From 7f6fb240579ff6b2961c1ff712c003b298a84dcb Mon Sep 17 00:00:00 2001 From: Mariam Fahmy <55502281+MariamFahmy98@users.noreply.github.com> Date: Thu, 1 Jun 2023 00:30:55 +0300 Subject: [PATCH] feat: support cel expression in validate rules (#7070) * feat: support cel expression in validate rules Signed-off-by: Mariam Fahmy * Adding CEL preconditions in kyverno policies Signed-off-by: Mariam Fahmy * Support parameter resources in validate.cel subrule Signed-off-by: Mariam Fahmy * fix Signed-off-by: Mariam Fahmy * Adding CEL preconditions in kyverno policies Signed-off-by: Mariam Fahmy * Add kuttl tests for validate.cel subrule Signed-off-by: Mariam Fahmy * fix Signed-off-by: Mariam Fahmy * Fix disallow-host-path kuttl test Signed-off-by: Mariam Fahmy * Add kuttl test for cel preconditions Signed-off-by: Mariam Fahmy * Fix kuttl tests for validate.cel Signed-off-by: Mariam Fahmy * Use K8S API Validation and AuditAnnotation Signed-off-by: Mariam Fahmy * Use K8S API ParamKind and ParamRef Signed-off-by: Mariam Fahmy --------- 
Signed-off-by: Mariam Fahmy Co-authored-by: Jim Bugwadia --- api/kyverno/v1/common_types.go | 35 + api/kyverno/v1/rule_types.go | 11 + api/kyverno/v1/zz_generated.deepcopy.go | 49 + api/kyverno/v2beta1/common_types.go | 4 + api/kyverno/v2beta1/rule_types.go | 11 + api/kyverno/v2beta1/zz_generated.deepcopy.go | 11 + charts/kyverno/templates/crds/crds.yaml | 1960 +++++++++++++++++ config/crds/kyverno.io_clusterpolicies.yaml | 980 +++++++++ config/crds/kyverno.io_policies.yaml | 980 +++++++++ config/install-latest-testing.yaml | 1960 +++++++++++++++++ docs/user/crd/index.html | 134 ++ go.mod | 9 +- .../handlers/validation/validate_cel.go | 163 ++ .../handlers/validation/validate_resource.go | 2 +- pkg/engine/validation.go | 3 + pkg/policy/validate/validate.go | 52 +- .../cel/cel-preconditions/01-policy.yaml | 6 + .../cel/cel-preconditions/02-resources.yaml | 7 + .../standard/cel/cel-preconditions/README.md | 9 + .../cel/cel-preconditions/pod-fail.yaml | 12 + .../cel/cel-preconditions/pod-pass.yaml | 12 + .../cel/cel-preconditions/policy-assert.yaml | 9 + .../cel/cel-preconditions/policy.yaml | 22 + .../cel/check-deployment-replicas/01-ns.yaml | 6 + .../cel/check-deployment-replicas/02-crd.yaml | 6 + .../03-replicaLimit.yaml | 6 + .../check-deployment-replicas/04-policy.yaml | 6 + .../05-resources.yaml | 7 + .../cel/check-deployment-replicas/README.md | 13 + .../check-deployment-replicas/crd-assert.yaml | 4 + .../cel/check-deployment-replicas/crd.yaml | 26 + .../deployment-fail.yaml | 17 + .../deployment-pass.yaml | 17 + .../cel/check-deployment-replicas/ns.yaml | 4 + .../policy-assert.yaml | 9 + .../cel/check-deployment-replicas/policy.yaml | 25 + .../replicaLimit.yaml | 6 + .../cel/disallow-host-port/01-policy.yaml | 6 + .../cel/disallow-host-port/02-resources.yaml | 7 + .../standard/cel/disallow-host-port/README.md | 7 + .../cel/disallow-host-port/pod-fail.yaml | 11 + .../cel/disallow-host-port/pod-pass.yaml | 10 + .../cel/disallow-host-port/policy-assert.yaml | 9 + 
.../cel/disallow-host-port/policy.yaml | 19 + 44 files changed, 6656 insertions(+), 6 deletions(-) create mode 100644 pkg/engine/handlers/validation/validate_cel.go create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/01-policy.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/02-resources.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/README.md create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/pod-fail.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/pod-pass.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/policy-assert.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/01-ns.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/02-crd.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/03-replicaLimit.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/04-policy.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/05-resources.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/README.md create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/crd-assert.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/crd.yaml create mode 100644 
test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/deployment-fail.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/deployment-pass.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/ns.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/policy-assert.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/policy.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/replicaLimit.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/01-policy.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/02-resources.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/README.md create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/policy-assert.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 5a5ddd5176..8ffd471a53 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go 
@@ -7,6 +7,7 @@ import (
 "github.com/kyverno/kyverno/pkg/engine/variables/regex"
 "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
 admissionv1 "k8s.io/api/admission/v1"
+ "k8s.io/api/admissionregistration/v1alpha1"
 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -387,6 +388,10 @@ type Validation struct {
 // by specifying exclusions for Pod Security Standards controls.
 // +optional
 PodSecurity *PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`
+
+ // CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
+ // +optional
+ CEL *CEL `json:"cel,omitempty" yaml:"cel,omitempty"`
 }
 
 // PodSecurity applies exemptions for Kubernetes Pod Security admission
@@ -422,6 +427,36 @@ type PodSecurityStandard struct {
 Images []string `json:"images,omitempty" yaml:"images,omitempty"`
 }
 
+// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
+type CEL struct {
+ // Expressions is a list of CELExpression types.
+ Expressions []v1alpha1.Validation `json:"expressions,omitempty" yaml:"expressions,omitempty"`
+
+ // ParamKind is a tuple of Group Kind and Version.
+ // +optional
+ ParamKind *v1alpha1.ParamKind `json:"paramKind,omitempty" yaml:"paramKind,omitempty"`
+
+ // ParamRef references a parameter resource.
+ // +optional
+ ParamRef *v1alpha1.ParamRef `json:"paramRef,omitempty" yaml:"paramRef,omitempty"`
+
+ // AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
+ // +optional
+ AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`
+}
+
+func (c *CEL) HasParam() bool {
+ return c.ParamKind != nil && c.ParamRef != nil
+}
+
+func (c *CEL) GetParamKind() v1alpha1.ParamKind {
+ return *c.ParamKind
+}
+
+func (c *CEL) GetParamRef() v1alpha1.ParamRef {
+ return *c.ParamRef
+}
+
 // DeserializeAnyPattern deserialize apiextensions.JSON to []interface{}
 func (in *Validation) DeserializeAnyPattern() ([]interface{}, error) {
 anyPattern := in.GetAnyPattern()
diff --git a/api/kyverno/v1/rule_types.go b/api/kyverno/v1/rule_types.go
index 48ad90db76..b48fa6b1b7 100644
--- a/api/kyverno/v1/rule_types.go
+++ b/api/kyverno/v1/rule_types.go
@@ -7,6 +7,7 @@ import (
 "github.com/kyverno/kyverno/pkg/pss/utils"
 datautils "github.com/kyverno/kyverno/pkg/utils/data"
 wildcard "github.com/kyverno/kyverno/pkg/utils/wildcard"
+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 "k8s.io/apimachinery/pkg/util/sets"
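Review bot: `GetParamKind` and `GetParamRef` dereference `c.ParamKind` and `c.ParamRef` unconditionally, so any caller that does not first check `HasParam()` panics with a nil pointer dereference on a policy that sets only one of `paramKind`/`paramRef` — both fields are `+optional` and nothing in the type ties them together. Either make the getters nil-safe (`if c.ParamKind == nil { return v1alpha1.ParamKind{} }` before the dereference, and the same for `ParamRef`) or document the precondition on these exported methods, which currently have no doc comments, e.g. `// GetParamKind returns the parameter kind; it panics if ParamKind is nil, so callers must check HasParam first.` The `Expressions` comment names a `CELExpression` type that does not exist — the element type is `v1alpha1.Validation` — so `// Expressions is the list of CEL validation expressions (admissionregistration/v1alpha1 Validation) evaluated against the resource.` would be accurate. Note also that this embeds types from the Kubernetes `admissionregistration/v1alpha1` API into the stable `kyverno.io/v1` CRD schema; an alpha API may change shape between releases, which would presumably surface as a breaking CRD change here.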
@@ -77,6 +78,11 @@ type Rule struct { // +optional RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"` + // CELPreconditions are used to determine if a policy rule should be applied by evaluating a + // set of CEL conditions. It can only be used with the validate.cel subrule + // +optional + CELPreconditions []admissionregistrationv1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"` + // Mutation is used to modify matching resources. // +optional Mutation Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"` @@ -129,6 +135,11 @@ func (r Rule) HasValidatePodSecurity() bool { return r.Validation.PodSecurity != nil && !datautils.DeepEqual(r.Validation.PodSecurity, &PodSecurity{}) } +// HasValidateCEL checks for validate.cel rule +func (r *Rule) HasValidateCEL() bool { + return r.Validation.CEL != nil && !datautils.DeepEqual(r.Validation.CEL, &CEL{}) +} + // HasValidate checks for validate rule func (r *Rule) HasValidate() bool { return !datautils.DeepEqual(r.Validation, Validation{}) diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index dd9ad92d94..2167659692 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -23,6 +23,8 @@ package v1 import ( "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" + "k8s.io/api/admissionregistration/v1alpha1" rbacv1 "k8s.io/api/rbac/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
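Review bot: The `CELPreconditions` doc comment says the field "can only be used with the validate.cel subrule", but nothing in this hunk enforces that; if the restriction is implemented in `pkg/policy/validate/validate.go` (changed in this commit but not visible here) the comment should say so, otherwise a rule that sets `celPreconditions` next to a pattern, deny or mutate body would presumably be accepted and the preconditions silently ignored, so the rule applies to resources the author meant to exclude. The sentence also lacks a terminal period; suggest `// CELPreconditions are used to determine if a policy rule should be applied by evaluating a set of CEL conditions. It can only be used with the validate.cel subrule and is rejected at policy validation time on any other rule type.` if that is what the validator does. The same comment is duplicated in `api/kyverno/v2beta1/rule_types.go` (the `@@ -45,6 +46,11 @@` hunk on the following lines). In the `@@ -129` hunk, `HasValidateCEL` takes a pointer receiver while the adjacent `HasValidatePodSecurity` uses a value receiver; it does match `HasValidate`, so this continues a pre-existing inconsistency on `Rule` rather than introducing one.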
@@ -205,6 +207,43 @@ func (in *AutogenStatus) DeepCopy() *AutogenStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CEL) DeepCopyInto(out *CEL) { + *out = *in + if in.Expressions != nil { + in, out := &in.Expressions, &out.Expressions + *out = make([]v1alpha1.Validation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ParamKind != nil { + in, out := &in.ParamKind, &out.ParamKind + *out = new(v1alpha1.ParamKind) + **out = **in + } + if in.ParamRef != nil { + in, out := &in.ParamRef, &out.ParamRef + *out = new(v1alpha1.ParamRef) + **out = **in + } + if in.AuditAnnotations != nil { + in, out := &in.AuditAnnotations, &out.AuditAnnotations + *out = make([]v1alpha1.AuditAnnotation, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CEL. +func (in *CEL) DeepCopy() *CEL { + if in == nil { + return nil + } + out := new(CEL) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CTLog) DeepCopyInto(out *CTLog) { *out = *in @@ -1123,6 +1162,11 @@ func (in *Rule) DeepCopyInto(out *Rule) { *out = new(apiextensionsv1.JSON) (*in).DeepCopyInto(*out) } + if in.CELPreconditions != nil { + in, out := &in.CELPreconditions, &out.CELPreconditions + *out = make([]admissionregistrationv1.MatchCondition, len(*in)) + copy(*out, *in) + } in.Mutation.DeepCopyInto(&out.Mutation) in.Validation.DeepCopyInto(&out.Validation) in.Generation.DeepCopyInto(&out.Generation) 
@@ -1367,6 +1411,11 @@ func (in *Validation) DeepCopyInto(out *Validation) { *out = new(PodSecurity) (*in).DeepCopyInto(*out) } + if in.CEL != nil { + in, out := &in.CEL, &out.CEL + *out = new(CEL) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation. diff --git a/api/kyverno/v2beta1/common_types.go b/api/kyverno/v2beta1/common_types.go index a852199902..b1c4a9640c 100644 --- a/api/kyverno/v2beta1/common_types.go +++ b/api/kyverno/v2beta1/common_types.go @@ -37,6 +37,10 @@ type Validation struct { // by specifying exclusions for Pod Security Standards controls. // +optional PodSecurity *kyvernov1.PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"` + + // CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + // +optional + CEL *kyvernov1.CEL `json:"cel,omitempty" yaml:"cel,omitempty"` } // ConditionOperator is the operation performed on condition key and value. diff --git a/api/kyverno/v2beta1/rule_types.go b/api/kyverno/v2beta1/rule_types.go index af28bb27ae..b09af59b8a 100644 --- a/api/kyverno/v2beta1/rule_types.go +++ b/api/kyverno/v2beta1/rule_types.go @@ -5,6 +5,7 @@ import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" datautils "github.com/kyverno/kyverno/pkg/utils/data" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" ) 
@@ -45,6 +46,11 @@ type Rule struct { // +optional RawAnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"` + // CELPreconditions are used to determine if a policy rule should be applied by evaluating a + // set of CEL conditions. It can only be used with the validate.cel subrule + // +optional + CELPreconditions []admissionregistrationv1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"` + // Mutation is used to modify matching resources. // +optional Mutation kyvernov1.Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"` @@ -97,6 +103,11 @@ func (r Rule) HasValidatePodSecurity() bool { return r.Validation.PodSecurity != nil && !datautils.DeepEqual(r.Validation.PodSecurity, &kyvernov1.PodSecurity{}) } +// HasValidateCEL checks for validate.cel rule +func (r *Rule) HasValidateCEL() bool { + return r.Validation.CEL != nil && !datautils.DeepEqual(r.Validation.CEL, &kyvernov1.CEL{}) +} + // HasValidate checks for validate rule func (r *Rule) HasValidate() bool { return !datautils.DeepEqual(r.Validation, Validation{}) diff --git a/api/kyverno/v2beta1/zz_generated.deepcopy.go b/api/kyverno/v2beta1/zz_generated.deepcopy.go index 4c50dc311a..f68ebe4347 100755 --- a/api/kyverno/v2beta1/zz_generated.deepcopy.go +++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go @@ -23,6 +23,7 @@ package v2beta1 import ( v1 "github.com/kyverno/kyverno/api/kyverno/v1" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" 
@@ -405,6 +406,11 @@ func (in *Rule) DeepCopyInto(out *Rule) { *out = new(AnyAllConditions) (*in).DeepCopyInto(*out) } + if in.CELPreconditions != nil { + in, out := &in.CELPreconditions, &out.CELPreconditions + *out = make([]admissionregistrationv1.MatchCondition, len(*in)) + copy(*out, *in) + } in.Mutation.DeepCopyInto(&out.Mutation) in.Validation.DeepCopyInto(&out.Validation) in.Generation.DeepCopyInto(&out.Generation) @@ -521,6 +527,11 @@ func (in *Validation) DeepCopyInto(out *Validation) { *out = new(v1.PodSecurity) (*in).DeepCopyInto(*out) } + if in.CEL != nil { + in, out := &in.CEL, &out.CEL + *out = new(v1.CEL) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation. diff --git a/charts/kyverno/templates/crds/crds.yaml b/charts/kyverno/templates/crds/crds.yaml index 44c5529e02..0ba7ecab21 100644 --- a/charts/kyverno/templates/crds/crds.yaml +++ b/charts/kyverno/templates/crds/crds.yaml 
@@ -3880,6 +3880,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 
'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -6014,6 +6056,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -7388,6 +7625,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -9618,6 +9901,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -11149,6 +11639,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 
'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -12945,6 +13477,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -14373,6 +15100,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -16603,6 +17376,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -18161,6 +19141,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 
'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -20295,6 +21317,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -21670,6 +22887,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -23900,6 +25163,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -25432,6 +26902,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 
'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -27228,6 +28740,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -28656,6 +30363,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -30886,6 +32639,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 30ad4f590c..999640c451 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml 
@@ -126,6 +126,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. 
+ 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -2260,6 +2302,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -3634,6 +3871,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -5864,6 +6147,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -7395,6 +7885,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 
'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -9191,6 +9723,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -10619,6 +11346,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -12849,6 +13622,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index fe22af5b0a..764c0e3bcf 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml 
@@ -127,6 +127,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. 
+ 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -2261,6 +2303,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -3636,6 +3873,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -5866,6 +6149,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -7398,6 +7888,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 
'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -9194,6 +9726,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -10622,6 +11349,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -12852,6 +13625,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index db7a86aa42..88b47ddc32 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -4083,6 +4083,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 
'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -6217,6 +6259,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -7591,6 +7828,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -9821,6 +10104,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -11352,6 +11842,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 
'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -13148,6 +13680,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -14576,6 +15303,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -16806,6 +17579,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -18364,6 +19344,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 
'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -20498,6 +21520,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -21873,6 +23090,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -24103,6 +25366,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -25635,6 +27105,48 @@ spec: to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 
'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -27431,6 +28943,201 @@ spec: At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. 
\n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. - 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. 
Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. 
If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. 
@@ -28859,6 +30566,52 @@ spec: declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 
'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -31089,6 +32842,213 @@ spec: patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". \n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. 
\n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. - 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'authorizer' - A CEL Authorizer. May be + used to perform authorization checks for + the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. 
Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. 
+ If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. 
+ type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: Name of the resource being referenced. + type: string + namespace: + description: Namespace of the referenced resource. + Should be empty for the cluster-scoped resources + type: string + type: object + x-kubernetes-map-type: atomic + type: object deny: description: Deny defines conditions used to pass or fail a validation rule. diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 93cf25631e..220aee3cd8 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -927,6 +927,82 @@ attributes for keyless verification, or a nested attestor declaration.


+

CEL +

+

+(Appears on: +Validation, +Validation) +

+

+

CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).

+

+ + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+expressions
+ + +[]Kubernetes admissionregistration/v1alpha1.Validation + + +
+

Expressions is a list of CELExpression types.

+
+paramKind
+ + +Kubernetes admissionregistration/v1alpha1.ParamKind + + +
+(Optional) +

ParamKind is a tuple of Group Kind and Version.

+
+paramRef
+ + +Kubernetes admissionregistration/v1alpha1.ParamRef + + +
+(Optional) +

ParamRef references a parameter resource.

+
+auditAnnotations
+ + +[]Kubernetes admissionregistration/v1alpha1.AuditAnnotation + + +
+(Optional) +

AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.

+
+

CTLog

@@ -3060,6 +3136,21 @@ See: https://k +celPreconditions
+ +
+[]Kubernetes admissionregistration/v1.MatchCondition + + + + +(Optional) +

CELPreconditions are used to determine if a policy rule should be applied by evaluating a +set of CEL conditions. It can only be used with the validate.cel subrule

+ + + + mutate
@@ -3774,6 +3865,20 @@ PodSecurity by specifying exclusions for Pod Security Standards controls.

+ + +cel
+ +
+CEL + + + + +(Optional) +

CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).

+ +
@@ -6701,6 +6806,21 @@ See: https://k +celPreconditions
+ +
+[]Kubernetes admissionregistration/v1.MatchCondition + + + + +(Optional) +

CELPreconditions are used to determine if a policy rule should be applied by evaluating a +set of CEL conditions. It can only be used with the validate.cel subrule

+ + + + mutate
@@ -7052,6 +7172,20 @@ PodSecurity by specifying exclusions for Pod Security Standards controls.

+ + +cel
+ +
+CEL + + + + +(Optional) +

CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).

+ +
diff --git a/go.mod b/go.mod index ff7c56b59e..cfecfba775 100644 --- a/go.mod +++ b/go.mod @@ -83,6 +83,12 @@ require ( sigs.k8s.io/yaml v1.3.0 ) +require ( + github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect + github.com/google/cel-go v0.12.6 // indirect + github.com/stoewer/go-strcase v1.2.0 // indirect +) + require ( cloud.google.com/go/compute v1.19.0 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect @@ -119,7 +125,6 @@ require ( github.com/alibabacloud-go/tea-utils v1.4.5 // indirect github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/aliyun/credentials-go v1.2.7 // indirect - github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 // indirect github.com/aws/aws-sdk-go-v2 v1.17.7 // indirect github.com/aws/aws-sdk-go-v2/config v1.18.19 // indirect github.com/aws/aws-sdk-go-v2/credentials v1.13.18 // indirect @@ -192,7 +197,6 @@ require ( github.com/golang/protobuf v1.5.3 // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/btree v1.1.2 // indirect - github.com/google/cel-go v0.12.6 // indirect github.com/google/certificate-transparency-go v1.1.4 // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/go-github/v45 v45.2.0 // indirect @@ -280,7 +284,6 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/spf13/viper v1.15.0 // indirect github.com/spiffe/go-spiffe/v2 v2.1.3 // indirect - github.com/stoewer/go-strcase v1.2.0 // indirect github.com/subosito/gotenv v1.4.2 // indirect github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect diff --git a/pkg/engine/handlers/validation/validate_cel.go b/pkg/engine/handlers/validation/validate_cel.go new file mode 100644 index 0000000000..518891d530 --- /dev/null +++ b/pkg/engine/handlers/validation/validate_cel.go 
@@ -0,0 +1,163 @@
+package validation
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/go-logr/logr"
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ "github.com/kyverno/kyverno/pkg/clients/dclient"
+ engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+ "github.com/kyverno/kyverno/pkg/engine/handlers"
+ engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apiserver/pkg/admission"
+ "k8s.io/apiserver/pkg/admission/plugin/cel"
+ "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
+ "k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
+ celconfig "k8s.io/apiserver/pkg/apis/cel"
+)
+
+type validateCELHandler struct {
+ client dclient.Interface
+}
+
+func NewValidateCELHandler(client dclient.Interface) (handlers.Handler, error) {
+ return validateCELHandler{
+ client: client,
+ }, nil
+}
+
+func (h validateCELHandler) Process(
+ ctx context.Context,
+ logger logr.Logger,
+ policyContext engineapi.PolicyContext,
+ resource unstructured.Unstructured,
+ rule kyvernov1.Rule,
+ _ engineapi.EngineContextLoader,
+) (unstructured.Unstructured, []engineapi.RuleResponse) {
+ if engineutils.IsDeleteRequest(policyContext) {
+ logger.V(3).Info("skipping CEL validation on deleted resource")
+ return resource, nil
+ }
+
+ oldResource := policyContext.OldResource()
+
+ var object, oldObject, versionedParams runtime.Object
+ object = resource.DeepCopyObject()
+ if oldResource.Object == nil {
+ oldObject = nil
+ } else {
+ oldObject = oldResource.DeepCopyObject()
+ }
+
+ var expressions, messageExpressions, matchExpressions, auditExpressions []cel.ExpressionAccessor
+
+ validations := rule.Validation.CEL.Expressions
+ auditAnnotations := rule.Validation.CEL.AuditAnnotations
+
+ // Get the parameter resource
+ hasParam := rule.Validation.CEL.HasParam()
+
+ if hasParam {
+ paramKind := rule.Validation.CEL.GetParamKind()
+ paramRef := rule.Validation.CEL.GetParamRef()
+
+ apiVersion := paramKind.APIVersion
+ kind := paramKind.Kind
+
+ name := paramRef.Name
+ namespace := paramRef.Namespace
+
+ if namespace == "" {
+ namespace = "default"
+ }
+
+ paramResource, err := h.client.GetResource(ctx, apiVersion, kind, namespace, name, "")
+ if err != nil {
+ return resource, handlers.WithError(rule, engineapi.Validation, "Error while getting the parameterized resource", err)
+ }
+
+ versionedParams = paramResource.DeepCopyObject()
+ }
+
+ for _, cel := range validations {
+ condition := &validatingadmissionpolicy.ValidationCondition{
+ Expression: cel.Expression,
+ Message: cel.Message,
+ }
+
+ messageCondition := &validatingadmissionpolicy.MessageExpressionCondition{
+ MessageExpression: cel.MessageExpression,
+ }
+
+ expressions = append(expressions, condition)
+ messageExpressions = append(messageExpressions, messageCondition)
+ }
+
+ for _, condition := range rule.CELPreconditions {
+ matchCondition := &matchconditions.MatchCondition{
+ Name: condition.Name,
+ Expression: condition.Expression,
+ }
+
+ matchExpressions = append(matchExpressions, matchCondition)
+ }
+
+ for _, auditAnnotation := range auditAnnotations {
+ auditCondition := &validatingadmissionpolicy.AuditAnnotationCondition{
+ Key: auditAnnotation.Key,
+ ValueExpression: auditAnnotation.ValueExpression,
+ }
+
+ auditExpressions = append(auditExpressions, auditCondition)
+ }
+
+ filterCompiler := cel.NewFilterCompiler()
+ filter := filterCompiler.Compile(expressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit)
+ messageExpressionfilter := filterCompiler.Compile(messageExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit)
+ auditAnnotationFilter := filterCompiler.Compile(auditExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit)
+ matchConditionFilter := filterCompiler.Compile(matchExpressions, cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}, celconfig.PerCallLimit)
+
+ newMatcher := matchconditions.NewMatcher(matchConditionFilter, nil, nil, "", "")
+
+ validator := validatingadmissionpolicy.NewValidator(filter, newMatcher, auditAnnotationFilter, messageExpressionfilter, nil, nil)
+
+ admissionAttributes := admission.NewAttributesRecord(
+ object,
+ oldObject,
+ resource.GroupVersionKind(),
+ resource.GetNamespace(),
+ resource.GetName(),
+ schema.GroupVersionResource{},
+ "",
+ admission.Operation(policyContext.Operation()),
+ nil,
+ false,
+ nil,
+ )
+ versionedAttr, _ := admission.NewVersionedAttributes(admissionAttributes, admissionAttributes.GetKind(), nil)
+ validateResult := validator.Validate(ctx, versionedAttr, versionedParams, celconfig.RuntimeCELCostBudget)
+
+ for _, decision := range validateResult.Decisions {
+ switch decision.Action {
+ case validatingadmissionpolicy.ActionAdmit:
+ if decision.Evaluation == validatingadmissionpolicy.EvalError {
+ return resource, handlers.WithResponses(
+ engineapi.RuleError(rule.Name, engineapi.Validation, decision.Message, nil),
+ )
+ }
+ case validatingadmissionpolicy.ActionDeny:
+ return resource, handlers.WithResponses(
+ engineapi.RuleFail(rule.Name, engineapi.Validation, decision.Message),
+ )
+ }
+ }
+
+ msg := fmt.Sprintf("Validation rule '%s' passed.", rule.Name)
+ return resource, handlers.WithResponses(
+ engineapi.RulePass(rule.Name, engineapi.Validation, msg),
+ )
+}
diff --git a/pkg/engine/handlers/validation/validate_resource.go b/pkg/engine/handlers/validation/validate_resource.go
index bacec36bf1..8f62c9ea6a 100644
--- a/pkg/engine/handlers/validation/validate_resource.go
+++ b/pkg/engine/handlers/validation/validate_resource.go
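Review bot: The error from `admission.NewVersionedAttributes` is discarded in `versionedAttr, _ := ...`, so whenever it fails a nil `versionedAttr` is handed to `validator.Validate`, which most likely panics inside the handler instead of producing a rule error; capture it and route it through the same path the parameter lookup already uses: `versionedAttr, err := admission.NewVersionedAttributes(admissionAttributes, admissionAttributes.GetKind(), nil)` followed by `if err != nil { return resource, handlers.WithError(rule, engineapi.Validation, "Error while creating versioned attributes", err) }`. The `namespace = "default"` fallback in the `hasParam` branch conflicts with the CRD text added in this same commit, which says `paramRef.namespace` should be empty for cluster-scoped parameter resources; whether `GetResource` tolerates a namespace on a cluster-scoped kind is decided in dclient, outside this hunk, so either document that cluster-scoped params are not supported yet or skip the fallback for cluster-scoped kinds. Only `validateResult.Decisions` is consumed, so the audit-annotation expressions are compiled and evaluated but their output is never surfaced; a comment stating where they are meant to end up (or deferring the compile until a consumer exists) would spare the next reader a search. As a style point, the loop variable in `for _, cel := range validations` shadows the imported `cel` package; renaming it to `validation` avoids the confusion, especially since `cel.NewFilterCompiler()` appears a few lines later.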
@@ -129,7 +129,7 @@ func (v *validator) validate(ctx context.Context) *engineapi.RuleResponse { return ruleResponse } - v.log.V(2).Info("invalid validation rule: podSecurity, patterns, or deny expected") + v.log.V(2).Info("invalid validation rule: podSecurity, cel, patterns, or deny expected") return nil } diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index d6a4da6f8a..bd6ab4579b 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -38,6 +38,7 @@ func (e *engine) validate( if hasValidate { hasVerifyManifest := rule.HasVerifyManifests() hasValidatePss := rule.HasValidatePodSecurity() + hasValidateCEL := rule.HasValidateCEL() if hasVerifyManifest { return validation.NewValidateManifestHandler( policyContext, @@ -45,6 +46,8 @@ func (e *engine) validate( ) } else if hasValidatePss { return validation.NewValidatePssHandler() + } else if hasValidateCEL { + return validation.NewValidateCELHandler(e.client) } else { return validation.NewValidateResourceHandler() } diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go index 02fcc846ee..40bb552e99 100644 --- a/pkg/policy/validate/validate.go +++ b/pkg/policy/validate/validate.go 
@@ -68,17 +68,61 @@ func (v *Validate) Validate(ctx context.Context) (string, error) {
 }
 }
+ if v.rule.CEL != nil {
+ for _, expression := range v.rule.CEL.Expressions {
+ if expression.Expression == "" {
+ return "", fmt.Errorf("cel.expressions.expression is required")
+ }
+ }
+
+ if v.rule.CEL.ParamKind != nil {
+ if v.rule.CEL.ParamKind.APIVersion == "" {
+ return "", fmt.Errorf("cel.paramKind.apiVersion is required")
+ }
+
+ if v.rule.CEL.ParamKind.Kind == "" {
+ return "", fmt.Errorf("cel.paramKind.kind is required")
+ }
+
+ if v.rule.CEL.ParamRef == nil {
+ return "", fmt.Errorf("cel.paramRef is required")
+ }
+ }
+
+ if v.rule.CEL.ParamRef != nil {
+ if v.rule.CEL.ParamRef.Name == "" {
+ return "", fmt.Errorf("cel.paramRef.name is required")
+ }
+
+ if v.rule.CEL.ParamKind == nil {
+ return "", fmt.Errorf("cel.paramKind is required")
+ }
+ }
+
+ if v.rule.CEL.AuditAnnotations != nil {
+ for _, auditAnnotation := range v.rule.CEL.AuditAnnotations {
+ if auditAnnotation.Key == "" {
+ return "", fmt.Errorf("cel.auditAnnotation.key is required")
+ }
+
+ if auditAnnotation.ValueExpression == "" {
+ return "", fmt.Errorf("cel.auditAnnotation.valueExpression is required")
+ }
+ }
+ }
+ }
+
 return "", nil
 }
 func (v *Validate) validateElements() error {
 count := validationElemCount(v.rule)
 if count == 0 {
- return fmt.Errorf("one of pattern, anyPattern, deny, foreach must be specified")
+ return fmt.Errorf("one of pattern, anyPattern, deny, foreach, cel must be specified")
 }
 if count > 1 {
- return fmt.Errorf("only one of pattern, anyPattern, deny, foreach can be specified")
+ return fmt.Errorf("only one of pattern, anyPattern, deny, foreach, cel can be specified")
 }
 return nil
@@ -110,6 +154,10 @@ func validationElemCount(v *kyvernov1.Validation) int {
 count++
 }
+ if v.CEL != nil {
+ count++
+ }
+
 if v.Manifests != nil && len(v.Manifests.Attestors) != 0 {
 count++
 }
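Review bot: A `cel` block whose `expressions` list is empty passes this validation, because the new loop only rejects an empty `expression` string inside an entry that exists; the handler in validate_cel.go appears to return RulePass whenever no decision denies, so such a rule would report success while checking nothing, unless the CRD schema enforces a minimum item count. Add a length check before the loop, `if len(v.rule.CEL.Expressions) == 0 { return "", fmt.Errorf("cel.expressions is required") }`, consistent with the `count == 0` error in validateElements. The `if v.rule.CEL.AuditAnnotations != nil` wrapper is redundant since ranging over a nil slice is a no-op, and its messages name `cel.auditAnnotation` while the field is `auditAnnotations`. Validate's body begins before this hunk.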
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/01-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/01-policy.yaml
new file mode 100644
index 0000000000..b20ef0bd7d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/02-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/02-resources.yaml
new file mode 100644
index 0000000000..25c98454b7
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/02-resources.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: pod-pass.yaml
+ shouldFail: false
+- file: pod-fail.yaml
+ shouldFail: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/README.md
new file mode 100644
index 0000000000..86c9fe12dd
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test validates the use of `rule.celPreconditions`.
+The policy will be applied on resources that matches the CEL Preconditions.
+
+## Expected Behavior
+
+The policy will be applied on `pod-fail` and since it violates the rule, it will be blocked.
+The policy won't be applied on `pod-pass` because it doesn't match the CEL precondition. Therefore it will be created.
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/pod-fail.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/pod-fail.yaml
new file mode 100644
index 0000000000..f532677735
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/pod-fail.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-pod
+spec:
+ containers:
+ - name: webserver
+ image: nginx:latest
+ ports:
+ - containerPort: 8080
+ hostPort: 80
+
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/pod-pass.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/pod-pass.yaml
new file mode 100644
index 0000000000..0f39450a86
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/pod-pass.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: webserver
+ image: nginx:latest
+ ports:
+ - containerPort: 8080
+ hostPort: 80
+
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/policy-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/policy-assert.yaml
new file mode 100644
index 0000000000..9ee9af9fde
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-port-range
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml
new file mode 100644
index 0000000000..fe4ebfdb42
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-port-range
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: host-port-range
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ celPreconditions:
+ - name: "first match condition in CEL"
+ expression: "object.metadata.name.matches('nginx-pod')"
+ validate:
+ cel:
+ expressions:
+ - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))"
+ message: "The only permitted hostPorts are in the range 5000-6000."
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/01-ns.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/01-ns.yaml
new file mode 100644
index 0000000000..4f2f0049df
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/01-ns.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- ns.yaml
+assert:
+- ns.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/02-crd.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/02-crd.yaml
new file mode 100644
index 0000000000..d83d93edd9
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/02-crd.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- crd.yaml
+assert:
+- crd-assert.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/03-replicaLimit.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/03-replicaLimit.yaml
new file mode 100644
index 0000000000..8ec6015703
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/03-replicaLimit.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- replicaLimit.yaml
+assert:
+- replicaLimit.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/04-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/04-policy.yaml
new file mode 100644
index 0000000000..b20ef0bd7d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/04-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/05-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/05-resources.yaml
new file mode 100644
index 0000000000..e7a3917b1f
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/05-resources.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: deployment-pass.yaml
+ shouldFail: false
+- file: deployment-fail.yaml
+ shouldFail: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/README.md
new file mode 100644
index 0000000000..138716a22c
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test validates the use of parameter resources in validate.cel subrule.
+
+This test creates the following:
+1. A namespace `test-params`
+2. A custom resource definition `ReplicaLimit`
+3. A policy that checks the deployment replicas using the parameter resource.
+4. Two deployments.
+
+## Expected Behavior
+
+The deployment `deployment-fail` is blocked, and the deployment `deployment-pass` is created.
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/crd-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/crd-assert.yaml
new file mode 100644
index 0000000000..8a52042686
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/crd-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: replicalimits.rules.example.com
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/crd.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/crd.yaml
new file mode 100644
index 0000000000..817a4b09fb
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/crd.yaml
@@ -0,0 +1,26 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: replicalimits.rules.example.com
+spec:
+ group: rules.example.com
+ names:
+ kind: ReplicaLimit
+ plural: replicalimits
+ scope: Namespaced
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ maxReplicas:
+ type: integer
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/deployment-fail.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/deployment-fail.yaml
new file mode 100644
index 0000000000..cc24bd227a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/deployment-fail.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-fail
+spec:
+ replicas: 4
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container2
+ image: nginx
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/deployment-pass.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/deployment-pass.yaml
new file mode 100644
index 0000000000..19f9b25db0
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/deployment-pass.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-pass
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container2
+ image: nginx
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/ns.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/ns.yaml
new file mode 100644
index 0000000000..1e4f718efa
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-params
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/policy-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/policy-assert.yaml
new file mode 100644
index 0000000000..83ef2bb225
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-deployment-replicas
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/policy.yaml
new file mode 100644
index 0000000000..7911c0756f
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/policy.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-deployment-replicas
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deployment-replicas
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ validate:
+ cel:
+ paramKind:
+ apiVersion: rules.example.com/v1
+ kind: ReplicaLimit
+ paramRef:
+ name: "replica-limit-test.example.com"
+ namespace: "test-params"
+ expressions:
+ - expression: "object.spec.replicas <= params.maxReplicas"
+ messageExpression: "'Deployment spec.replicas must be less than ' + string(params.maxReplicas)"
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/replicaLimit.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/replicaLimit.yaml
new file mode 100644
index 0000000000..94a976d38a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/check-deployment-replicas/replicaLimit.yaml
@@ -0,0 +1,6 @@
+apiVersion: rules.example.com/v1
+kind: ReplicaLimit
+metadata:
+ name: "replica-limit-test.example.com"
+ namespace: test-params
+maxReplicas: 3
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/01-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/01-policy.yaml
new file mode 100644
index 0000000000..b20ef0bd7d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/02-resources.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/02-resources.yaml
new file mode 100644
index 0000000000..25c98454b7
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/02-resources.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: pod-pass.yaml
+ shouldFail: false
+- file: pod-fail.yaml
+ shouldFail: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/README.md
new file mode 100644
index 0000000000..d5fa6cd256
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test creates a policy that uses CEL expressions to disallow host ports in pods.
+
+## Expected Behavior
+
+The pod `pod-fail` is blocked, and the pod `pod-pass` is created.
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml
new file mode 100644
index 0000000000..6372287332
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: webserver
+spec:
+ containers:
+ - name: webserver
+ image: nginx:latest
+ ports:
+ - hostPort: 80
+
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml
new file mode 100644
index 0000000000..5c766069f2
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: webserver
+spec:
+ containers:
+ - name: webserver
+ image: nginx:latest
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/policy-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/policy-assert.yaml
new file mode 100644
index 0000000000..a53a885448
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-port
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml
new file mode 100644
index 0000000000..2000bc88bd
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-port
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: host-port
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))"
+ message: "The fields spec.containers[*].ports[*].hostPort must either be unset or set to `0`"