule{
MatchConstraints: matchConstraints,
MatchConditions: matchConditions,
Validations: validations,


@ -5,7 +5,7 @@ import (
"reflect"
"testing"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"gotest.tools/assert"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
)
@ -15,7 +15,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
name string
controllers string
policySpec []byte
generatedRule kyvernov2alpha1.AutogenRule
generatedRule policiesv1alpha1.AutogenRule
}{
{
name: "autogen rule for deployments",
@ -46,7 +46,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
}
]
}`),
generatedRule: kyvernov2alpha1.AutogenRule{
generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@ -100,7 +100,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
}
]
}`),
generatedRule: kyvernov2alpha1.AutogenRule{
generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@ -160,7 +160,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
}
]
}`),
generatedRule: kyvernov2alpha1.AutogenRule{
generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@ -195,7 +195,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
var spec *kyvernov2alpha1.ValidatingPolicySpec
var spec *policiesv1alpha1.ValidatingPolicySpec
err := json.Unmarshal(test.policySpec, &spec)
assert.NilError(t, err)
@ -212,7 +212,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
func TestGenerateCronJobRule(t *testing.T) {
tests := []struct {
policySpec []byte
generatedRule kyvernov2alpha1.AutogenRule
generatedRule policiesv1alpha1.AutogenRule
}{
{
policySpec: []byte(`{
@ -241,7 +241,7 @@ func TestGenerateCronJobRule(t *testing.T) {
}
]
}`),
generatedRule: kyvernov2alpha1.AutogenRule{
generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@ -299,7 +299,7 @@ func TestGenerateCronJobRule(t *testing.T) {
}
]
}`),
generatedRule: kyvernov2alpha1.AutogenRule{
generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@ -364,7 +364,7 @@ func TestGenerateCronJobRule(t *testing.T) {
}
]
}`),
generatedRule: kyvernov2alpha1.AutogenRule{
generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@ -398,7 +398,7 @@ func TestGenerateCronJobRule(t *testing.T) {
},
}
for _, tt := range tests {
var spec *kyvernov2alpha1.ValidatingPolicySpec
var spec *policiesv1alpha1.ValidatingPolicySpec
err := json.Unmarshal(tt.policySpec, &spec)
assert.NilError(t, err)


@ -4,7 +4,7 @@ import (
"context"
"fmt"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
contextlib "github.com/kyverno/kyverno/pkg/cel/libs/context"
"github.com/kyverno/kyverno/pkg/cel/matching"
"github.com/kyverno/kyverno/pkg/cel/utils"
@ -79,7 +79,7 @@ type EngineResponse struct {
type PolicyResponse struct {
Actions sets.Set[admissionregistrationv1.ValidationAction]
Policy kyvernov2alpha1.ValidatingPolicy
Policy policiesv1alpha1.ValidatingPolicy
Rules []engineapi.RuleResponse
}


@ -5,9 +5,9 @@ import (
"fmt"
"sync"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/cel/policy"
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
"golang.org/x/exp/maps"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/apimachinery/pkg/api/errors"
@ -23,7 +23,7 @@ import (
type CompiledPolicy struct {
Actions sets.Set[admissionregistrationv1.ValidationAction]
Policy kyvernov2alpha1.ValidatingPolicy
Policy policiesv1alpha1.ValidatingPolicy
CompiledPolicy policy.CompiledPolicy
}
@ -37,7 +37,7 @@ func (f ProviderFunc) CompiledPolicies(ctx context.Context) ([]CompiledPolicy, e
return f(ctx)
}
func NewProvider(compiler policy.Compiler, policies ...kyvernov2alpha1.ValidatingPolicy) (ProviderFunc, error) {
func NewProvider(compiler policy.Compiler, policies ...policiesv1alpha1.ValidatingPolicy) (ProviderFunc, error) {
compiled := make([]CompiledPolicy, 0, len(policies))
for _, vp := range policies {
policy, err := compiler.Compile(&vp, nil)
@ -63,18 +63,18 @@ func NewProvider(compiler policy.Compiler, policies ...kyvernov2alpha1.Validatin
func NewKubeProvider(
compiler policy.Compiler,
mgr ctrl.Manager,
polexLister kyvernov2alpha1listers.CELPolicyExceptionLister,
polexLister policiesv1alpha1listers.CELPolicyExceptionLister,
) (Provider, error) {
r := newPolicyReconciler(compiler, mgr.GetClient(), polexLister)
err := ctrl.NewControllerManagedBy(mgr).
For(&kyvernov2alpha1.ValidatingPolicy{}).
Watches(&kyvernov2alpha1.CELPolicyException{}, &handler.Funcs{
For(&policiesv1alpha1.ValidatingPolicy{}).
Watches(&policiesv1alpha1.CELPolicyException{}, &handler.Funcs{
CreateFunc: func(
ctx context.Context,
tce event.TypedCreateEvent[client.Object],
trli workqueue.TypedRateLimitingInterface[reconcile.Request],
) {
polex := tce.Object.(*kyvernov2alpha1.CELPolicyException)
polex := tce.Object.(*policiesv1alpha1.CELPolicyException)
for _, ref := range polex.Spec.PolicyRefs {
trli.Add(reconcile.Request{
NamespacedName: client.ObjectKey{
@ -88,7 +88,7 @@ func NewKubeProvider(
tue event.TypedUpdateEvent[client.Object],
trli workqueue.TypedRateLimitingInterface[reconcile.Request],
) {
polex := tue.ObjectNew.(*kyvernov2alpha1.CELPolicyException)
polex := tue.ObjectNew.(*policiesv1alpha1.CELPolicyException)
for _, ref := range polex.Spec.PolicyRefs {
trli.Add(reconcile.Request{
NamespacedName: client.ObjectKey{
@ -102,7 +102,7 @@ func NewKubeProvider(
tde event.TypedDeleteEvent[client.Object],
trli workqueue.TypedRateLimitingInterface[reconcile.Request],
) {
polex := tde.Object.(*kyvernov2alpha1.CELPolicyException)
polex := tde.Object.(*policiesv1alpha1.CELPolicyException)
for _, ref := range polex.Spec.PolicyRefs {
trli.Add(reconcile.Request{
NamespacedName: client.ObjectKey{
@ -124,13 +124,13 @@ type policyReconciler struct {
compiler policy.Compiler
lock *sync.RWMutex
policies map[string]CompiledPolicy
polexLister kyvernov2alpha1listers.CELPolicyExceptionLister
polexLister policiesv1alpha1listers.CELPolicyExceptionLister
}
func newPolicyReconciler(
compiler policy.Compiler,
client client.Client,
polexLister kyvernov2alpha1listers.CELPolicyExceptionLister,
polexLister policiesv1alpha1listers.CELPolicyExceptionLister,
) *policyReconciler {
return &policyReconciler{
client: client,
@ -142,7 +142,7 @@ func newPolicyReconciler(
}
func (r *policyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
var policy kyvernov2alpha1.ValidatingPolicy
var policy policiesv1alpha1.ValidatingPolicy
err := r.client.Get(ctx, req.NamespacedName, &policy)
if errors.IsNotFound(err) {
r.lock.Lock()
@ -184,12 +184,12 @@ func (r *policyReconciler) CompiledPolicies(ctx context.Context) ([]CompiledPoli
return maps.Values(r.policies), nil
}
func (r *policyReconciler) ListExceptions(policyName string) ([]kyvernov2alpha1.CELPolicyException, error) {
func (r *policyReconciler) ListExceptions(policyName string) ([]policiesv1alpha1.CELPolicyException, error) {
polexList, err := r.polexLister.List(labels.Everything())
if err != nil {
return nil, err
}
var exceptions []kyvernov2alpha1.CELPolicyException
var exceptions []policiesv1alpha1.CELPolicyException
for _, polex := range polexList {
for _, ref := range polex.Spec.PolicyRefs {
if ref.Name == policyName {
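Review bot: `ListExceptions` selects exceptions with `r.polexLister.List(labels.Everything())` and then `ref.Name == policyName`, so in the visible lines neither the exception's namespace nor `ref.Kind` limits which CELPolicyException objects apply to a policy. The CRD in this commit is `scope: Namespaced`, which suggests anyone allowed to create the resource in any namespace could exempt workloads from a policy by naming it. Consider also matching the kind, e.g. `if ref.Name == policyName && ref.Kind == "ValidatingPolicy" {`, and restricting the lister to an operator-configured namespace; the watch handlers in `NewKubeProvider` enqueue by `ref.Name` the same way. The function body continues past the hunk, so a later filter may exist.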


@ -5,7 +5,7 @@ import (
"github.com/google/cel-go/cel"
"github.com/google/cel-go/common/types"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
engine "github.com/kyverno/kyverno/pkg/cel"
"github.com/kyverno/kyverno/pkg/cel/libs/context"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@ -23,7 +23,7 @@ const (
)
type Compiler interface {
Compile(*kyvernov2alpha1.ValidatingPolicy, []kyvernov2alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList)
Compile(*policiesv1alpha1.ValidatingPolicy, []policiesv1alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList)
}
func NewCompiler() Compiler {
@ -32,7 +32,7 @@ func NewCompiler() Compiler {
type compiler struct{}
func (c *compiler) Compile(policy *kyvernov2alpha1.ValidatingPolicy, exceptions []kyvernov2alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList) {
func (c *compiler) Compile(policy *policiesv1alpha1.ValidatingPolicy, exceptions []policiesv1alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList) {
var allErrs field.ErrorList
base, err := engine.NewEnv()
if err != nil {


@ -3,7 +3,7 @@ package policy
import (
"testing"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/stretchr/testify/assert"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -12,19 +12,19 @@ import (
func Test_compiler_Compile(t *testing.T) {
tests := []struct {
name string
policy *kyvernov2alpha1.ValidatingPolicy
policy *policiesv1alpha1.ValidatingPolicy
wantErr bool
}{{
name: "simple",
policy: &kyvernov2alpha1.ValidatingPolicy{
policy: &policiesv1alpha1.ValidatingPolicy{
TypeMeta: metav1.TypeMeta{
APIVersion: kyvernov2alpha1.GroupVersion.String(),
APIVersion: policiesv1alpha1.GroupVersion.String(),
Kind: "ValidatingPolicy",
},
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: kyvernov2alpha1.ValidatingPolicySpec{
Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
Variables: []admissionregistrationv1.Variable{{
Name: "environment",
@ -38,15 +38,15 @@ func Test_compiler_Compile(t *testing.T) {
},
}, {
name: "with configmap",
policy: &kyvernov2alpha1.ValidatingPolicy{
policy: &policiesv1alpha1.ValidatingPolicy{
TypeMeta: metav1.TypeMeta{
APIVersion: kyvernov2alpha1.GroupVersion.String(),
APIVersion: policiesv1alpha1.GroupVersion.String(),
Kind: "ValidatingPolicy",
},
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
Spec: kyvernov2alpha1.ValidatingPolicySpec{
Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
Variables: []admissionregistrationv1.Variable{{
Name: "cm",


@ -0,0 +1,87 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1alpha1
import (
v1 "k8s.io/api/admissionregistration/v1"
)
// AutogenRuleApplyConfiguration represents an declarative configuration of the AutogenRule type for use
// with apply.
type AutogenRuleApplyConfiguration struct {
MatchConstraints *v1.MatchResources `json:"matchConstraints,omitempty"`
MatchConditions []v1.MatchCondition `json:"matchConditions,omitempty"`
Validations []v1.Validation `json:"validations,omitempty"`
AuditAnnotation []v1.AuditAnnotation `json:"auditAnnotations,omitempty"`
Variables []v1.Variable `json:"variables,omitempty"`
}
// AutogenRuleApplyConfiguration constructs an declarative configuration of the AutogenRule type for use with
// apply.
func AutogenRule() *AutogenRuleApplyConfiguration {
return &AutogenRuleApplyConfiguration{}
}
// WithMatchConstraints sets the MatchConstraints field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the MatchConstraints field is set to the value of the last call.
func (b *AutogenRuleApplyConfiguration) WithMatchConstraints(value v1.MatchResources) *AutogenRuleApplyConfiguration {
b.MatchConstraints = &value
return b
}
// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the MatchConditions field.
func (b *AutogenRuleApplyConfiguration) WithMatchConditions(values ...v1.MatchCondition) *AutogenRuleApplyConfiguration {
for i := range values {
b.MatchConditions = append(b.MatchConditions, values[i])
}
return b
}
// WithValidations adds the given value to the Validations field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Validations field.
func (b *AutogenRuleApplyConfiguration) WithValidations(values ...v1.Validation) *AutogenRuleApplyConfiguration {
for i := range values {
b.Validations = append(b.Validations, values[i])
}
return b
}
// WithAuditAnnotation adds the given value to the AuditAnnotation field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the AuditAnnotation field.
func (b *AutogenRuleApplyConfiguration) WithAuditAnnotation(values ...v1.AuditAnnotation) *AutogenRuleApplyConfiguration {
for i := range values {
b.AuditAnnotation = append(b.AuditAnnotation, values[i])
}
return b
}
// WithVariables adds the given value to the Variables field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Variables field.
func (b *AutogenRuleApplyConfiguration) WithVariables(values ...v1.Variable) *AutogenRuleApplyConfiguration {
for i := range values {
b.Variables = append(b.Variables, values[i])
}
return b
}


@ -0,0 +1,44 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1alpha1
// AutogenStatusApplyConfiguration represents an declarative configuration of the AutogenStatus type for use
// with apply.
type AutogenStatusApplyConfiguration struct {
Rules []AutogenRuleApplyConfiguration `json:"rules,omitempty"`
}
// AutogenStatusApplyConfiguration constructs an declarative configuration of the AutogenStatus type for use with
// apply.
func AutogenStatus() *AutogenStatusApplyConfiguration {
return &AutogenStatusApplyConfiguration{}
}
// WithRules adds the given value to the Rules field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Rules field.
func (b *AutogenStatusApplyConfiguration) WithRules(values ...*AutogenRuleApplyConfiguration) *AutogenStatusApplyConfiguration {
for i := range values {
if values[i] == nil {
panic("nil value passed to WithRules")
}
b.Rules = append(b.Rules, *values[i])
}
return b
}


@ -0,0 +1,210 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1alpha1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
v1 "k8s.io/client-go/applyconfigurations/meta/v1"
)
// CELPolicyExceptionApplyConfiguration represents an declarative configuration of the CELPolicyException type for use
// with apply.
type CELPolicyExceptionApplyConfiguration struct {
v1.TypeMetaApplyConfiguration `json:",omitempty,inline"`
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
Spec *CELPolicyExceptionSpecApplyConfiguration `json:"spec,omitempty"`
}
// CELPolicyException constructs an declarative configuration of the CELPolicyException type for use with
// apply.
func CELPolicyException(name, namespace string) *CELPolicyExceptionApplyConfiguration {
b := &CELPolicyExceptionApplyConfiguration{}
b.WithName(name)
b.WithNamespace(namespace)
b.WithKind("CELPolicyException")
b.WithAPIVersion("policies.kyverno.io/v1alpha1")
return b
}
// WithKind sets the Kind field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Kind field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithKind(value string) *CELPolicyExceptionApplyConfiguration {
b.Kind = &value
return b
}
// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the APIVersion field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithAPIVersion(value string) *CELPolicyExceptionApplyConfiguration {
b.APIVersion = &value
return b
}
// WithName sets the Name field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Name field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithName(value string) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.Name = &value
return b
}
// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the GenerateName field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithGenerateName(value string) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.GenerateName = &value
return b
}
// WithNamespace sets the Namespace field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Namespace field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithNamespace(value string) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.Namespace = &value
return b
}
// WithUID sets the UID field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the UID field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithUID(value types.UID) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.UID = &value
return b
}
// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ResourceVersion field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithResourceVersion(value string) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.ResourceVersion = &value
return b
}
// WithGeneration sets the Generation field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Generation field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithGeneration(value int64) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.Generation = &value
return b
}
// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CreationTimestamp field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.CreationTimestamp = &value
return b
}
// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.DeletionTimestamp = &value
return b
}
// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
b.DeletionGracePeriodSeconds = &value
return b
}
// WithLabels puts the entries into the Labels field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, the entries provided by each call will be put on the Labels field,
// overwriting an existing map entries in Labels field with the same key.
func (b *CELPolicyExceptionApplyConfiguration) WithLabels(entries map[string]string) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
if b.Labels == nil && len(entries) > 0 {
b.Labels = make(map[string]string, len(entries))
}
for k, v := range entries {
b.Labels[k] = v
}
return b
}
// WithAnnotations puts the entries into the Annotations field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, the entries provided by each call will be put on the Annotations field,
// overwriting an existing map entries in Annotations field with the same key.
func (b *CELPolicyExceptionApplyConfiguration) WithAnnotations(entries map[string]string) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
if b.Annotations == nil && len(entries) > 0 {
b.Annotations = make(map[string]string, len(entries))
}
for k, v := range entries {
b.Annotations[k] = v
}
return b
}
// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
func (b *CELPolicyExceptionApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
for i := range values {
if values[i] == nil {
panic("nil value passed to WithOwnerReferences")
}
b.OwnerReferences = append(b.OwnerReferences, *values[i])
}
return b
}
// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Finalizers field.
func (b *CELPolicyExceptionApplyConfiguration) WithFinalizers(values ...string) *CELPolicyExceptionApplyConfiguration {
b.ensureObjectMetaApplyConfigurationExists()
for i := range values {
b.Finalizers = append(b.Finalizers, values[i])
}
return b
}
func (b *CELPolicyExceptionApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
if b.ObjectMetaApplyConfiguration == nil {
b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
}
}
// WithSpec sets the Spec field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Spec field is set to the value of the last call.
func (b *CELPolicyExceptionApplyConfiguration) WithSpec(value *CELPolicyExceptionSpecApplyConfiguration) *CELPolicyExceptionApplyConfiguration {
b.Spec = value
return b
}


@ -0,0 +1,59 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1alpha1
import (
v1 "k8s.io/api/admissionregistration/v1"
)
// CELPolicyExceptionSpecApplyConfiguration represents an declarative configuration of the CELPolicyExceptionSpec type for use
// with apply.
type CELPolicyExceptionSpecApplyConfiguration struct {
PolicyRefs []PolicyRefApplyConfiguration `json:"policyRefs,omitempty"`
MatchConditions []v1.MatchCondition `json:"matchConditions,omitempty"`
}
// CELPolicyExceptionSpecApplyConfiguration constructs an declarative configuration of the CELPolicyExceptionSpec type for use with
// apply.
func CELPolicyExceptionSpec() *CELPolicyExceptionSpecApplyConfiguration {
return &CELPolicyExceptionSpecApplyConfiguration{}
}
// WithPolicyRefs adds the given value to the PolicyRefs field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the PolicyRefs field.
func (b *CELPolicyExceptionSpecApplyConfiguration) WithPolicyRefs(values ...*PolicyRefApplyConfiguration) *CELPolicyExceptionSpecApplyConfiguration {
for i := range values {
if values[i] == nil {
panic("nil value passed to WithPolicyRefs")
}
b.PolicyRefs = append(b.PolicyRefs, *values[i])
}
return b
}
// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the MatchConditions field.
func (b *CELPolicyExceptionSpecApplyConfiguration) WithMatchConditions(values ...v1.MatchCondition) *CELPolicyExceptionSpecApplyConfiguration {
for i := range values {
b.MatchConditions = append(b.MatchConditions, values[i])
}
return b
}


@ -0,0 +1,48 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1alpha1
// PolicyRefApplyConfiguration represents an declarative configuration of the PolicyRef type for use
// with apply.
type PolicyRefApplyConfiguration struct {
Name *string `json:"name,omitempty"`
Kind *string `json:"kind,omitempty"`
}
// PolicyRefApplyConfiguration constructs an declarative configuration of the PolicyRef type for use with
// apply.
func PolicyRef() *PolicyRefApplyConfiguration {
return &PolicyRefApplyConfiguration{}
}
// WithName sets the Name field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Name field is set to the value of the last call.
func (b *PolicyRefApplyConfiguration) WithName(value string) *PolicyRefApplyConfiguration {
b.Name = &value
return b
}
// WithKind sets the Kind field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Kind field is set to the value of the last call.
func (b *PolicyRefApplyConfiguration) WithKind(value string) *PolicyRefApplyConfiguration {
b.Kind = &value
return b
}


@ -25,8 +25,9 @@ import (
// PolicyStatusApplyConfiguration represents an declarative configuration of the PolicyStatus type for use
// with apply.
type PolicyStatusApplyConfiguration struct {
Ready *bool `json:"ready,omitempty"`
Conditions []v1.Condition `json:"conditions,omitempty"`
Ready *bool `json:"ready,omitempty"`
Conditions []v1.Condition `json:"conditions,omitempty"`
Autogen *AutogenStatusApplyConfiguration `json:"autogen,omitempty"`
}
// PolicyStatusApplyConfiguration constructs an declarative configuration of the PolicyStatus type for use with
@ -52,3 +53,11 @@ func (b *PolicyStatusApplyConfiguration) WithConditions(values ...v1.Condition)
}
return b
}
// WithAutogen sets the Autogen field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Autogen field is set to the value of the last call.
func (b *PolicyStatusApplyConfiguration) WithAutogen(value *AutogenStatusApplyConfiguration) *PolicyStatusApplyConfiguration {
b.Autogen = value
return b
}


@ -273,6 +273,16 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &kyvernov2beta1.ValidationApplyConfiguration{}
// Group=policies.kyverno.io, Version=v1alpha1
case v1alpha1.SchemeGroupVersion.WithKind("AutogenRule"):
return &policieskyvernoiov1alpha1.AutogenRuleApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("AutogenStatus"):
return &policieskyvernoiov1alpha1.AutogenStatusApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("CELPolicyException"):
return &policieskyvernoiov1alpha1.CELPolicyExceptionApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("CELPolicyExceptionSpec"):
return &policieskyvernoiov1alpha1.CELPolicyExceptionSpecApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("PolicyRef"):
return &policieskyvernoiov1alpha1.PolicyRefApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("PolicyStatus"):
return &policieskyvernoiov1alpha1.PolicyStatusApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy"):


@ -0,0 +1,178 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
"time"
v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// CELPolicyExceptionsGetter has a method to return a CELPolicyExceptionInterface.
// A group's client should implement this interface.
type CELPolicyExceptionsGetter interface {
CELPolicyExceptions(namespace string) CELPolicyExceptionInterface
}
// CELPolicyExceptionInterface has methods to work with CELPolicyException resources.
type CELPolicyExceptionInterface interface {
Create(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.CreateOptions) (*v1alpha1.CELPolicyException, error)
Update(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.UpdateOptions) (*v1alpha1.CELPolicyException, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CELPolicyException, error)
List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CELPolicyExceptionList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CELPolicyException, err error)
CELPolicyExceptionExpansion
}
// cELPolicyExceptions implements CELPolicyExceptionInterface
type cELPolicyExceptions struct {
client rest.Interface
ns string
}
// newCELPolicyExceptions returns a CELPolicyExceptions
func newCELPolicyExceptions(c *PoliciesV1alpha1Client, namespace string) *cELPolicyExceptions {
return &cELPolicyExceptions{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the cELPolicyException, and returns the corresponding cELPolicyException object, and an error if there is any.
func (c *cELPolicyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CELPolicyException, err error) {
result = &v1alpha1.CELPolicyException{}
err = c.client.Get().
Namespace(c.ns).
Resource("celpolicyexceptions").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of CELPolicyExceptions that match those selectors.
func (c *cELPolicyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CELPolicyExceptionList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v1alpha1.CELPolicyExceptionList{}
err = c.client.Get().
Namespace(c.ns).
Resource("celpolicyexceptions").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested cELPolicyExceptions.
func (c *cELPolicyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("celpolicyexceptions").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a cELPolicyException and creates it. Returns the server's representation of the cELPolicyException, and an error, if there is any.
func (c *cELPolicyExceptions) Create(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.CreateOptions) (result *v1alpha1.CELPolicyException, err error) {
result = &v1alpha1.CELPolicyException{}
err = c.client.Post().
Namespace(c.ns).
Resource("celpolicyexceptions").
VersionedParams(&opts, scheme.ParameterCodec).
Body(cELPolicyException).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a cELPolicyException and updates it. Returns the server's representation of the cELPolicyException, and an error, if there is any.
func (c *cELPolicyExceptions) Update(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.UpdateOptions) (result *v1alpha1.CELPolicyException, err error) {
result = &v1alpha1.CELPolicyException{}
err = c.client.Put().
Namespace(c.ns).
Resource("celpolicyexceptions").
Name(cELPolicyException.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(cELPolicyException).
Do(ctx).
Into(result)
return
}
// Delete takes name of the cELPolicyException and deletes it. Returns an error if one occurs.
func (c *cELPolicyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("celpolicyexceptions").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *cELPolicyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("celpolicyexceptions").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched cELPolicyException.
func (c *cELPolicyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CELPolicyException, err error) {
result = &v1alpha1.CELPolicyException{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("celpolicyexceptions").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}


@ -0,0 +1,129 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
labels "k8s.io/apimachinery/pkg/labels"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
testing "k8s.io/client-go/testing"
)
// FakeCELPolicyExceptions implements CELPolicyExceptionInterface
type FakeCELPolicyExceptions struct {
Fake *FakePoliciesV1alpha1
ns string
}
var celpolicyexceptionsResource = v1alpha1.SchemeGroupVersion.WithResource("celpolicyexceptions")
var celpolicyexceptionsKind = v1alpha1.SchemeGroupVersion.WithKind("CELPolicyException")
// Get takes name of the cELPolicyException, and returns the corresponding cELPolicyException object, and an error if there is any.
func (c *FakeCELPolicyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CELPolicyException, err error) {
obj, err := c.Fake.
Invokes(testing.NewGetAction(celpolicyexceptionsResource, c.ns, name), &v1alpha1.CELPolicyException{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.CELPolicyException), err
}
// List takes label and field selectors, and returns the list of CELPolicyExceptions that match those selectors.
func (c *FakeCELPolicyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CELPolicyExceptionList, err error) {
obj, err := c.Fake.
Invokes(testing.NewListAction(celpolicyexceptionsResource, celpolicyexceptionsKind, c.ns, opts), &v1alpha1.CELPolicyExceptionList{})
if obj == nil {
return nil, err
}
label, _, _ := testing.ExtractFromListOptions(opts)
if label == nil {
label = labels.Everything()
}
list := &v1alpha1.CELPolicyExceptionList{ListMeta: obj.(*v1alpha1.CELPolicyExceptionList).ListMeta}
for _, item := range obj.(*v1alpha1.CELPolicyExceptionList).Items {
if label.Matches(labels.Set(item.Labels)) {
list.Items = append(list.Items, item)
}
}
return list, err
}
// Watch returns a watch.Interface that watches the requested cELPolicyExceptions.
func (c *FakeCELPolicyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
return c.Fake.
InvokesWatch(testing.NewWatchAction(celpolicyexceptionsResource, c.ns, opts))
}
// Create takes the representation of a cELPolicyException and creates it. Returns the server's representation of the cELPolicyException, and an error, if there is any.
func (c *FakeCELPolicyExceptions) Create(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.CreateOptions) (result *v1alpha1.CELPolicyException, err error) {
obj, err := c.Fake.
Invokes(testing.NewCreateAction(celpolicyexceptionsResource, c.ns, cELPolicyException), &v1alpha1.CELPolicyException{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.CELPolicyException), err
}
// Update takes the representation of a cELPolicyException and updates it. Returns the server's representation of the cELPolicyException, and an error, if there is any.
func (c *FakeCELPolicyExceptions) Update(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.UpdateOptions) (result *v1alpha1.CELPolicyException, err error) {
obj, err := c.Fake.
Invokes(testing.NewUpdateAction(celpolicyexceptionsResource, c.ns, cELPolicyException), &v1alpha1.CELPolicyException{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.CELPolicyException), err
}
// Delete takes name of the cELPolicyException and deletes it. Returns an error if one occurs.
func (c *FakeCELPolicyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
_, err := c.Fake.
Invokes(testing.NewDeleteActionWithOptions(celpolicyexceptionsResource, c.ns, name, opts), &v1alpha1.CELPolicyException{})
return err
}
// DeleteCollection deletes a collection of objects.
func (c *FakeCELPolicyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
action := testing.NewDeleteCollectionAction(celpolicyexceptionsResource, c.ns, listOpts)
_, err := c.Fake.Invokes(action, &v1alpha1.CELPolicyExceptionList{})
return err
}
// Patch applies the patch and returns the patched cELPolicyException.
func (c *FakeCELPolicyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CELPolicyException, err error) {
obj, err := c.Fake.
Invokes(testing.NewPatchSubresourceAction(celpolicyexceptionsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CELPolicyException{})
if obj == nil {
return nil, err
}
return obj.(*v1alpha1.CELPolicyException), err
}


@ -28,6 +28,10 @@ type FakePoliciesV1alpha1 struct {
*testing.Fake
}
func (c *FakePoliciesV1alpha1) CELPolicyExceptions(namespace string) v1alpha1.CELPolicyExceptionInterface {
return &FakeCELPolicyExceptions{c, namespace}
}
func (c *FakePoliciesV1alpha1) ValidatingPolicies() v1alpha1.ValidatingPolicyInterface {
return &FakeValidatingPolicies{c}
}


@ -18,4 +18,6 @@ limitations under the License.
package v1alpha1
type CELPolicyExceptionExpansion interface{}
type ValidatingPolicyExpansion interface{}


@ -28,6 +28,7 @@ import (
type PoliciesV1alpha1Interface interface {
RESTClient() rest.Interface
CELPolicyExceptionsGetter
ValidatingPoliciesGetter
}
@ -36,6 +37,10 @@ type PoliciesV1alpha1Client struct {
restClient rest.Interface
}
func (c *PoliciesV1alpha1Client) CELPolicyExceptions(namespace string) CELPolicyExceptionInterface {
return newCELPolicyExceptions(c, namespace)
}
func (c *PoliciesV1alpha1Client) ValidatingPolicies() ValidatingPolicyInterface {
return newValidatingPolicies(c)
}


@ -82,6 +82,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2alpha1().ValidatingPolicies().Informer()}, nil
// Group=policies.kyverno.io, Version=v1alpha1
case v1alpha1.SchemeGroupVersion.WithResource("celpolicyexceptions"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Policies().V1alpha1().CELPolicyExceptions().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("validatingpolicies"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Policies().V1alpha1().ValidatingPolicies().Informer()}, nil


@ -0,0 +1,90 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v1alpha1
import (
"context"
time "time"
policieskyvernoiov1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
v1alpha1 "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// CELPolicyExceptionInformer provides access to a shared informer and lister for
// CELPolicyExceptions.
type CELPolicyExceptionInformer interface {
Informer() cache.SharedIndexInformer
Lister() v1alpha1.CELPolicyExceptionLister
}
type cELPolicyExceptionInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewCELPolicyExceptionInformer constructs a new informer for CELPolicyException type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewCELPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredCELPolicyExceptionInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredCELPolicyExceptionInformer constructs a new informer for CELPolicyException type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredCELPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.PoliciesV1alpha1().CELPolicyExceptions(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.PoliciesV1alpha1().CELPolicyExceptions(namespace).Watch(context.TODO(), options)
},
},
&policieskyvernoiov1alpha1.CELPolicyException{},
resyncPeriod,
indexers,
)
}
func (f *cELPolicyExceptionInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredCELPolicyExceptionInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *cELPolicyExceptionInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&policieskyvernoiov1alpha1.CELPolicyException{}, f.defaultInformer)
}
func (f *cELPolicyExceptionInformer) Lister() v1alpha1.CELPolicyExceptionLister {
return v1alpha1.NewCELPolicyExceptionLister(f.Informer().GetIndexer())
}


@ -24,6 +24,8 @@ import (
// Interface provides access to all the informers in this group version.
type Interface interface {
// CELPolicyExceptions returns a CELPolicyExceptionInformer.
CELPolicyExceptions() CELPolicyExceptionInformer
// ValidatingPolicies returns a ValidatingPolicyInformer.
ValidatingPolicies() ValidatingPolicyInformer
}
@ -39,6 +41,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
}
// CELPolicyExceptions returns a CELPolicyExceptionInformer.
func (v *version) CELPolicyExceptions() CELPolicyExceptionInformer {
return &cELPolicyExceptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
// ValidatingPolicies returns a ValidatingPolicyInformer.
func (v *version) ValidatingPolicies() ValidatingPolicyInformer {
return &validatingPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}


@ -0,0 +1,99 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v1alpha1
import (
v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// CELPolicyExceptionLister helps list CELPolicyExceptions.
// All objects returned here must be treated as read-only.
type CELPolicyExceptionLister interface {
// List lists all CELPolicyExceptions in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error)
// CELPolicyExceptions returns an object that can list and get CELPolicyExceptions.
CELPolicyExceptions(namespace string) CELPolicyExceptionNamespaceLister
CELPolicyExceptionListerExpansion
}
// cELPolicyExceptionLister implements the CELPolicyExceptionLister interface.
type cELPolicyExceptionLister struct {
indexer cache.Indexer
}
// NewCELPolicyExceptionLister returns a new CELPolicyExceptionLister.
func NewCELPolicyExceptionLister(indexer cache.Indexer) CELPolicyExceptionLister {
return &cELPolicyExceptionLister{indexer: indexer}
}
// List lists all CELPolicyExceptions in the indexer.
func (s *cELPolicyExceptionLister) List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.CELPolicyException))
})
return ret, err
}
// CELPolicyExceptions returns an object that can list and get CELPolicyExceptions.
func (s *cELPolicyExceptionLister) CELPolicyExceptions(namespace string) CELPolicyExceptionNamespaceLister {
return cELPolicyExceptionNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// CELPolicyExceptionNamespaceLister helps list and get CELPolicyExceptions.
// All objects returned here must be treated as read-only.
type CELPolicyExceptionNamespaceLister interface {
// List lists all CELPolicyExceptions in the indexer for a given namespace.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error)
// Get retrieves the CELPolicyException from the indexer for a given namespace and name.
// Objects returned here must be treated as read-only.
Get(name string) (*v1alpha1.CELPolicyException, error)
CELPolicyExceptionNamespaceListerExpansion
}
// cELPolicyExceptionNamespaceLister implements the CELPolicyExceptionNamespaceLister
// interface.
type cELPolicyExceptionNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all CELPolicyExceptions in the indexer for a given namespace.
func (s cELPolicyExceptionNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v1alpha1.CELPolicyException))
})
return ret, err
}
// Get retrieves the CELPolicyException from the indexer for a given namespace and name.
func (s cELPolicyExceptionNamespaceLister) Get(name string) (*v1alpha1.CELPolicyException, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v1alpha1.Resource("celpolicyexception"), name)
}
return obj.(*v1alpha1.CELPolicyException), nil
}


@ -18,6 +18,14 @@ limitations under the License.
package v1alpha1
// CELPolicyExceptionListerExpansion allows custom methods to be added to
// CELPolicyExceptionLister.
type CELPolicyExceptionListerExpansion interface{}
// CELPolicyExceptionNamespaceListerExpansion allows custom methods to be added to
// CELPolicyExceptionNamespaceLister.
type CELPolicyExceptionNamespaceListerExpansion interface{}
// ValidatingPolicyListerExpansion allows custom methods to be added to
// ValidatingPolicyLister.
type ValidatingPolicyListerExpansion interface{}


@ -0,0 +1,337 @@
package resource
import (
context "context"
"fmt"
"time"
"github.com/go-logr/logr"
github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/metrics"
"github.com/kyverno/kyverno/pkg/tracing"
"go.opentelemetry.io/otel/trace"
"go.uber.org/multierr"
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
)
func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
return &withLogging{inner, logger}
}
func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
return &withMetrics{inner, recorder}
}
func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
return &withTracing{inner, client, kind}
}
type withLogging struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface
logger logr.Logger
}
func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Create")
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Create failed", "duration", time.Since(start))
} else {
logger.Info("Create done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
start := time.Now()
logger := c.logger.WithValues("operation", "Delete")
ret0 := c.inner.Delete(arg0, arg1, arg2)
if err := multierr.Combine(ret0); err != nil {
logger.Error(err, "Delete failed", "duration", time.Since(start))
} else {
logger.Info("Delete done", "duration", time.Since(start))
}
return ret0
}
func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
start := time.Now()
logger := c.logger.WithValues("operation", "DeleteCollection")
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
if err := multierr.Combine(ret0); err != nil {
logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
} else {
logger.Info("DeleteCollection done", "duration", time.Since(start))
}
return ret0
}
func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Get")
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Get failed", "duration", time.Since(start))
} else {
logger.Info("Get done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyExceptionList, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "List")
ret0, ret1 := c.inner.List(arg0, arg1)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "List failed", "duration", time.Since(start))
} else {
logger.Info("List done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Patch")
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Patch failed", "duration", time.Since(start))
} else {
logger.Info("Patch done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Update")
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Update failed", "duration", time.Since(start))
} else {
logger.Info("Update done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Watch")
ret0, ret1 := c.inner.Watch(arg0, arg1)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Watch failed", "duration", time.Since(start))
} else {
logger.Info("Watch done", "duration", time.Since(start))
}
return ret0, ret1
}
type withMetrics struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface
recorder metrics.Recorder
}
func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "create")
return c.inner.Create(arg0, arg1, arg2)
}
func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
defer c.recorder.RecordWithContext(arg0, "delete")
return c.inner.Delete(arg0, arg1, arg2)
}
func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
defer c.recorder.RecordWithContext(arg0, "delete_collection")
return c.inner.DeleteCollection(arg0, arg1, arg2)
}
func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "get")
return c.inner.Get(arg0, arg1, arg2)
}
func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyExceptionList, error) {
defer c.recorder.RecordWithContext(arg0, "list")
return c.inner.List(arg0, arg1)
}
func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "patch")
return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
}
func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "update")
return c.inner.Update(arg0, arg1, arg2)
}
func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
defer c.recorder.RecordWithContext(arg0, "watch")
return c.inner.Watch(arg0, arg1)
}
type withTracing struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface
client string
kind string
}
func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Create"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Delete"),
),
)
defer span.End()
}
ret0 := c.inner.Delete(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret0)
}
return ret0
}
func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("DeleteCollection"),
),
)
defer span.End()
}
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret0)
}
return ret0
}
func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Get"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyExceptionList, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("List"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.List(arg0, arg1)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Patch"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Update"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Watch"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Watch(arg0, arg1)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
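Review bot: The `withLogging` methods attach only `operation` and `duration` to each log line, so an entry for `Delete`, `Get` or `Patch` does not say which CELPolicyException was touched. Since an exception object presumably relaxes policy enforcement, the object name is worth having in the controller's own logs when changes are investigated later. For the methods whose `arg1` is the name this is a one-line change, e.g. `logger := c.logger.WithValues("operation", "Delete", "name", arg1)`. The `argN`/`retN` naming suggests this file is generator output, in which case the change belongs in the generator template rather than in this file.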


@ -3,6 +3,7 @@ package client
import (
"github.com/go-logr/logr"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1"
celpolicyexceptions "github.com/kyverno/kyverno/pkg/clients/kyverno/policiesv1alpha1/celpolicyexceptions"
validatingpolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/policiesv1alpha1/validatingpolicies"
"github.com/kyverno/kyverno/pkg/metrics"
"k8s.io/client-go/rest"
@ -29,6 +30,10 @@ type withMetrics struct {
func (c *withMetrics) RESTClient() rest.Interface {
return c.inner.RESTClient()
}
func (c *withMetrics) CELPolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "CELPolicyException", c.clientType)
return celpolicyexceptions.WithMetrics(c.inner.CELPolicyExceptions(namespace), recorder)
}
func (c *withMetrics) ValidatingPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.ValidatingPolicyInterface {
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ValidatingPolicy", c.clientType)
return validatingpolicies.WithMetrics(c.inner.ValidatingPolicies(), recorder)
@ -42,6 +47,9 @@ type withTracing struct {
func (c *withTracing) RESTClient() rest.Interface {
return c.inner.RESTClient()
}
func (c *withTracing) CELPolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
return celpolicyexceptions.WithTracing(c.inner.CELPolicyExceptions(namespace), c.client, "CELPolicyException")
}
func (c *withTracing) ValidatingPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.ValidatingPolicyInterface {
return validatingpolicies.WithTracing(c.inner.ValidatingPolicies(), c.client, "ValidatingPolicy")
}
@ -54,6 +62,9 @@ type withLogging struct {
func (c *withLogging) RESTClient() rest.Interface {
return c.inner.RESTClient()
}
func (c *withLogging) CELPolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
return celpolicyexceptions.WithLogging(c.inner.CELPolicyExceptions(namespace), c.logger.WithValues("resource", "CELPolicyExceptions").WithValues("namespace", namespace))
}
func (c *withLogging) ValidatingPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.ValidatingPolicyInterface {
return validatingpolicies.WithLogging(c.inner.ValidatingPolicies(), c.logger.WithValues("resource", "ValidatingPolicies"))
}


@ -12,9 +12,9 @@ import (
"github.com/kyverno/kyverno/pkg/autogen"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/controllers"
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
@ -52,7 +52,7 @@ type controller struct {
// listers
polLister kyvernov1listers.PolicyLister
cpolLister kyvernov1listers.ClusterPolicyLister
vpolLister kyvernov2alpha1listers.ValidatingPolicyLister
vpolLister policiesv1alpha1listers.ValidatingPolicyLister
vapLister admissionregistrationv1listers.ValidatingAdmissionPolicyLister
ephrLister cache.GenericLister
cephrLister cache.GenericLister
@ -73,7 +73,7 @@ func NewController(
metadataFactory metadatainformers.SharedInformerFactory,
polInformer kyvernov1informers.PolicyInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer,
) controllers.Controller {
ephrInformer := metadataFactory.ForResource(reportsv1.SchemeGroupVersion.WithResource("ephemeralreports"))


@ -8,17 +8,17 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
"github.com/kyverno/kyverno/pkg/breaker"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/controllers"
@ -63,7 +63,7 @@ type controller struct {
// listers
polLister kyvernov1listers.PolicyLister
cpolLister kyvernov1listers.ClusterPolicyLister
vpolLister kyvernov2alpha1listers.ValidatingPolicyLister
vpolLister policiesv1alpha1listers.ValidatingPolicyLister
polexLister kyvernov2listers.PolicyExceptionLister
vapLister admissionregistrationv1listers.ValidatingAdmissionPolicyLister
vapBindingLister admissionregistrationv1listers.ValidatingAdmissionPolicyBindingLister
@ -94,7 +94,7 @@ func NewController(
metadataFactory metadatainformers.SharedInformerFactory,
polInformer kyvernov1informers.PolicyInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
polexInformer kyvernov2informers.PolicyExceptionInformer,
vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer,
vapBindingInformer admissionregistrationv1informers.ValidatingAdmissionPolicyBindingInformer,
@ -208,17 +208,17 @@ func (c *controller) deleteException(obj *kyvernov2.PolicyException) {
c.enqueueResources()
}
func (c *controller) addVP(obj *kyvernov2alpha1.ValidatingPolicy) {
func (c *controller) addVP(obj *policiesv1alpha1.ValidatingPolicy) {
c.enqueueResources()
}
func (c *controller) updateVP(old, obj *kyvernov2alpha1.ValidatingPolicy) {
func (c *controller) updateVP(old, obj *policiesv1alpha1.ValidatingPolicy) {
if old.GetResourceVersion() != obj.GetResourceVersion() {
c.enqueueResources()
}
}
func (c *controller) deleteVP(obj *kyvernov2alpha1.ValidatingPolicy) {
func (c *controller) deleteVP(obj *policiesv1alpha1.ValidatingPolicy) {
c.enqueueResources()
}


@ -10,9 +10,9 @@ import (
"github.com/go-logr/logr"
"github.com/kyverno/kyverno/pkg/admissionpolicy"
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/controllers"
"github.com/kyverno/kyverno/pkg/controllers/report/utils"
@ -81,7 +81,7 @@ type controller struct {
// listers
polLister kyvernov1listers.PolicyLister
cpolLister kyvernov1listers.ClusterPolicyLister
vpolLister kyvernov2alpha1listers.ValidatingPolicyLister
vpolLister policiesv1alpha1listers.ValidatingPolicyLister
vapLister admissionregistrationv1listers.ValidatingAdmissionPolicyLister
// queue
@ -96,7 +96,7 @@ func NewController(
client dclient.Interface,
polInformer kyvernov1informers.PolicyInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer,
) Controller {
c := controller{


@ -4,12 +4,12 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
"github.com/kyverno/kyverno/pkg/autogen"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@ -151,8 +151,8 @@ func FetchValidatingAdmissionPolicyBindings(vapBindingLister admissionregistrati
return bindings, nil
}
func FetchValidatingPolicies(vpolLister kyvernov2alpha1listers.ValidatingPolicyLister) ([]kyvernov2alpha1.ValidatingPolicy, error) {
var policies []kyvernov2alpha1.ValidatingPolicy
func FetchValidatingPolicies(vpolLister policiesv1alpha1listers.ValidatingPolicyLister) ([]policiesv1alpha1.ValidatingPolicy, error) {
var policies []policiesv1alpha1.ValidatingPolicy
if pols, err := vpolLister.List(labels.Everything()); err != nil {
return nil, err
} else {


@ -11,14 +11,17 @@ import (
"github.com/kyverno/kyverno/api/kyverno"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/ext/wildcard"
"github.com/kyverno/kyverno/pkg/autogen"
vpolautogen "github.com/kyverno/kyverno/pkg/cel/autogen"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/controllers"
@ -100,7 +103,7 @@ type controller struct {
vwcLister admissionregistrationv1listers.ValidatingWebhookConfigurationLister
cpolLister kyvernov1listers.ClusterPolicyLister
polLister kyvernov1listers.PolicyLister
vpolLister kyvernov2alpha1listers.ValidatingPolicyLister
vpolLister policiesv1alpha1listers.ValidatingPolicyLister
deploymentLister appsv1listers.DeploymentLister
secretLister corev1listers.SecretLister
leaseLister coordinationv1listers.LeaseLister
@ -143,7 +146,7 @@ func NewController(
vwcInformer admissionregistrationv1informers.ValidatingWebhookConfigurationInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
polInformer kyvernov1informers.PolicyInformer,
vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
deploymentInformer appsv1informers.DeploymentInformer,
secretInformer corev1informers.SecretInformer,
leaseInformer coordinationv1informers.LeaseInformer,
@ -382,7 +385,7 @@ func (c *controller) recordPolicyState(webhookConfigurationName string, policies
}
}
func (c *controller) recordValidatingPolicyState(validatingpolicies ...kyvernov2alpha1.GenericPolicy) {
func (c *controller) recordValidatingPolicyState(validatingpolicies ...policiesv1alpha1.GenericPolicy) {
c.vpolState = make(map[string]bool)
for _, policy := range validatingpolicies {
c.vpolState[policy.GetName()] = true
@ -661,9 +664,9 @@ func (c *controller) updateValidatingPolicyStatuses(ctx context.Context) error {
return err
}
updateStatusFunc := func(vpol kyvernov2alpha1.GenericPolicy) error {
updateStatusFunc := func(vpol policiesv1alpha1.GenericPolicy) error {
status := vpol.GetStatus()
status.SetReadyByCondition(kyvernov2alpha1.PolicyConditionTypeWebhookConfigured, metav1.ConditionTrue, "Webhook configured")
status.SetReadyByCondition(policiesv1alpha1.PolicyConditionTypeWebhookConfigured, metav1.ConditionTrue, "Webhook configured")
status.Autogen.Rules = nil
rules := vpolautogen.ComputeRules(vpol)
status.Autogen.Rules = append(status.Autogen.Rules, rules...)
@ -677,12 +680,12 @@ func (c *controller) updateValidatingPolicyStatuses(ctx context.Context) error {
}
err := controllerutils.UpdateStatus(
ctx,
vpol.(*kyvernov2alpha1.ValidatingPolicy),
c.kyvernoClient.KyvernoV2alpha1().ValidatingPolicies(),
func(vpol *kyvernov2alpha1.ValidatingPolicy) error {
vpol.(*policiesv1alpha1.ValidatingPolicy),
c.kyvernoClient.PoliciesV1alpha1().ValidatingPolicies(),
func(vpol *policiesv1alpha1.ValidatingPolicy) error {
return updateStatusFunc(vpol)
},
func(a *kyvernov2alpha1.ValidatingPolicy, b *kyvernov2alpha1.ValidatingPolicy) bool {
func(a *policiesv1alpha1.ValidatingPolicy, b *policiesv1alpha1.ValidatingPolicy) bool {
return datautils.DeepEqual(a.Status, b.Status)
},
)
@ -1136,13 +1139,13 @@ func (c *controller) getAllPolicies() ([]kyvernov1.PolicyInterface, error) {
return policies, nil
}
func (c *controller) getValidatingPolicies() ([]kyvernov2alpha1.GenericPolicy, error) {
func (c *controller) getValidatingPolicies() ([]policiesv1alpha1.GenericPolicy, error) {
validatingpolicies, err := c.vpolLister.List(labels.Everything())
if err != nil {
return nil, err
}
vpols := make([]kyvernov2alpha1.GenericPolicy, 0)
vpols := make([]policiesv1alpha1.GenericPolicy, 0)
for _, vpol := range validatingpolicies {
vpols = append(vpols, vpol)
}
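Review bot: The bare assertion `vpol.(*policiesv1alpha1.ValidatingPolicy)` passed to `controllerutils.UpdateStatus` in `updateValidatingPolicyStatuses` panics the webhook controller if any other `GenericPolicy` implementation ever reaches it, rather than returning an error from the reconcile. I would use the two-value form, `vp, ok := vpol.(*policiesv1alpha1.ValidatingPolicy)`, and return an error when `ok` is false. The same unchecked assertion sits in `buildWebhookRules` around `autogen.ComputeRules(...)`, where it looks avoidable because this file already calls `vpolautogen.ComputeRules(vpol)` with the interface value; whether other implementers exist is not visible here. Both function bodies start and end outside the hunks shown.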


@ -1,14 +1,14 @@
package webhook
import (
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/cel/autogen"
"github.com/kyverno/kyverno/pkg/config"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/utils/ptr"
)
func buildWebhookRules(cfg config.Configuration, server string, servicePort int32, caBundle []byte, vpols []kyvernov2alpha1.GenericPolicy) (webhooks []admissionregistrationv1.ValidatingWebhook) {
func buildWebhookRules(cfg config.Configuration, server string, servicePort int32, caBundle []byte, vpols []policiesv1alpha1.GenericPolicy) (webhooks []admissionregistrationv1.ValidatingWebhook) {
var (
webhookIgnoreList []admissionregistrationv1.ValidatingWebhook
webhookFailList []admissionregistrationv1.ValidatingWebhook
@ -49,7 +49,7 @@ func buildWebhookRules(cfg config.Configuration, server string, servicePort int3
webhook.Rules = append(webhook.Rules, match.RuleWithOperations)
}
for _, rule := range autogen.ComputeRules(vpol.(*kyvernov2alpha1.ValidatingPolicy)) {
for _, rule := range autogen.ComputeRules(vpol.(*policiesv1alpha1.ValidatingPolicy)) {
for _, match := range rule.MatchConstraints.ResourceRules {
webhook.Rules = append(webhook.Rules, match.RuleWithOperations)
}


@ -3,7 +3,7 @@ package webhook
import (
"testing"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/config"
"github.com/stretchr/testify/assert"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@ -14,14 +14,14 @@ import (
func TestBuildWebhookRules(t *testing.T) {
tests := []struct {
name string
vpols []*kyvernov2alpha1.ValidatingPolicy
vpols []*policiesv1alpha1.ValidatingPolicy
expectedWebhooks []admissionregistrationv1.ValidatingWebhook
}{
{
name: "Single Ignore Policy",
vpols: []*kyvernov2alpha1.ValidatingPolicy{
vpols: []*policiesv1alpha1.ValidatingPolicy{
{
Spec: kyvernov2alpha1.ValidatingPolicySpec{
Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
FailurePolicy: ptr.To(admissionregistrationv1.Ignore),
MatchConstraints: &admissionregistrationv1.MatchResources{
@ -63,9 +63,9 @@ func TestBuildWebhookRules(t *testing.T) {
},
{
name: "Single Fail Policy",
vpols: []*kyvernov2alpha1.ValidatingPolicy{
vpols: []*policiesv1alpha1.ValidatingPolicy{
{
Spec: kyvernov2alpha1.ValidatingPolicySpec{
Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
FailurePolicy: ptr.To(admissionregistrationv1.Fail),
MatchConstraints: &admissionregistrationv1.MatchResources{
@ -107,13 +107,13 @@ func TestBuildWebhookRules(t *testing.T) {
},
{
name: "Fine-Grained Ignore Policy",
vpols: []*kyvernov2alpha1.ValidatingPolicy{
vpols: []*policiesv1alpha1.ValidatingPolicy{
{
ObjectMeta: metav1.ObjectMeta{
Name: "test-fine-grained-ignore",
},
Spec: kyvernov2alpha1.ValidatingPolicySpec{
WebhookConfiguration: &kyvernov2alpha1.WebhookConfiguration{
Spec: policiesv1alpha1.ValidatingPolicySpec{
WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{
TimeoutSeconds: ptr.To(int32(30)),
},
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
@ -161,13 +161,13 @@ func TestBuildWebhookRules(t *testing.T) {
},
{
name: "Fine-Grained Fail Policy",
vpols: []*kyvernov2alpha1.ValidatingPolicy{
vpols: []*policiesv1alpha1.ValidatingPolicy{
{
ObjectMeta: metav1.ObjectMeta{
Name: "test-fine-grained-fail",
},
Spec: kyvernov2alpha1.ValidatingPolicySpec{
WebhookConfiguration: &kyvernov2alpha1.WebhookConfiguration{
Spec: policiesv1alpha1.ValidatingPolicySpec{
WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{
TimeoutSeconds: ptr.To(int32(20)),
},
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
@ -229,7 +229,7 @@ func TestBuildWebhookRules(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
var vpols []kyvernov2alpha1.GenericPolicy
var vpols []policiesv1alpha1.GenericPolicy
for _, vpol := range tt.vpols {
vpols = append(vpols, vpol)
}


@ -2,7 +2,7 @@ package api
import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -25,7 +25,7 @@ type GenericPolicy interface {
// AsValidatingAdmissionPolicy returns the validating admission policy
AsValidatingAdmissionPolicy() *admissionregistrationv1.ValidatingAdmissionPolicy
// AsValidatingPolicy returns the validating policy
AsValidatingPolicy() *kyvernov2alpha1.ValidatingPolicy
AsValidatingPolicy() *policiesv1alpha1.ValidatingPolicy
}
type genericPolicy struct {
@ -33,7 +33,7 @@ type genericPolicy struct {
PolicyInterface kyvernov1.PolicyInterface
ValidatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy
MutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy
ValidatingPolicy *kyvernov2alpha1.ValidatingPolicy
ValidatingPolicy *policiesv1alpha1.ValidatingPolicy
}
func (p *genericPolicy) AsObject() any {
@ -48,7 +48,7 @@ func (p *genericPolicy) AsValidatingAdmissionPolicy() *admissionregistrationv1.V
return p.ValidatingAdmissionPolicy
}
func (p *genericPolicy) AsValidatingPolicy() *kyvernov2alpha1.ValidatingPolicy {
func (p *genericPolicy) AsValidatingPolicy() *policiesv1alpha1.ValidatingPolicy {
return p.ValidatingPolicy
}
@ -61,7 +61,7 @@ func (p *genericPolicy) GetAPIVersion() string {
case p.MutatingAdmissionPolicy != nil:
return admissionregistrationv1alpha1.SchemeGroupVersion.String()
case p.ValidatingPolicy != nil:
return kyvernov2alpha1.GroupVersion.String()
return policiesv1alpha1.GroupVersion.String()
}
return ""
}
@ -109,7 +109,7 @@ func NewMutatingAdmissionPolicy(pol *admissionregistrationv1alpha1.MutatingAdmis
}
}
func NewValidatingPolicy(pol *kyvernov2alpha1.ValidatingPolicy) GenericPolicy {
func NewValidatingPolicy(pol *policiesv1alpha1.ValidatingPolicy) GenericPolicy {
return &genericPolicy{
Object: pol,
ValidatingPolicy: pol,


@ -1,21 +1,21 @@
package admission
import (
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/util/json"
)
func UnmarshalCELPolicyException(raw []byte) (*kyvernov2alpha1.CELPolicyException, error) {
var exception *kyvernov2alpha1.CELPolicyException
func UnmarshalCELPolicyException(raw []byte) (*policiesv1alpha1.CELPolicyException, error) {
var exception *policiesv1alpha1.CELPolicyException
if err := json.Unmarshal(raw, &exception); err != nil {
return nil, err
}
return exception, nil
}
func GetCELPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2alpha1.CELPolicyException, *kyvernov2alpha1.CELPolicyException, error) {
var empty *kyvernov2alpha1.CELPolicyException
func GetCELPolicyExceptions(request admissionv1.AdmissionRequest) (*policiesv1alpha1.CELPolicyException, *policiesv1alpha1.CELPolicyException, error) {
var empty *policiesv1alpha1.CELPolicyException
exception, err := UnmarshalCELPolicyException(request.Object.Raw)
if err != nil {
return exception, empty, err
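Review bot: `UnmarshalCELPolicyException` decodes into a nil `*policiesv1alpha1.CELPolicyException`, so a payload that is the JSON literal `null` returns `(nil, nil)` and the caller gets no error to act on. Since `GetCELPolicyExceptions` feeds it `request.Object.Raw` straight from the admission request, I would decode into a value, `var exception policiesv1alpha1.CELPolicyException`, and return `&exception`, or reject a nil result explicitly. Neither exported function has a doc comment; one line each saying what the two returned exceptions are (presumably the new and old object, the rest of the body is outside the hunk) would help.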


@ -6,7 +6,7 @@ import (
"k8s.io/apimachinery/pkg/util/json"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/runtime"
)
@ -56,7 +56,7 @@ func Test_UnmarshalCELPolicyException(t *testing.T) {
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
var exception *kyvernov2alpha1.CELPolicyException
var exception *policiesv1alpha1.CELPolicyException
json.Unmarshal(test.raw, &exception)
if !reflect.DeepEqual(result, exception) {
t.Errorf("Expected %+v, got %+v", exception, result)
@ -155,7 +155,7 @@ func TestGetCELPolicyExceptions(t *testing.T) {
for _, test := range testCases {
t.Run(test.name, func(t *testing.T) {
p1, p2, _ := GetCELPolicyExceptions(test.args.request)
var empty *kyvernov2alpha1.CELPolicyException
var empty *policiesv1alpha1.CELPolicyException
expectedP1, err := UnmarshalCELPolicyException(test.args.request.Object.Raw)
if err != nil {
expectedP2 := empty


@ -4,7 +4,7 @@ import (
"fmt"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
extyaml "github.com/kyverno/kyverno/ext/yaml"
log "github.com/kyverno/kyverno/pkg/logging"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@ -18,7 +18,7 @@ func GetPolicy(bytes []byte) (
policies []kyvernov1.PolicyInterface,
validatingAdmissionPolicies []admissionregistrationv1.ValidatingAdmissionPolicy,
validatingAdmissionPolicyBindings []admissionregistrationv1.ValidatingAdmissionPolicyBinding,
validatingPolicies []kyvernov2alpha1.ValidatingPolicy,
validatingPolicies []policiesv1alpha1.ValidatingPolicy,
err error,
) {
documents, err := extyaml.SplitDocuments(bytes)
@ -84,7 +84,7 @@ func parse(obj unstructured.Unstructured) (
*admissionregistrationv1.ValidatingAdmissionPolicy,
*admissionregistrationv1.ValidatingAdmissionPolicyBinding,
kyvernov1.PolicyInterface,
*kyvernov2alpha1.ValidatingPolicy,
*policiesv1alpha1.ValidatingPolicy,
error,
) {
switch obj.GetKind() {
@ -159,8 +159,8 @@ func parseClusterPolicy(obj unstructured.Unstructured) (*kyvernov1.ClusterPolicy
return &out, nil
}
func parseValidatingPolicy(obj unstructured.Unstructured) (*kyvernov2alpha1.ValidatingPolicy, error) {
var out kyvernov2alpha1.ValidatingPolicy
func parseValidatingPolicy(obj unstructured.Unstructured) (*policiesv1alpha1.ValidatingPolicy, error) {
var out policiesv1alpha1.ValidatingPolicy
if err := runtime.DefaultUnstructuredConverter.FromUnstructuredWithValidation(obj.Object, &out, true); err != nil {
return nil, fmt.Errorf("failed to decode policy: %v", err)
}
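Review bot: `parse` dispatches on `obj.GetKind()` alone in the lines shown, and `parseValidatingPolicy` then converts the object without looking at its group, so a manifest still carrying the old `apiVersion: kyverno.io/v2alpha1` may be decoded as a `policies.kyverno.io/v1alpha1` policy. If the rest of the switch (outside this hunk) does not already check it, I would add a guard at the top of `parseValidatingPolicy`, `if obj.GetAPIVersion() != policiesv1alpha1.GroupVersion.String() { return nil, fmt.Errorf("unsupported apiVersion %q", obj.GetAPIVersion()) }`. That keeps the CLI from reporting results for a policy that the cluster may not serve under that version.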


@ -71,7 +71,7 @@ func Test_Validate(t *testing.T) {
Namespace: "kyverno",
},
resource: []byte(`{
"apiVersion": "kyverno.io/v2alpha1",
"apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "CELPolicyException",
"metadata": {
"name": "pod-security-exception",
@ -102,7 +102,7 @@ func Test_Validate(t *testing.T) {
Namespace: "kyverno",
},
resource: []byte(`{
"apiVersion": "kyverno.io/v2alpha1",
"apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "CELPolicyException",
"metadata": {
"name": "pod-security-exception",
@ -133,7 +133,7 @@ func Test_Validate(t *testing.T) {
Namespace: "delta",
},
resource: []byte(`{
"apiVersion": "kyverno.io/v2alpha1",
"apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "CELPolicyException",
"metadata": {
"name": "pod-security-exception",
@ -164,7 +164,7 @@ func Test_Validate(t *testing.T) {
Namespace: "*",
},
resource: []byte(`{
"apiVersion": "kyverno.io/v2alpha1",
"apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "CELPolicyException",
"metadata": {
"name": "pod-security-exception",


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-replicas


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-host-path


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: CELPolicyException
metadata:
name: pod-security-exception


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: CELPolicyException
metadata:
name: pod-security-exception


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels