diff --git a/Makefile b/Makefile
index 7882fb90fe..c71f0adcd8 100644
--- a/Makefile
+++ b/Makefile
@@ -517,6 +517,14 @@ codegen-crds-kyverno: $(CONTROLLER_GEN)
@rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno
@GOPATH=$(GOPATH_SHIM) $(CONTROLLER_GEN) paths=./api/kyverno/v1/... paths=./api/kyverno/v1beta1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno
+.PHONY: codegen-crds-policies
+codegen-crds-policies: ## Generate policies CRDs
+codegen-crds-policies: $(PACKAGE_SHIM)
+codegen-crds-policies: $(CONTROLLER_GEN)
+ @echo Generate policies crds... >&2
+ @rm -rf $(CRDS_PATH)/policies.kyverno.io && mkdir -p $(CRDS_PATH)/policies.kyverno.io
+ @GOPATH=$(GOPATH_SHIM) $(CONTROLLER_GEN) paths=./api/policies.kyverno.io/v1alpha1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/policies.kyverno.io
+
.PHONY: codegen-crds-policyreport
codegen-crds-policyreport: ## Generate policy reports CRDs
codegen-crds-policyreport: $(PACKAGE_SHIM)
@@ -542,7 +550,7 @@ codegen-crds-cli: $(CONTROLLER_GEN)
@GOPATH=$(GOPATH_SHIM) $(CONTROLLER_GEN) paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
.PHONY: codegen-crds-all
-codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-cli-crds ## Generate all CRDs
+codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-crds-policies codegen-cli-crds ## Generate all CRDs
.PHONY: codegen-helm-docs
codegen-helm-docs: ## Generate helm docs
@@ -586,14 +594,15 @@ codegen-cli-docs: $(CLI_BIN) ## Generate CLI docs
.PHONY: codegen-cli-crds
codegen-cli-crds: ## Copy generated CRDs to embed in the CLI
codegen-cli-crds: codegen-crds-kyverno
+codegen-cli-crds: codegen-crds-policies
codegen-cli-crds: codegen-crds-cli
@echo Copy generated CRDs to embed in the CLI... >&2
@rm -rf cmd/cli/kubectl-kyverno/data/crds && mkdir -p cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_clusterpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_policies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp config/crds/kyverno/kyverno.io_policyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
- @cp config/crds/kyverno/kyverno.io_celpolicyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
- @cp config/crds/kyverno/kyverno.io_validatingpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
+ @cp config/crds/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
+ @cp config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
@cp cmd/cli/kubectl-kyverno/config/crds/* cmd/cli/kubectl-kyverno/data/crds
.PHONY: codegen-docs-all
@@ -631,15 +640,16 @@ codegen-helm-crds: codegen-crds-all ## Generate helm CRDs
@rm -rf ./charts/kyverno/charts/crds/templates/kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/kyverno.io
@rm -rf ./charts/kyverno/charts/crds/templates/reports.kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/reports.kyverno.io
@rm -rf ./charts/kyverno/charts/crds/templates/wgpolicyk8s.io && mkdir -p ./charts/kyverno/charts/crds/templates/wgpolicyk8s.io
+ @rm -rf ./charts/kyverno/charts/crds/templates/policies.kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/policies.kyverno.io
$(call generate_crd,kyverno.io_cleanuppolicies.yaml,kyverno,kyverno.io,kyverno,cleanuppolicies)
$(call generate_crd,kyverno.io_clustercleanuppolicies.yaml,kyverno,kyverno.io,kyverno,clustercleanuppolicies)
$(call generate_crd,kyverno.io_clusterpolicies.yaml,kyverno,kyverno.io,kyverno,clusterpolicies)
$(call generate_crd,kyverno.io_globalcontextentries.yaml,kyverno,kyverno.io,kyverno,globalcontextentries)
$(call generate_crd,kyverno.io_policies.yaml,kyverno,kyverno.io,kyverno,policies)
$(call generate_crd,kyverno.io_policyexceptions.yaml,kyverno,kyverno.io,kyverno,policyexceptions)
- $(call generate_crd,kyverno.io_celpolicyexceptions.yaml,kyverno,kyverno.io,kyverno,celpolicyexceptions)
$(call generate_crd,kyverno.io_updaterequests.yaml,kyverno,kyverno.io,kyverno,updaterequests)
- $(call generate_crd,kyverno.io_validatingpolicies.yaml,kyverno,kyverno.io,kyverno,validatingpolicies)
+ $(call generate_crd,policies.kyverno.io_celpolicyexceptions.yaml,policies.kyverno.io,policies.kyverno.io,policies,celpolicyexceptions)
+ $(call generate_crd,policies.kyverno.io_validatingpolicies.yaml,policies.kyverno.io,policies.kyverno.io,policies,validatingpolicies)
$(call generate_crd,reports.kyverno.io_clusterephemeralreports.yaml,reports,reports.kyverno.io,reports,clusterephemeralreports)
$(call generate_crd,reports.kyverno.io_ephemeralreports.yaml,reports,reports.kyverno.io,reports,ephemeralreports)
$(call generate_crd,wgpolicyk8s.io_clusterpolicyreports.yaml,policyreport,wgpolicyk8s.io,wgpolicyk8s,clusterpolicyreports)
diff --git a/api/policies.kyverno.io/v1alpha1/policy_exception.go b/api/policies.kyverno.io/v1alpha1/policy_exception.go
new file mode 100644
index 0000000000..1c794937c0
--- /dev/null
+++ b/api/policies.kyverno.io/v1alpha1/policy_exception.go
@@ -0,0 +1,80 @@
+package v1alpha1
+
+import (
+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PolicyException declares resources to be excluded from specified policies.
+type CELPolicyException struct {
+ metav1.TypeMeta `json:",inline,omitempty"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec declares policy exception behaviors.
+ Spec CELPolicyExceptionSpec `json:"spec"`
+}
+
+func (p *CELPolicyException) GetKind() string {
+ return "CELPolicyException"
+}
+
+// Validate implements programmatic validation
+func (p *CELPolicyException) Validate() (errs field.ErrorList) {
+ errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
+ return errs
+}
+
+// PolicyExceptionSpec stores policy exception spec
+type CELPolicyExceptionSpec struct {
+ // PolicyRefs identifies the policies to which the exception is applied.
+ PolicyRefs []PolicyRef `json:"policyRefs"`
+
+ // MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.
+ // +optional
+ MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`
+}
+
+// Validate implements programmatic validation
+func (p *CELPolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList) {
+ if len(p.PolicyRefs) == 0 {
+ errs = append(errs, field.Invalid(path.Child("policyRefs"), p.PolicyRefs, "must specify at least one policy ref"))
+ } else {
+ for i, policyRef := range p.PolicyRefs {
+ errs = append(errs, policyRef.Validate(path.Child("policyRefs").Index(i))...)
+ }
+ }
+ return errs
+}
+
+type PolicyRef struct {
+ // Name is the name of the policy
+ Name string `json:"name"`
+
+ // Kind is the kind of the policy
+ Kind string `json:"kind"`
+}
+
+func (p *PolicyRef) Validate(path *field.Path) (errs field.ErrorList) {
+ if p.Name == "" {
+ errs = append(errs, field.Invalid(path.Child("name"), p.Name, "must specify policy name"))
+ }
+ if p.Kind == "" {
+ errs = append(errs, field.Invalid(path.Child("kind"), p.Kind, "must specify policy kind"))
+ }
+ return errs
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CELPolicyExceptionList is a list of Policy Exceptions
+type CELPolicyExceptionList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata"`
+ Items []CELPolicyException `json:"items"`
+}
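Review bot: CELPolicyExceptionSpec.Validate checks only policyRefs; the matchConditions entries declared on L106 are never inspected, so an exception whose CEL condition has an empty name or expression passes programmatic validation and is only caught, if at all, when the engine compiles it. Add a loop over MatchConditions next to the policyRefs check (rewrite below), and consider whether PolicyRef.Kind (L126) should be restricted to the policy kinds this group defines rather than any string. The doc comments on L80 and L99 name `PolicyException` and `PolicyExceptionSpec` while the types are `CELPolicyException` and `CELPolicyExceptionSpec`; godoc expects `// CELPolicyException declares resources to be excluded from specified policies.` and `// CELPolicyExceptionSpec stores policy exception spec`. GetKind, PolicyRef and PolicyRef.Validate carry no doc comment at all.
```go
func (p *CELPolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList) {
	// … unchanged: policyRefs presence and per-ref validation …
	for i, mc := range p.MatchConditions {
		mcPath := path.Child("matchConditions").Index(i)
		if mc.Name == "" {
			errs = append(errs, field.Required(mcPath.Child("name"), "must specify match condition name"))
		}
		if mc.Expression == "" {
			errs = append(errs, field.Required(mcPath.Child("expression"), "must specify match condition expression"))
		}
	}
	return errs
}
```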
diff --git a/api/policies.kyverno.io/v1alpha1/policy_interface.go b/api/policies.kyverno.io/v1alpha1/policy_interface.go
new file mode 100644
index 0000000000..da782730a5
--- /dev/null
+++ b/api/policies.kyverno.io/v1alpha1/policy_interface.go
@@ -0,0 +1,18 @@
+package v1alpha1
+
+import (
+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:generate=false
+type GenericPolicy interface {
+ metav1.Object
+ GetMatchConstraints() admissionregistrationv1.MatchResources
+ GetMatchConditions() []admissionregistrationv1.MatchCondition
+ GetFailurePolicy() admissionregistrationv1.FailurePolicyType
+ GetWebhookConfiguration() *WebhookConfiguration
+ GetVariables() []admissionregistrationv1.Variable
+ GetSpec() *ValidatingPolicySpec
+ GetStatus() *PolicyStatus
+}
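Review bot: GenericPolicy is an exported interface with no doc comment, and its `GetSpec() *ValidatingPolicySpec` method (L169) binds the "generic" interface to one concrete policy type, which any second policy kind added to this group would be unable to satisfy. Either document that the interface is currently ValidatingPolicy-only or move GetSpec off it. A minimal header would be `// GenericPolicy is the accessor set shared by policy kinds in this group; it is not a generated API object (object:generate=false).`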
diff --git a/api/policies.kyverno.io/v1alpha1/policy_status.go b/api/policies.kyverno.io/v1alpha1/policy_status.go
index e8d7cebfc3..96a3c4b8b5 100644
--- a/api/policies.kyverno.io/v1alpha1/policy_status.go
+++ b/api/policies.kyverno.io/v1alpha1/policy_status.go
@@ -1,6 +1,7 @@
package v1alpha1
import (
+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/apimachinery/pkg/api/meta"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@@ -21,6 +22,23 @@ type PolicyStatus struct {
// +optional
Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+ // +optional
+ Autogen AutogenStatus `json:"autogen"`
+}
+
+// AutogenStatus contains autogen status information.
+type AutogenStatus struct {
+ // Rules is a list of Rule instances. It contains auto generated rules added for pod controllers
+ Rules []AutogenRule `json:"rules,omitempty"`
+}
+
+type AutogenRule struct {
+ MatchConstraints *admissionregistrationv1.MatchResources `json:"matchConstraints,omitempty"`
+ MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`
+ Validations []admissionregistrationv1.Validation `json:"validations,omitempty"`
+ AuditAnnotation []admissionregistrationv1.AuditAnnotation `json:"auditAnnotations,omitempty"`
+ Variables []admissionregistrationv1.Variable `json:"variables,omitempty"`
}
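Review bot: The new Autogen field on L188 is marked `+optional` but its tag lacks `omitempty`, unlike Conditions on L185, so every status serialization carries an `"autogen":{}` member even when nothing was generated; use `Autogen AutogenStatus `json:"autogen,omitempty"``. In AutogenRule the field is named `AuditAnnotation` (singular) while its JSON tag is `auditAnnotations` and the upstream admissionregistration type spells it `AuditAnnotations`; the singular name will surprise callers. AutogenRule and its fields have no doc comments. The PolicyStatus struct this hunk extends begins outside the hunk.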
func (status *PolicyStatus) SetReadyByCondition(c PolicyConditionType, s metav1.ConditionStatus, message string) {
diff --git a/api/policies.kyverno.io/v1alpha1/validating_policy.go b/api/policies.kyverno.io/v1alpha1/validating_policy.go
index db2f181ebd..161119c624 100644
--- a/api/policies.kyverno.io/v1alpha1/validating_policy.go
+++ b/api/policies.kyverno.io/v1alpha1/validating_policy.go
@@ -45,6 +45,10 @@ func (s *ValidatingPolicy) GetVariables() []admissionregistrationv1.Variable {
return s.Spec.Variables
}
+func (s *ValidatingPolicy) GetSpec() *ValidatingPolicySpec {
+ return &s.Spec
+}
+
func (s *ValidatingPolicy) GetStatus() *PolicyStatus {
return &s.Status
}
diff --git a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
index c41c26518e..b5e96421f8 100644
--- a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
+++ b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
@@ -22,21 +22,190 @@ limitations under the License.
package v1alpha1
import (
- admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
- v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ v1 "k8s.io/api/admissionregistration/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AutogenRule) DeepCopyInto(out *AutogenRule) {
+ *out = *in
+ if in.MatchConstraints != nil {
+ in, out := &in.MatchConstraints, &out.MatchConstraints
+ *out = new(v1.MatchResources)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.MatchConditions != nil {
+ in, out := &in.MatchConditions, &out.MatchConditions
+ *out = make([]v1.MatchCondition, len(*in))
+ copy(*out, *in)
+ }
+ if in.Validations != nil {
+ in, out := &in.Validations, &out.Validations
+ *out = make([]v1.Validation, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ if in.AuditAnnotation != nil {
+ in, out := &in.AuditAnnotation, &out.AuditAnnotation
+ *out = make([]v1.AuditAnnotation, len(*in))
+ copy(*out, *in)
+ }
+ if in.Variables != nil {
+ in, out := &in.Variables, &out.Variables
+ *out = make([]v1.Variable, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenRule.
+func (in *AutogenRule) DeepCopy() *AutogenRule {
+ if in == nil {
+ return nil
+ }
+ out := new(AutogenRule)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AutogenStatus) DeepCopyInto(out *AutogenStatus) {
+ *out = *in
+ if in.Rules != nil {
+ in, out := &in.Rules, &out.Rules
+ *out = make([]AutogenRule, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenStatus.
+func (in *AutogenStatus) DeepCopy() *AutogenStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(AutogenStatus)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CELPolicyException) DeepCopyInto(out *CELPolicyException) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CELPolicyException.
+func (in *CELPolicyException) DeepCopy() *CELPolicyException {
+ if in == nil {
+ return nil
+ }
+ out := new(CELPolicyException)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CELPolicyException) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CELPolicyExceptionList) DeepCopyInto(out *CELPolicyExceptionList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]CELPolicyException, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CELPolicyExceptionList.
+func (in *CELPolicyExceptionList) DeepCopy() *CELPolicyExceptionList {
+ if in == nil {
+ return nil
+ }
+ out := new(CELPolicyExceptionList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CELPolicyExceptionList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CELPolicyExceptionSpec) DeepCopyInto(out *CELPolicyExceptionSpec) {
+ *out = *in
+ if in.PolicyRefs != nil {
+ in, out := &in.PolicyRefs, &out.PolicyRefs
+ *out = make([]PolicyRef, len(*in))
+ copy(*out, *in)
+ }
+ if in.MatchConditions != nil {
+ in, out := &in.MatchConditions, &out.MatchConditions
+ *out = make([]v1.MatchCondition, len(*in))
+ copy(*out, *in)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CELPolicyExceptionSpec.
+func (in *CELPolicyExceptionSpec) DeepCopy() *CELPolicyExceptionSpec {
+ if in == nil {
+ return nil
+ }
+ out := new(CELPolicyExceptionSpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyRef) DeepCopyInto(out *PolicyRef) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRef.
+func (in *PolicyRef) DeepCopy() *PolicyRef {
+ if in == nil {
+ return nil
+ }
+ out := new(PolicyRef)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus) {
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
- *out = make([]v1.Condition, len(*in))
+ *out = make([]metav1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
+ in.Autogen.DeepCopyInto(&out.Autogen)
return
}
@@ -117,7 +286,7 @@ func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) {
in.ValidatingAdmissionPolicySpec.DeepCopyInto(&out.ValidatingAdmissionPolicySpec)
if in.ValidationAction != nil {
in, out := &in.ValidationAction, &out.ValidationAction
- *out = make([]admissionregistrationv1.ValidationAction, len(*in))
+ *out = make([]v1.ValidationAction, len(*in))
copy(*out, *in)
}
if in.WebhookConfiguration != nil {
diff --git a/api/policies.kyverno.io/v1alpha1/zz_generated.register.go b/api/policies.kyverno.io/v1alpha1/zz_generated.register.go
index b28fc0cf01..1ab53c5583 100644
--- a/api/policies.kyverno.io/v1alpha1/zz_generated.register.go
+++ b/api/policies.kyverno.io/v1alpha1/zz_generated.register.go
@@ -58,6 +58,8 @@ func init() {
// Adds the list of known types to Scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
+ &CELPolicyException{},
+ &CELPolicyExceptionList{},
&ValidatingPolicy{},
&ValidatingPolicyList{},
)
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index 2cd67b2eed..c30478e68f 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -258,6 +258,8 @@ The chart values are organised per component.
|-----|------|---------|-------------|
| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
| crds.groups.kyverno | object | `{"celpolicyexceptions":true,"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | Install CRDs in group `kyverno.io` |
+| crds.groups.policies.validatingpolicies | bool | `true` | |
+| crds.groups.policies.celpolicyexceptions | bool | `true` | |
| crds.groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | Install CRDs in group `reports.kyverno.io` |
| crds.groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | Install CRDs in group `wgpolicyk8s.io` |
| crds.annotations | object | `{}` | Additional CRDs annotations |
diff --git a/charts/kyverno/charts/crds/README.md b/charts/kyverno/charts/crds/README.md
index 24cc4ffad5..c1cc01de8f 100644
--- a/charts/kyverno/charts/crds/README.md
+++ b/charts/kyverno/charts/crds/README.md
@@ -7,6 +7,8 @@
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true,"validatingpolicies":true}` | This field can be overwritten by setting crds.labels in the parent chart |
+| groups.policies.validatingpolicies | bool | `true` | |
+| groups.policies.celpolicyexceptions | bool | `true` | |
| groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart |
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_celpolicyexceptions.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml
similarity index 97%
rename from charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_celpolicyexceptions.yaml
rename to charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml
index 8287aedd9e..7057b93256 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_celpolicyexceptions.yaml
+++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.groups.kyverno.celpolicyexceptions }}
+{{- if .Values.groups.policies.celpolicyexceptions }}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -10,9 +10,9 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.1
- name: celpolicyexceptions.kyverno.io
+ name: celpolicyexceptions.policies.kyverno.io
spec:
- group: kyverno.io
+ group: policies.kyverno.io
names:
kind: CELPolicyException
listKind: CELPolicyExceptionList
@@ -20,7 +20,7 @@ spec:
singular: celpolicyexception
scope: Namespaced
versions:
- - name: v2alpha1
+ - name: v1alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_validatingpolicies.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
similarity index 99%
rename from charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_validatingpolicies.yaml
rename to charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
index 9dadbbf812..d39dc36279 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_validatingpolicies.yaml
+++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.groups.kyverno.validatingpolicies }}
+{{- if .Values.groups.policies.validatingpolicies }}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -10,9 +10,9 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.1
- name: validatingpolicies.kyverno.io
+ name: validatingpolicies.policies.kyverno.io
spec:
- group: kyverno.io
+ group: policies.kyverno.io
names:
categories:
- kyverno
@@ -28,7 +28,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- name: v2alpha1
+ name: v1alpha1
schema:
openAPIV3Schema:
properties:
diff --git a/charts/kyverno/charts/crds/values.yaml b/charts/kyverno/charts/crds/values.yaml
index e918593818..7500529ab2 100644
--- a/charts/kyverno/charts/crds/values.yaml
+++ b/charts/kyverno/charts/crds/values.yaml
@@ -19,6 +19,10 @@ groups:
updaterequests: true
validatingpolicies: true
+ policies:
+ validatingpolicies: true
+ celpolicyexceptions: true
+
# -- Install CRDs in group `reports.kyverno.io`
# -- This field can be overwritten by setting crds.labels in the parent chart
reports:
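Review bot: The `kyverno` group still carries `validatingpolicies: true` on L536 (and `celpolicyexceptions: true` in the parent chart's values at L595–L596) although the CRD templates now read `groups.policies.validatingpolicies` and `groups.policies.celpolicyexceptions` (L471, L505), so those older keys are dead and a user who sets them to false will see no effect. Drop them from both values files, or document them as deprecated; the chart READMEs at L443 and L456 list them under the kyverno group as well. The new `policies:` block also has no `# --` description comment, unlike the sibling groups that follow it.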
diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml
index d2a58c0fd6..808c790292 100644
--- a/charts/kyverno/templates/admission-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml
@@ -73,6 +73,18 @@ rules:
- globalcontextentries
- globalcontextentries/status
- policyexceptions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - policies.kyverno.io
+ resources:
- validatingpolicies
- validatingpolicies/status
- celpolicyexceptions
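Review bot: The new `policies.kyverno.io` rule receives the verb list that follows `celpolicyexceptions` outside the hunk, which by the inserted copy on L552–L560 is the full create/delete/patch/update/deletecollection set; the admission controller presumably only needs to read validatingpolicies and celpolicyexceptions and to write validatingpolicies/status, so this grants a component that handles untrusted admission requests the right to delete or rewrite the policies and exceptions it enforces. If the controller indeed only reads and updates status, split the rule as below and keep write verbs off the primary resources; confirm against the controllers that consume these listers before narrowing.
```yaml
  - apiGroups:
      - policies.kyverno.io
    resources:
      - validatingpolicies
      - celpolicyexceptions
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policies.kyverno.io
    resources:
      - validatingpolicies/status
    verbs:
      - get
      - patch
      - update
```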
diff --git a/charts/kyverno/templates/reports-controller/clusterrole.yaml b/charts/kyverno/templates/reports-controller/clusterrole.yaml
index fb441b49c9..cd0728a564 100644
--- a/charts/kyverno/templates/reports-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml
@@ -43,6 +43,18 @@ rules:
- policyexceptions
- policies
- clusterpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - policies.kyverno.io
+ resources:
- validatingpolicies
- validatingpolicies/status
verbs:
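Review bot: The inserted verb block on L575–L583 now terminates the `kyverno.io` rule for policyexceptions, policies and clusterpolicies, while the original verbs that follow on L589 (outside the hunk) now apply to the new `policies.kyverno.io` rule; unless those two lists are identical, this commit silently changes what the reports controller may do to policy objects in both groups. Please confirm they match, and consider whether a reports controller needs anything beyond `get`, `list`, `watch` on validatingpolicies, since the inserted list includes `delete` and `deletecollection`.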
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index dd677cb2b8..fe46c0da4c 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -85,6 +85,10 @@ crds:
validatingpolicies: true
celpolicyexceptions: true
+ policies:
+ validatingpolicies: true
+ celpolicyexceptions: true
+
# -- Install CRDs in group `reports.kyverno.io`
reports:
clusterephemeralreports: true
diff --git a/cmd/cli/kubectl-kyverno/commands/apply/command.go b/cmd/cli/kubectl-kyverno/commands/apply/command.go
index 7002b5fac5..bee893538b 100644
--- a/cmd/cli/kubectl-kyverno/commands/apply/command.go
+++ b/cmd/cli/kubectl-kyverno/commands/apply/command.go
@@ -13,7 +13,7 @@ import (
"github.com/go-git/go-billy/v5/memfs"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/deprecations"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/exception"
@@ -314,7 +314,7 @@ func (c *ApplyCommandConfig) applyValidatingAdmissionPolicies(
}
func (c *ApplyCommandConfig) applyValidatingPolicies(
- vps []kyvernov2alpha1.ValidatingPolicy,
+ vps []policiesv1alpha1.ValidatingPolicy,
resources []*unstructured.Unstructured,
namespaceProvider func(string) *corev1.Namespace,
_ *processor.ResultCounts,
@@ -464,14 +464,14 @@ func (c *ApplyCommandConfig) loadPolicies() (
[]kyvernov1.PolicyInterface,
[]admissionregistrationv1.ValidatingAdmissionPolicy,
[]admissionregistrationv1.ValidatingAdmissionPolicyBinding,
- []kyvernov2alpha1.ValidatingPolicy,
+ []policiesv1alpha1.ValidatingPolicy,
error,
) {
// load policies
var policies []kyvernov1.PolicyInterface
var vaps []admissionregistrationv1.ValidatingAdmissionPolicy
var vapBindings []admissionregistrationv1.ValidatingAdmissionPolicyBinding
- var vps []kyvernov2alpha1.ValidatingPolicy
+ var vps []policiesv1alpha1.ValidatingPolicy
for _, path := range c.PolicyPaths {
isGit := source.IsGit(path)
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_celpolicyexceptions.yaml b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_celpolicyexceptions.yaml
similarity index 98%
rename from cmd/cli/kubectl-kyverno/data/crds/kyverno.io_celpolicyexceptions.yaml
rename to cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_celpolicyexceptions.yaml
index 0f349139a8..e8864c494d 100644
--- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_celpolicyexceptions.yaml
+++ b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_celpolicyexceptions.yaml
@@ -4,9 +4,9 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
- name: celpolicyexceptions.kyverno.io
+ name: celpolicyexceptions.policies.kyverno.io
spec:
- group: kyverno.io
+ group: policies.kyverno.io
names:
kind: CELPolicyException
listKind: CELPolicyExceptionList
@@ -14,7 +14,7 @@ spec:
singular: celpolicyexception
scope: Namespaced
versions:
- - name: v2alpha1
+ - name: v1alpha1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_validatingpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml
similarity index 99%
rename from cmd/cli/kubectl-kyverno/data/crds/kyverno.io_validatingpolicies.yaml
rename to cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml
index a454cdd887..76322e28ef 100644
--- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_validatingpolicies.yaml
+++ b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml
@@ -4,9 +4,9 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
- name: validatingpolicies.kyverno.io
+ name: validatingpolicies.policies.kyverno.io
spec:
- group: kyverno.io
+ group: policies.kyverno.io
names:
categories:
- kyverno
@@ -22,7 +22,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- name: v2alpha1
+ name: v1alpha1
schema:
openAPIV3Schema:
properties:
diff --git a/cmd/cli/kubectl-kyverno/policy/load.go b/cmd/cli/kubectl-kyverno/policy/load.go
index 1bab9b0c74..1113360ea1 100644
--- a/cmd/cli/kubectl-kyverno/policy/load.go
+++ b/cmd/cli/kubectl-kyverno/policy/load.go
@@ -12,8 +12,8 @@ import (
"github.com/go-git/go-billy/v5"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/data"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/experimental"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/source"
@@ -33,7 +33,7 @@ var (
clusterPolicyV2 = kyvernov2beta1.SchemeGroupVersion.WithKind("ClusterPolicy")
vapV1 = admissionregistrationv1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicy")
vapBindingV1 = admissionregistrationv1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicyBinding")
- vpV2alpha1 = kyvernov2alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy")
+ vpV2alpha1 = policiesv1alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy")
LegacyLoader = legacyLoader
KubectlValidateLoader = kubectlValidateLoader
defaultLoader = func(path string, bytes []byte) (*LoaderResults, error) {
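Review bot: The variable on L715 is still named `vpV2alpha1` although it now holds the `policies.kyverno.io/v1alpha1` ValidatingPolicy GVK, so the name contradicts the value and the switch case on L730 inherits the same misnomer. Rename it in both places: `vpV1alpha1 = policiesv1alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy")` and `case vpV1alpha1:`.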
@@ -54,7 +54,7 @@ type LoaderResults struct {
Policies []kyvernov1.PolicyInterface
VAPs []admissionregistrationv1.ValidatingAdmissionPolicy
VAPBindings []admissionregistrationv1.ValidatingAdmissionPolicyBinding
- ValidatingPolicies []kyvernov2alpha1.ValidatingPolicy
+ ValidatingPolicies []policiesv1alpha1.ValidatingPolicy
NonFatalErrors []LoaderError
}
@@ -166,7 +166,7 @@ func kubectlValidateLoader(path string, content []byte) (*LoaderResults, error)
}
results.VAPBindings = append(results.VAPBindings, *typed)
case vpV2alpha1:
- typed, err := convert.To[kyvernov2alpha1.ValidatingPolicy](untyped)
+ typed, err := convert.To[policiesv1alpha1.ValidatingPolicy](untyped)
if err != nil {
return nil, err
}
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 076afa4125..bc43816b0f 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -10,7 +10,7 @@ import (
"time"
"github.com/go-logr/logr"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/cmd/internal"
"github.com/kyverno/kyverno/pkg/auth/checker"
"github.com/kyverno/kyverno/pkg/breaker"
@@ -154,7 +154,7 @@ func createrLeaderControllers(
kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(),
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
kyvernoInformer.Kyverno().V1().Policies(),
- kyvernoInformer.Kyverno().V2alpha1().ValidatingPolicies(),
+ kyvernoInformer.Policies().V1alpha1().ValidatingPolicies(),
deploymentInformer,
caInformer,
kubeKyvernoInformer.Coordination().V1().Leases(),
@@ -219,8 +219,8 @@ func createrLeaderControllers(
nil,
[]admissionregistrationv1.RuleWithOperations{{
Rule: admissionregistrationv1.Rule{
- APIGroups: []string{"kyverno.io"},
- APIVersions: []string{"v2alpha1"},
+ APIGroups: []string{"policies.kyverno.io"},
+ APIVersions: []string{"v1alpha1"},
Resources: []string{"celpolicyexceptions"},
},
Operations: []admissionregistrationv1.OperationType{
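Review bot: The new group and version for the celpolicyexceptions webhook rule are hard-coded as string literals at the `APIGroups`/`APIVersions` lines, while the rest of this commit derives the same values from the type package (`policiesv1alpha1.SchemeGroupVersion` is used for the ValidatingPolicy kind and `policiesv1alpha1.Install(scheme)` registers the types). Because this rule decides which CELPolicyException admission requests reach the webhook at all, a future version bump that updates the package but not this literal would silently leave exception objects unvalidated; prefer `APIGroups: []string{policiesv1alpha1.SchemeGroupVersion.Group},` and `APIVersions: []string{policiesv1alpha1.SchemeGroupVersion.Version},` so the rule cannot drift from the type's real GVK. Note also that objects still stored under the previous kyverno.io/v2alpha1 group would presumably no longer be matched by this rule nor read by the new provider lister, so a migration or release note seems warranted — confirm against the CRD upgrade path. The enclosing createrLeaderControllers function starts outside this hunk.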
@@ -594,7 +594,7 @@ func main() {
{
// create a controller manager
scheme := kruntime.NewScheme()
- if err := kyvernov2alpha1.Install(scheme); err != nil {
+ if err := policiesv1alpha1.Install(scheme); err != nil {
setup.Logger.Error(err, "failed to initialize scheme")
os.Exit(1)
}
@@ -608,7 +608,7 @@ func main() {
// create compiler
compiler := celpolicy.NewCompiler()
// create provider
- provider, err := celengine.NewKubeProvider(compiler, mgr, kyvernoInformer.Kyverno().V2alpha1().CELPolicyExceptions().Lister())
+ provider, err := celengine.NewKubeProvider(compiler, mgr, kyvernoInformer.Policies().V1alpha1().CELPolicyExceptions().Lister())
if err != nil {
setup.Logger.Error(err, "failed to create policy provider")
os.Exit(1)
diff --git a/cmd/reports-controller/main.go b/cmd/reports-controller/main.go
index b561e26d8b..527f5c03ea 100644
--- a/cmd/reports-controller/main.go
+++ b/cmd/reports-controller/main.go
@@ -76,13 +76,13 @@ func createReportControllers(
}
kyvernoV1 := kyvernoInformer.Kyverno().V1()
kyvernoV2 := kyvernoInformer.Kyverno().V2()
- kyvernoV2alpha1 := kyvernoInformer.Kyverno().V2alpha1()
+ policiesV1alpha1 := kyvernoInformer.Policies().V1alpha1()
if backgroundScan || admissionReports {
resourceReportController := resourcereportcontroller.NewController(
client,
kyvernoV1.Policies(),
kyvernoV1.ClusterPolicies(),
- kyvernoV2alpha1.ValidatingPolicies(),
+ policiesV1alpha1.ValidatingPolicies(),
vapInformer,
)
warmups = append(warmups, func(ctx context.Context) error {
@@ -102,7 +102,7 @@ func createReportControllers(
metadataFactory,
kyvernoV1.Policies(),
kyvernoV1.ClusterPolicies(),
- kyvernoV2alpha1.ValidatingPolicies(),
+ policiesV1alpha1.ValidatingPolicies(),
vapInformer,
),
aggregationWorkers,
@@ -116,7 +116,7 @@ func createReportControllers(
metadataFactory,
kyvernoV1.Policies(),
kyvernoV1.ClusterPolicies(),
- kyvernoV2alpha1.ValidatingPolicies(),
+ policiesV1alpha1.ValidatingPolicies(),
kyvernoV2.PolicyExceptions(),
vapInformer,
vapBindingInformer,
diff --git a/config/crds/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml b/config/crds/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml
new file mode 100644
index 0000000000..e8864c494d
--- /dev/null
+++ b/config/crds/policies.kyverno.io/policies.kyverno.io_celpolicyexceptions.yaml
@@ -0,0 +1,106 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: (devel)
+ name: celpolicyexceptions.policies.kyverno.io
+spec:
+ group: policies.kyverno.io
+ names:
+ kind: CELPolicyException
+ listKind: CELPolicyExceptionList
+ plural: celpolicyexceptions
+ singular: celpolicyexception
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: PolicyException declares resources to be excluded from specified
+ policies.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec declares policy exception behaviors.
+ properties:
+ matchConditions:
+ description: MatchConditions is a list of CEL expressions that must
+ be met for a resource to be excluded.
+ items:
+ description: MatchCondition represents a condition which must by
+ fulfilled for a request to be sent to a webhook.
+ properties:
+ expression:
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+ Required.
+ type: string
+ name:
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+ Required.
+ type: string
+ required:
+ - expression
+ - name
+ type: object
+ type: array
+ policyRefs:
+ description: PolicyRefs identifies the policies to which the exception
+ is applied.
+ items:
+ properties:
+ kind:
+ description: Kind is the kind of the policy
+ type: string
+ name:
+ description: Name is the name of the policy
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
+ required:
+ - policyRefs
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
diff --git a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
new file mode 100644
index 0000000000..76322e28ef
--- /dev/null
+++ b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
@@ -0,0 +1,1307 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: (devel)
+ name: validatingpolicies.policies.kyverno.io
+spec:
+ group: policies.kyverno.io
+ names:
+ categories:
+ - kyverno
+ kind: ValidatingPolicy
+ listKind: ValidatingPolicyList
+ plural: validatingpolicies
+ shortNames:
+ - vpol
+ singular: validatingpolicy
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ValidatingPolicySpec is the specification of the desired
+ behavior of the ValidatingPolicy.
+ properties:
+ auditAnnotations:
+ description: |-
+ auditAnnotations contains CEL expressions which are used to produce audit
+ annotations for the audit event of the API request.
+ validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
+ required.
+ items:
+ description: AuditAnnotation describes how to produce an audit annotation
+ for an API request.
+ properties:
+ key:
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+ Required.
+ type: string
+ valueExpression:
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+ Required.
+ type: string
+ required:
+ - key
+ - valueExpression
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ failurePolicy:
+ description: |-
+ failurePolicy defines how to handle failures for the admission policy. Failures can
+ occur from CEL expression parse errors, type check errors, runtime errors and invalid
+ or mis-configured policy definitions or bindings.
+
+ A policy is invalid if spec.paramKind refers to a non-existent Kind.
+ A binding is invalid if spec.paramRef.name refers to a non-existent resource.
+
+ failurePolicy does not define how validations that evaluate to false are handled.
+
+ When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
+ define how failures are enforced.
+
+ Allowed values are Ignore or Fail. Defaults to Fail.
+ type: string
+ matchConditions:
+ description: |-
+ MatchConditions is a list of conditions that must be met for a request to be validated.
+ Match conditions filter requests that have already been matched by the rules,
+ namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
+ There are a maximum of 64 match conditions allowed.
+
+ If a parameter object is provided, it can be accessed via the `params` handle in the same
+ manner as validation expressions.
+
+ The exact matching logic is (in order):
+ 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
+ 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
+ 3. If any matchCondition evaluates to an error (but none are FALSE):
+ - If failurePolicy=Fail, reject the request
+ - If failurePolicy=Ignore, the policy is skipped
+ items:
+ description: MatchCondition represents a condition which must by
+ fulfilled for a request to be sent to a webhook.
+ properties:
+ expression:
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+ Required.
+ type: string
+ name:
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+ Required.
+ type: string
+ required:
+ - expression
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ matchConstraints:
+ description: |-
+ MatchConstraints specifies what resources this policy is designed to validate.
+ The AdmissionPolicy cares about a request if it matches _all_ Constraints.
+ However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
+ ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
+ Required.
+ properties:
+ excludeResourceRules:
+ description: |-
+ ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
+ The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+ items:
+ description: NamedRuleWithOperations is a tuple of Operations
+ and Resources with ResourceNames.
+ properties:
+ apiGroups:
+ description: |-
+ APIGroups is the API groups the resources belong to. '*' is all groups.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ apiVersions:
+ description: |-
+ APIVersions is the API versions the resources belong to. '*' is all versions.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ operations:
+ description: |-
+ Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
+ for all of those operations and any future admission operations that are added.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ description: OperationType specifies an operation for
+ a request.
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ resourceNames:
+ description: ResourceNames is an optional white list of
+ names that the rule applies to. An empty set means that
+ everything is allowed.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ description: |-
+ Resources is a list of resources this rule applies to.
+
+ For example:
+ 'pods' means pods.
+ 'pods/log' means the log subresource of pods.
+ '*' means all resources, but not subresources.
+ 'pods/*' means all subresources of pods.
+ '*/scale' means all scale subresources.
+ '*/*' means all resources and their subresources.
+
+ If wildcard is present, the validation rule will ensure resources do not
+ overlap with each other.
+
+ Depending on the enclosing object, subresources might not be allowed.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ scope:
+ description: |-
+ scope specifies the scope of this rule.
+ Valid values are "Cluster", "Namespaced", and "*"
+ "Cluster" means that only cluster-scoped resources will match this rule.
+ Namespace API objects are cluster-scoped.
+ "Namespaced" means that only namespaced resources will match this rule.
+ "*" means that there are no scope restrictions.
+ Subresources match the scope of their parent resource.
+ Default is "*".
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ matchPolicy:
+ description: |-
+ matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+ Allowed values are "Exact" or "Equivalent".
+
+ - Exact: match a request only if it exactly matches a specified rule.
+ For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+ but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+ a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
+
+ - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+ For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+ and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+ a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
+
+ Defaults to "Equivalent"
+ type: string
+ namespaceSelector:
+ description: |-
+ NamespaceSelector decides whether to run the admission control policy on an object based
+ on whether the namespace for that object matches the selector. If the
+ object itself is a namespace, the matching is performed on
+ object.metadata.labels. If the object is another cluster scoped resource,
+ it never skips the policy.
+
+ For example, to run the webhook on any objects whose namespace is not
+ associated with "runlevel" of "0" or "1"; you will set the selector as
+ follows:
+ "namespaceSelector": {
+ "matchExpressions": [
+ {
+ "key": "runlevel",
+ "operator": "NotIn",
+ "values": [
+ "0",
+ "1"
+ ]
+ }
+ ]
+ }
+
+ If instead you want to only run the policy on any objects whose
+ namespace is associated with the "environment" of "prod" or "staging";
+ you will set the selector as follows:
+ "namespaceSelector": {
+ "matchExpressions": [
+ {
+ "key": "environment",
+ "operator": "In",
+ "values": [
+ "prod",
+ "staging"
+ ]
+ }
+ ]
+ }
+
+ See
+ https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ for more examples of label selectors.
+
+ Default to the empty LabelSelector, which matches everything.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ objectSelector:
+ description: |-
+ ObjectSelector decides whether to run the validation based on if the
+ object has matching labels. objectSelector is evaluated against both
+ the oldObject and newObject that would be sent to the cel validation, and
+ is considered to match if either object matches the selector. A null
+ object (oldObject in the case of create, or newObject in the case of
+ delete) or an object that cannot have labels (like a
+ DeploymentRollback or a PodProxyOptions object) is not considered to
+ match.
+ Use the object selector only if the webhook is opt-in, because end
+ users may skip the admission webhook by setting the labels.
+ Default to the empty LabelSelector, which matches everything.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceRules:
+ description: |-
+ ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
+ The policy cares about an operation if it matches _any_ Rule.
+ items:
+ description: NamedRuleWithOperations is a tuple of Operations
+ and Resources with ResourceNames.
+ properties:
+ apiGroups:
+ description: |-
+ APIGroups is the API groups the resources belong to. '*' is all groups.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ apiVersions:
+ description: |-
+ APIVersions is the API versions the resources belong to. '*' is all versions.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ operations:
+ description: |-
+ Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
+ for all of those operations and any future admission operations that are added.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ description: OperationType specifies an operation for
+ a request.
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ resourceNames:
+ description: ResourceNames is an optional white list of
+ names that the rule applies to. An empty set means that
+ everything is allowed.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ description: |-
+ Resources is a list of resources this rule applies to.
+
+ For example:
+ 'pods' means pods.
+ 'pods/log' means the log subresource of pods.
+ '*' means all resources, but not subresources.
+ 'pods/*' means all subresources of pods.
+ '*/scale' means all scale subresources.
+ '*/*' means all resources and their subresources.
+
+ If wildcard is present, the validation rule will ensure resources do not
+ overlap with each other.
+
+ Depending on the enclosing object, subresources might not be allowed.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ scope:
+ description: |-
+ scope specifies the scope of this rule.
+ Valid values are "Cluster", "Namespaced", and "*"
+ "Cluster" means that only cluster-scoped resources will match this rule.
+ Namespace API objects are cluster-scoped.
+ "Namespaced" means that only namespaced resources will match this rule.
+ "*" means that there are no scope restrictions.
+ Subresources match the scope of their parent resource.
+ Default is "*".
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ paramKind:
+ description: |-
+ ParamKind specifies the kind of resources used to parameterize this policy.
+ If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
+ If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
+ If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
+ Required.
+ type: string
+ kind:
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ validationActions:
+ description: |-
+ ValidationAction specifies the action to be taken when the matched resource violates the policy.
+ Required.
+ items:
+ description: ValidationAction specifies a policy enforcement action.
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ validations:
+ description: |-
+ Validations contain CEL expressions which is used to apply the validation.
+ Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
+ required.
+ items:
+ description: Validation specifies the CEL expression which is used
+ to apply the validation.
+ properties:
+ expression:
+ description: "Expression represents the expression which will
+ be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the API request/response,
+ organized into CEL variables as well as some other useful
+ variables:\n\n- 'object' - The object from the incoming request.
+ The value is null for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE requests.\n-
+ 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by the policy binding
+ being evaluated. Only populated if the policy has a ParamKind.\n-
+ 'namespaceObject' - The namespace object that the incoming
+ object belongs to. The value is null for cluster-scoped resources.\n-
+ 'variables' - Map of composited variables, from its name to
+ its lazily evaluated value.\n For example, a variable named
+ 'foo' can be accessed as 'variables.foo'.\n- 'authorizer'
+ - A CEL Authorizer. May be used to perform authorization checks
+ for the principal (user or service account) of the request.\n
+ \ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed
+ from the 'authorizer' and configured with the\n request resource.\n\nThe
+ `apiVersion`, `kind`, `metadata.name` and `metadata.generateName`
+ are always accessible from the root of the\nobject. No other
+ metadata properties are accessible.\n\nOnly property names
+ of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible
+ property names are escaped according to the following rules
+ when accessed in the expression:\n- '__' escapes to '__underscores__'\n-
+ '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/'
+ escapes to '__slash__'\n- Property names that exactly match
+ a CEL RESERVED keyword escape to '__{keyword}__'. The keywords
+ are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\",
+ \"const\", \"continue\", \"else\", \"for\", \"function\",
+ \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\",
+ \"return\".\nExamples:\n - Expression accessing a property
+ named \"namespace\": {\"Expression\": \"object.__namespace__
+ > 0\"}\n - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression
+ accessing a property named \"redact__d\": {\"Expression\":
+ \"object.redact__underscores__d > 0\"}\n\nEquality on arrays
+ with list type of 'set' or 'map' ignores element order, i.e.
+ [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type
+ use the semantics of the list type:\n - 'set': `X + Y` performs
+ a union where the array positions of all elements in `X` are
+ preserved and\n non-intersecting elements in `Y` are appended,
+ retaining their partial order.\n - 'map': `X + Y` performs
+ a merge where the array positions of all keys in `X` are preserved
+ but the values\n are overwritten by values in `Y` when
+ the key sets of `X` and `Y` intersect. Elements in `Y` with\n
+ \ non-intersecting keys are appended, retaining their partial
+ order.\nRequired."
+ type: string
+ message:
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
+ type: string
+ messageExpression:
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
+ type: string
+ reason:
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
+ type: string
+ required:
+ - expression
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ variables:
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
+ Each variable is defined as a named CEL expression.
+ The variables defined here will be available under `variables` in other expressions of the policy
+ except MatchConditions because MatchConditions are evaluated before the rest of the policy.
+
+ The expression of a variable can refer to other variables defined earlier in the list but not those after.
+ Thus, Variables must be sorted by the order of first appearance and acyclic.
+ items:
+ description: Variable is the definition of a variable that is used
+ for composition. A variable is defined as a named expression.
+ properties:
+ expression:
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
+ type: string
+ name:
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
+ type: string
+ required:
+ - expression
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ webhookConfiguration:
+ description: WebhookConfiguration defines the configuration for the
+ webhook.
+ properties:
+ timeoutSeconds:
+ description: |-
+ TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+ After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+ based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ format: int32
+ type: integer
+ type: object
+ type: object
+ status:
+ description: Status contains policy runtime data.
+ properties:
+ autogen:
+ description: AutogenStatus contains autogen status information.
+ properties:
+ rules:
+ description: Rules is a list of Rule instances. It contains auto
+ generated rules added for pod controllers
+ items:
+ properties:
+ auditAnnotations:
+ items:
+ description: AuditAnnotation describes how to produce
+ an audit annotation for an API request.
+ properties:
+ key:
+ description: |-
+ key specifies the audit annotation key. The audit annotation keys of
+ a ValidatingAdmissionPolicy must be unique. The key must be a qualified
+ name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.
+
+ The key is combined with the resource name of the
+ ValidatingAdmissionPolicy to construct an audit annotation key:
+ "{ValidatingAdmissionPolicy name}/{key}".
+
+ If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy
+ and the same audit annotation key, the annotation key will be identical.
+ In this case, the first annotation written with the key will be included
+ in the audit event and all subsequent annotations with the same key
+ will be discarded.
+
+ Required.
+ type: string
+ valueExpression:
+ description: |-
+ valueExpression represents the expression which is evaluated by CEL to
+ produce an audit annotation value. The expression must evaluate to either
+ a string or null value. If the expression evaluates to a string, the
+ audit annotation is included with the string value. If the expression
+ evaluates to null or empty string the audit annotation will be omitted.
+ The valueExpression may be no longer than 5kb in length.
+ If the result of the valueExpression is more than 10kb in length, it
+ will be truncated to 10kb.
+
+ If multiple ValidatingAdmissionPolicyBinding resources match an
+ API request, then the valueExpression will be evaluated for
+ each binding. All unique values produced by the valueExpressions
+ will be joined together in a comma-separated list.
+
+ Required.
+ type: string
+ required:
+ - key
+ - valueExpression
+ type: object
+ type: array
+ matchConditions:
+ items:
+ description: MatchCondition represents a condition which
+ must by fulfilled for a request to be sent to a webhook.
+ properties:
+ expression:
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+ Required.
+ type: string
+ name:
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+ Required.
+ type: string
+ required:
+ - expression
+ - name
+ type: object
+ type: array
+ matchConstraints:
+ description: |-
+ MatchResources decides whether to run the admission control policy on an object based
+ on whether it meets the match criteria.
+ The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+ properties:
+ excludeResourceRules:
+ description: |-
+ ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.
+ The exclude rules take precedence over include rules (if a resource matches both, it is excluded)
+ items:
+ description: NamedRuleWithOperations is a tuple of
+ Operations and Resources with ResourceNames.
+ properties:
+ apiGroups:
+ description: |-
+ APIGroups is the API groups the resources belong to. '*' is all groups.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ apiVersions:
+ description: |-
+ APIVersions is the API versions the resources belong to. '*' is all versions.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ operations:
+ description: |-
+ Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
+ for all of those operations and any future admission operations that are added.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ description: OperationType specifies an operation
+ for a request.
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ resourceNames:
+ description: ResourceNames is an optional white
+ list of names that the rule applies to. An
+ empty set means that everything is allowed.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ description: |-
+ Resources is a list of resources this rule applies to.
+
+ For example:
+ 'pods' means pods.
+ 'pods/log' means the log subresource of pods.
+ '*' means all resources, but not subresources.
+ 'pods/*' means all subresources of pods.
+ '*/scale' means all scale subresources.
+ '*/*' means all resources and their subresources.
+
+ If wildcard is present, the validation rule will ensure resources do not
+ overlap with each other.
+
+ Depending on the enclosing object, subresources might not be allowed.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ scope:
+ description: |-
+ scope specifies the scope of this rule.
+ Valid values are "Cluster", "Namespaced", and "*"
+ "Cluster" means that only cluster-scoped resources will match this rule.
+ Namespace API objects are cluster-scoped.
+ "Namespaced" means that only namespaced resources will match this rule.
+ "*" means that there are no scope restrictions.
+ Subresources match the scope of their parent resource.
+ Default is "*".
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ matchPolicy:
+ description: |-
+ matchPolicy defines how the "MatchResources" list is used to match incoming requests.
+ Allowed values are "Exact" or "Equivalent".
+
+ - Exact: match a request only if it exactly matches a specified rule.
+ For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+ but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+ a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.
+
+ - Equivalent: match a request if modifies a resource listed in rules, even via another API group or version.
+ For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
+ and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
+ a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.
+
+ Defaults to "Equivalent"
+ type: string
+ namespaceSelector:
+ description: |-
+ NamespaceSelector decides whether to run the admission control policy on an object based
+ on whether the namespace for that object matches the selector. If the
+ object itself is a namespace, the matching is performed on
+ object.metadata.labels. If the object is another cluster scoped resource,
+ it never skips the policy.
+
+ For example, to run the webhook on any objects whose namespace is not
+ associated with "runlevel" of "0" or "1"; you will set the selector as
+ follows:
+ "namespaceSelector": {
+ "matchExpressions": [
+ {
+ "key": "runlevel",
+ "operator": "NotIn",
+ "values": [
+ "0",
+ "1"
+ ]
+ }
+ ]
+ }
+
+ If instead you want to only run the policy on any objects whose
+ namespace is associated with the "environment" of "prod" or "staging";
+ you will set the selector as follows:
+ "namespaceSelector": {
+ "matchExpressions": [
+ {
+ "key": "environment",
+ "operator": "In",
+ "values": [
+ "prod",
+ "staging"
+ ]
+ }
+ ]
+ }
+
+ See
+ https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ for more examples of label selectors.
+
+ Default to the empty LabelSelector, which matches everything.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ objectSelector:
+ description: |-
+ ObjectSelector decides whether to run the validation based on if the
+ object has matching labels. objectSelector is evaluated against both
+ the oldObject and newObject that would be sent to the cel validation, and
+ is considered to match if either object matches the selector. A null
+ object (oldObject in the case of create, or newObject in the case of
+ delete) or an object that cannot have labels (like a
+ DeploymentRollback or a PodProxyOptions object) is not considered to
+ match.
+ Use the object selector only if the webhook is opt-in, because end
+ users may skip the admission webhook by setting the labels.
+ Default to the empty LabelSelector, which matches everything.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceRules:
+ description: |-
+ ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.
+ The policy cares about an operation if it matches _any_ Rule.
+ items:
+ description: NamedRuleWithOperations is a tuple of
+ Operations and Resources with ResourceNames.
+ properties:
+ apiGroups:
+ description: |-
+ APIGroups is the API groups the resources belong to. '*' is all groups.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ apiVersions:
+ description: |-
+ APIVersions is the API versions the resources belong to. '*' is all versions.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ operations:
+ description: |-
+ Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *
+ for all of those operations and any future admission operations that are added.
+ If '*' is present, the length of the slice must be one.
+ Required.
+ items:
+ description: OperationType specifies an operation
+ for a request.
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ resourceNames:
+ description: ResourceNames is an optional white
+ list of names that the rule applies to. An
+ empty set means that everything is allowed.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ description: |-
+ Resources is a list of resources this rule applies to.
+
+ For example:
+ 'pods' means pods.
+ 'pods/log' means the log subresource of pods.
+ '*' means all resources, but not subresources.
+ 'pods/*' means all subresources of pods.
+ '*/scale' means all scale subresources.
+ '*/*' means all resources and their subresources.
+
+ If wildcard is present, the validation rule will ensure resources do not
+ overlap with each other.
+
+ Depending on the enclosing object, subresources might not be allowed.
+ Required.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ scope:
+ description: |-
+ scope specifies the scope of this rule.
+ Valid values are "Cluster", "Namespaced", and "*"
+ "Cluster" means that only cluster-scoped resources will match this rule.
+ Namespace API objects are cluster-scoped.
+ "Namespaced" means that only namespaced resources will match this rule.
+ "*" means that there are no scope restrictions.
+ Subresources match the scope of their parent resource.
+ Default is "*".
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ validations:
+ items:
+ description: Validation specifies the CEL expression which
+ is used to apply the validation.
+ properties:
+ expression:
+ description: "Expression represents the expression
+ which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL
+ expressions have access to the contents of the API
+ request/response, organized into CEL variables as
+ well as some other useful variables:\n\n- 'object'
+ - The object from the incoming request. The value
+ is null for DELETE requests.\n- 'oldObject' - The
+ existing object. The value is null for CREATE requests.\n-
+ 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n-
+ 'params' - Parameter resource referred to by the
+ policy binding being evaluated. Only populated if
+ the policy has a ParamKind.\n- 'namespaceObject'
+ - The namespace object that the incoming object
+ belongs to. The value is null for cluster-scoped
+ resources.\n- 'variables' - Map of composited variables,
+ from its name to its lazily evaluated value.\n For
+ example, a variable named 'foo' can be accessed
+ as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer.
+ May be used to perform authorization checks for
+ the principal (user or service account) of the request.\n
+ \ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n-
+ 'authorizer.requestResource' - A CEL ResourceCheck
+ constructed from the 'authorizer' and configured
+ with the\n request resource.\n\nThe `apiVersion`,
+ `kind`, `metadata.name` and `metadata.generateName`
+ are always accessible from the root of the\nobject.
+ No other metadata properties are accessible.\n\nOnly
+ property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
+ are accessible.\nAccessible property names are escaped
+ according to the following rules when accessed in
+ the expression:\n- '__' escapes to '__underscores__'\n-
+ '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n-
+ '/' escapes to '__slash__'\n- Property names that
+ exactly match a CEL RESERVED keyword escape to '__{keyword}__'.
+ The keywords are:\n\t \"true\", \"false\", \"null\",
+ \"in\", \"as\", \"break\", \"const\", \"continue\",
+ \"else\", \"for\", \"function\", \"if\",\n\t \"import\",
+ \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n
+ \ - Expression accessing a property named \"namespace\":
+ {\"Expression\": \"object.__namespace__ > 0\"}\n
+ \ - Expression accessing a property named \"x-prop\":
+ {\"Expression\": \"object.x__dash__prop > 0\"}\n
+ \ - Expression accessing a property named \"redact__d\":
+ {\"Expression\": \"object.redact__underscores__d
+ > 0\"}\n\nEquality on arrays with list type of 'set'
+ or 'map' ignores element order, i.e. [1, 2] == [2,
+ 1].\nConcatenation on arrays with x-kubernetes-list-type
+ use the semantics of the list type:\n - 'set':
+ `X + Y` performs a union where the array positions
+ of all elements in `X` are preserved and\n non-intersecting
+ elements in `Y` are appended, retaining their partial
+ order.\n - 'map': `X + Y` performs a merge where
+ the array positions of all keys in `X` are preserved
+ but the values\n are overwritten by values in
+ `Y` when the key sets of `X` and `Y` intersect.
+ Elements in `Y` with\n non-intersecting keys
+ are appended, retaining their partial order.\nRequired."
+ type: string
+ message:
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
+ The message must not contain line breaks.
+ If unset, the message is "failed Expression: {Expression}".
+ type: string
+ messageExpression:
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
+ type: string
+ reason:
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
+ type: string
+ required:
+ - expression
+ type: object
+ type: array
+ variables:
+ items:
+ description: Variable is the definition of a variable
+ that is used for composition. A variable is defined
+ as a named expression.
+ properties:
+ expression:
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
+ type: string
+ name:
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
+ type: string
+ required:
+ - expression
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ conditions:
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ ready:
+ description: |-
+ The ready of a policy is a high-level summary of where the policy is in its lifecycle.
+ The conditions array, the reason and message fields contain more detail about the policy's status.
+ type: boolean
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml
index 6e421f6718..d8553c43c3 100644
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@@ -195,119 +195,6 @@ data:
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
-metadata:
- labels:
- app.kubernetes.io/component: crds
- app.kubernetes.io/instance: kyverno
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: kyverno-crds
- app.kubernetes.io/version: v0.0.0
- helm.sh/chart: crds-v0.0.0
- annotations:
- controller-gen.kubebuilder.io/version: v0.16.1
- name: celpolicyexceptions.kyverno.io
-spec:
- group: kyverno.io
- names:
- kind: CELPolicyException
- listKind: CELPolicyExceptionList
- plural: celpolicyexceptions
- singular: celpolicyexception
- scope: Namespaced
- versions:
- - name: v2alpha1
- schema:
- openAPIV3Schema:
- description: PolicyException declares resources to be excluded from specified
- policies.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec declares policy exception behaviors.
- properties:
- matchConditions:
- description: MatchConditions is a list of CEL expressions that must
- be met for a resource to be excluded.
- items:
- description: MatchCondition represents a condition which must by
- fulfilled for a request to be sent to a webhook.
- properties:
- expression:
- description: |-
- Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
- CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
-
- 'object' - The object from the incoming request. The value is null for DELETE requests.
- 'oldObject' - The existing object. The value is null for CREATE requests.
- 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
- See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
- request resource.
- Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
-
- Required.
- type: string
- name:
- description: |-
- Name is an identifier for this match condition, used for strategic merging of MatchConditions,
- as well as providing an identifier for logging purposes. A good name should be descriptive of
- the associated expression.
- Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
- must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
- '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
- optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
-
- Required.
- type: string
- required:
- - expression
- - name
- type: object
- type: array
- policyRefs:
- description: PolicyRefs identifies the policies to which the exception
- is applied.
- items:
- properties:
- kind:
- description: Kind is the kind of the policy
- type: string
- name:
- description: Name is the name of the policy
- type: string
- required:
- - kind
- - name
- type: object
- type: array
- required:
- - policyRefs
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
metadata:
labels:
app.kubernetes.io/component: crds
@@ -48537,9 +48424,122 @@ metadata:
helm.sh/chart: crds-v0.0.0
annotations:
controller-gen.kubebuilder.io/version: v0.16.1
- name: validatingpolicies.kyverno.io
+ name: celpolicyexceptions.policies.kyverno.io
spec:
- group: kyverno.io
+ group: policies.kyverno.io
+ names:
+ kind: CELPolicyException
+ listKind: CELPolicyExceptionList
+ plural: celpolicyexceptions
+ singular: celpolicyexception
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: PolicyException declares resources to be excluded from specified
+ policies.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec declares policy exception behaviors.
+ properties:
+ matchConditions:
+ description: MatchConditions is a list of CEL expressions that must
+ be met for a resource to be excluded.
+ items:
+ description: MatchCondition represents a condition which must by
+ fulfilled for a request to be sent to a webhook.
+ properties:
+ expression:
+ description: |-
+ Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+ CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:
+
+ 'object' - The object from the incoming request. The value is null for DELETE requests.
+ 'oldObject' - The existing object. The value is null for CREATE requests.
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).
+ 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
+ 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the
+ request resource.
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+ Required.
+ type: string
+ name:
+ description: |-
+ Name is an identifier for this match condition, used for strategic merging of MatchConditions,
+ as well as providing an identifier for logging purposes. A good name should be descriptive of
+ the associated expression.
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and
+ must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or
+ '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
+ optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')
+
+ Required.
+ type: string
+ required:
+ - expression
+ - name
+ type: object
+ type: array
+ policyRefs:
+ description: PolicyRefs identifies the policies to which the exception
+ is applied.
+ items:
+ properties:
+ kind:
+ description: Kind is the kind of the policy
+ type: string
+ name:
+ description: Name is the name of the policy
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
+ required:
+ - policyRefs
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ labels:
+ app.kubernetes.io/component: crds
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: kyverno-crds
+ app.kubernetes.io/version: v0.0.0
+ helm.sh/chart: crds-v0.0.0
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: validatingpolicies.policies.kyverno.io
+spec:
+ group: policies.kyverno.io
names:
categories:
- kyverno
@@ -48555,7 +48555,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- name: v2alpha1
+ name: v1alpha1
schema:
openAPIV3Schema:
properties:
@@ -51328,6 +51328,18 @@ rules:
- globalcontextentries
- globalcontextentries/status
- policyexceptions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - policies.kyverno.io
+ resources:
- validatingpolicies
- validatingpolicies/status
- celpolicyexceptions
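Review bot: The inserted `apiGroups: policies.kyverno.io` entry leaves `validatingpolicies`, `validatingpolicies/status` and `celpolicyexceptions` attached to the verb list that follows the hunk, which from the context of the sibling hunk at `@@ -51872` appears to be the same full write set (`create`, `delete`, `patch`, `update`, `deletecollection`, …) copied in just above for the old group. Splitting the old entry this way means the grant for the new group never appears in the diff; the new `apiGroups` block should carry its own explicit `verbs:` so reviewers can see what is granted. The only consumer of `celpolicyexceptions` visible in this change is the lister-based `ListExceptions` in pkg/cel/engine/provider.go, which needs only `get`, `list` and `watch`; if the role that owns this `rules:` block (its name is outside the hunk) is the engine's and nothing writes exceptions, a read-only verb list for that resource would match least privilege. The same applies to the second `rules:` hunk at `@@ -51872`, and if this manifest is generated from the chart templates the fix belongs in the template rather than here.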
@@ -51872,6 +51884,18 @@ rules:
- policyexceptions
- policies
- clusterpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - policies.kyverno.io
+ resources:
- validatingpolicies
- validatingpolicies/status
verbs:
diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html
index 44f900035e..bc3ba9e607 100644
--- a/docs/user/crd/index.html
+++ b/docs/user/crd/index.html
@@ -10656,9 +10656,102 @@ github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1.Any
Resource Types:
+CELPolicyException
+
+
+
PolicyException declares resources to be excluded from specified policies.
+
+
+
+
+Field |
+Description |
+
+
+
+
+
+apiVersion
+string |
+
+
+policies.kyverno.io/v1alpha1
+
+ |
+
+
+
+kind
+string
+ |
+CELPolicyException |
+
+
+
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+
+
+spec
+
+
+CELPolicyExceptionSpec
+
+
+ |
+
+ Spec declares policy exception behaviors.
+
+
+
+ |
+
+
+
+
ValidatingPolicy
@@ -10778,10 +10871,214 @@ PolicyStatus
+AutogenRule
+
+
+(Appears on:
+AutogenStatus)
+
+
+
+
+
+AutogenStatus
+
+
+(Appears on:
+PolicyStatus)
+
+
+
AutogenStatus contains autogen status information.
+
+
+
+
+Field |
+Description |
+
+
+
+
+
+rules
+
+
+[]AutogenRule
+
+
+ |
+
+ Rules is a list of Rule instances. It contains auto generated rules added for pod controllers
+ |
+
+
+
+
+CELPolicyExceptionSpec
+
+
+(Appears on:
+CELPolicyException)
+
+
+
PolicyExceptionSpec stores policy exception spec
+
+
+
+
+Field |
+Description |
+
+
+
+
+
+policyRefs
+
+
+[]PolicyRef
+
+
+ |
+
+ PolicyRefs identifies the policies to which the exception is applied.
+ |
+
+
+
+matchConditions
+
+
+[]Kubernetes admissionregistration/v1.MatchCondition
+
+
+ |
+
+(Optional)
+ MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.
+ |
+
+
+
+
+GenericPolicy
+
+
+
PolicyConditionType
(string
alias)
+PolicyRef
+
+
+(Appears on:
+CELPolicyExceptionSpec)
+
+
+
+
+
+
+Field |
+Description |
+
+
+
+
+
+name
+
+string
+
+ |
+
+ Name is the name of the policy
+ |
+
+
+
+kind
+
+string
+
+ |
+
+ Kind is the kind of the policy
+ |
+
+
+
+
PolicyStatus
@@ -10824,6 +11121,19 @@ The conditions array, the reason and message fields contain more detail about th
(Optional)
+
+
+autogen
+
+
+AutogenStatus
+
+
+ |
+
+(Optional)
+ |
+
diff --git a/pkg/cel/autogen/autogen.go b/pkg/cel/autogen/autogen.go
index 62cf818093..efc0c0fd70 100644
--- a/pkg/cel/autogen/autogen.go
+++ b/pkg/cel/autogen/autogen.go
@@ -4,7 +4,7 @@ import (
"strings"
"github.com/kyverno/kyverno/api/kyverno"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"k8s.io/apimachinery/pkg/util/sets"
)
@@ -17,7 +17,7 @@ var podControllers = sets.New("daemonsets", "deployments", "jobs", "statefulsets
// - Pod is not defined
//
// Otherwise it returns all pod controllers
-func canAutoGen(spec *kyvernov2alpha1.ValidatingPolicySpec) (bool, sets.Set[string]) {
+func canAutoGen(spec *policiesv1alpha1.ValidatingPolicySpec) (bool, sets.Set[string]) {
match := spec.MatchConstraints
if match.NamespaceSelector != nil {
if len(match.NamespaceSelector.MatchLabels) > 0 || len(match.NamespaceSelector.MatchExpressions) > 0 {
@@ -45,8 +45,8 @@ func canAutoGen(spec *kyvernov2alpha1.ValidatingPolicySpec) (bool, sets.Set[stri
return true, podControllers
}
-func generateRules(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers string) []kyvernov2alpha1.AutogenRule {
- var genRules []kyvernov2alpha1.AutogenRule
+func generateRules(spec *policiesv1alpha1.ValidatingPolicySpec, controllers string) []policiesv1alpha1.AutogenRule {
+ var genRules []policiesv1alpha1.AutogenRule
// strip cronjobs from controllers if exist
isRemoved, controllers := stripCronJob(controllers)
// generate rule for pod controllers
@@ -82,10 +82,10 @@ func stripCronJob(controllers string) (bool, string) {
return isRemoved, strings.Join(newControllers, ",")
}
-func ComputeRules(policy kyvernov2alpha1.GenericPolicy) []kyvernov2alpha1.AutogenRule {
+func ComputeRules(policy policiesv1alpha1.GenericPolicy) []policiesv1alpha1.AutogenRule {
applyAutoGen, desiredControllers := canAutoGen(policy.GetSpec())
if !applyAutoGen {
- return []kyvernov2alpha1.AutogenRule{}
+ return []policiesv1alpha1.AutogenRule{}
}
var actualControllers sets.Set[string]
diff --git a/pkg/cel/autogen/autogen_test.go b/pkg/cel/autogen/autogen_test.go
index 0eec9a8200..45f937cc27 100644
--- a/pkg/cel/autogen/autogen_test.go
+++ b/pkg/cel/autogen/autogen_test.go
@@ -5,7 +5,7 @@ import (
"fmt"
"testing"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"gotest.tools/assert"
"k8s.io/apimachinery/pkg/util/sets"
)
@@ -19,7 +19,7 @@ func Test_CanAutoGen(t *testing.T) {
{
name: "policy-with-match-name",
policy: []byte(`{
- "apiVersion": "kyverno.io/v2alpha1",
+ "apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
@@ -66,7 +66,7 @@ func Test_CanAutoGen(t *testing.T) {
{
name: "policy-with-match-object-selector",
policy: []byte(`{
- "apiVersion": "kyverno.io/v2alpha1",
+ "apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
@@ -115,7 +115,7 @@ func Test_CanAutoGen(t *testing.T) {
{
name: "policy-with-match-namespace-selector",
policy: []byte(`{
- "apiVersion": "kyverno.io/v2alpha1",
+ "apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
@@ -164,7 +164,7 @@ func Test_CanAutoGen(t *testing.T) {
{
name: "policy-with-match-mixed-kinds-pod-podcontrollers",
policy: []byte(`{
- "apiVersion": "kyverno.io/v2alpha1",
+ "apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
@@ -223,7 +223,7 @@ func Test_CanAutoGen(t *testing.T) {
{
name: "policy-with-match-kinds-pod-only",
policy: []byte(`{
- "apiVersion": "kyverno.io/v2alpha1",
+ "apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "ValidatingPolicy",
"metadata": {
"name": "chech-labels"
@@ -268,7 +268,7 @@ func Test_CanAutoGen(t *testing.T) {
for _, test := range testCases {
t.Run(test.name, func(t *testing.T) {
- var policy *kyvernov2alpha1.ValidatingPolicy
+ var policy *policiesv1alpha1.ValidatingPolicy
err := json.Unmarshal(test.policy, &policy)
assert.NilError(t, err)
diff --git a/pkg/cel/autogen/rule.go b/pkg/cel/autogen/rule.go
index bbeecfd124..4b5033f4f5 100644
--- a/pkg/cel/autogen/rule.go
+++ b/pkg/cel/autogen/rule.go
@@ -6,11 +6,11 @@ import (
"slices"
"strings"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
)
-func generateCronJobRule(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers string) (*kyvernov2alpha1.AutogenRule, error) {
+func generateCronJobRule(spec *policiesv1alpha1.ValidatingPolicySpec, controllers string) (*policiesv1alpha1.AutogenRule, error) {
operations := spec.MatchConstraints.ResourceRules[0].Operations
// create a resource rule for the cronjob resource
matchConstraints := createMatchConstraints(controllers, operations)
@@ -61,7 +61,7 @@ func generateCronJobRule(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers
}
}
- return &kyvernov2alpha1.AutogenRule{
+ return &policiesv1alpha1.AutogenRule{
MatchConstraints: matchConstraints,
MatchConditions: matchConditions,
Validations: validations,
@@ -70,7 +70,7 @@ func generateCronJobRule(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers
}, nil
}
-func generateRuleForControllers(spec *kyvernov2alpha1.ValidatingPolicySpec, controllers string) (*kyvernov2alpha1.AutogenRule, error) {
+func generateRuleForControllers(spec *policiesv1alpha1.ValidatingPolicySpec, controllers string) (*policiesv1alpha1.AutogenRule, error) {
operations := spec.MatchConstraints.ResourceRules[0].Operations
// create a resource rule for pod controllers
matchConstraints := createMatchConstraints(controllers, operations)
@@ -119,7 +119,7 @@ func generateRuleForControllers(spec *kyvernov2alpha1.ValidatingPolicySpec, cont
}
}
- return &kyvernov2alpha1.AutogenRule{
+ return &policiesv1alpha1.AutogenRule{
MatchConstraints: matchConstraints,
MatchConditions: matchConditions,
Validations: validations,
diff --git a/pkg/cel/autogen/rule_test.go b/pkg/cel/autogen/rule_test.go
index 4b3a068547..9058f9ff80 100644
--- a/pkg/cel/autogen/rule_test.go
+++ b/pkg/cel/autogen/rule_test.go
@@ -5,7 +5,7 @@ import (
"reflect"
"testing"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"gotest.tools/assert"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
)
@@ -15,7 +15,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
name string
controllers string
policySpec []byte
- generatedRule kyvernov2alpha1.AutogenRule
+ generatedRule policiesv1alpha1.AutogenRule
}{
{
name: "autogen rule for deployments",
@@ -46,7 +46,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
}
]
}`),
- generatedRule: kyvernov2alpha1.AutogenRule{
+ generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@@ -100,7 +100,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
}
]
}`),
- generatedRule: kyvernov2alpha1.AutogenRule{
+ generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@@ -160,7 +160,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
}
]
}`),
- generatedRule: kyvernov2alpha1.AutogenRule{
+ generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@@ -195,7 +195,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
- var spec *kyvernov2alpha1.ValidatingPolicySpec
+ var spec *policiesv1alpha1.ValidatingPolicySpec
err := json.Unmarshal(test.policySpec, &spec)
assert.NilError(t, err)
@@ -212,7 +212,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
func TestGenerateCronJobRule(t *testing.T) {
tests := []struct {
policySpec []byte
- generatedRule kyvernov2alpha1.AutogenRule
+ generatedRule policiesv1alpha1.AutogenRule
}{
{
policySpec: []byte(`{
@@ -241,7 +241,7 @@ func TestGenerateCronJobRule(t *testing.T) {
}
]
}`),
- generatedRule: kyvernov2alpha1.AutogenRule{
+ generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@@ -299,7 +299,7 @@ func TestGenerateCronJobRule(t *testing.T) {
}
]
}`),
- generatedRule: kyvernov2alpha1.AutogenRule{
+ generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@@ -364,7 +364,7 @@ func TestGenerateCronJobRule(t *testing.T) {
}
]
}`),
- generatedRule: kyvernov2alpha1.AutogenRule{
+ generatedRule: policiesv1alpha1.AutogenRule{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
@@ -398,7 +398,7 @@ func TestGenerateCronJobRule(t *testing.T) {
},
}
for _, tt := range tests {
- var spec *kyvernov2alpha1.ValidatingPolicySpec
+ var spec *policiesv1alpha1.ValidatingPolicySpec
err := json.Unmarshal(tt.policySpec, &spec)
assert.NilError(t, err)
diff --git a/pkg/cel/engine/engine.go b/pkg/cel/engine/engine.go
index 09618a6f37..487cf7b999 100644
--- a/pkg/cel/engine/engine.go
+++ b/pkg/cel/engine/engine.go
@@ -4,7 +4,7 @@ import (
"context"
"fmt"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
contextlib "github.com/kyverno/kyverno/pkg/cel/libs/context"
"github.com/kyverno/kyverno/pkg/cel/matching"
"github.com/kyverno/kyverno/pkg/cel/utils"
@@ -79,7 +79,7 @@ type EngineResponse struct {
type PolicyResponse struct {
Actions sets.Set[admissionregistrationv1.ValidationAction]
- Policy kyvernov2alpha1.ValidatingPolicy
+ Policy policiesv1alpha1.ValidatingPolicy
Rules []engineapi.RuleResponse
}
diff --git a/pkg/cel/engine/provider.go b/pkg/cel/engine/provider.go
index 8f68a2fa4b..ca3768fe3b 100644
--- a/pkg/cel/engine/provider.go
+++ b/pkg/cel/engine/provider.go
@@ -5,9 +5,9 @@ import (
"fmt"
"sync"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/cel/policy"
- kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+ policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
"golang.org/x/exp/maps"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/apimachinery/pkg/api/errors"
@@ -23,7 +23,7 @@ import (
type CompiledPolicy struct {
Actions sets.Set[admissionregistrationv1.ValidationAction]
- Policy kyvernov2alpha1.ValidatingPolicy
+ Policy policiesv1alpha1.ValidatingPolicy
CompiledPolicy policy.CompiledPolicy
}
@@ -37,7 +37,7 @@ func (f ProviderFunc) CompiledPolicies(ctx context.Context) ([]CompiledPolicy, e
return f(ctx)
}
-func NewProvider(compiler policy.Compiler, policies ...kyvernov2alpha1.ValidatingPolicy) (ProviderFunc, error) {
+func NewProvider(compiler policy.Compiler, policies ...policiesv1alpha1.ValidatingPolicy) (ProviderFunc, error) {
compiled := make([]CompiledPolicy, 0, len(policies))
for _, vp := range policies {
policy, err := compiler.Compile(&vp, nil)
@@ -63,18 +63,18 @@ func NewProvider(compiler policy.Compiler, policies ...kyvernov2alpha1.Validatin
func NewKubeProvider(
compiler policy.Compiler,
mgr ctrl.Manager,
- polexLister kyvernov2alpha1listers.CELPolicyExceptionLister,
+ polexLister policiesv1alpha1listers.CELPolicyExceptionLister,
) (Provider, error) {
r := newPolicyReconciler(compiler, mgr.GetClient(), polexLister)
err := ctrl.NewControllerManagedBy(mgr).
- For(&kyvernov2alpha1.ValidatingPolicy{}).
- Watches(&kyvernov2alpha1.CELPolicyException{}, &handler.Funcs{
+ For(&policiesv1alpha1.ValidatingPolicy{}).
+ Watches(&policiesv1alpha1.CELPolicyException{}, &handler.Funcs{
CreateFunc: func(
ctx context.Context,
tce event.TypedCreateEvent[client.Object],
trli workqueue.TypedRateLimitingInterface[reconcile.Request],
) {
- polex := tce.Object.(*kyvernov2alpha1.CELPolicyException)
+ polex := tce.Object.(*policiesv1alpha1.CELPolicyException)
for _, ref := range polex.Spec.PolicyRefs {
trli.Add(reconcile.Request{
NamespacedName: client.ObjectKey{
@@ -88,7 +88,7 @@ func NewKubeProvider(
tue event.TypedUpdateEvent[client.Object],
trli workqueue.TypedRateLimitingInterface[reconcile.Request],
) {
- polex := tue.ObjectNew.(*kyvernov2alpha1.CELPolicyException)
+ polex := tue.ObjectNew.(*policiesv1alpha1.CELPolicyException)
for _, ref := range polex.Spec.PolicyRefs {
trli.Add(reconcile.Request{
NamespacedName: client.ObjectKey{
@@ -102,7 +102,7 @@ func NewKubeProvider(
tde event.TypedDeleteEvent[client.Object],
trli workqueue.TypedRateLimitingInterface[reconcile.Request],
) {
- polex := tde.Object.(*kyvernov2alpha1.CELPolicyException)
+ polex := tde.Object.(*policiesv1alpha1.CELPolicyException)
for _, ref := range polex.Spec.PolicyRefs {
trli.Add(reconcile.Request{
NamespacedName: client.ObjectKey{
@@ -124,13 +124,13 @@ type policyReconciler struct {
compiler policy.Compiler
lock *sync.RWMutex
policies map[string]CompiledPolicy
- polexLister kyvernov2alpha1listers.CELPolicyExceptionLister
+ polexLister policiesv1alpha1listers.CELPolicyExceptionLister
}
func newPolicyReconciler(
compiler policy.Compiler,
client client.Client,
- polexLister kyvernov2alpha1listers.CELPolicyExceptionLister,
+ polexLister policiesv1alpha1listers.CELPolicyExceptionLister,
) *policyReconciler {
return &policyReconciler{
client: client,
@@ -142,7 +142,7 @@ func newPolicyReconciler(
}
func (r *policyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
- var policy kyvernov2alpha1.ValidatingPolicy
+ var policy policiesv1alpha1.ValidatingPolicy
err := r.client.Get(ctx, req.NamespacedName, &policy)
if errors.IsNotFound(err) {
r.lock.Lock()
@@ -184,12 +184,12 @@ func (r *policyReconciler) CompiledPolicies(ctx context.Context) ([]CompiledPoli
return maps.Values(r.policies), nil
}
-func (r *policyReconciler) ListExceptions(policyName string) ([]kyvernov2alpha1.CELPolicyException, error) {
+func (r *policyReconciler) ListExceptions(policyName string) ([]policiesv1alpha1.CELPolicyException, error) {
polexList, err := r.polexLister.List(labels.Everything())
if err != nil {
return nil, err
}
- var exceptions []kyvernov2alpha1.CELPolicyException
+ var exceptions []policiesv1alpha1.CELPolicyException
for _, polex := range polexList {
for _, ref := range polex.Spec.PolicyRefs {
if ref.Name == policyName {
diff --git a/pkg/cel/policy/compiler.go b/pkg/cel/policy/compiler.go
index d574d8c2ec..2536aa9442 100644
--- a/pkg/cel/policy/compiler.go
+++ b/pkg/cel/policy/compiler.go
@@ -5,7 +5,7 @@ import (
"github.com/google/cel-go/cel"
"github.com/google/cel-go/common/types"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
engine "github.com/kyverno/kyverno/pkg/cel"
"github.com/kyverno/kyverno/pkg/cel/libs/context"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -23,7 +23,7 @@ const (
)
type Compiler interface {
- Compile(*kyvernov2alpha1.ValidatingPolicy, []kyvernov2alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList)
+ Compile(*policiesv1alpha1.ValidatingPolicy, []policiesv1alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList)
}
func NewCompiler() Compiler {
@@ -32,7 +32,7 @@ func NewCompiler() Compiler {
type compiler struct{}
-func (c *compiler) Compile(policy *kyvernov2alpha1.ValidatingPolicy, exceptions []kyvernov2alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList) {
+func (c *compiler) Compile(policy *policiesv1alpha1.ValidatingPolicy, exceptions []policiesv1alpha1.CELPolicyException) (CompiledPolicy, field.ErrorList) {
var allErrs field.ErrorList
base, err := engine.NewEnv()
if err != nil {
diff --git a/pkg/cel/policy/compiler_test.go b/pkg/cel/policy/compiler_test.go
index a76a5ee685..be6b98e1c0 100644
--- a/pkg/cel/policy/compiler_test.go
+++ b/pkg/cel/policy/compiler_test.go
@@ -3,7 +3,7 @@ package policy
import (
"testing"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/stretchr/testify/assert"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -12,19 +12,19 @@ import (
func Test_compiler_Compile(t *testing.T) {
tests := []struct {
name string
- policy *kyvernov2alpha1.ValidatingPolicy
+ policy *policiesv1alpha1.ValidatingPolicy
wantErr bool
}{{
name: "simple",
- policy: &kyvernov2alpha1.ValidatingPolicy{
+ policy: &policiesv1alpha1.ValidatingPolicy{
TypeMeta: metav1.TypeMeta{
- APIVersion: kyvernov2alpha1.GroupVersion.String(),
+ APIVersion: policiesv1alpha1.GroupVersion.String(),
Kind: "ValidatingPolicy",
},
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
- Spec: kyvernov2alpha1.ValidatingPolicySpec{
+ Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
Variables: []admissionregistrationv1.Variable{{
Name: "environment",
@@ -38,15 +38,15 @@ func Test_compiler_Compile(t *testing.T) {
},
}, {
name: "with configmap",
- policy: &kyvernov2alpha1.ValidatingPolicy{
+ policy: &policiesv1alpha1.ValidatingPolicy{
TypeMeta: metav1.TypeMeta{
- APIVersion: kyvernov2alpha1.GroupVersion.String(),
+ APIVersion: policiesv1alpha1.GroupVersion.String(),
Kind: "ValidatingPolicy",
},
ObjectMeta: metav1.ObjectMeta{
Name: "foo",
},
- Spec: kyvernov2alpha1.ValidatingPolicySpec{
+ Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
Variables: []admissionregistrationv1.Variable{{
Name: "cm",
diff --git a/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/autogenrule.go b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/autogenrule.go
new file mode 100644
index 0000000000..0c40728675
--- /dev/null
+++ b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/autogenrule.go
@@ -0,0 +1,87 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ v1 "k8s.io/api/admissionregistration/v1"
+)
+
+// AutogenRuleApplyConfiguration represents an declarative configuration of the AutogenRule type for use
+// with apply.
+type AutogenRuleApplyConfiguration struct {
+ MatchConstraints *v1.MatchResources `json:"matchConstraints,omitempty"`
+ MatchConditions []v1.MatchCondition `json:"matchConditions,omitempty"`
+ Validations []v1.Validation `json:"validations,omitempty"`
+ AuditAnnotation []v1.AuditAnnotation `json:"auditAnnotations,omitempty"`
+ Variables []v1.Variable `json:"variables,omitempty"`
+}
+
+// AutogenRuleApplyConfiguration constructs an declarative configuration of the AutogenRule type for use with
+// apply.
+func AutogenRule() *AutogenRuleApplyConfiguration {
+ return &AutogenRuleApplyConfiguration{}
+}
+
+// WithMatchConstraints sets the MatchConstraints field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MatchConstraints field is set to the value of the last call.
+func (b *AutogenRuleApplyConfiguration) WithMatchConstraints(value v1.MatchResources) *AutogenRuleApplyConfiguration {
+ b.MatchConstraints = &value
+ return b
+}
+
+// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the MatchConditions field.
+func (b *AutogenRuleApplyConfiguration) WithMatchConditions(values ...v1.MatchCondition) *AutogenRuleApplyConfiguration {
+ for i := range values {
+ b.MatchConditions = append(b.MatchConditions, values[i])
+ }
+ return b
+}
+
+// WithValidations adds the given value to the Validations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Validations field.
+func (b *AutogenRuleApplyConfiguration) WithValidations(values ...v1.Validation) *AutogenRuleApplyConfiguration {
+ for i := range values {
+ b.Validations = append(b.Validations, values[i])
+ }
+ return b
+}
+
+// WithAuditAnnotation adds the given value to the AuditAnnotation field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the AuditAnnotation field.
+func (b *AutogenRuleApplyConfiguration) WithAuditAnnotation(values ...v1.AuditAnnotation) *AutogenRuleApplyConfiguration {
+ for i := range values {
+ b.AuditAnnotation = append(b.AuditAnnotation, values[i])
+ }
+ return b
+}
+
+// WithVariables adds the given value to the Variables field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Variables field.
+func (b *AutogenRuleApplyConfiguration) WithVariables(values ...v1.Variable) *AutogenRuleApplyConfiguration {
+ for i := range values {
+ b.Variables = append(b.Variables, values[i])
+ }
+ return b
+}
diff --git a/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/autogenstatus.go b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/autogenstatus.go
new file mode 100644
index 0000000000..de931822ab
--- /dev/null
+++ b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/autogenstatus.go
@@ -0,0 +1,44 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// AutogenStatusApplyConfiguration represents an declarative configuration of the AutogenStatus type for use
+// with apply.
+type AutogenStatusApplyConfiguration struct {
+ Rules []AutogenRuleApplyConfiguration `json:"rules,omitempty"`
+}
+
+// AutogenStatusApplyConfiguration constructs an declarative configuration of the AutogenStatus type for use with
+// apply.
+func AutogenStatus() *AutogenStatusApplyConfiguration {
+ return &AutogenStatusApplyConfiguration{}
+}
+
+// WithRules adds the given value to the Rules field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Rules field.
+func (b *AutogenStatusApplyConfiguration) WithRules(values ...*AutogenRuleApplyConfiguration) *AutogenStatusApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithRules")
+ }
+ b.Rules = append(b.Rules, *values[i])
+ }
+ return b
+}
diff --git a/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/celpolicyexception.go b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/celpolicyexception.go
new file mode 100644
index 0000000000..a3896c9848
--- /dev/null
+++ b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/celpolicyexception.go
@@ -0,0 +1,210 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CELPolicyExceptionApplyConfiguration represents an declarative configuration of the CELPolicyException type for use
+// with apply.
+type CELPolicyExceptionApplyConfiguration struct {
+ v1.TypeMetaApplyConfiguration `json:",omitempty,inline"`
+ *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+ Spec *CELPolicyExceptionSpecApplyConfiguration `json:"spec,omitempty"`
+}
+
+// CELPolicyException constructs an declarative configuration of the CELPolicyException type for use with
+// apply.
+func CELPolicyException(name, namespace string) *CELPolicyExceptionApplyConfiguration {
+ b := &CELPolicyExceptionApplyConfiguration{}
+ b.WithName(name)
+ b.WithNamespace(namespace)
+ b.WithKind("CELPolicyException")
+ b.WithAPIVersion("policies.kyverno.io/v1alpha1")
+ return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithKind(value string) *CELPolicyExceptionApplyConfiguration {
+ b.Kind = &value
+ return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithAPIVersion(value string) *CELPolicyExceptionApplyConfiguration {
+ b.APIVersion = &value
+ return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithName(value string) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.Name = &value
+ return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithGenerateName(value string) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.GenerateName = &value
+ return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithNamespace(value string) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.Namespace = &value
+ return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithUID(value types.UID) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.UID = &value
+ return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithResourceVersion(value string) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ResourceVersion = &value
+ return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithGeneration(value int64) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.Generation = &value
+ return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.CreationTimestamp = &value
+ return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.DeletionTimestamp = &value
+ return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.DeletionGracePeriodSeconds = &value
+ return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CELPolicyExceptionApplyConfiguration) WithLabels(entries map[string]string) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ if b.Labels == nil && len(entries) > 0 {
+ b.Labels = make(map[string]string, len(entries))
+ }
+ for k, v := range entries {
+ b.Labels[k] = v
+ }
+ return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CELPolicyExceptionApplyConfiguration) WithAnnotations(entries map[string]string) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ if b.Annotations == nil && len(entries) > 0 {
+ b.Annotations = make(map[string]string, len(entries))
+ }
+ for k, v := range entries {
+ b.Annotations[k] = v
+ }
+ return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CELPolicyExceptionApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithOwnerReferences")
+ }
+ b.OwnerReferences = append(b.OwnerReferences, *values[i])
+ }
+ return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CELPolicyExceptionApplyConfiguration) WithFinalizers(values ...string) *CELPolicyExceptionApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ for i := range values {
+ b.Finalizers = append(b.Finalizers, values[i])
+ }
+ return b
+}
+
+func (b *CELPolicyExceptionApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+ if b.ObjectMetaApplyConfiguration == nil {
+ b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+ }
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CELPolicyExceptionApplyConfiguration) WithSpec(value *CELPolicyExceptionSpecApplyConfiguration) *CELPolicyExceptionApplyConfiguration {
+ b.Spec = value
+ return b
+}
diff --git a/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/celpolicyexceptionspec.go b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/celpolicyexceptionspec.go
new file mode 100644
index 0000000000..8659bf65b5
--- /dev/null
+++ b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/celpolicyexceptionspec.go
@@ -0,0 +1,59 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ v1 "k8s.io/api/admissionregistration/v1"
+)
+
+// CELPolicyExceptionSpecApplyConfiguration represents an declarative configuration of the CELPolicyExceptionSpec type for use
+// with apply.
+type CELPolicyExceptionSpecApplyConfiguration struct {
+ PolicyRefs []PolicyRefApplyConfiguration `json:"policyRefs,omitempty"`
+ MatchConditions []v1.MatchCondition `json:"matchConditions,omitempty"`
+}
+
+// CELPolicyExceptionSpecApplyConfiguration constructs an declarative configuration of the CELPolicyExceptionSpec type for use with
+// apply.
+func CELPolicyExceptionSpec() *CELPolicyExceptionSpecApplyConfiguration {
+ return &CELPolicyExceptionSpecApplyConfiguration{}
+}
+
+// WithPolicyRefs adds the given value to the PolicyRefs field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the PolicyRefs field.
+func (b *CELPolicyExceptionSpecApplyConfiguration) WithPolicyRefs(values ...*PolicyRefApplyConfiguration) *CELPolicyExceptionSpecApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithPolicyRefs")
+ }
+ b.PolicyRefs = append(b.PolicyRefs, *values[i])
+ }
+ return b
+}
+
+// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the MatchConditions field.
+func (b *CELPolicyExceptionSpecApplyConfiguration) WithMatchConditions(values ...v1.MatchCondition) *CELPolicyExceptionSpecApplyConfiguration {
+ for i := range values {
+ b.MatchConditions = append(b.MatchConditions, values[i])
+ }
+ return b
+}
diff --git a/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/policyref.go b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/policyref.go
new file mode 100644
index 0000000000..98e5c4b55f
--- /dev/null
+++ b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/policyref.go
@@ -0,0 +1,48 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// PolicyRefApplyConfiguration represents an declarative configuration of the PolicyRef type for use
+// with apply.
+type PolicyRefApplyConfiguration struct {
+ Name *string `json:"name,omitempty"`
+ Kind *string `json:"kind,omitempty"`
+}
+
+// PolicyRefApplyConfiguration constructs an declarative configuration of the PolicyRef type for use with
+// apply.
+func PolicyRef() *PolicyRefApplyConfiguration {
+ return &PolicyRefApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *PolicyRefApplyConfiguration) WithName(value string) *PolicyRefApplyConfiguration {
+ b.Name = &value
+ return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *PolicyRefApplyConfiguration) WithKind(value string) *PolicyRefApplyConfiguration {
+ b.Kind = &value
+ return b
+}
diff --git a/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/policystatus.go b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/policystatus.go
index 405eb1fe69..568ce32b11 100644
--- a/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/policystatus.go
+++ b/pkg/client/applyconfigurations/policies.kyverno.io/v1alpha1/policystatus.go
@@ -25,8 +25,9 @@ import (
// PolicyStatusApplyConfiguration represents an declarative configuration of the PolicyStatus type for use
// with apply.
type PolicyStatusApplyConfiguration struct {
- Ready *bool `json:"ready,omitempty"`
- Conditions []v1.Condition `json:"conditions,omitempty"`
+ Ready *bool `json:"ready,omitempty"`
+ Conditions []v1.Condition `json:"conditions,omitempty"`
+ Autogen *AutogenStatusApplyConfiguration `json:"autogen,omitempty"`
}
// PolicyStatusApplyConfiguration constructs an declarative configuration of the PolicyStatus type for use with
@@ -52,3 +53,11 @@ func (b *PolicyStatusApplyConfiguration) WithConditions(values ...v1.Condition)
}
return b
}
+
+// WithAutogen sets the Autogen field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Autogen field is set to the value of the last call.
+func (b *PolicyStatusApplyConfiguration) WithAutogen(value *AutogenStatusApplyConfiguration) *PolicyStatusApplyConfiguration {
+ b.Autogen = value
+ return b
+}
diff --git a/pkg/client/applyconfigurations/utils.go b/pkg/client/applyconfigurations/utils.go
index 7ee6dcc68c..e51a35e307 100644
--- a/pkg/client/applyconfigurations/utils.go
+++ b/pkg/client/applyconfigurations/utils.go
@@ -273,6 +273,16 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &kyvernov2beta1.ValidationApplyConfiguration{}
// Group=policies.kyverno.io, Version=v1alpha1
+ case v1alpha1.SchemeGroupVersion.WithKind("AutogenRule"):
+ return &policieskyvernoiov1alpha1.AutogenRuleApplyConfiguration{}
+ case v1alpha1.SchemeGroupVersion.WithKind("AutogenStatus"):
+ return &policieskyvernoiov1alpha1.AutogenStatusApplyConfiguration{}
+ case v1alpha1.SchemeGroupVersion.WithKind("CELPolicyException"):
+ return &policieskyvernoiov1alpha1.CELPolicyExceptionApplyConfiguration{}
+ case v1alpha1.SchemeGroupVersion.WithKind("CELPolicyExceptionSpec"):
+ return &policieskyvernoiov1alpha1.CELPolicyExceptionSpecApplyConfiguration{}
+ case v1alpha1.SchemeGroupVersion.WithKind("PolicyRef"):
+ return &policieskyvernoiov1alpha1.PolicyRefApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("PolicyStatus"):
return &policieskyvernoiov1alpha1.PolicyStatusApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("ValidatingPolicy"):
diff --git a/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/celpolicyexception.go b/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/celpolicyexception.go
new file mode 100644
index 0000000000..29f0ceaf69
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/celpolicyexception.go
@@ -0,0 +1,178 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ "context"
+ "time"
+
+ v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+ scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ rest "k8s.io/client-go/rest"
+)
+
+// CELPolicyExceptionsGetter has a method to return a CELPolicyExceptionInterface.
+// A group's client should implement this interface.
+type CELPolicyExceptionsGetter interface {
+ CELPolicyExceptions(namespace string) CELPolicyExceptionInterface
+}
+
+// CELPolicyExceptionInterface has methods to work with CELPolicyException resources.
+type CELPolicyExceptionInterface interface {
+ Create(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.CreateOptions) (*v1alpha1.CELPolicyException, error)
+ Update(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.UpdateOptions) (*v1alpha1.CELPolicyException, error)
+ Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+ DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+ Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.CELPolicyException, error)
+ List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.CELPolicyExceptionList, error)
+ Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+ Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CELPolicyException, err error)
+ CELPolicyExceptionExpansion
+}
+
+// cELPolicyExceptions implements CELPolicyExceptionInterface
+type cELPolicyExceptions struct {
+ client rest.Interface
+ ns string
+}
+
+// newCELPolicyExceptions returns a CELPolicyExceptions
+func newCELPolicyExceptions(c *PoliciesV1alpha1Client, namespace string) *cELPolicyExceptions {
+ return &cELPolicyExceptions{
+ client: c.RESTClient(),
+ ns: namespace,
+ }
+}
+
+// Get takes name of the cELPolicyException, and returns the corresponding cELPolicyException object, and an error if there is any.
+func (c *cELPolicyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CELPolicyException, err error) {
+ result = &v1alpha1.CELPolicyException{}
+ err = c.client.Get().
+ Namespace(c.ns).
+ Resource("celpolicyexceptions").
+ Name(name).
+ VersionedParams(&options, scheme.ParameterCodec).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// List takes label and field selectors, and returns the list of CELPolicyExceptions that match those selectors.
+func (c *cELPolicyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CELPolicyExceptionList, err error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ result = &v1alpha1.CELPolicyExceptionList{}
+ err = c.client.Get().
+ Namespace(c.ns).
+ Resource("celpolicyexceptions").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Watch returns a watch.Interface that watches the requested cELPolicyExceptions.
+func (c *cELPolicyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ opts.Watch = true
+ return c.client.Get().
+ Namespace(c.ns).
+ Resource("celpolicyexceptions").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Watch(ctx)
+}
+
+// Create takes the representation of a cELPolicyException and creates it. Returns the server's representation of the cELPolicyException, and an error, if there is any.
+func (c *cELPolicyExceptions) Create(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.CreateOptions) (result *v1alpha1.CELPolicyException, err error) {
+ result = &v1alpha1.CELPolicyException{}
+ err = c.client.Post().
+ Namespace(c.ns).
+ Resource("celpolicyexceptions").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(cELPolicyException).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Update takes the representation of a cELPolicyException and updates it. Returns the server's representation of the cELPolicyException, and an error, if there is any.
+func (c *cELPolicyExceptions) Update(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.UpdateOptions) (result *v1alpha1.CELPolicyException, err error) {
+ result = &v1alpha1.CELPolicyException{}
+ err = c.client.Put().
+ Namespace(c.ns).
+ Resource("celpolicyexceptions").
+ Name(cELPolicyException.Name).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(cELPolicyException).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Delete takes name of the cELPolicyException and deletes it. Returns an error if one occurs.
+func (c *cELPolicyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ return c.client.Delete().
+ Namespace(c.ns).
+ Resource("celpolicyexceptions").
+ Name(name).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *cELPolicyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ var timeout time.Duration
+ if listOpts.TimeoutSeconds != nil {
+ timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+ }
+ return c.client.Delete().
+ Namespace(c.ns).
+ Resource("celpolicyexceptions").
+ VersionedParams(&listOpts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// Patch applies the patch and returns the patched cELPolicyException.
+func (c *cELPolicyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CELPolicyException, err error) {
+ result = &v1alpha1.CELPolicyException{}
+ err = c.client.Patch(pt).
+ Namespace(c.ns).
+ Resource("celpolicyexceptions").
+ Name(name).
+ SubResource(subresources...).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(data).
+ Do(ctx).
+ Into(result)
+ return
+}
diff --git a/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/fake/fake_celpolicyexception.go b/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/fake/fake_celpolicyexception.go
new file mode 100644
index 0000000000..474ab3ec76
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/fake/fake_celpolicyexception.go
@@ -0,0 +1,129 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+ "context"
+
+ v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ labels "k8s.io/apimachinery/pkg/labels"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ testing "k8s.io/client-go/testing"
+)
+
+// FakeCELPolicyExceptions implements CELPolicyExceptionInterface
+type FakeCELPolicyExceptions struct {
+ Fake *FakePoliciesV1alpha1
+ ns string
+}
+
+var celpolicyexceptionsResource = v1alpha1.SchemeGroupVersion.WithResource("celpolicyexceptions")
+
+var celpolicyexceptionsKind = v1alpha1.SchemeGroupVersion.WithKind("CELPolicyException")
+
+// Get takes name of the cELPolicyException, and returns the corresponding cELPolicyException object, and an error if there is any.
+func (c *FakeCELPolicyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.CELPolicyException, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewGetAction(celpolicyexceptionsResource, c.ns, name), &v1alpha1.CELPolicyException{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha1.CELPolicyException), err
+}
+
+// List takes label and field selectors, and returns the list of CELPolicyExceptions that match those selectors.
+func (c *FakeCELPolicyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.CELPolicyExceptionList, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewListAction(celpolicyexceptionsResource, celpolicyexceptionsKind, c.ns, opts), &v1alpha1.CELPolicyExceptionList{})
+
+ if obj == nil {
+ return nil, err
+ }
+
+ label, _, _ := testing.ExtractFromListOptions(opts)
+ if label == nil {
+ label = labels.Everything()
+ }
+ list := &v1alpha1.CELPolicyExceptionList{ListMeta: obj.(*v1alpha1.CELPolicyExceptionList).ListMeta}
+ for _, item := range obj.(*v1alpha1.CELPolicyExceptionList).Items {
+ if label.Matches(labels.Set(item.Labels)) {
+ list.Items = append(list.Items, item)
+ }
+ }
+ return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested cELPolicyExceptions.
+func (c *FakeCELPolicyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ return c.Fake.
+ InvokesWatch(testing.NewWatchAction(celpolicyexceptionsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a cELPolicyException and creates it. Returns the server's representation of the cELPolicyException, and an error, if there is any.
+func (c *FakeCELPolicyExceptions) Create(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.CreateOptions) (result *v1alpha1.CELPolicyException, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewCreateAction(celpolicyexceptionsResource, c.ns, cELPolicyException), &v1alpha1.CELPolicyException{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha1.CELPolicyException), err
+}
+
+// Update takes the representation of a cELPolicyException and updates it. Returns the server's representation of the cELPolicyException, and an error, if there is any.
+func (c *FakeCELPolicyExceptions) Update(ctx context.Context, cELPolicyException *v1alpha1.CELPolicyException, opts v1.UpdateOptions) (result *v1alpha1.CELPolicyException, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewUpdateAction(celpolicyexceptionsResource, c.ns, cELPolicyException), &v1alpha1.CELPolicyException{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha1.CELPolicyException), err
+}
+
+// Delete takes name of the cELPolicyException and deletes it. Returns an error if one occurs.
+func (c *FakeCELPolicyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ _, err := c.Fake.
+ Invokes(testing.NewDeleteActionWithOptions(celpolicyexceptionsResource, c.ns, name, opts), &v1alpha1.CELPolicyException{})
+
+ return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeCELPolicyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ action := testing.NewDeleteCollectionAction(celpolicyexceptionsResource, c.ns, listOpts)
+
+ _, err := c.Fake.Invokes(action, &v1alpha1.CELPolicyExceptionList{})
+ return err
+}
+
+// Patch applies the patch and returns the patched cELPolicyException.
+func (c *FakeCELPolicyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.CELPolicyException, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewPatchSubresourceAction(celpolicyexceptionsResource, c.ns, name, pt, data, subresources...), &v1alpha1.CELPolicyException{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v1alpha1.CELPolicyException), err
+}
diff --git a/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/fake/fake_policies.kyverno.io_client.go b/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/fake/fake_policies.kyverno.io_client.go
index 17c52d84cd..515ae41fa4 100644
--- a/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/fake/fake_policies.kyverno.io_client.go
+++ b/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/fake/fake_policies.kyverno.io_client.go
@@ -28,6 +28,10 @@ type FakePoliciesV1alpha1 struct {
*testing.Fake
}
+func (c *FakePoliciesV1alpha1) CELPolicyExceptions(namespace string) v1alpha1.CELPolicyExceptionInterface {
+ return &FakeCELPolicyExceptions{c, namespace}
+}
+
func (c *FakePoliciesV1alpha1) ValidatingPolicies() v1alpha1.ValidatingPolicyInterface {
return &FakeValidatingPolicies{c}
}
diff --git a/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/generated_expansion.go b/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/generated_expansion.go
index 671dcb8875..c3bd19b5c3 100644
--- a/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/generated_expansion.go
+++ b/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/generated_expansion.go
@@ -18,4 +18,6 @@ limitations under the License.
package v1alpha1
+type CELPolicyExceptionExpansion interface{}
+
type ValidatingPolicyExpansion interface{}
diff --git a/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/policies.kyverno.io_client.go b/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/policies.kyverno.io_client.go
index d4d4a47fc6..71bbd3360e 100644
--- a/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/policies.kyverno.io_client.go
+++ b/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1/policies.kyverno.io_client.go
@@ -28,6 +28,7 @@ import (
type PoliciesV1alpha1Interface interface {
RESTClient() rest.Interface
+ CELPolicyExceptionsGetter
ValidatingPoliciesGetter
}
@@ -36,6 +37,10 @@ type PoliciesV1alpha1Client struct {
restClient rest.Interface
}
+func (c *PoliciesV1alpha1Client) CELPolicyExceptions(namespace string) CELPolicyExceptionInterface {
+ return newCELPolicyExceptions(c, namespace)
+}
+
func (c *PoliciesV1alpha1Client) ValidatingPolicies() ValidatingPolicyInterface {
return newValidatingPolicies(c)
}
diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go
index 59a95ee377..46633f0291 100644
--- a/pkg/client/informers/externalversions/generic.go
+++ b/pkg/client/informers/externalversions/generic.go
@@ -82,6 +82,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2alpha1().ValidatingPolicies().Informer()}, nil
// Group=policies.kyverno.io, Version=v1alpha1
+ case v1alpha1.SchemeGroupVersion.WithResource("celpolicyexceptions"):
+ return &genericInformer{resource: resource.GroupResource(), informer: f.Policies().V1alpha1().CELPolicyExceptions().Informer()}, nil
case v1alpha1.SchemeGroupVersion.WithResource("validatingpolicies"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Policies().V1alpha1().ValidatingPolicies().Informer()}, nil
diff --git a/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1/celpolicyexception.go b/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1/celpolicyexception.go
new file mode 100644
index 0000000000..1b144be243
--- /dev/null
+++ b/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1/celpolicyexception.go
@@ -0,0 +1,90 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ "context"
+ time "time"
+
+ policieskyvernoiov1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+ versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
+ internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
+ v1alpha1 "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+ watch "k8s.io/apimachinery/pkg/watch"
+ cache "k8s.io/client-go/tools/cache"
+)
+
+// CELPolicyExceptionInformer provides access to a shared informer and lister for
+// CELPolicyExceptions.
+type CELPolicyExceptionInformer interface {
+ Informer() cache.SharedIndexInformer
+ Lister() v1alpha1.CELPolicyExceptionLister
+}
+
+type cELPolicyExceptionInformer struct {
+ factory internalinterfaces.SharedInformerFactory
+ tweakListOptions internalinterfaces.TweakListOptionsFunc
+ namespace string
+}
+
+// NewCELPolicyExceptionInformer constructs a new informer for CELPolicyException type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCELPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+ return NewFilteredCELPolicyExceptionInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCELPolicyExceptionInformer constructs a new informer for CELPolicyException type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCELPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+ return cache.NewSharedIndexInformer(
+ &cache.ListWatch{
+ ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.PoliciesV1alpha1().CELPolicyExceptions(namespace).List(context.TODO(), options)
+ },
+ WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.PoliciesV1alpha1().CELPolicyExceptions(namespace).Watch(context.TODO(), options)
+ },
+ },
+ &policieskyvernoiov1alpha1.CELPolicyException{},
+ resyncPeriod,
+ indexers,
+ )
+}
+
+func (f *cELPolicyExceptionInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+ return NewFilteredCELPolicyExceptionInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cELPolicyExceptionInformer) Informer() cache.SharedIndexInformer {
+ return f.factory.InformerFor(&policieskyvernoiov1alpha1.CELPolicyException{}, f.defaultInformer)
+}
+
+func (f *cELPolicyExceptionInformer) Lister() v1alpha1.CELPolicyExceptionLister {
+ return v1alpha1.NewCELPolicyExceptionLister(f.Informer().GetIndexer())
+}
diff --git a/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1/interface.go b/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1/interface.go
index 9ab6c89381..e39b5b1db9 100644
--- a/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1/interface.go
+++ b/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1/interface.go
@@ -24,6 +24,8 @@ import (
// Interface provides access to all the informers in this group version.
type Interface interface {
+ // CELPolicyExceptions returns a CELPolicyExceptionInformer.
+ CELPolicyExceptions() CELPolicyExceptionInformer
// ValidatingPolicies returns a ValidatingPolicyInformer.
ValidatingPolicies() ValidatingPolicyInformer
}
@@ -39,6 +41,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
}
+// CELPolicyExceptions returns a CELPolicyExceptionInformer.
+func (v *version) CELPolicyExceptions() CELPolicyExceptionInformer {
+ return &cELPolicyExceptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
// ValidatingPolicies returns a ValidatingPolicyInformer.
func (v *version) ValidatingPolicies() ValidatingPolicyInformer {
return &validatingPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
diff --git a/pkg/client/listers/policies.kyverno.io/v1alpha1/celpolicyexception.go b/pkg/client/listers/policies.kyverno.io/v1alpha1/celpolicyexception.go
new file mode 100644
index 0000000000..3cb0ba4d65
--- /dev/null
+++ b/pkg/client/listers/policies.kyverno.io/v1alpha1/celpolicyexception.go
@@ -0,0 +1,99 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+ v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/client-go/tools/cache"
+)
+
+// CELPolicyExceptionLister helps list CELPolicyExceptions.
+// All objects returned here must be treated as read-only.
+type CELPolicyExceptionLister interface {
+ // List lists all CELPolicyExceptions in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error)
+ // CELPolicyExceptions returns an object that can list and get CELPolicyExceptions.
+ CELPolicyExceptions(namespace string) CELPolicyExceptionNamespaceLister
+ CELPolicyExceptionListerExpansion
+}
+
+// cELPolicyExceptionLister implements the CELPolicyExceptionLister interface.
+type cELPolicyExceptionLister struct {
+ indexer cache.Indexer
+}
+
+// NewCELPolicyExceptionLister returns a new CELPolicyExceptionLister.
+func NewCELPolicyExceptionLister(indexer cache.Indexer) CELPolicyExceptionLister {
+ return &cELPolicyExceptionLister{indexer: indexer}
+}
+
+// List lists all CELPolicyExceptions in the indexer.
+func (s *cELPolicyExceptionLister) List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error) {
+ err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha1.CELPolicyException))
+ })
+ return ret, err
+}
+
+// CELPolicyExceptions returns an object that can list and get CELPolicyExceptions.
+func (s *cELPolicyExceptionLister) CELPolicyExceptions(namespace string) CELPolicyExceptionNamespaceLister {
+ return cELPolicyExceptionNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// CELPolicyExceptionNamespaceLister helps list and get CELPolicyExceptions.
+// All objects returned here must be treated as read-only.
+type CELPolicyExceptionNamespaceLister interface {
+ // List lists all CELPolicyExceptions in the indexer for a given namespace.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error)
+ // Get retrieves the CELPolicyException from the indexer for a given namespace and name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*v1alpha1.CELPolicyException, error)
+ CELPolicyExceptionNamespaceListerExpansion
+}
+
+// cELPolicyExceptionNamespaceLister implements the CELPolicyExceptionNamespaceLister
+// interface.
+type cELPolicyExceptionNamespaceLister struct {
+ indexer cache.Indexer
+ namespace string
+}
+
+// List lists all CELPolicyExceptions in the indexer for a given namespace.
+func (s cELPolicyExceptionNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.CELPolicyException, err error) {
+ err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+ ret = append(ret, m.(*v1alpha1.CELPolicyException))
+ })
+ return ret, err
+}
+
+// Get retrieves the CELPolicyException from the indexer for a given namespace and name.
+func (s cELPolicyExceptionNamespaceLister) Get(name string) (*v1alpha1.CELPolicyException, error) {
+ obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+ return nil, errors.NewNotFound(v1alpha1.Resource("celpolicyexception"), name)
+ }
+ return obj.(*v1alpha1.CELPolicyException), nil
+}
diff --git a/pkg/client/listers/policies.kyverno.io/v1alpha1/expansion_generated.go b/pkg/client/listers/policies.kyverno.io/v1alpha1/expansion_generated.go
index ca78d298d1..ca84a6421b 100644
--- a/pkg/client/listers/policies.kyverno.io/v1alpha1/expansion_generated.go
+++ b/pkg/client/listers/policies.kyverno.io/v1alpha1/expansion_generated.go
@@ -18,6 +18,14 @@ limitations under the License.
package v1alpha1
+// CELPolicyExceptionListerExpansion allows custom methods to be added to
+// CELPolicyExceptionLister.
+type CELPolicyExceptionListerExpansion interface{}
+
+// CELPolicyExceptionNamespaceListerExpansion allows custom methods to be added to
+// CELPolicyExceptionNamespaceLister.
+type CELPolicyExceptionNamespaceListerExpansion interface{}
+
// ValidatingPolicyListerExpansion allows custom methods to be added to
// ValidatingPolicyLister.
type ValidatingPolicyListerExpansion interface{}
diff --git a/pkg/clients/kyverno/policiesv1alpha1/celpolicyexceptions/resource.generated.go b/pkg/clients/kyverno/policiesv1alpha1/celpolicyexceptions/resource.generated.go
new file mode 100644
index 0000000000..3982b2cd83
--- /dev/null
+++ b/pkg/clients/kyverno/policiesv1alpha1/celpolicyexceptions/resource.generated.go
@@ -0,0 +1,337 @@
+package resource
+
+import (
+ context "context"
+ "fmt"
+ "time"
+
+ "github.com/go-logr/logr"
+ github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+ github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1"
+ "github.com/kyverno/kyverno/pkg/metrics"
+ "github.com/kyverno/kyverno/pkg/tracing"
+ "go.opentelemetry.io/otel/trace"
+ "go.uber.org/multierr"
+ k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
+ k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
+)
+
+func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+ return &withLogging{inner, logger}
+}
+
+func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+ return &withMetrics{inner, recorder}
+}
+
+func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+ return &withTracing{inner, client, kind}
+}
+
+type withLogging struct {
+ inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface
+ logger logr.Logger
+}
+
+func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Create")
+ ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Create failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Create done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Delete")
+ ret0 := c.inner.Delete(arg0, arg1, arg2)
+ if err := multierr.Combine(ret0); err != nil {
+ logger.Error(err, "Delete failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Delete done", "duration", time.Since(start))
+ }
+ return ret0
+}
+func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "DeleteCollection")
+ ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+ if err := multierr.Combine(ret0); err != nil {
+ logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
+ } else {
+ logger.Info("DeleteCollection done", "duration", time.Since(start))
+ }
+ return ret0
+}
+func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Get")
+ ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Get failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Get done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyExceptionList, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "List")
+ ret0, ret1 := c.inner.List(arg0, arg1)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "List failed", "duration", time.Since(start))
+ } else {
+ logger.Info("List done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Patch")
+ ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Patch failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Patch done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Update")
+ ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Update failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Update done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Watch")
+ ret0, ret1 := c.inner.Watch(arg0, arg1)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Watch failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Watch done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+
+type withMetrics struct {
+ inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface
+ recorder metrics.Recorder
+}
+
+func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ defer c.recorder.RecordWithContext(arg0, "create")
+ return c.inner.Create(arg0, arg1, arg2)
+}
+func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+ defer c.recorder.RecordWithContext(arg0, "delete")
+ return c.inner.Delete(arg0, arg1, arg2)
+}
+func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+ defer c.recorder.RecordWithContext(arg0, "delete_collection")
+ return c.inner.DeleteCollection(arg0, arg1, arg2)
+}
+func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ defer c.recorder.RecordWithContext(arg0, "get")
+ return c.inner.Get(arg0, arg1, arg2)
+}
+func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyExceptionList, error) {
+ defer c.recorder.RecordWithContext(arg0, "list")
+ return c.inner.List(arg0, arg1)
+}
+func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ defer c.recorder.RecordWithContext(arg0, "patch")
+ return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+}
+func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ defer c.recorder.RecordWithContext(arg0, "update")
+ return c.inner.Update(arg0, arg1, arg2)
+}
+func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+ defer c.recorder.RecordWithContext(arg0, "watch")
+ return c.inner.Watch(arg0, arg1)
+}
+
+type withTracing struct {
+ inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface
+ client string
+ kind string
+}
+
+func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Create"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Delete"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0 := c.inner.Delete(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret0)
+ }
+ return ret0
+}
+func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("DeleteCollection"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret0)
+ }
+ return ret0
+}
+func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Get"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyExceptionList, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("List"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.List(arg0, arg1)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Patch"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_policies_kyverno_io_v1alpha1.CELPolicyException, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Update"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Watch"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Watch(arg0, arg1)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
diff --git a/pkg/clients/kyverno/policiesv1alpha1/client.generated.go b/pkg/clients/kyverno/policiesv1alpha1/client.generated.go
index 573778ca32..4b00c5785f 100644
--- a/pkg/clients/kyverno/policiesv1alpha1/client.generated.go
+++ b/pkg/clients/kyverno/policiesv1alpha1/client.generated.go
@@ -3,6 +3,7 @@ package client
import (
"github.com/go-logr/logr"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policies.kyverno.io/v1alpha1"
+ celpolicyexceptions "github.com/kyverno/kyverno/pkg/clients/kyverno/policiesv1alpha1/celpolicyexceptions"
validatingpolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/policiesv1alpha1/validatingpolicies"
"github.com/kyverno/kyverno/pkg/metrics"
"k8s.io/client-go/rest"
@@ -29,6 +30,10 @@ type withMetrics struct {
func (c *withMetrics) RESTClient() rest.Interface {
return c.inner.RESTClient()
}
+func (c *withMetrics) CELPolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+ recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "CELPolicyException", c.clientType)
+ return celpolicyexceptions.WithMetrics(c.inner.CELPolicyExceptions(namespace), recorder)
+}
func (c *withMetrics) ValidatingPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.ValidatingPolicyInterface {
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ValidatingPolicy", c.clientType)
return validatingpolicies.WithMetrics(c.inner.ValidatingPolicies(), recorder)
@@ -42,6 +47,9 @@ type withTracing struct {
func (c *withTracing) RESTClient() rest.Interface {
return c.inner.RESTClient()
}
+func (c *withTracing) CELPolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+ return celpolicyexceptions.WithTracing(c.inner.CELPolicyExceptions(namespace), c.client, "CELPolicyException")
+}
func (c *withTracing) ValidatingPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.ValidatingPolicyInterface {
return validatingpolicies.WithTracing(c.inner.ValidatingPolicies(), c.client, "ValidatingPolicy")
}
@@ -54,6 +62,9 @@ type withLogging struct {
func (c *withLogging) RESTClient() rest.Interface {
return c.inner.RESTClient()
}
+func (c *withLogging) CELPolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.CELPolicyExceptionInterface {
+ return celpolicyexceptions.WithLogging(c.inner.CELPolicyExceptions(namespace), c.logger.WithValues("resource", "CELPolicyExceptions").WithValues("namespace", namespace))
+}
func (c *withLogging) ValidatingPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policies_kyverno_io_v1alpha1.ValidatingPolicyInterface {
return validatingpolicies.WithLogging(c.inner.ValidatingPolicies(), c.logger.WithValues("resource", "ValidatingPolicies"))
}
diff --git a/pkg/controllers/report/aggregate/controller.go b/pkg/controllers/report/aggregate/controller.go
index 694953cc7f..f1ea2e7bb3 100644
--- a/pkg/controllers/report/aggregate/controller.go
+++ b/pkg/controllers/report/aggregate/controller.go
@@ -12,9 +12,9 @@ import (
"github.com/kyverno/kyverno/pkg/autogen"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
- kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
+ policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
- kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+ policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/controllers"
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
@@ -52,7 +52,7 @@ type controller struct {
// listers
polLister kyvernov1listers.PolicyLister
cpolLister kyvernov1listers.ClusterPolicyLister
- vpolLister kyvernov2alpha1listers.ValidatingPolicyLister
+ vpolLister policiesv1alpha1listers.ValidatingPolicyLister
vapLister admissionregistrationv1listers.ValidatingAdmissionPolicyLister
ephrLister cache.GenericLister
cephrLister cache.GenericLister
@@ -73,7 +73,7 @@ func NewController(
metadataFactory metadatainformers.SharedInformerFactory,
polInformer kyvernov1informers.PolicyInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
- vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
+ vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer,
) controllers.Controller {
ephrInformer := metadataFactory.ForResource(reportsv1.SchemeGroupVersion.WithResource("ephemeralreports"))
diff --git a/pkg/controllers/report/background/controller.go b/pkg/controllers/report/background/controller.go
index 253525a1a1..9f2e3e34e3 100644
--- a/pkg/controllers/report/background/controller.go
+++ b/pkg/controllers/report/background/controller.go
@@ -8,17 +8,17 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
"github.com/kyverno/kyverno/pkg/breaker"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
- kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
+ policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
- kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+ policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/controllers"
@@ -63,7 +63,7 @@ type controller struct {
// listers
polLister kyvernov1listers.PolicyLister
cpolLister kyvernov1listers.ClusterPolicyLister
- vpolLister kyvernov2alpha1listers.ValidatingPolicyLister
+ vpolLister policiesv1alpha1listers.ValidatingPolicyLister
polexLister kyvernov2listers.PolicyExceptionLister
vapLister admissionregistrationv1listers.ValidatingAdmissionPolicyLister
vapBindingLister admissionregistrationv1listers.ValidatingAdmissionPolicyBindingLister
@@ -94,7 +94,7 @@ func NewController(
metadataFactory metadatainformers.SharedInformerFactory,
polInformer kyvernov1informers.PolicyInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
- vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
+ vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
polexInformer kyvernov2informers.PolicyExceptionInformer,
vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer,
vapBindingInformer admissionregistrationv1informers.ValidatingAdmissionPolicyBindingInformer,
@@ -208,17 +208,17 @@ func (c *controller) deleteException(obj *kyvernov2.PolicyException) {
c.enqueueResources()
}
-func (c *controller) addVP(obj *kyvernov2alpha1.ValidatingPolicy) {
+func (c *controller) addVP(obj *policiesv1alpha1.ValidatingPolicy) {
c.enqueueResources()
}
-func (c *controller) updateVP(old, obj *kyvernov2alpha1.ValidatingPolicy) {
+func (c *controller) updateVP(old, obj *policiesv1alpha1.ValidatingPolicy) {
if old.GetResourceVersion() != obj.GetResourceVersion() {
c.enqueueResources()
}
}
-func (c *controller) deleteVP(obj *kyvernov2alpha1.ValidatingPolicy) {
+func (c *controller) deleteVP(obj *policiesv1alpha1.ValidatingPolicy) {
c.enqueueResources()
}
diff --git a/pkg/controllers/report/resource/controller.go b/pkg/controllers/report/resource/controller.go
index ce8f0246c6..0c719520ee 100644
--- a/pkg/controllers/report/resource/controller.go
+++ b/pkg/controllers/report/resource/controller.go
@@ -10,9 +10,9 @@ import (
"github.com/go-logr/logr"
"github.com/kyverno/kyverno/pkg/admissionpolicy"
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
- kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
+ policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
- kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+ policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/controllers"
"github.com/kyverno/kyverno/pkg/controllers/report/utils"
@@ -81,7 +81,7 @@ type controller struct {
// listers
polLister kyvernov1listers.PolicyLister
cpolLister kyvernov1listers.ClusterPolicyLister
- vpolLister kyvernov2alpha1listers.ValidatingPolicyLister
+ vpolLister policiesv1alpha1listers.ValidatingPolicyLister
vapLister admissionregistrationv1listers.ValidatingAdmissionPolicyLister
// queue
@@ -96,7 +96,7 @@ func NewController(
client dclient.Interface,
polInformer kyvernov1informers.PolicyInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
- vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
+ vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
vapInformer admissionregistrationv1informers.ValidatingAdmissionPolicyInformer,
) Controller {
c := controller{
diff --git a/pkg/controllers/report/utils/utils.go b/pkg/controllers/report/utils/utils.go
index ca9b1e2671..adcb33af7d 100644
--- a/pkg/controllers/report/utils/utils.go
+++ b/pkg/controllers/report/utils/utils.go
@@ -4,12 +4,12 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
"github.com/kyverno/kyverno/pkg/autogen"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
- kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+ policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -151,8 +151,8 @@ func FetchValidatingAdmissionPolicyBindings(vapBindingLister admissionregistrati
return bindings, nil
}
-func FetchValidatingPolicies(vpolLister kyvernov2alpha1listers.ValidatingPolicyLister) ([]kyvernov2alpha1.ValidatingPolicy, error) {
- var policies []kyvernov2alpha1.ValidatingPolicy
+func FetchValidatingPolicies(vpolLister policiesv1alpha1listers.ValidatingPolicyLister) ([]policiesv1alpha1.ValidatingPolicy, error) {
+ var policies []policiesv1alpha1.ValidatingPolicy
if pols, err := vpolLister.List(labels.Everything()); err != nil {
return nil, err
} else {
diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go
index ab6dee6d98..461a90dd5e 100644
--- a/pkg/controllers/webhook/controller.go
+++ b/pkg/controllers/webhook/controller.go
@@ -11,14 +11,17 @@ import (
"github.com/kyverno/kyverno/api/kyverno"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/ext/wildcard"
"github.com/kyverno/kyverno/pkg/autogen"
vpolautogen "github.com/kyverno/kyverno/pkg/cel/autogen"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
+ policiesv1alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policies.kyverno.io/v1alpha1"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
+ policiesv1alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/controllers"
@@ -100,7 +103,7 @@ type controller struct {
vwcLister admissionregistrationv1listers.ValidatingWebhookConfigurationLister
cpolLister kyvernov1listers.ClusterPolicyLister
polLister kyvernov1listers.PolicyLister
- vpolLister kyvernov2alpha1listers.ValidatingPolicyLister
+ vpolLister policiesv1alpha1listers.ValidatingPolicyLister
deploymentLister appsv1listers.DeploymentLister
secretLister corev1listers.SecretLister
leaseLister coordinationv1listers.LeaseLister
@@ -143,7 +146,7 @@ func NewController(
vwcInformer admissionregistrationv1informers.ValidatingWebhookConfigurationInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
polInformer kyvernov1informers.PolicyInformer,
- vpolInformer kyvernov2alpha1informers.ValidatingPolicyInformer,
+ vpolInformer policiesv1alpha1informers.ValidatingPolicyInformer,
deploymentInformer appsv1informers.DeploymentInformer,
secretInformer corev1informers.SecretInformer,
leaseInformer coordinationv1informers.LeaseInformer,
@@ -382,7 +385,7 @@ func (c *controller) recordPolicyState(webhookConfigurationName string, policies
}
}
-func (c *controller) recordValidatingPolicyState(validatingpolicies ...kyvernov2alpha1.GenericPolicy) {
+func (c *controller) recordValidatingPolicyState(validatingpolicies ...policiesv1alpha1.GenericPolicy) {
c.vpolState = make(map[string]bool)
for _, policy := range validatingpolicies {
c.vpolState[policy.GetName()] = true
@@ -661,9 +664,9 @@ func (c *controller) updateValidatingPolicyStatuses(ctx context.Context) error {
return err
}
- updateStatusFunc := func(vpol kyvernov2alpha1.GenericPolicy) error {
+ updateStatusFunc := func(vpol policiesv1alpha1.GenericPolicy) error {
status := vpol.GetStatus()
- status.SetReadyByCondition(kyvernov2alpha1.PolicyConditionTypeWebhookConfigured, metav1.ConditionTrue, "Webhook configured")
+ status.SetReadyByCondition(policiesv1alpha1.PolicyConditionTypeWebhookConfigured, metav1.ConditionTrue, "Webhook configured")
status.Autogen.Rules = nil
rules := vpolautogen.ComputeRules(vpol)
status.Autogen.Rules = append(status.Autogen.Rules, rules...)
@@ -677,12 +680,12 @@ func (c *controller) updateValidatingPolicyStatuses(ctx context.Context) error {
}
err := controllerutils.UpdateStatus(
ctx,
- vpol.(*kyvernov2alpha1.ValidatingPolicy),
- c.kyvernoClient.KyvernoV2alpha1().ValidatingPolicies(),
- func(vpol *kyvernov2alpha1.ValidatingPolicy) error {
+ vpol.(*policiesv1alpha1.ValidatingPolicy),
+ c.kyvernoClient.PoliciesV1alpha1().ValidatingPolicies(),
+ func(vpol *policiesv1alpha1.ValidatingPolicy) error {
return updateStatusFunc(vpol)
},
- func(a *kyvernov2alpha1.ValidatingPolicy, b *kyvernov2alpha1.ValidatingPolicy) bool {
+ func(a *policiesv1alpha1.ValidatingPolicy, b *policiesv1alpha1.ValidatingPolicy) bool {
return datautils.DeepEqual(a.Status, b.Status)
},
)
@@ -1136,13 +1139,13 @@ func (c *controller) getAllPolicies() ([]kyvernov1.PolicyInterface, error) {
return policies, nil
}
-func (c *controller) getValidatingPolicies() ([]kyvernov2alpha1.GenericPolicy, error) {
+func (c *controller) getValidatingPolicies() ([]policiesv1alpha1.GenericPolicy, error) {
validatingpolicies, err := c.vpolLister.List(labels.Everything())
if err != nil {
return nil, err
}
- vpols := make([]kyvernov2alpha1.GenericPolicy, 0)
+ vpols := make([]policiesv1alpha1.GenericPolicy, 0)
for _, vpol := range validatingpolicies {
vpols = append(vpols, vpol)
}
diff --git a/pkg/controllers/webhook/validatingpolicy.go b/pkg/controllers/webhook/validatingpolicy.go
index 8a7eae561d..2cfd52bff2 100644
--- a/pkg/controllers/webhook/validatingpolicy.go
+++ b/pkg/controllers/webhook/validatingpolicy.go
@@ -1,14 +1,14 @@
package webhook
import (
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/cel/autogen"
"github.com/kyverno/kyverno/pkg/config"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/utils/ptr"
)
-func buildWebhookRules(cfg config.Configuration, server string, servicePort int32, caBundle []byte, vpols []kyvernov2alpha1.GenericPolicy) (webhooks []admissionregistrationv1.ValidatingWebhook) {
+func buildWebhookRules(cfg config.Configuration, server string, servicePort int32, caBundle []byte, vpols []policiesv1alpha1.GenericPolicy) (webhooks []admissionregistrationv1.ValidatingWebhook) {
var (
webhookIgnoreList []admissionregistrationv1.ValidatingWebhook
webhookFailList []admissionregistrationv1.ValidatingWebhook
@@ -49,7 +49,7 @@ func buildWebhookRules(cfg config.Configuration, server string, servicePort int3
webhook.Rules = append(webhook.Rules, match.RuleWithOperations)
}
- for _, rule := range autogen.ComputeRules(vpol.(*kyvernov2alpha1.ValidatingPolicy)) {
+ for _, rule := range autogen.ComputeRules(vpol.(*policiesv1alpha1.ValidatingPolicy)) {
for _, match := range rule.MatchConstraints.ResourceRules {
webhook.Rules = append(webhook.Rules, match.RuleWithOperations)
}
diff --git a/pkg/controllers/webhook/validatingpolicy_test.go b/pkg/controllers/webhook/validatingpolicy_test.go
index 1933ba276c..d9c389ccef 100644
--- a/pkg/controllers/webhook/validatingpolicy_test.go
+++ b/pkg/controllers/webhook/validatingpolicy_test.go
@@ -3,7 +3,7 @@ package webhook
import (
"testing"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/kyverno/kyverno/pkg/config"
"github.com/stretchr/testify/assert"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -14,14 +14,14 @@ import (
func TestBuildWebhookRules(t *testing.T) {
tests := []struct {
name string
- vpols []*kyvernov2alpha1.ValidatingPolicy
+ vpols []*policiesv1alpha1.ValidatingPolicy
expectedWebhooks []admissionregistrationv1.ValidatingWebhook
}{
{
name: "Single Ignore Policy",
- vpols: []*kyvernov2alpha1.ValidatingPolicy{
+ vpols: []*policiesv1alpha1.ValidatingPolicy{
{
- Spec: kyvernov2alpha1.ValidatingPolicySpec{
+ Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
FailurePolicy: ptr.To(admissionregistrationv1.Ignore),
MatchConstraints: &admissionregistrationv1.MatchResources{
@@ -63,9 +63,9 @@ func TestBuildWebhookRules(t *testing.T) {
},
{
name: "Single Fail Policy",
- vpols: []*kyvernov2alpha1.ValidatingPolicy{
+ vpols: []*policiesv1alpha1.ValidatingPolicy{
{
- Spec: kyvernov2alpha1.ValidatingPolicySpec{
+ Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
FailurePolicy: ptr.To(admissionregistrationv1.Fail),
MatchConstraints: &admissionregistrationv1.MatchResources{
@@ -107,13 +107,13 @@ func TestBuildWebhookRules(t *testing.T) {
},
{
name: "Fine-Grained Ignore Policy",
- vpols: []*kyvernov2alpha1.ValidatingPolicy{
+ vpols: []*policiesv1alpha1.ValidatingPolicy{
{
ObjectMeta: metav1.ObjectMeta{
Name: "test-fine-grained-ignore",
},
- Spec: kyvernov2alpha1.ValidatingPolicySpec{
- WebhookConfiguration: &kyvernov2alpha1.WebhookConfiguration{
+ Spec: policiesv1alpha1.ValidatingPolicySpec{
+ WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{
TimeoutSeconds: ptr.To(int32(30)),
},
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
@@ -161,13 +161,13 @@ func TestBuildWebhookRules(t *testing.T) {
},
{
name: "Fine-Grained Fail Policy",
- vpols: []*kyvernov2alpha1.ValidatingPolicy{
+ vpols: []*policiesv1alpha1.ValidatingPolicy{
{
ObjectMeta: metav1.ObjectMeta{
Name: "test-fine-grained-fail",
},
- Spec: kyvernov2alpha1.ValidatingPolicySpec{
- WebhookConfiguration: &kyvernov2alpha1.WebhookConfiguration{
+ Spec: policiesv1alpha1.ValidatingPolicySpec{
+ WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{
TimeoutSeconds: ptr.To(int32(20)),
},
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
@@ -229,7 +229,7 @@ func TestBuildWebhookRules(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
- var vpols []kyvernov2alpha1.GenericPolicy
+ var vpols []policiesv1alpha1.GenericPolicy
for _, vpol := range tt.vpols {
vpols = append(vpols, vpol)
}
diff --git a/pkg/engine/api/policy.go b/pkg/engine/api/policy.go
index 1045ef1c92..f5d3e83b44 100644
--- a/pkg/engine/api/policy.go
+++ b/pkg/engine/api/policy.go
@@ -2,7 +2,7 @@ package api
import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -25,7 +25,7 @@ type GenericPolicy interface {
// AsValidatingAdmissionPolicy returns the validating admission policy
AsValidatingAdmissionPolicy() *admissionregistrationv1.ValidatingAdmissionPolicy
// AsValidatingPolicy returns the validating policy
- AsValidatingPolicy() *kyvernov2alpha1.ValidatingPolicy
+ AsValidatingPolicy() *policiesv1alpha1.ValidatingPolicy
}
type genericPolicy struct {
@@ -33,7 +33,7 @@ type genericPolicy struct {
PolicyInterface kyvernov1.PolicyInterface
ValidatingAdmissionPolicy *admissionregistrationv1.ValidatingAdmissionPolicy
MutatingAdmissionPolicy *admissionregistrationv1alpha1.MutatingAdmissionPolicy
- ValidatingPolicy *kyvernov2alpha1.ValidatingPolicy
+ ValidatingPolicy *policiesv1alpha1.ValidatingPolicy
}
func (p *genericPolicy) AsObject() any {
@@ -48,7 +48,7 @@ func (p *genericPolicy) AsValidatingAdmissionPolicy() *admissionregistrationv1.V
return p.ValidatingAdmissionPolicy
}
-func (p *genericPolicy) AsValidatingPolicy() *kyvernov2alpha1.ValidatingPolicy {
+func (p *genericPolicy) AsValidatingPolicy() *policiesv1alpha1.ValidatingPolicy {
return p.ValidatingPolicy
}
@@ -61,7 +61,7 @@ func (p *genericPolicy) GetAPIVersion() string {
case p.MutatingAdmissionPolicy != nil:
return admissionregistrationv1alpha1.SchemeGroupVersion.String()
case p.ValidatingPolicy != nil:
- return kyvernov2alpha1.GroupVersion.String()
+ return policiesv1alpha1.GroupVersion.String()
}
return ""
}
@@ -109,7 +109,7 @@ func NewMutatingAdmissionPolicy(pol *admissionregistrationv1alpha1.MutatingAdmis
}
}
-func NewValidatingPolicy(pol *kyvernov2alpha1.ValidatingPolicy) GenericPolicy {
+func NewValidatingPolicy(pol *policiesv1alpha1.ValidatingPolicy) GenericPolicy {
return &genericPolicy{
Object: pol,
ValidatingPolicy: pol,
diff --git a/pkg/utils/admission/celexception.go b/pkg/utils/admission/celexception.go
index ce28ea9258..4b9ab01a5d 100644
--- a/pkg/utils/admission/celexception.go
+++ b/pkg/utils/admission/celexception.go
@@ -1,21 +1,21 @@
package admission
import (
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/util/json"
)
-func UnmarshalCELPolicyException(raw []byte) (*kyvernov2alpha1.CELPolicyException, error) {
- var exception *kyvernov2alpha1.CELPolicyException
+func UnmarshalCELPolicyException(raw []byte) (*policiesv1alpha1.CELPolicyException, error) {
+ var exception *policiesv1alpha1.CELPolicyException
if err := json.Unmarshal(raw, &exception); err != nil {
return nil, err
}
return exception, nil
}
-func GetCELPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2alpha1.CELPolicyException, *kyvernov2alpha1.CELPolicyException, error) {
- var empty *kyvernov2alpha1.CELPolicyException
+func GetCELPolicyExceptions(request admissionv1.AdmissionRequest) (*policiesv1alpha1.CELPolicyException, *policiesv1alpha1.CELPolicyException, error) {
+ var empty *policiesv1alpha1.CELPolicyException
exception, err := UnmarshalCELPolicyException(request.Object.Raw)
if err != nil {
return exception, empty, err
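Review bot: `UnmarshalCELPolicyException` still returns `(nil, nil)` when `raw` is the JSON literal `null`, because unmarshalling `null` into the pointer leaves `exception` nil without an error (the apimachinery `json` wrapper keeps encoding/json semantics here, as far as I can tell); the commit retypes the function but does not add a nil check. `GetCELPolicyExceptions` then hands that nil back as its first value, and whether callers dereference it is not visible in this hunk. A guard after the unmarshal, `if exception == nil { return nil, errors.New("empty CELPolicyException") }` (with `errors` added to the import block), would make the failure explicit at the point where the admission request payload is decoded. `GetCELPolicyExceptions` continues past the end of the hunk.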
diff --git a/pkg/utils/admission/celexception_test.go b/pkg/utils/admission/celexception_test.go
index a230f0a598..7ca8fe03af 100644
--- a/pkg/utils/admission/celexception_test.go
+++ b/pkg/utils/admission/celexception_test.go
@@ -6,7 +6,7 @@ import (
"k8s.io/apimachinery/pkg/util/json"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/runtime"
)
@@ -56,7 +56,7 @@ func Test_UnmarshalCELPolicyException(t *testing.T) {
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
- var exception *kyvernov2alpha1.CELPolicyException
+ var exception *policiesv1alpha1.CELPolicyException
json.Unmarshal(test.raw, &exception)
if !reflect.DeepEqual(result, exception) {
t.Errorf("Expected %+v, got %+v", exception, result)
@@ -155,7 +155,7 @@ func TestGetCELPolicyExceptions(t *testing.T) {
for _, test := range testCases {
t.Run(test.name, func(t *testing.T) {
p1, p2, _ := GetCELPolicyExceptions(test.args.request)
- var empty *kyvernov2alpha1.CELPolicyException
+ var empty *policiesv1alpha1.CELPolicyException
expectedP1, err := UnmarshalCELPolicyException(test.args.request.Object.Raw)
if err != nil {
expectedP2 := empty
diff --git a/pkg/utils/yaml/loadpolicy.go b/pkg/utils/yaml/loadpolicy.go
index 69f5263068..01e5954db6 100644
--- a/pkg/utils/yaml/loadpolicy.go
+++ b/pkg/utils/yaml/loadpolicy.go
@@ -4,7 +4,7 @@ import (
"fmt"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
+ policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
extyaml "github.com/kyverno/kyverno/ext/yaml"
log "github.com/kyverno/kyverno/pkg/logging"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@@ -18,7 +18,7 @@ func GetPolicy(bytes []byte) (
policies []kyvernov1.PolicyInterface,
validatingAdmissionPolicies []admissionregistrationv1.ValidatingAdmissionPolicy,
validatingAdmissionPolicyBindings []admissionregistrationv1.ValidatingAdmissionPolicyBinding,
- validatingPolicies []kyvernov2alpha1.ValidatingPolicy,
+ validatingPolicies []policiesv1alpha1.ValidatingPolicy,
err error,
) {
documents, err := extyaml.SplitDocuments(bytes)
@@ -84,7 +84,7 @@ func parse(obj unstructured.Unstructured) (
*admissionregistrationv1.ValidatingAdmissionPolicy,
*admissionregistrationv1.ValidatingAdmissionPolicyBinding,
kyvernov1.PolicyInterface,
- *kyvernov2alpha1.ValidatingPolicy,
+ *policiesv1alpha1.ValidatingPolicy,
error,
) {
switch obj.GetKind() {
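Review bot: The dispatch at the end of this hunk keys on `obj.GetKind()` alone, so after the group move a manifest that still carries `apiVersion: kyverno.io/v2alpha1` with `kind: ValidatingPolicy` would, as far as the switch header shows, still be routed to `parseValidatingPolicy` and decoded into the `policiesv1alpha1` type with no signal that the group changed. If the `case` body does not check the group, adding `if obj.GetAPIVersion() != policiesv1alpha1.GroupVersion.String() { return nil, nil, nil, nil, fmt.Errorf("unsupported apiVersion %q for kind %s", obj.GetAPIVersion(), obj.GetKind()) }` in that case would turn a silent decode of a stale manifest into a clear migration error for CLI users. The `case` bodies of `parse` lie outside the hunk, so this is inferred from the switch header and the retyped return list only.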
@@ -159,8 +159,8 @@ func parseClusterPolicy(obj unstructured.Unstructured) (*kyvernov1.ClusterPolicy
return &out, nil
}
-func parseValidatingPolicy(obj unstructured.Unstructured) (*kyvernov2alpha1.ValidatingPolicy, error) {
- var out kyvernov2alpha1.ValidatingPolicy
+func parseValidatingPolicy(obj unstructured.Unstructured) (*policiesv1alpha1.ValidatingPolicy, error) {
+ var out policiesv1alpha1.ValidatingPolicy
if err := runtime.DefaultUnstructuredConverter.FromUnstructuredWithValidation(obj.Object, &out, true); err != nil {
return nil, fmt.Errorf("failed to decode policy: %v", err)
}
diff --git a/pkg/validation/exception/validate_test.go b/pkg/validation/exception/validate_test.go
index 779150b922..f0dcb7af60 100644
--- a/pkg/validation/exception/validate_test.go
+++ b/pkg/validation/exception/validate_test.go
@@ -71,7 +71,7 @@ func Test_Validate(t *testing.T) {
Namespace: "kyverno",
},
resource: []byte(`{
- "apiVersion": "kyverno.io/v2alpha1",
+ "apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "CELPolicyException",
"metadata": {
"name": "pod-security-exception",
@@ -102,7 +102,7 @@ func Test_Validate(t *testing.T) {
Namespace: "kyverno",
},
resource: []byte(`{
- "apiVersion": "kyverno.io/v2alpha1",
+ "apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "CELPolicyException",
"metadata": {
"name": "pod-security-exception",
@@ -133,7 +133,7 @@ func Test_Validate(t *testing.T) {
Namespace: "delta",
},
resource: []byte(`{
- "apiVersion": "kyverno.io/v2alpha1",
+ "apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "CELPolicyException",
"metadata": {
"name": "pod-security-exception",
@@ -164,7 +164,7 @@ func Test_Validate(t *testing.T) {
Namespace: "*",
},
resource: []byte(`{
- "apiVersion": "kyverno.io/v2alpha1",
+ "apiVersion": "policies.kyverno.io/v1alpha1",
"kind": "CELPolicyException",
"metadata": {
"name": "pod-security-exception",
diff --git a/test/cli/test-validating-policy/check-deployment-labels/policy.yaml b/test/cli/test-validating-policy/check-deployment-labels/policy.yaml
index ca2b4aa543..8966cf229d 100644
--- a/test/cli/test-validating-policy/check-deployment-labels/policy.yaml
+++ b/test/cli/test-validating-policy/check-deployment-labels/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/cli/test-validating-policy/check-deployments-replica/policy.yaml b/test/cli/test-validating-policy/check-deployments-replica/policy.yaml
index 5dabfd21ec..fbfdacd63a 100644
--- a/test/cli/test-validating-policy/check-deployments-replica/policy.yaml
+++ b/test/cli/test-validating-policy/check-deployments-replica/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-replicas
diff --git a/test/cli/test-validating-policy/disallow-host-path/policy.yaml b/test/cli/test-validating-policy/disallow-host-path/policy.yaml
index 08a4309640..ffeed3ddd7 100644
--- a/test/cli/test-validating-policy/disallow-host-path/policy.yaml
+++ b/test/cli/test-validating-policy/disallow-host-path/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-host-path
diff --git a/test/conformance/chainsaw/cel-policy-exceptions/empty-policy-ref/exception.yaml b/test/conformance/chainsaw/cel-policy-exceptions/empty-policy-ref/exception.yaml
index a20ee0a86a..dd5a1bf9be 100644
--- a/test/conformance/chainsaw/cel-policy-exceptions/empty-policy-ref/exception.yaml
+++ b/test/conformance/chainsaw/cel-policy-exceptions/empty-policy-ref/exception.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: CELPolicyException
metadata:
name: pod-security-exception
diff --git a/test/conformance/chainsaw/cel-policy-exceptions/exclude-deployments/exception.yaml b/test/conformance/chainsaw/cel-policy-exceptions/exclude-deployments/exception.yaml
index 04f1b414d8..8b0176564b 100644
--- a/test/conformance/chainsaw/cel-policy-exceptions/exclude-deployments/exception.yaml
+++ b/test/conformance/chainsaw/cel-policy-exceptions/exclude-deployments/exception.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: CELPolicyException
metadata:
name: pod-security-exception
diff --git a/test/conformance/chainsaw/cel-policy-exceptions/exclude-deployments/policy.yaml b/test/conformance/chainsaw/cel-policy-exceptions/exclude-deployments/policy.yaml
index 14468cadb6..a52b53a036 100644
--- a/test/conformance/chainsaw/cel-policy-exceptions/exclude-deployments/policy.yaml
+++ b/test/conformance/chainsaw/cel-policy-exceptions/exclude-deployments/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml
index 539f9cc24e..f5d9b2e002 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
diff --git a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/policy.yaml b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/policy.yaml
index bf45f99438..3d44d564b0 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
diff --git a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/check-autogen.yaml b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/check-autogen.yaml
index 917dda06b5..2d781f77d6 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/check-autogen.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/check-autogen.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
diff --git a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/policy.yaml b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/policy.yaml
index ba3fe9fde4..274df04d41 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
diff --git a/test/conformance/chainsaw/validating-policies/autogen/none/check-autogen.yaml b/test/conformance/chainsaw/validating-policies/autogen/none/check-autogen.yaml
index aa1ee225e2..b1b6e0d00d 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/none/check-autogen.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/none/check-autogen.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
diff --git a/test/conformance/chainsaw/validating-policies/autogen/none/policy.yaml b/test/conformance/chainsaw/validating-policies/autogen/none/policy.yaml
index 284801a937..55a95c0ee0 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/none/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/none/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
diff --git a/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml
index 0aa9ebf0cd..244506597d 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
diff --git a/test/conformance/chainsaw/validating-policies/autogen/should-autogen/policy.yaml b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/policy.yaml
index dc1e1eaa92..bea53642a7 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/should-autogen/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
diff --git a/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/check-autogen.yaml b/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/check-autogen.yaml
index aa1ee225e2..b1b6e0d00d 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/check-autogen.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/check-autogen.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
diff --git a/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/policy.yaml b/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/policy.yaml
index c4e5106c11..5e1ad86952 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
diff --git a/test/conformance/chainsaw/validating-policies/context/configmap/policy.yaml b/test/conformance/chainsaw/validating-policies/context/configmap/policy.yaml
index 59eccd3d17..db46af78c5 100644
--- a/test/conformance/chainsaw/validating-policies/context/configmap/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/context/configmap/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/context/image-data/policy.yaml b/test/conformance/chainsaw/validating-policies/context/image-data/policy.yaml
index b35a982f62..96cba3d71a 100644
--- a/test/conformance/chainsaw/validating-policies/context/image-data/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/context/image-data/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/policy.yaml b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/policy.yaml
index c5c53f32b0..9a9981997c 100644
--- a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/policy.yaml b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/policy.yaml
index e373db0db2..735fe69eb5 100644
--- a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/policy.yaml b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/policy.yaml
index f6e2a32c9f..96f7f59995 100644
--- a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/report/policy.yaml b/test/conformance/chainsaw/validating-policies/report/policy.yaml
index cdac1c7f00..e6b09edc41 100644
--- a/test/conformance/chainsaw/validating-policies/report/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/report/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/audit/policy.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/audit/policy.yaml
index 9bbe90bc4a..90be6cb02f 100644
--- a/test/conformance/chainsaw/validating-policies/validation-actions/audit/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/validation-actions/audit/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/deny/policy.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/deny/policy.yaml
index 14468cadb6..a52b53a036 100644
--- a/test/conformance/chainsaw/validating-policies/validation-actions/deny/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/validation-actions/deny/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/none/policy.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/none/policy.yaml
index cdac1c7f00..e6b09edc41 100644
--- a/test/conformance/chainsaw/validating-policies/validation-actions/none/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/validation-actions/none/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/warn/policy.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/warn/policy.yaml
index 891f01e865..e38d862aac 100644
--- a/test/conformance/chainsaw/validating-policies/validation-actions/warn/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/validation-actions/warn/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/validation-rules/accept/policy.yaml b/test/conformance/chainsaw/validating-policies/validation-rules/accept/policy.yaml
index cdac1c7f00..e6b09edc41 100644
--- a/test/conformance/chainsaw/validating-policies/validation-rules/accept/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/validation-rules/accept/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/validation-rules/reject/policy.yaml b/test/conformance/chainsaw/validating-policies/validation-rules/reject/policy.yaml
index cdac1c7f00..e6b09edc41 100644
--- a/test/conformance/chainsaw/validating-policies/validation-rules/reject/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/validation-rules/reject/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/multiple/policy.yaml b/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/multiple/policy.yaml
index b9b06374ae..32f0c4b4d3 100644
--- a/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/multiple/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/multiple/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
diff --git a/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/single/policy.yaml b/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/single/policy.yaml
index cdac1c7f00..e6b09edc41 100644
--- a/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/single/policy.yaml
+++ b/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/single/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2alpha1
+apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
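Review bot: Every fixture in this run only swaps `apiVersion: kyverno.io/v2alpha1` for `apiVersion: policies.kyverno.io/v1alpha1`; none of the visible tests exercises the negative case, i.e. that a ValidatingPolicy still submitted under the old `kyverno.io/v2alpha1` group is rejected by the API server (or at least not silently accepted and left unenforced). For an admission-control component that matters: if a stale CRD or a leftover policy in the old group survives an upgrade, the policy object exists but nothing enforces it, which is a fail-open condition for rules such as `disallow-privilege-escalation` earlier in this series. I cannot see from these hunks whether such a check exists elsewhere in the change; if not, consider adding one chainsaw step that applies a `kyverno.io/v2alpha1` ValidatingPolicy and asserts a `create` error, and a comment on the migrated fixtures such as `# policies.kyverno.io/v1alpha1 is the only served group for ValidatingPolicy; kyverno.io/v2alpha1 must be rejected`.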